robustness audit: state/logs/observability/dev-ex hardening + statusl… #11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| inputs: | |
| bump: | |
| description: "Version bump level" | |
| required: true | |
| default: minor | |
| type: choice | |
| options: | |
| - patch | |
| - minor | |
| - major | |
| permissions: | |
| contents: write | |
| concurrency: | |
| group: release | |
| cancel-in-progress: false | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| # Pin to the major+minor declared in go.mod so `go mod vendor` | |
| # and the release build succeed against the source tree. | |
| go-version-file: go.mod | |
| - name: Run tests | |
| run: go test ./... | |
| - name: Determine bump level | |
| id: level | |
| run: | | |
| if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then | |
| echo "level=${{ inputs.bump }}" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "level=patch" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Compute next version | |
| id: version | |
| run: | | |
| git fetch --tags --force | |
| LATEST=$(git tag -l 'v[0-9]*' --sort=-v:refname | head -n1) | |
| if [ -z "$LATEST" ]; then | |
| LATEST="v0.0.0" | |
| fi | |
| echo "latest=$LATEST" >> "$GITHUB_OUTPUT" | |
| VERSION="${LATEST#v}" | |
| MAJOR=$(echo "$VERSION" | cut -d. -f1) | |
| MINOR=$(echo "$VERSION" | cut -d. -f2) | |
| PATCH=$(echo "$VERSION" | cut -d. -f3) | |
| case "${{ steps.level.outputs.level }}" in | |
| major) | |
| MAJOR=$((MAJOR + 1)); MINOR=0; PATCH=0 ;; | |
| minor) | |
| MINOR=$((MINOR + 1)); PATCH=0 ;; | |
| patch) | |
| PATCH=$((PATCH + 1)) ;; | |
| esac | |
| NEXT="v${MAJOR}.${MINOR}.${PATCH}" | |
| echo "next=$NEXT" >> "$GITHUB_OUTPUT" | |
| echo "Next version: $NEXT (from $LATEST, bump=${{ steps.level.outputs.level }})" | |
| - name: Generate release notes | |
| id: notes | |
| env: | |
| VERSION: ${{ steps.version.outputs.next }} | |
| PREV: ${{ steps.version.outputs.latest }} | |
| run: | | |
| { | |
| echo "## Install" | |
| echo | |
| echo '```bash' | |
| echo "go install github.com/${{ github.repository }}@$VERSION" | |
| echo '```' | |
| echo | |
| echo "## Changes" | |
| echo | |
| if [ "$PREV" = "v0.0.0" ]; then | |
| git log --pretty=format:'- %s (%h)' | head -n 200 | |
| else | |
| git log --pretty=format:'- %s (%h)' "$PREV"..HEAD | |
| fi | |
| } > release-notes.md | |
| echo "Generated notes:" | |
| cat release-notes.md | |
| - name: Configure git | |
| run: | | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| - name: Create tag | |
| env: | |
| VERSION: ${{ steps.version.outputs.next }} | |
| run: | | |
| git tag -a "$VERSION" -m "Release $VERSION" | |
| git push origin "$VERSION" | |
| - name: Build release artifacts (vendored source tarball + checksums) | |
| env: | |
| VERSION: ${{ steps.version.outputs.next }} | |
| run: | | |
| set -euo pipefail | |
| mkdir -p dist | |
| # Vendor deps so the tarball builds offline (rules/build.md: | |
| # air-gapped deploys require vendored dependencies). | |
| go mod vendor | |
| # Deterministic tarball of the source tree at this tag, with | |
| # a top-level ctm-<VERSION>/ prefix for friendly extraction. | |
| # Exclude transient artefacts (.git, dist, node_modules, etc.) | |
| # while keeping vendor/ and hidden dotfiles that are part of | |
| # the release (.github, .gitignore). | |
| tar \ | |
| --transform "s,^\\.,ctm-${VERSION}," \ | |
| --exclude='./.git' \ | |
| --exclude='./dist' \ | |
| --exclude='*.DS_Store' \ | |
| -czf "dist/ctm-${VERSION}-src.tar.gz" \ | |
| . | |
| # SHA256SUMS over every artifact in dist/. Format is the GNU | |
| # coreutils standard (`sha256sum -c SHA256SUMS` verifies). | |
| (cd dist && sha256sum *.tar.gz > SHA256SUMS) | |
| echo "Artifacts:" | |
| ls -lh dist | |
| echo "Checksums:" | |
| cat dist/SHA256SUMS | |
| - name: Append checksums to release notes | |
| run: | | |
| { | |
| echo | |
| echo "## Verification" | |
| echo | |
| echo 'Tarball SHA256 sums (also attached as `SHA256SUMS`):' | |
| echo | |
| echo '```' | |
| cat dist/SHA256SUMS | |
| echo '```' | |
| echo | |
| echo 'Verify:' | |
| echo | |
| echo '```bash' | |
| echo 'sha256sum -c SHA256SUMS # inside the dir where both files live' | |
| echo '```' | |
| } >> release-notes.md | |
| - name: Create GitHub release | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| VERSION: ${{ steps.version.outputs.next }} | |
| run: | | |
| gh release create "$VERSION" \ | |
| --title "$VERSION" \ | |
| --notes-file release-notes.md \ | |
| "dist/ctm-${VERSION}-src.tar.gz" \ | |
| dist/SHA256SUMS |