sprout/.github/workflows/release.yml at 7c6c40c7c8f713810e8d349612629b13a252704a · block/sprout · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
name: Canary Release

on:
  workflow_run:
    workflows: ["CI"]
    branches: [main]
    types: [completed]
  workflow_dispatch:

concurrency:
  group: release
  cancel-in-progress: true

permissions: {}

jobs:
  resolve:
    if: |
      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') ||
      (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      sha: ${{ steps.resolve.outputs.sha }}
    steps:
      - name: Resolve commit SHA
        id: resolve
        env:
          WF_SHA: ${{ github.event.workflow_run.head_sha }}
          FALLBACK_SHA: ${{ github.sha }}
        run: echo "sha=${WF_SHA:-$FALLBACK_SHA}" >> "$GITHUB_OUTPUT"

  build:
    needs: resolve
    permissions:
      contents: read
    timeout-minutes: 30
    strategy:
      fail-fast: false
      matrix:
        target:
          - x86_64-unknown-linux-musl
          - aarch64-unknown-linux-musl

    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ needs.resolve.outputs.sha }}

      - name: Activate Hermit
        uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1

      - name: Cache Rust artifacts
        uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
        with:
          key: ${{ matrix.target }}

      - name: Install cross
        uses: taiki-e/install-action@0abfcd587b70a713fdaa7fb502c885e2112acb15 # v2
        with:
          tool: cross@0.2.5

      - name: Build binaries
        env:
          TARGET: ${{ matrix.target }}
        run: |
          cross build --release --target "$TARGET" \
            -p sprout-relay \
            -p sprout-acp \
            -p sprout-mcp

      - name: Package tarballs
        env:
          TARGET: ${{ matrix.target }}
        run: |
          BIN="target/${TARGET}/release"

          mkdir sprout-relay && cp "${BIN}/sprout-relay" sprout-relay/
          tar czf "sprout-relay-canary-${TARGET}.tar.gz" sprout-relay

          mkdir sprout-agent && cp "${BIN}/sprout-acp" "${BIN}/sprout-mcp-server" sprout-agent/
          tar czf "sprout-agent-canary-${TARGET}.tar.gz" sprout-agent

      - name: Upload artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: sprout-${{ matrix.target }}
          path: sprout-*-canary-${{ matrix.target }}.tar.gz
          retention-days: 1

  bundle-desktop-macos:
    needs: resolve
    uses: ./.github/workflows/bundle-desktop-macos.yml
    permissions:
      id-token: write
      contents: read
    with:
      ref: ${{ needs.resolve.outputs.sha }}
      signing: true
    secrets:
      OSX_CODESIGN_ROLE: ${{ secrets.OSX_CODESIGN_ROLE }}
      CODESIGN_S3_BUCKET: ${{ secrets.CODESIGN_S3_BUCKET }}

  release:
    needs: [resolve, build, bundle-desktop-macos]
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: write

    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          ref: ${{ needs.resolve.outputs.sha }}

      - name: Download all artifacts
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          path: dist/
          merge-multiple: true

      - name: Get build timestamp
        id: timestamp
        run: echo "ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"

      - name: Force-move canary tag
        env:
          COMMIT_SHA: ${{ needs.resolve.outputs.sha }}
        run: |
          git tag -f canary "$COMMIT_SHA"
          git push origin canary --force

      - name: Create or update canary release
        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1
        with:
          tag: canary
          name: "Canary (latest main)"
          body: |
            Pre-alpha canary build. Not for production.

            Built from commit `${{ needs.resolve.outputs.sha }}` at ${{ steps.timestamp.outputs.ts }}.

            **Relay**: `sprout-relay-canary-<target>.tar.gz`
            **Agent tooling** (ACP harness + MCP server): `sprout-agent-canary-<target>.tar.gz`
            **Desktop** (macOS arm64): `Sprout-darwin-arm64.zip`
          prerelease: true
          allowUpdates: true
          removeArtifacts: true
          artifacts: "dist/*.tar.gz,dist/*.zip"
          token: ${{ secrets.GITHUB_TOKEN }}