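# GitHub Actions release workflow: build, validate, package, checksum, sign
# (Sigstore keyless) and publish a GitHub Release for every pushed "v*" tag.
name: release

# yamllint disable-line rule:truthy -- `on` is a YAML 1.1 boolean; GitHub's loader handles it.
on:
  push:
    tags:
      - "v*"

# Workflow-wide token scope. `id-token: write` is required for Sigstore keyless
# signing (OIDC identity); `contents: write` is required to create the release.
# Every other scope defaults to none because this block is declared.
permissions:
  id-token: write
  contents: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions are pinned by mutable tag. Pinning to a
      # full commit SHA (e.g. `actions/checkout@<full-commit-sha> # v6`) makes the
      # release job resistant to a moved or compromised tag.
      - uses: actions/checkout@v6
      - uses: astral-sh/setup-uv@v4
      - uses: pnpm/action-setup@v4
        with:
          # Action inputs are always strings; quoted to avoid implicit int typing.
          version: "10"
      - uses: actions/setup-node@v4
        with:
          node-version: "22"

      - name: Install deps
        run: |
          uv sync --all-packages
          pnpm install

      - name: Full check
        run: |
          lake build
          uv run --project pipeline python -m sm_pipeline.cli validate-all
          pnpm --dir portal build

      # Everything below operates on dist/; the packaging and checksum scripts
      # live in the repository and are not visible from this file.
      - name: Package artifacts
        run: bash scripts/release_artifacts.sh

      - name: Verify release checksums (Gate 7)
        run: bash scripts/verify_release_checksums.sh

      - name: Install cosign (Sigstore)
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: "v2.2.3"

      # Keyless signing: cosign obtains a short-lived certificate for the job's
      # OIDC identity and records the signature in the public transparency log.
      # `--yes` skips the interactive consent prompt, which cannot be answered
      # in a non-interactive CI step.
      - name: Sign release manifest (Gate 7 – Sigstore keyless)
        run: |
          cosign sign-blob dist/checksums.txt --yes \
            --output-signature=dist/checksums.txt.sig \
            --output-certificate=dist/checksums.txt.pem
        env:
          # Not required for cosign >= 2.0 (keyless is the default); kept for
          # compatibility with the pinned release.
          COSIGN_EXPERIMENTAL: "true"

      - name: Emit release integrity (Gate 7)
        run: |
          echo "--- Release checksums ---"
          cat dist/checksums.txt
          echo "--- Changelog ---"
          head -30 dist/CHANGELOG.md

      # The archive is produced after checksums.txt has been generated and
      # signed, so the zip itself is not covered by the signed manifest;
      # consumers verify the extracted files against checksums.txt, not the
      # archive.
      - name: Create release bundle archive (publication)
        run: |
          (cd dist && zip -r release-bundle.zip . -x "release-bundle.zip")
          echo "Release bundle: dist/release-bundle.zip"

      - name: Create GitHub Release and upload artifacts (publication)
        uses: softprops/action-gh-release@v2
        with:
          generate_release_notes: true
          files: |
            dist/CHANGELOG.md
            dist/checksums.txt
            dist/checksums.txt.sig
            dist/checksums.txt.pem
            dist/release-bundle.zip
          body_path: dist/CHANGELOG.md
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}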