45 changes: 39 additions & 6 deletions .github/workflows/release.yml
@@ -113,7 +113,7 @@ jobs:
} >> "$GITHUB_OUTPUT"

build:
name: Build / ${{ matrix.name }}
name: Build / ${{ matrix.flavor }} / ${{ matrix.name }}
needs: preflight
runs-on: ${{ matrix.runner }}
timeout-minutes: 35
@@ -129,12 +129,45 @@ jobs:
- name: linux-x64
runner: ubuntu-24.04
target: bun-linux-x64
flavor: external
build_mode: external
asset_suffix: ''
smoke_extra: ''
- name: darwin-arm64
runner: macos-14
target: bun-darwin-arm64
flavor: external
build_mode: external
asset_suffix: ''
smoke_extra: ''
- name: darwin-x64
runner: macos-15-intel
target: bun-darwin-x64
flavor: external
build_mode: external
asset_suffix: ''
smoke_extra: ''
- name: linux-x64
runner: ubuntu-24.04
target: bun-linux-x64
flavor: dev
build_mode: noumena
asset_suffix: '-dev'
smoke_extra: '--skip-exposure-audit'
- name: darwin-arm64
runner: macos-14
target: bun-darwin-arm64
flavor: dev
build_mode: noumena
asset_suffix: '-dev'
smoke_extra: '--skip-exposure-audit'
- name: darwin-x64
runner: macos-15-intel
target: bun-darwin-x64
flavor: dev
build_mode: noumena
asset_suffix: '-dev'
smoke_extra: '--skip-exposure-audit'

steps:
- name: Checkout
@@ -163,7 +196,7 @@ jobs:
~/.cargo/registry
native/markdown-renderer-napi/target
native/openai-compat-ws-v2-napi/target
key: ${{ runner.os }}-${{ runner.arch }}-cargo-${{ hashFiles('native/**/Cargo.lock') }}
key: ${{ runner.os }}-${{ runner.arch }}-cargo-${{ matrix.flavor }}-${{ hashFiles('native/**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-${{ runner.arch }}-cargo-

@@ -181,15 +214,15 @@ jobs:
set -euo pipefail
OUT_DIR="$RUNNER_TEMP/ncode-release"
bun build/packageSmoke.mjs \
--build-mode external \
--build-mode "${{ matrix.build_mode }}" \
--target "${{ matrix.target }}" \
--out-dir "$OUT_DIR" \
--keep-output
--keep-output ${{ matrix.smoke_extra }}

version="${{ needs.preflight.outputs.version }}"
slug="${{ matrix.target }}"
slug="${slug#bun-}"
base="ncode-${version}-${slug}"
base="ncode-${version}${{ matrix.asset_suffix }}-${slug}"
zip_path="$OUT_DIR/${base}.zip"
manifest_path="$OUT_DIR/${base}/manifest.json"

@@ -210,7 +243,7 @@ jobs:
- name: Upload release assets
uses: actions/upload-artifact@v4
with:
name: release-assets-${{ matrix.name }}
name: release-assets-${{ matrix.flavor }}-${{ matrix.name }}
path: release-assets/*
if-no-files-found: error
retention-days: 14
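Review bot: The three dev matrix entries set `smoke_extra: '--skip-exposure-audit'`, so artifacts built with `build_mode: noumena` reach the `Upload release assets` step without the source exposure audit that the external flavor still runs. The RELEASING.md change in this same commit states that both flavors are public assets and that dev artifacts must follow the same secrets policy, yet nothing visible in this workflow enforces that policy for the dev flavor once the audit is off. Consider keeping the audit enabled with a dev-specific allowlist rather than skipping it, or holding dev artifacts back from the public release until an equivalent gate exists. Separately, `restore-keys` still ends at `cargo-`, so a miss on the new flavor-scoped key can restore the other flavor's cargo cache; if isolation is the intent, use `${{ runner.os }}-${{ runner.arch }}-cargo-${{ matrix.flavor }}-`.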
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -12,6 +12,7 @@ See [RELEASING.md](./RELEASING.md) for the release process and version-bump poli
### Added

- GitHub Actions now build, attest, and publish Linux and macOS release artifacts from version tags on `main`.
- Release workflow now builds default and dev flavor artifacts for each supported platform.
- Load `AGENTS.md` and `.agents/` instructions into context via the `agentsmd` loader ([#15](https://github.com/Noumena-Network/code/pull/15))
- GLM 5.2 managed first-party model profile and tier routing ([#17](https://github.com/Noumena-Network/code/pull/17))
- GLM 5.2 promoted to the first-party default model ([#21](https://github.com/Noumena-Network/code/pull/21))
10 changes: 6 additions & 4 deletions RELEASING.md
@@ -67,14 +67,16 @@ A release is not ready to tag until the dry-run succeeds for all release targets
8. After merge, run a `Release` workflow dry-run with `publish=false` on the merge commit.
9. After the dry-run succeeds, create and push tag `vX.Y.Z` on the merge commit on `main`. The GitHub Actions release workflow validates the tag, builds Linux and macOS artifacts, and publishes the GitHub release. Release notes are pulled from the `## [VERSION]` section verbatim.

The release workflow currently publishes:
The release workflow currently publishes two flavors per supported platform:

- `ncode-VERSION-linux-x64.zip` from `ubuntu-24.04` (`bun-linux-x64`)
- `ncode-VERSION-darwin-arm64.zip` from `macos-14` (`bun-darwin-arm64`)
- `ncode-VERSION-darwin-x64.zip` from `macos-15-intel` (`bun-darwin-x64`)
- `ncode-VERSION-linux-x64.zip` and `ncode-VERSION-dev-linux-x64.zip` from `ubuntu-24.04` (`bun-linux-x64`)
- `ncode-VERSION-darwin-arm64.zip` and `ncode-VERSION-dev-darwin-arm64.zip` from `macos-14` (`bun-darwin-arm64`)
- `ncode-VERSION-darwin-x64.zip` and `ncode-VERSION-dev-darwin-x64.zip` from `macos-15-intel` (`bun-darwin-x64`)
- matching `.sha256` checksum files and `.manifest.json` files for each artifact
- GitHub artifact attestations for the release assets

Both flavors are published as public assets on the same GitHub release. Dev artifacts must follow the same secrets policy as default artifacts: no credentials, private tokens, or private registry pointers.

Tags must point to commits reachable from `origin/main`, must match `package.json` (`v${version}`), and must have a matching `CHANGELOG.md` release section.

If a revert is needed between tag and publish, delete the tag, revert the release commit, and re-cut. If a published release is bad, create a new patch release rather than mutating the released asset in place.
19 changes: 12 additions & 7 deletions build/packageSmoke.mjs
@@ -34,6 +34,7 @@ function parseArgs(argv) {
buildMode: 'noumena',
runBinaryChecks: true,
runNativeProbe: true,
runExposureAudit: true,
keepOutput: false,
};
for (let index = 0; index < argv.length; index += 1) {
@@ -52,6 +53,8 @@ function parseArgs(argv) {
args.runNativeProbe = false;
} else if (arg === '--no-native-probe') {
args.runNativeProbe = false;
} else if (arg === '--skip-exposure-audit') {
args.runExposureAudit = false;
} else if (arg === '--keep-output') {
args.keepOutput = true;
} else {
@@ -111,13 +114,15 @@ function expectLinesInOrder(lines, expectedLines, label) {

async function main() {
const args = parseArgs(process.argv.slice(2));
const sourceAuditFindings = runExposureAudit({
allowlist: getDefaultAllowlist(),
});
if (sourceAuditFindings.length > 0) {
throw new Error(
`Repo source exposure audit failed before build:\n${formatFindings(sourceAuditFindings)}`,
);
if (args.runExposureAudit) {
const sourceAuditFindings = runExposureAudit({
allowlist: getDefaultAllowlist(),
});
if (sourceAuditFindings.length > 0) {
throw new Error(
`Repo source exposure audit failed before build:\n${formatFindings(sourceAuditFindings)}`,
);
}
}

const tempRoot = args.outDir ??
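Review bot: `--skip-exposure-audit` switches off the pre-build source audit without leaving any trace in the job log, and nothing visible in `parseArgs` or `main` prevents it from being combined with `--build-mode external`. Refuse the flag for the external flavor at the top of `main`, for example `if (!args.runExposureAudit && args.buildMode === 'external') throw new Error('--skip-exposure-audit is not allowed for external builds');`, and emit a `console.warn` on the skipped path so the release log records that the gate did not run. A short comment above `if (args.runExposureAudit)` explaining which builds may skip the audit, and why, would help the next reader. Both `parseArgs` and `main` continue outside the visible hunks, so whether a later artifact-level audit still runs cannot be confirmed from here.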