open-code-review/.github/workflows/release.yml
kite f577742c04 ci: drop npm provenance flag incompatible with self-hosted runners
Sigstore provenance verification only supports GitHub-hosted runners,
causing E422 on publish. Remove --provenance and the unused id-token
permission.
2026-06-13 11:08:45 +08:00

107 lines
2.8 KiB
YAML

name: Release
on:
push:
tags: ['v*']
permissions:
contents: write
jobs:
build:
runs-on: self-hosted
container:
image: golang:1.26.4
strategy:
matrix:
include:
- goos: linux
goarch: amd64
- goos: linux
goarch: arm64
- goos: darwin
goarch: amd64
- goos: darwin
goarch: arm64
- goos: windows
goarch: amd64
- goos: windows
goarch: arm64
steps:
- uses: actions/checkout@v4
- name: Trust workspace
run: git config --global safe.directory '*'
- name: Build
env:
GOOS: ${{ matrix.goos }}
GOARCH: ${{ matrix.goarch }}
CGO_ENABLED: '0'
run: |
VERSION=${GITHUB_REF_NAME}
GIT_COMMIT=$(git rev-parse --short HEAD)
BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
LD_FLAGS="-s -w -X main.Version=${VERSION} -X main.GitCommit=${GIT_COMMIT} -X main.BuildDate=${BUILD_DATE}"
BIN_NAME=opencodereview-${{ matrix.goos }}-${{ matrix.goarch }}
if [ "${{ matrix.goos }}" = "windows" ]; then
BIN_NAME="${BIN_NAME}.exe"
fi
go build -ldflags "${LD_FLAGS}" -o "${BIN_NAME}" ./cmd/opencodereview
echo "bin_name=${BIN_NAME}" >> $GITHUB_ENV
- uses: actions/upload-artifact@v4
with:
name: binary-${{ matrix.goos }}-${{ matrix.goarch }}
path: ${{ env.bin_name }}
release:
needs: build
runs-on: self-hosted
container:
image: ubuntu:24.04
steps:
- uses: actions/download-artifact@v4
with:
pattern: binary-*
merge-multiple: true
- name: Generate checksums
run: sha256sum opencodereview-* | sort > sha256sum.txt
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
files: |
opencodereview-*
sha256sum.txt
generate_release_notes: true
npm-publish:
needs: release
runs-on: self-hosted
container:
image: node:20
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- name: Trust workspace
run: git config --global safe.directory '*'
- name: Install jq
run: apt-get update && apt-get install -y jq
- name: Inject version from tag
run: jq --arg v "${GITHUB_REF_NAME#v}" '.version = $v' package.json > package.json.tmp && mv package.json.tmp package.json
- name: Configure npm registry
run: echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Publish to npm
run: npm publish --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}