zero/.github/workflows/release.yml at main · zero-intel/zero · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: Release Artifacts

on:
  push:
    tags:
      - "v*.*.*"

permissions:
  contents: read

jobs:
  public-proof:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: "3.12"
          cache: pip
      - name: Verify public proof surfaces
        run: |
          PYTHONPATH="$PWD/engine/src" scripts/proof_pack.py --check
          PYTHONPATH="$PWD/engine/src" scripts/network_proof_pack.py --check
          PYTHONPATH="$PWD/engine/src" python3 -m zero_engine.mcp --smoke
          PYTHONPATH="$PWD/engine/src" scripts/mcp_transcript.py --check

  registry-readiness:
    needs: [public-proof]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: "3.12"
          cache: pip
      - name: Check package registry readiness without publishing
        run: |
          scripts/registry_readiness.py
          scripts/registry_launch_packet.py --check
          scripts/mcp_registry_packet.py --check
          scripts/mcp_registry_listing_check.py --json

  python-package:
    needs: [registry-readiness]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: "3.12"
          cache: pip
      - name: Build wheel and sdist
        working-directory: engine
        run: |
          python -m pip install --upgrade build
          python -m build
      - name: Generate checksums
        run: python3 scripts/write_sha256s.py engine/dist/SHA256SUMS engine/dist/*
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
        with:
          name: zero-engine-python
          path: engine/dist/*

  cli-binary:
    needs: [registry-readiness]
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            artifact: zero-linux
          - os: macos-latest
            artifact: zero-macos
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - name: Build CLI
        working-directory: cli
        run: cargo build -p zero-os --profile release-small
      - name: Prepare artifact
        run: |
          mkdir -p dist
          cp cli/target/release-small/zero dist/${{ matrix.artifact }}
          python3 scripts/write_sha256s.py dist/SHA256SUMS dist/${{ matrix.artifact }}
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
        with:
          name: ${{ matrix.artifact }}
          path: dist/*

  container-smoke:
    needs: [registry-readiness]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - name: Build paper image
        run: docker build -t zero-public:${{ github.ref_name }} .
      - name: Run paper demo
        run: docker run --rm zero-public:${{ github.ref_name }}
      - name: Run paper example
        run: docker run --rm zero-public:${{ github.ref_name }} python /app/examples/paper-trading/run.py
      - name: Export paper image artifact
        run: |
          mkdir -p dist
          docker save zero-public:${{ github.ref_name }} -o dist/zero-paper-image.tar
          python3 scripts/write_sha256s.py dist/SHA256SUMS dist/zero-paper-image.tar
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
        with:
          name: zero-paper-image
          path: dist/*

  github-release:
    name: Draft GitHub Release
    needs: [python-package, cli-binary, container-smoke]
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
      attestations: write
      artifact-metadata: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
          path: release-artifacts
      - name: Assemble release assets
        run: |
          scripts/assemble_release_assets.sh release-artifacts release-dist
          ls -lh release-dist
      - name: Verify release assets
        run: python3 scripts/release_verify.py release-dist
      - name: Attest release assets
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26
        with:
          subject-checksums: release-dist/SHA256SUMS
      - name: Create or update draft release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          notes_file=".github/RELEASE_TEMPLATE.md"
          if [[ -f "docs/releases/${GITHUB_REF_NAME}.md" ]]; then
            notes_file="docs/releases/${GITHUB_REF_NAME}.md"
          fi
          if gh release view "$GITHUB_REF_NAME" >/dev/null 2>&1; then
            gh release upload "$GITHUB_REF_NAME" release-dist/* --clobber
            gh release edit "$GITHUB_REF_NAME" --notes-file "$notes_file"
          else
            gh release create "$GITHUB_REF_NAME" release-dist/* \
              --draft \
              --verify-tag \
              --title "$GITHUB_REF_NAME" \
              --notes-file "$notes_file"
          fi