name: Release on: push: tags: ['v*'] permissions: contents: write jobs: build: runs-on: self-hosted container: image: golang:1.26.5 strategy: matrix: include: - goos: linux goarch: amd64 - goos: linux goarch: arm64 - goos: darwin goarch: amd64 - goos: darwin goarch: arm64 - goos: windows goarch: amd64 - goos: windows goarch: arm64 steps: - uses: actions/checkout@v4 - name: Trust workspace run: git config --global --replace-all safe.directory '*' - name: Build env: GOOS: ${{ matrix.goos }} GOARCH: ${{ matrix.goarch }} CGO_ENABLED: '0' run: | VERSION=${GITHUB_REF_NAME} GIT_COMMIT=$(git rev-parse --short HEAD) BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") LD_FLAGS="-s -w -X main.Version=${VERSION} -X main.GitCommit=${GIT_COMMIT} -X main.BuildDate=${BUILD_DATE}" BIN_NAME=opencodereview-${{ matrix.goos }}-${{ matrix.goarch }} if [ "${{ matrix.goos }}" = "windows" ]; then BIN_NAME="${BIN_NAME}.exe" fi go build -ldflags "${LD_FLAGS}" -o "${BIN_NAME}" ./cmd/opencodereview echo "bin_name=${BIN_NAME}" >> $GITHUB_ENV - uses: actions/upload-artifact@v4 with: name: binary-${{ matrix.goos }}-${{ matrix.goarch }} path: ${{ env.bin_name }} release: needs: build runs-on: self-hosted permissions: contents: write id-token: write attestations: write container: image: ubuntu:24.04 steps: - name: Install git run: apt-get update && apt-get install -y git - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Trust workspace run: git config --global --replace-all safe.directory '*' - name: Generate release notes from commits id: notes shell: bash run: | CURRENT_TAG="${GITHUB_REF_NAME}" PREV_TAG=$(git describe --tags --abbrev=0 "${CURRENT_TAG}^" 2>/dev/null || echo "") if [ -z "$PREV_TAG" ]; then RANGE="$CURRENT_TAG" else RANGE="${PREV_TAG}..${CURRENT_TAG}" fi FEATS="" FIXES="" REFACTORS="" DOCS="" OTHERS="" while IFS= read -r line; do msg="${line#* }" case "$msg" in feat*) FEATS="${FEATS}- ${msg} ";; fix*) FIXES="${FIXES}- ${msg} ";; refactor*) REFACTORS="${REFACTORS}- ${msg} ";; docs*) DOCS="${DOCS}- ${msg} ";; *) OTHERS="${OTHERS}- ${msg} ";; esac done < <(git log --oneline --no-merges "$RANGE") { echo "body<> "$GITHUB_OUTPUT" - uses: actions/download-artifact@v4 with: pattern: binary-* merge-multiple: true - name: Generate checksums run: sha256sum opencodereview-* | sort > sha256sum.txt - name: Create GitHub Release uses: softprops/action-gh-release@v2 with: body: ${{ steps.notes.outputs.body }} files: | opencodereview-* sha256sum.txt - name: Attest release artifacts uses: actions/attest-build-provenance@v2 with: subject-path: | opencodereview-* sha256sum.txt npm-publish: needs: release runs-on: self-hosted container: image: node:24 permissions: contents: read steps: - uses: actions/checkout@v4 - name: Trust workspace run: git config --global --replace-all safe.directory '*' - name: Install jq run: apt-get update && apt-get install -y jq - uses: actions/download-artifact@v4 with: pattern: binary-* merge-multiple: true - name: Configure npm registry run: echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Publish platform packages run: | VERSION="${GITHUB_REF_NAME#v}" PLATFORMS="darwin-arm64:opencodereview-darwin-arm64:opencodereview darwin-x64:opencodereview-darwin-amd64:opencodereview linux-arm64:opencodereview-linux-arm64:opencodereview linux-x64:opencodereview-linux-amd64:opencodereview win32-arm64:opencodereview-windows-arm64.exe:opencodereview.exe win32-x64:opencodereview-windows-amd64.exe:opencodereview.exe" for entry in $PLATFORMS; do platform_dir="${entry%%:*}" rest="${entry#*:}" dist_binary="${rest%%:*}" dest_name="${rest#*:}" pkg_dir="./npm/$platform_dir" mkdir -p "$pkg_dir/bin" cp "$dist_binary" "$pkg_dir/bin/$dest_name" chmod 755 "$pkg_dir/bin/$dest_name" 2>/dev/null || true jq --arg v "$VERSION" '.version = $v' "$pkg_dir/package.json" > "$pkg_dir/package.json.tmp" mv "$pkg_dir/package.json.tmp" "$pkg_dir/package.json" pkg_name=$(jq -r '.name' "$pkg_dir/package.json") already=$(npm view "${pkg_name}@${VERSION}" version 2>/dev/null || true) if [ "$already" = "$VERSION" ]; then echo "Skip: ${pkg_name}@${VERSION} already published" else npm publish "$pkg_dir" --access public echo "Published: ${pkg_name}@${VERSION}" fi done env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Inject version and optionalDependencies run: | VERSION="${GITHUB_REF_NAME#v}" jq --arg v "$VERSION" ' .version = $v | .optionalDependencies |= with_entries(.value = $v) ' package.json > package.json.tmp && mv package.json.tmp package.json - name: Publish to npm run: npm publish --access public env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}