Commit graph

21 commits

Author SHA1 Message Date
kite
e6e5da0930
ci: bump Go image to 1.26.5 to fix GO-2026-5856 govulncheck failure (#330)
govulncheck flags GO-2026-5856 (Encrypted Client Hello privacy leak in
crypto/tls), present in the Go standard library through go1.26.4 and
fixed in go1.26.5. The CI and release workflows pin the golang:1.26.4
container image, so govulncheck fails with exit code 3 on every run.
Bump both workflow images to golang:1.26.5.
2026-07-09 11:00:45 +08:00
Lei Zhang
64e008fcb4
ci: upgrade node version to 24 (#240) 2026-07-02 10:33:37 +08:00
kite
0881ad87b8 fix(ci): use --replace-all for git safe.directory to prevent self-hosted runner failure
Some checks are pending
CI / test (push) Waiting to run
On self-hosted runners, _github_home/.gitconfig persists across jobs.
The ocr-review workflow used --add which accumulated multiple safe.directory
values over time. Once multiple values existed, other workflows using plain
git config (without --add/--replace-all) failed with "cannot overwrite
multiple values with a single value".

Unify all workflows to use --replace-all, which clears previous values and
writes exactly one entry regardless of prior state.
2026-06-29 11:37:23 +08:00
kite
e1a6a404ba feat(ci): add Sigstore attestation for release artifacts
Add build provenance attestation to the release workflow using
actions/attest-build-provenance with OIDC keyless signing.
Document release signature verification in SECURITY.md.
2026-06-26 22:18:03 +08:00
kite
757b359673 fix(ci): use bash shell for release notes generation step
The ubuntu:24.04 container defaults to sh (dash) which does not support
process substitution (< <(...)). Add shell: bash to the step.
2026-06-23 20:09:43 +08:00
kite
a86389c5e5 fix(ci): install git in release job container to fix workflow failure
The release job uses ubuntu:24.04 which lacks git. After adding
commit-based release notes generation, git commands (config/describe/log)
fail with "git: not found". Install git before checkout so the full
history is available for release notes.
2026-06-23 19:57:09 +08:00
kite
0ceffc87f4 feat(release): auto-generate structured release notes from conventional commits
Satisfy the OpenSSF Best Practices "release_notes" criterion by parsing
commits between tags and categorizing them into Features, Bug Fixes,
Refactoring, and Documentation sections.
2026-06-22 15:52:06 +08:00
kite
810af47d4d fix(ci): prefix local path with ./ to prevent npm GitHub shorthand resolution
npm interprets "npm/darwin-arm64" as a GitHub user/repo shorthand
instead of a local directory, causing git ls-remote failures.
2026-06-17 15:00:08 +08:00
kite
b46f48e40d fix(ci): replace bash here-string with POSIX parameter expansion
The CI container uses sh (not bash), which doesn't support the <<<
here-string syntax, causing "Syntax error: redirection unexpected".
2026-06-17 14:43:06 +08:00
kite
f76d4266ed feat: add platform-specific npm packages to eliminate postinstall download
Ship Go binaries inside per-platform npm packages (@alibaba-group/ocr-{os}-{arch})
so npm install resolves the correct binary via optionalDependencies + os/cpu fields.
This removes the need for a postinstall download from GitHub Releases, which is
extremely slow for users behind restricted networks (e.g. China mainland).

The postinstall download is retained as a fallback for --no-optional installs.
2026-06-17 14:17:03 +08:00
kite
f577742c04 ci: drop npm provenance flag incompatible with self-hosted runners
Sigstore provenance verification only supports GitHub-hosted runners,
causing E422 on publish. Remove --provenance and the unused id-token
permission.
2026-06-13 11:08:45 +08:00
kite
372802d294 ci: fix npm publish auth failure on self-hosted runners
The node:20 container lacks automatic NODE_AUTH_TOKEN mapping to npm
registry credentials. Add explicit .npmrc configuration step before
npm publish.
2026-06-13 11:08:45 +08:00
Lei Zhang
76b4d5a3b5
ci: use self-hosted runners with container images for build and deplo… (#107)
* ci: use self-hosted runners with container images for build and deploy workflows

- deploy-pages: switch to self-hosted runner with node:20 container, remove redundant setup-node

- release: use self-hosted runner with golang:1.26.4 container for build job, remove redundant setup-go

- release: use self-hosted runner with ubuntu:24.04 container for release job

- release: use self-hosted runner with node:20 container for npm-publish job, remove redundant setup-node

- release: add jq installation step for version injection in npm-publish

* ci: fix dubious ownership in self-hosted container jobs

- Add git safe.directory trust step after checkout in release.yml build and npm-publish jobs
- Add git safe.directory trust step after checkout in deploy-pages.yml build job
- Switch deploy-pages deploy job from ubuntu-latest to self-hosted with node:20 container
2026-06-12 14:30:51 +08:00
Bison Xu
89effb6b22
feat(build): add Windows platform support (#13)
* feat(build): add Windows platform support

Add windows/amd64 and windows/arm64 to CI build matrix, Makefile
cross-platform targets, and handle .exe suffix in install/update
scripts and binary wrapper. Skip chmod on Windows where unsupported.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* docs(README): add Windows download instructions

Add Windows x86_64 and ARM64 binary download commands to both
English and Chinese README install sections.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-02 21:57:31 +08:00
kite
bbf673d4d1 chore(workflow): Add environment variables for npm publish step 2026-05-25 22:52:21 +08:00
kite
db5bc4b8a9 feat(rules): add include/exclude file filter support in rule.json
Allow users to configure include/exclude glob patterns in
  .open-code-review/rule.json (global or project-level) to control
  which files are reviewed. Exclude has highest priority, include
  penetrates default path exclusions but not the extension allowlist.
  Only one layer takes effect following --rule > project > global priority.
2026-05-25 20:19:02 +08:00
kite
44120e28b6 fix: fix some bug 2026-05-22 21:27:39 +08:00
kite
3940e1af3f fix(ci): remove registry-url to allow npm OIDC authentication
setup-node's registry-url generates .npmrc with a token placeholder
that overrides npm's OIDC flow, causing 404 on publish.
2026-05-21 21:50:33 +08:00
kite
80d5121d88 ci: inject version from git tag before npm publish
Use git tag as the single source of truth for version number.
Eliminates the need to keep package.json version in sync manually.
2026-05-21 21:20:48 +08:00
kite
365c9ee9a4 ci: switch npm publish to OIDC trusted publishing
Remove NPM_TOKEN secret dependency and use GitHub Actions OIDC
id-token for npm authentication with provenance attestation.
2026-05-21 19:28:53 +08:00
kite
7c8b8562aa feat: init 2026-05-20 22:03:52 +08:00