diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2e8ee67..fbffd97 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -113,7 +113,7 @@ jobs:
 } >> "$GITHUB_OUTPUT"
 build:
- name: Build / ${{ matrix.name }}
+ name: Build / ${{ matrix.flavor }} / ${{ matrix.name }}
 needs: preflight
 runs-on: ${{ matrix.runner }}
 timeout-minutes: 35
@@ -129,12 +129,45 @@ jobs:
 - name: linux-x64
 runner: ubuntu-24.04
 target: bun-linux-x64
+ flavor: external
+ build_mode: external
+ asset_suffix: ''
+ smoke_extra: ''
 - name: darwin-arm64
 runner: macos-14
 target: bun-darwin-arm64
+ flavor: external
+ build_mode: external
+ asset_suffix: ''
+ smoke_extra: ''
 - name: darwin-x64
 runner: macos-15-intel
 target: bun-darwin-x64
+ flavor: external
+ build_mode: external
+ asset_suffix: ''
+ smoke_extra: ''
+ - name: linux-x64
+ runner: ubuntu-24.04
+ target: bun-linux-x64
+ flavor: dev
+ build_mode: noumena
+ asset_suffix: '-dev'
+ smoke_extra: '--skip-exposure-audit'
+ - name: darwin-arm64
+ runner: macos-14
+ target: bun-darwin-arm64
+ flavor: dev
+ build_mode: noumena
+ asset_suffix: '-dev'
+ smoke_extra: '--skip-exposure-audit'
+ - name: darwin-x64
+ runner: macos-15-intel
+ target: bun-darwin-x64
+ flavor: dev
+ build_mode: noumena
+ asset_suffix: '-dev'
+ smoke_extra: '--skip-exposure-audit'
 steps:
 - name: Checkout
@@ -163,7 +196,7 @@ jobs:
 ~/.cargo/registry
 native/markdown-renderer-napi/target
 native/openai-compat-ws-v2-napi/target
- key: ${{ runner.os }}-${{ runner.arch }}-cargo-${{ hashFiles('native/**/Cargo.lock') }}
+ key: ${{ runner.os }}-${{ runner.arch }}-cargo-${{ matrix.flavor }}-${{ hashFiles('native/**/Cargo.lock') }}
 restore-keys: |
 ${{ runner.os }}-${{ runner.arch }}-cargo-
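Review bot: The dev jobs run without the source exposure audit, because the three `flavor: dev` entries in the `@@ -129,12 +129,45 @@` hunk set `smoke_extra: '--skip-exposure-audit'` and the new `if (args.runExposureAudit)` guard in `main` of build/packageSmoke.mjs then skips the check, yet RELEASING.md in this commit says dev assets are public and held to the same secrets policy as the default ones. The workflow gives no reason for the skip, and no other check on the dev artifacts is visible in this diff. As called in packageSmoke.mjs the audit takes only an allowlist, so it looks independent of build mode; if it does fail on `noumena` builds, a narrower allowlist keeps the gate where the flag removes it. At minimum each dev entry needs a comment such as `# exposure audit skipped for dev: <reason>; dev artifacts are checked by <step>`, and packageSmoke.mjs could log a line when the flag is used so the skip shows in the job log.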
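Review bot: `restore-keys` in the `@@ -163,7 +196,7 @@` hunk is still the flavor-less prefix `${{ runner.os }}-${{ runner.arch }}-cargo-`, so on a miss of the new key a job can restore the `native/*/target` directories saved by the other flavor. If the reason for adding `${{ matrix.flavor }}` to `key` is to keep dev and external build outputs apart, the fallback needs it too: `${{ runner.os }}-${{ runner.arch }}-cargo-${{ matrix.flavor }}-`. The cache step itself begins above the hunk.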
@@ -181,15 +214,15 @@ jobs:
 set -euo pipefail
 OUT_DIR="$RUNNER_TEMP/ncode-release"
 bun build/packageSmoke.mjs \
- --build-mode external \
+ --build-mode "${{ matrix.build_mode }}" \
 --target "${{ matrix.target }}" \
 --out-dir "$OUT_DIR" \
- --keep-output
+ --keep-output ${{ matrix.smoke_extra }}
 version="${{ needs.preflight.outputs.version }}"
 slug="${{ matrix.target }}"
 slug="${slug#bun-}"
- base="ncode-${version}-${slug}"
+ base="ncode-${version}${{ matrix.asset_suffix }}-${slug}"
 zip_path="$OUT_DIR/${base}.zip"
 manifest_path="$OUT_DIR/${base}/manifest.json"
@@ -210,7 +243,7 @@ jobs:
 - name: Upload release assets
 uses: actions/upload-artifact@v4
 with:
- name: release-assets-${{ matrix.name }}
+ name: release-assets-${{ matrix.flavor }}-${{ matrix.name }}
 path: release-assets/*
 if-no-files-found: error
 retention-days: 14
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c84e6db..44bbd05 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ See [RELEASING.md](./RELEASING.md) for the release process and version-bump poli
 ### Added
 - GitHub Actions now build, attest, and publish Linux and macOS release artifacts from version tags on `main`.
+- Release workflow now builds default and dev flavor artifacts for each supported platform.
 - Load `AGENTS.md` and `.agents/` instructions into context via the `agentsmd` loader ([#15](https://github.com/Noumena-Network/code/pull/15))
 - GLM 5.2 managed first-party model profile and tier routing ([#17](https://github.com/Noumena-Network/code/pull/17))
 - GLM 5.2 promoted to the first-party default model ([#21](https://github.com/Noumena-Network/code/pull/21))
diff --git a/RELEASING.md b/RELEASING.md
index 5b15851..277b8b2 100644
--- a/RELEASING.md
+++ b/RELEASING.md
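Review bot: `${{ matrix.build_mode }}`, `${{ matrix.smoke_extra }}` and `${{ matrix.asset_suffix }}` in the `@@ -181,15 +214,15 @@` hunk are expanded into the script text before the shell parses it, and `smoke_extra` is left unquoted so that an empty value disappears. The values are literals from this workflow's own matrix, so nothing untrusted reaches the script as written, but the step stops being safe as soon as a matrix value is derived from an input or a ref. Mapping them through the step's `env:` (for example `SMOKE_EXTRA: ${{ matrix.smoke_extra }}`) and writing `--build-mode "$BUILD_MODE"` and `--keep-output $SMOKE_EXTRA` keeps the same behaviour with the shell doing the expansion. The step header, where `env:` would go, is outside the hunk.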
@@ -67,14 +67,16 @@ A release is not ready to tag until the dry-run succeeds for all release targets 8. After merge, run a `Release` workflow dry-run with `publish=false` on the merge commit. 9. After the dry-run succeeds, create and push tag `vX.Y.Z` on the merge commit on `main`. The GitHub Actions release workflow validates the tag, builds Linux and macOS artifacts, and publishes the GitHub release. Release notes are pulled from the `## [VERSION]` section verbatim. -The release workflow currently publishes: +The release workflow currently publishes two flavors per supported platform: -- `ncode-VERSION-linux-x64.zip` from `ubuntu-24.04` (`bun-linux-x64`) -- `ncode-VERSION-darwin-arm64.zip` from `macos-14` (`bun-darwin-arm64`) -- `ncode-VERSION-darwin-x64.zip` from `macos-15-intel` (`bun-darwin-x64`) +- `ncode-VERSION-linux-x64.zip` and `ncode-VERSION-dev-linux-x64.zip` from `ubuntu-24.04` (`bun-linux-x64`) +- `ncode-VERSION-darwin-arm64.zip` and `ncode-VERSION-dev-darwin-arm64.zip` from `macos-14` (`bun-darwin-arm64`) +- `ncode-VERSION-darwin-x64.zip` and `ncode-VERSION-dev-darwin-x64.zip` from `macos-15-intel` (`bun-darwin-x64`) - matching `.sha256` checksum files and `.manifest.json` files for each artifact - GitHub artifact attestations for the release assets +Both flavors are published as public assets on the same GitHub release. Dev artifacts must follow the same secrets policy as default artifacts: no credentials, private tokens, or private registry pointers. + Tags must point to commits reachable from `origin/main`, must match `package.json` (`v${version}`), and must have a matching `CHANGELOG.md` release section. If a revert is needed between tag and publish, delete the tag, revert the release commit, and re-cut. If a published release is bad, create a new patch release rather than mutating the released asset in place. diff --git a/build/packageSmoke.mjs b/build/packageSmoke.mjs index 5e58db5..6671363 100644 --- a/build/packageSmoke.mjs 
+++ b/build/packageSmoke.mjs
@@ -34,6 +34,7 @@ function parseArgs(argv) {
 buildMode: 'noumena',
 runBinaryChecks: true,
 runNativeProbe: true,
+ runExposureAudit: true,
 keepOutput: false,
 };
 for (let index = 0; index < argv.length; index += 1) {
@@ -52,6 +53,8 @@ function parseArgs(argv) {
 args.runNativeProbe = false;
 } else if (arg === '--no-native-probe') {
 args.runNativeProbe = false;
+ } else if (arg === '--skip-exposure-audit') {
+ args.runExposureAudit = false;
 } else if (arg === '--keep-output') {
 args.keepOutput = true;
 } else {
@@ -111,13 +114,15 @@ function expectLinesInOrder(lines, expectedLines, label) {
 async function main() {
 const args = parseArgs(process.argv.slice(2));
- const sourceAuditFindings = runExposureAudit({
- allowlist: getDefaultAllowlist(),
- });
- if (sourceAuditFindings.length > 0) {
- throw new Error(
- `Repo source exposure audit failed before build:\n${formatFindings(sourceAuditFindings)}`,
- );
+ if (args.runExposureAudit) {
+ const sourceAuditFindings = runExposureAudit({
+ allowlist: getDefaultAllowlist(),
+ });
+ if (sourceAuditFindings.length > 0) {
+ throw new Error(
+ `Repo source exposure audit failed before build:\n${formatFindings(sourceAuditFindings)}`,
+ );
+ }
 }
 const tempRoot = args.outDir ??