Skip to content
.github/workflows/release.yml

ci(sonar): SonarCloud scan workflow + project config #120

Sign in to view logs

ci(sonar): SonarCloud scan workflow + project config

ci(sonar): SonarCloud scan workflow + project config #120

Workflow file for this run

.github/workflows/release.yml at 2bb40a1
# SPDX-License-Identifier: MPL-2.0

Check failure on line 1 in .github/workflows/release.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/release.yml

Invalid workflow file 

(Line: 167, Col: 5): Unexpected value 'uses', (Line: 168, Col: 5): Unexpected value 'with'
# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
#
# Release workflow — triggered by version tags (v*).
# Builds artifacts, generates changelog via git-cliff, creates a GitHub Release,
# and produces SLSA provenance attestations.
name: Release
on:
push:
tags:
- 'v*'
permissions:
contents: read
jobs:
build:
name: Build Artifacts
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: read
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Zig
uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
with:
version: 0.15.2
- name: Fetch cartridges
# Cartridge source lives in the canonical registry, not this repo. Fetch
# it into a flat <name>/ cache and point the build loops below at it.
run: |
BOJ_CARTRIDGES_PATH="$RUNNER_TEMP/cartridges" bash scripts/fetch-cartridges.sh
echo "CARTS_ROOT=$RUNNER_TEMP/cartridges" >> "$GITHUB_ENV"
- name: Build core FFI libraries
run: cd ffi/zig && zig build -Doptimize=ReleaseSafe
- name: Build cartridge shared libraries
run: |
for cart in database-mcp fleet-mcp nesy-mcp agent-mcp cloud-mcp container-mcp k8s-mcp git-mcp secrets-mcp queues-mcp iac-mcp observe-mcp ssg-mcp proof-mcp lsp-mcp dap-mcp bsp-mcp feedback-mcp; do
echo "Building $cart .so..."
cd "$CARTS_ROOT/$cart/ffi" && zig build -Doptimize=ReleaseSafe
cd "$GITHUB_WORKSPACE"
done
- name: Collect release artifacts
run: |
mkdir -p release-artifacts/core release-artifacts/cartridges
# Core static libraries and benchmark binary
cp ffi/zig/zig-out/lib/*.a release-artifacts/core/
cp ffi/zig/zig-out/bin/boj_bench release-artifacts/core/ 2>/dev/null || true
# Cartridge shared libraries (built from the fetched cache)
for cart in database-mcp fleet-mcp nesy-mcp agent-mcp cloud-mcp container-mcp k8s-mcp git-mcp secrets-mcp queues-mcp iac-mcp observe-mcp ssg-mcp proof-mcp lsp-mcp dap-mcp bsp-mcp feedback-mcp; do
cp "$CARTS_ROOT/$cart/ffi/zig-out/lib/"*.so "release-artifacts/cartridges/" 2>/dev/null || true
done
- name: Create release tarball
run: |
VERSION="${GITHUB_REF_NAME#v}"
tar czf "boj-server-${VERSION}-linux-x86_64.tar.gz" -C release-artifacts .
- name: Generate artifact hashes
id: hash
run: |
VERSION="${GITHUB_REF_NAME#v}"
HASHES=$(sha256sum "boj-server-${VERSION}-linux-x86_64.tar.gz" | base64 -w0)
echo "hashes=${HASHES}" >> "$GITHUB_OUTPUT"
- name: Upload build artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: release-artifacts
path: boj-server-*-linux-x86_64.tar.gz
retention-days: 5
changelog:
name: Generate Changelog
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: read
outputs:
changelog: ${{ steps.cliff.outputs.content }}
version: ${{ steps.version.outputs.version }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Extract version from tag
id: version
run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
- name: Install git-cliff
run: |
curl -sSfL https://github.com/orhun/git-cliff/releases/latest/download/git-cliff-$(uname -m)-unknown-linux-gnu.tar.gz \
| tar -xz --strip-components=1 -C /usr/local/bin/ git-cliff-*/git-cliff
- name: Generate changelog for this release
id: cliff
run: |
# Generate changelog for the current tag only
CHANGELOG=$(git cliff --latest --strip header)
# Write to output using delimiter to handle multiline
{
echo "content<<CLIFF_EOF"
echo "$CHANGELOG"
echo "CLIFF_EOF"
} >> "$GITHUB_OUTPUT"
- name: Update full CHANGELOG.md
run: |
git cliff --output CHANGELOG.md
- name: Upload updated CHANGELOG.md
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: changelog
path: CHANGELOG.md
retention-days: 5
release:
name: Create GitHub Release
needs: [build, changelog]
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Download build artifacts
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: release-artifacts
path: artifacts/
- name: Create GitHub Release
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
with:
body: ${{ needs.changelog.outputs.changelog }}
draft: false
prerelease: ${{ contains(github.ref_name, '-rc') || contains(github.ref_name, '-beta') || contains(github.ref_name, '-alpha') }}
generate_release_notes: false
files: |
artifacts/*
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
provenance:
name: SLSA Provenance
needs: [build]
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
actions: read
id-token: write
contents: write
# SLSA generator must run in a separate, isolated workflow
# See: https://slsa.dev/spec/v1.0/requirements#build-l3
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"