name: Release # Manually triggered ("Run workflow"). On trigger it: # 1. reads the version from package.json, # 2. promotes `## [Unreleased]` content into `## []` in # CHANGELOG.md (and commits + pushes that change back to main), so # the published release notes are never sparse just because the # maintainer didn't pre-stage the [] block by hand, # 3. builds a self-contained bundle for every platform (one runner — there's no # native compilation, so cross-packaging is fine), # 4. creates the GitHub Release (tag v) with all archives, using the # release notes from CHANGELOG.md, # 5. publishes the npm thin-installer (shim + per-platform packages). # # Before triggering: bump package.json. CHANGELOG.md entries can live under # `## [Unreleased]` — step 2 takes care of moving them. Set the NPM_TOKEN secret. on: workflow_dispatch: {} permissions: contents: write # create the GitHub Release + tag, push the CHANGELOG promote jobs: release: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 with: # Default checkout is detached at a SHA; we need an actual branch # so the CHANGELOG-promote commit knows where to push. ref: ${{ github.ref }} - uses: actions/setup-node@v6 with: node-version: 22 registry-url: https://registry.npmjs.org - name: Sync package-lock.json if version drifted # When the maintainer bumps the version on package.json only — for # example via a GitHub web-UI edit — `npm ci` would refuse to run # with `EUSAGE: npm ci can only install packages when your # package.json and package-lock.json … are in sync`. This step # rewrites just the lock-file's version fields (top-level + the # `packages.""` entry) to match package.json, then auto-commits # and pushes the result so on-disk truth on `main` stays # consistent. Idempotent: if the lock file already matches, no # commit is made. run: | set -euo pipefail PKG_V=$(node -p "require('./package.json').version") LOCK_V=$(node -p "require('./package-lock.json').version") if [ "$PKG_V" = "$LOCK_V" ]; then echo "package-lock.json already at $PKG_V — nothing to sync." exit 0 fi echo "Lock-file version drift: lock=$LOCK_V, package=$PKG_V. Syncing." # `--package-lock-only` rewrites only the lock file, doesn't # touch node_modules or actually install anything. Cheap. npm install --package-lock-only --ignore-scripts # Sanity: lockfile should now report the package version. NEW_LOCK_V=$(node -p "require('./package-lock.json').version") if [ "$NEW_LOCK_V" != "$PKG_V" ]; then echo "::error::lock-file still at $NEW_LOCK_V after sync attempt; expected $PKG_V"; exit 1 fi if git diff --quiet -- package-lock.json; then echo "lock file unchanged after sync? bailing"; exit 1 fi git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" git add package-lock.json git commit -m "release: sync package-lock.json to ${PKG_V}" -m "[skip ci] Auto-generated by Release workflow." git push origin "HEAD:${GITHUB_REF#refs/heads/}" - run: npm ci - name: Ensure zip/unzip run: sudo apt-get update -qq && sudo apt-get install -y -qq zip unzip - name: Resolve version id: ver run: echo "version=$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT" - name: Promote [Unreleased] → [] in CHANGELOG.md # Idempotent: a no-op if [Unreleased] is empty OR if the previous # run already moved everything. Auto-commit + push the change back # so the version block on main is the source of truth going # forward (and so subsequent extract-release-notes.mjs calls # surface the full content even if this run is re-triggered). run: | set -euo pipefail V="${{ steps.ver.outputs.version }}" before=$(git rev-parse HEAD) node scripts/prepare-release.mjs "$V" if git diff --quiet -- CHANGELOG.md; then echo "CHANGELOG.md unchanged — nothing to commit." else git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" git add CHANGELOG.md git commit -m "docs(changelog): promote [Unreleased] into [${V}]" -m "[skip ci] Auto-generated by Release workflow." # Push to the branch the workflow was triggered on (main). git push origin "HEAD:${GITHUB_REF#refs/heads/}" fi - name: Build all platform bundles run: | for t in darwin-arm64 darwin-x64 linux-x64 linux-arm64 win32-x64 win32-arm64; do bash scripts/build-bundle.sh "$t" done ls -lh release - name: Generate SHA256SUMS # Published as a release asset; the npm launcher verifies downloaded # bundles against it (basenames only, so its path.basename match works). run: | ( cd release && sha256sum codegraph-* > SHA256SUMS ) cat release/SHA256SUMS - name: Release notes from CHANGELOG.md # The [] block was guaranteed-populated by the # "Promote" step above, so the [Unreleased] fallback should # never be needed in practice. Kept for defense-in-depth. run: | V="${{ steps.ver.outputs.version }}" node scripts/extract-release-notes.mjs "$V" > notes.md 2>/dev/null \ || node scripts/extract-release-notes.mjs Unreleased > notes.md 2>/dev/null || true if [ ! -s notes.md ]; then echo "::error::No release notes in CHANGELOG.md for [$V] or [Unreleased]." exit 1 fi echo "----- release notes -----"; cat notes.md - name: Create GitHub Release env: GH_TOKEN: ${{ github.token }} run: | TAG="v${{ steps.ver.outputs.version }}" # Idempotent: create the release once, otherwise (re-run) refresh assets. if gh release view "$TAG" >/dev/null 2>&1; then gh release upload "$TAG" release/codegraph-* release/SHA256SUMS --clobber else gh release create "$TAG" release/codegraph-* release/SHA256SUMS --title "$TAG" --notes-file notes.md fi - name: Publish to npm env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: | V="${{ steps.ver.outputs.version }}" bash scripts/pack-npm.sh "$V" # Platform packages first, then the main shim (which depends on them). # Skip any already on the registry so a re-run only fills in gaps. for dir in release/npm/codegraph-* release/npm/main; do name=$(node -p "require('./$dir/package.json').name") if npm view "$name@$V" version >/dev/null 2>&1; then echo "skip $name@$V (already published)" else echo "publishing $name@$V" ( cd "$dir" && npm publish --access public ) fi done - name: Verify every package is actually on the registry run: | V="${{ steps.ver.outputs.version }}" # npm publish can print success without persisting; confirm against the # registry (with retries for propagation) so green means really shipped. for dir in release/npm/codegraph-* release/npm/main; do name=$(node -p "require('./$dir/package.json').name") ok= for i in 1 2 3 4 5 6; do if npm view "$name@$V" version >/dev/null 2>&1; then ok=1; break; fi echo "waiting for $name@$V to appear ($i)…"; sleep 10 done [ -n "$ok" ] || { echo "::error::$name@$V never appeared on the registry"; exit 1; } echo "verified $name@$V" done - name: Sync packages to npmmirror # npmmirror/cnpm mirror lazily and frequently never pull the per-platform # optionalDependencies on their own, so `npm i` there fails with # "no prebuilt bundle" (issue #303). Nudge a sync now so mirror users get # the bundle without waiting. Best-effort — the launcher also self-heals # from GitHub Releases — so a mirror hiccup never fails the release. continue-on-error: true run: | for dir in release/npm/codegraph-* release/npm/main; do name=$(node -p "require('./$dir/package.json').name") enc=$(node -p "encodeURIComponent(require('./$dir/package.json').name)") echo "sync $name" curl -s -X PUT "https://registry.npmmirror.com/-/package/$enc/syncs" || true echo done