open-code-review/.github/workflows/release.yml
kite e6e5da0930
ci: bump Go image to 1.26.5 to fix GO-2026-5856 govulncheck failure (#330)
govulncheck flags GO-2026-5856 (Encrypted Client Hello privacy leak in
crypto/tls), present in the Go standard library through go1.26.4 and
fixed in go1.26.5. The CI and release workflows pin the golang:1.26.4
container image, so govulncheck fails with exit code 3 on every run.
Bump both workflow images to golang:1.26.5.
2026-07-09 11:00:45 +08:00

231 lines
6.9 KiB
YAML

name: Release
on:
push:
tags: ['v*']
permissions:
contents: write
jobs:
build:
runs-on: self-hosted
container:
image: golang:1.26.5
strategy:
matrix:
include:
- goos: linux
goarch: amd64
- goos: linux
goarch: arm64
- goos: darwin
goarch: amd64
- goos: darwin
goarch: arm64
- goos: windows
goarch: amd64
- goos: windows
goarch: arm64
steps:
- uses: actions/checkout@v4
- name: Trust workspace
run: git config --global --replace-all safe.directory '*'
- name: Build
env:
GOOS: ${{ matrix.goos }}
GOARCH: ${{ matrix.goarch }}
CGO_ENABLED: '0'
run: |
VERSION=${GITHUB_REF_NAME}
GIT_COMMIT=$(git rev-parse --short HEAD)
BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
LD_FLAGS="-s -w -X main.Version=${VERSION} -X main.GitCommit=${GIT_COMMIT} -X main.BuildDate=${BUILD_DATE}"
BIN_NAME=opencodereview-${{ matrix.goos }}-${{ matrix.goarch }}
if [ "${{ matrix.goos }}" = "windows" ]; then
BIN_NAME="${BIN_NAME}.exe"
fi
go build -ldflags "${LD_FLAGS}" -o "${BIN_NAME}" ./cmd/opencodereview
echo "bin_name=${BIN_NAME}" >> $GITHUB_ENV
- uses: actions/upload-artifact@v4
with:
name: binary-${{ matrix.goos }}-${{ matrix.goarch }}
path: ${{ env.bin_name }}
release:
needs: build
runs-on: self-hosted
permissions:
contents: write
id-token: write
attestations: write
container:
image: ubuntu:24.04
steps:
- name: Install git
run: apt-get update && apt-get install -y git
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Trust workspace
run: git config --global --replace-all safe.directory '*'
- name: Generate release notes from commits
id: notes
shell: bash
run: |
CURRENT_TAG="${GITHUB_REF_NAME}"
PREV_TAG=$(git describe --tags --abbrev=0 "${CURRENT_TAG}^" 2>/dev/null || echo "")
if [ -z "$PREV_TAG" ]; then
RANGE="$CURRENT_TAG"
else
RANGE="${PREV_TAG}..${CURRENT_TAG}"
fi
FEATS=""
FIXES=""
REFACTORS=""
DOCS=""
OTHERS=""
while IFS= read -r line; do
msg="${line#* }"
case "$msg" in
feat*) FEATS="${FEATS}- ${msg}
";;
fix*) FIXES="${FIXES}- ${msg}
";;
refactor*) REFACTORS="${REFACTORS}- ${msg}
";;
docs*) DOCS="${DOCS}- ${msg}
";;
*) OTHERS="${OTHERS}- ${msg}
";;
esac
done < <(git log --oneline --no-merges "$RANGE")
{
echo "body<<RELEASE_NOTES_EOF"
if [ -n "$FEATS" ]; then
printf '## 🚀 Features\n\n%s\n' "$FEATS"
fi
if [ -n "$FIXES" ]; then
printf '## 🐛 Bug Fixes\n\n%s\n' "$FIXES"
fi
if [ -n "$REFACTORS" ]; then
printf '## 🔧 Refactoring\n\n%s\n' "$REFACTORS"
fi
if [ -n "$DOCS" ]; then
printf '## 📖 Documentation\n\n%s\n' "$DOCS"
fi
if [ -n "$OTHERS" ]; then
printf '## Other Changes\n\n%s\n' "$OTHERS"
fi
if [ -n "$PREV_TAG" ]; then
printf '\n**Full Changelog**: https://github.com/%s/compare/%s...%s\n' "$GITHUB_REPOSITORY" "$PREV_TAG" "$CURRENT_TAG"
fi
echo "RELEASE_NOTES_EOF"
} >> "$GITHUB_OUTPUT"
- uses: actions/download-artifact@v4
with:
pattern: binary-*
merge-multiple: true
- name: Generate checksums
run: sha256sum opencodereview-* | sort > sha256sum.txt
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
body: ${{ steps.notes.outputs.body }}
files: |
opencodereview-*
sha256sum.txt
- name: Attest release artifacts
uses: actions/attest-build-provenance@v2
with:
subject-path: |
opencodereview-*
sha256sum.txt
npm-publish:
needs: release
runs-on: self-hosted
container:
image: node:24
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- name: Trust workspace
run: git config --global --replace-all safe.directory '*'
- name: Install jq
run: apt-get update && apt-get install -y jq
- uses: actions/download-artifact@v4
with:
pattern: binary-*
merge-multiple: true
- name: Configure npm registry
run: echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Publish platform packages
run: |
VERSION="${GITHUB_REF_NAME#v}"
PLATFORMS="darwin-arm64:opencodereview-darwin-arm64:opencodereview
darwin-x64:opencodereview-darwin-amd64:opencodereview
linux-arm64:opencodereview-linux-arm64:opencodereview
linux-x64:opencodereview-linux-amd64:opencodereview
win32-arm64:opencodereview-windows-arm64.exe:opencodereview.exe
win32-x64:opencodereview-windows-amd64.exe:opencodereview.exe"
for entry in $PLATFORMS; do
platform_dir="${entry%%:*}"
rest="${entry#*:}"
dist_binary="${rest%%:*}"
dest_name="${rest#*:}"
pkg_dir="./npm/$platform_dir"
mkdir -p "$pkg_dir/bin"
cp "$dist_binary" "$pkg_dir/bin/$dest_name"
chmod 755 "$pkg_dir/bin/$dest_name" 2>/dev/null || true
jq --arg v "$VERSION" '.version = $v' "$pkg_dir/package.json" > "$pkg_dir/package.json.tmp"
mv "$pkg_dir/package.json.tmp" "$pkg_dir/package.json"
pkg_name=$(jq -r '.name' "$pkg_dir/package.json")
already=$(npm view "${pkg_name}@${VERSION}" version 2>/dev/null || true)
if [ "$already" = "$VERSION" ]; then
echo "Skip: ${pkg_name}@${VERSION} already published"
else
npm publish "$pkg_dir" --access public
echo "Published: ${pkg_name}@${VERSION}"
fi
done
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Inject version and optionalDependencies
run: |
VERSION="${GITHUB_REF_NAME#v}"
jq --arg v "$VERSION" '
.version = $v |
.optionalDependencies |= with_entries(.value = $v)
' package.json > package.json.tmp && mv package.json.tmp package.json
- name: Publish to npm
run: npm publish --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}