release.yml

name: release

on:
  push:
    tags:
      - "v*"

concurrency:
  group: release-${{ github.ref_name }}
  cancel-in-progress: false

permissions:
  contents: write
  id-token: write
  actions: read

env:
  ALPINE_IMAGE_REF: alpine:latest@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11

jobs:
  verify-tag-source:
    name: verify tag source state
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
    defaults:
      run:
        shell: bash
    steps:
      - name: Check out repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          submodules: recursive
          fetch-depth: 0

      - name: Resolve tag version
        id: version
        run: |
          set -euo pipefail
          version="${GITHUB_REF_NAME#v}"
          if [[ ! "${GITHUB_REF_NAME}" =~ ^v[0-9]+(\.[0-9]+){2}([-.][0-9A-Za-z.-]+)?$ ]]; then
            echo "tag must be a semver with leading v, got: ${GITHUB_REF_NAME}" >&2
            exit 1
          fi
          echo "version=$version" >>"$GITHUB_OUTPUT"

      - name: Verify tag commit is anchored on origin/main
        run: |
          set -euo pipefail
          git fetch --no-tags origin main:refs/remotes/origin/main
          git merge-base --is-ancestor "$GITHUB_SHA" "origin/main"

      - name: Validate committed release version state
        run: |
          set -euo pipefail
          source_version="$(sed -n 's/^const Version = "\(.*\)"$/\1/p' internal/bootstrap/version.go)"
          if [[ -z "${source_version}" ]]; then
            echo "failed to resolve bootstrap.Version from internal/bootstrap/version.go" >&2
            exit 1
          fi
          if [[ "${source_version}" != "${{ steps.version.outputs.version }}" ]]; then
            echo "tag version ${{ steps.version.outputs.version }} does not match bootstrap.Version ${source_version}" >&2
            exit 1
          fi

  linux-build:
    name: linux build (${{ matrix.platform_id }})
    runs-on: ${{ matrix.runner }}
    needs: verify-tag-source
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform_id: linux-amd64
            goos: linux
            goarch: amd64
            rust_target: x86_64-unknown-linux-gnu
            runner: ubuntu-latest
            manylinux_image: quay.io/pypa/manylinux2014_x86_64@sha256:96412a3110ba598851ba1cd9bfa66b74c2903bfec1af978f5e55def5f0f1912c
          - platform_id: linux-arm64
            goos: linux
            goarch: arm64
            rust_target: aarch64-unknown-linux-gnu
            runner: ubuntu-24.04-arm
            manylinux_image: quay.io/pypa/manylinux2014_aarch64@sha256:2cfb8a1feca0f640b26689e27aadff0a8ff367243d2672a31207d075318d26c7
    defaults:
      run:
        shell: bash
    env:
      PURE_SIMDJSON_PAGESIZE_PROOF_OUTPUT: ${{ github.workspace }}/linux-arm64-pagesize.txt
    steps:
      - name: Check out repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          submodules: recursive

      - name: Resolve release metadata
        id: metadata
        run: |
          set -euo pipefail

          version="${{ needs.verify-tag-source.outputs.version }}"
          if [[ -z "$version" ]]; then
            echo "failed to resolve release version from the pushed tag" >&2
            exit 1
          fi

          SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)"
          echo "SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH" >>"$GITHUB_ENV"
          echo "version=$version" >>"$GITHUB_OUTPUT"
          echo "source-date-epoch=$SOURCE_DATE_EPOCH" >>"$GITHUB_OUTPUT"

      - name: Record linux/arm64 4K page-size proof
        if: ${{ matrix.platform_id == 'linux-arm64' }}
        run: |
          set -euo pipefail
          bash scripts/release/build_linux_manylinux.sh prove-pagesize \
            --linux-platform linux/arm64 \
            --output linux-arm64-pagesize.txt

      - name: Build shared library
        id: build
        uses: ./.github/actions/build-shared-library
        with:
          target: ${{ matrix.rust_target }}
          goos: ${{ matrix.goos }}
          goarch: ${{ matrix.goarch }}
          runner_kind: linux
          manylinux_image: ${{ matrix.manylinux_image }}
          source_date_epoch: ${{ steps.metadata.outputs.source-date-epoch }}
          verify_reproducible: true
          # Escape hatch stays explicit: keep use_zigbuild false unless a later
          # manual path proves manylinux is blocked.
          use_zigbuild: "false"

      - name: Verify glibc floor and linux export surface
        run: |
          set -euo pipefail
          bash scripts/release/verify_glibc_floor.sh "${{ steps.build.outputs.built-library-path }}"

      - name: Package linux shared library
        id: package
        uses: ./.github/actions/package-shared-artifact
        with:
          input: ${{ steps.build.outputs.built-library-path }}
          goos: ${{ matrix.goos }}
          goarch: ${{ matrix.goarch }}
          rust-target: ${{ matrix.rust_target }}
          version: ${{ steps.metadata.outputs.version }}
          out-dir: ${{ github.workspace }}/dist/${{ matrix.platform_id }}

      - name: Promote linux manifest row for staged assembly
        run: |
          set -euo pipefail
          mv "${{ steps.package.outputs.manifest-path }}" \
            "${{ github.workspace }}/dist/${{ matrix.platform_id }}/manifest-${{ matrix.platform_id }}.json"

      - name: Run CI-04 native smoke gate (ffi_export_surface.c + minimal_parse.c)
        run: |
          set -euo pipefail
          bash scripts/release/run_native_smoke.sh \
            "${{ steps.package.outputs.r2-path }}" \
            "${{ matrix.platform_id }}"

      - name: Upload staged linux artifact bundle
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: release-${{ matrix.platform_id }}
          if-no-files-found: error
          path: ${{ github.workspace }}/dist/${{ matrix.platform_id }}

  darwin-build:
    name: darwin build (${{ matrix.platform_id }})
    runs-on: ${{ matrix.runner }}
    needs: verify-tag-source
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform_id: darwin-amd64
            goos: darwin
            goarch: amd64
            rust_target: x86_64-apple-darwin
            runner: macos-15-intel
            expected_file_arch: x86_64
            expected_r2_filename: libpure_simdjson.dylib
            expected_github_asset_name: libpure_simdjson-darwin-amd64.dylib
          - platform_id: darwin-arm64
            goos: darwin
            goarch: arm64
            rust_target: aarch64-apple-darwin
            runner: macos-15
            expected_file_arch: arm64
            expected_r2_filename: libpure_simdjson.dylib
            expected_github_asset_name: libpure_simdjson-darwin-arm64.dylib
    defaults:
      run:
        shell: bash
    steps:
      - name: Check out repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          submodules: recursive

      - name: Resolve release metadata
        id: metadata
        run: |
          set -euo pipefail

          version="${{ needs.verify-tag-source.outputs.version }}"
          if [[ -z "$version" ]]; then
            echo "failed to resolve release version from the pushed tag" >&2
            exit 1
          fi

          SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)"
          echo "SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH" >>"$GITHUB_ENV"
          echo "version=$version" >>"$GITHUB_OUTPUT"
          echo "source-date-epoch=$SOURCE_DATE_EPOCH" >>"$GITHUB_OUTPUT"

      - name: Build shared library
        id: build
        uses: ./.github/actions/build-shared-library
        with:
          target: ${{ matrix.rust_target }}
          goos: ${{ matrix.goos }}
          goarch: ${{ matrix.goarch }}
          runner_kind: darwin
          source_date_epoch: ${{ steps.metadata.outputs.source-date-epoch }}
          verify_reproducible: true

      - name: Ad-hoc codesign darwin dylib
        run: |
          set -euo pipefail
          codesign -s - --force --timestamp=none "${{ steps.build.outputs.built-library-path }}"
          codesign --verify --verbose "${{ steps.build.outputs.built-library-path }}"

      - name: Verify darwin dylib is thin
        run: |
          set -euo pipefail
          file_output="$(file "${{ steps.build.outputs.built-library-path }}")"
          echo "$file_output"
          if [[ -n "${GITHUB_STEP_SUMMARY:-}" ]]; then
            printf '### %s file output\n\n```\n%s\n```\n' "${{ matrix.platform_id }}" "$file_output" >>"$GITHUB_STEP_SUMMARY"
          fi
          if grep -Eiq 'fat|universal' <<<"$file_output"; then
            echo "expected a thin darwin binary, got: $file_output" >&2
            exit 1
          fi
          if ! grep -q "${{ matrix.expected_file_arch }}" <<<"$file_output"; then
            echo "expected darwin binary for arch ${{ matrix.expected_file_arch }}, got: $file_output" >&2
            exit 1
          fi

      - name: Package darwin shared library
        id: package
        uses: ./.github/actions/package-shared-artifact
        with:
          input: ${{ steps.build.outputs.built-library-path }}
          goos: ${{ matrix.goos }}
          goarch: ${{ matrix.goarch }}
          rust-target: ${{ matrix.rust_target }}
          version: ${{ steps.metadata.outputs.version }}
          out-dir: ${{ github.workspace }}/dist/${{ matrix.platform_id }}

      - name: Assert darwin artifact names
        run: |
          set -euo pipefail
          test "${{ steps.package.outputs.github-asset-name }}" = "${{ matrix.expected_github_asset_name }}"
          test "$(basename "${{ steps.package.outputs.r2-path }}")" = "${{ matrix.expected_r2_filename }}"

      - name: Promote darwin manifest row for staged assembly
        run: |
          set -euo pipefail
          mv "${{ steps.package.outputs.manifest-path }}" \
            "${{ github.workspace }}/dist/${{ matrix.platform_id }}/manifest-${{ matrix.platform_id }}.json"

      - name: Run CI-04 native smoke gate (ffi_export_surface.c + minimal_parse.c)
        run: |
          set -euo pipefail
          bash scripts/release/run_native_smoke.sh \
            "${{ steps.package.outputs.r2-path }}" \
            "${{ matrix.platform_id }}"

      - name: Upload staged darwin artifact bundle
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: release-${{ matrix.platform_id }}
          if-no-files-found: error
          path: ${{ github.workspace }}/dist/${{ matrix.platform_id }}

  windows-build:
    name: windows build (${{ matrix.platform_id }})
    runs-on: ${{ matrix.runner }}
    needs: verify-tag-source
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform_id: windows-amd64
            goos: windows
            goarch: amd64
            rust_target: x86_64-pc-windows-msvc
            runner: windows-latest
            expected_r2_filename: pure_simdjson-msvc.dll
            expected_github_asset_name: pure_simdjson-windows-amd64-msvc.dll
            import_library_name: pure_simdjson.dll.lib
            dependency_report_name: windows-dependents.txt
    defaults:
      run:
        shell: bash
    steps:
      - name: Configure MSVC developer shell
        uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756

      - name: Enable git long paths
        shell: pwsh
        run: git config --system core.longpaths true

      - name: Check out repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          submodules: recursive

      - name: Resolve release metadata
        id: metadata
        run: |
          set -euo pipefail

          version="${{ needs.verify-tag-source.outputs.version }}"
          if [[ -z "$version" ]]; then
            echo "failed to resolve release version from the pushed tag" >&2
            exit 1
          fi

          SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)"
          echo "SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH" >>"$GITHUB_ENV"
          echo "version=$version" >>"$GITHUB_OUTPUT"
          echo "source-date-epoch=$SOURCE_DATE_EPOCH" >>"$GITHUB_OUTPUT"

      - name: Build shared library
        id: build
        uses: ./.github/actions/build-shared-library
        with:
          target: ${{ matrix.rust_target }}
          goos: ${{ matrix.goos }}
          goarch: ${{ matrix.goarch }}
          runner_kind: windows
          source_date_epoch: ${{ steps.metadata.outputs.source-date-epoch }}
          verify_reproducible: true

      - name: Audit windows exports
        shell: pwsh
        run: dumpbin /EXPORTS "${{ steps.build.outputs.built-library-path }}"

      - name: Package windows shared library
        id: package
        uses: ./.github/actions/package-shared-artifact
        with:
          input: ${{ steps.build.outputs.built-library-path }}
          goos: ${{ matrix.goos }}
          goarch: ${{ matrix.goarch }}
          rust-target: ${{ matrix.rust_target }}
          version: ${{ steps.metadata.outputs.version }}
          out-dir: ${{ github.workspace }}/dist/${{ matrix.platform_id }}

      - name: Assert windows artifact names
        run: |
          set -euo pipefail
          test "${{ steps.package.outputs.github-asset-name }}" = "${{ matrix.expected_github_asset_name }}"
          test "$(basename "${{ steps.package.outputs.r2-path }}")" = "${{ matrix.expected_r2_filename }}"

      - name: Preserve windows import library
        run: |
          set -euo pipefail
          import_lib_path="$(
            python3 -c 'from pathlib import Path; import sys; print(Path(sys.argv[1]).with_name(sys.argv[2]))' \
              '${{ steps.build.outputs.built-library-path }}' \
              '${{ matrix.import_library_name }}'
          )"
          if [[ -f "$import_lib_path" ]]; then
            r2_dir="$(dirname "${{ steps.package.outputs.r2-path }}")"
            cp "$import_lib_path" "$r2_dir/${{ matrix.import_library_name }}"
          fi

      - name: Record windows dependent DLLs
        shell: pwsh
        run: |
          $reportPath = "dist/${{ matrix.platform_id }}/${{ matrix.dependency_report_name }}"
          $output = dumpbin /DEPENDENTS "${{ steps.build.outputs.built-library-path }}" | Out-String
          $output.TrimEnd() | Out-File -FilePath $reportPath -Encoding utf8
          if ($env:GITHUB_STEP_SUMMARY) {
            $summary = [string]::Join(
              [Environment]::NewLine,
              @(
                '### windows-amd64 DLL dependents'
                ''
                '```text'
                $output.TrimEnd()
                '```'
              )
            )
            Add-Content -Path $env:GITHUB_STEP_SUMMARY -Value $summary
          }

      - name: Promote windows manifest row for staged assembly
        run: |
          set -euo pipefail
          mv "${{ steps.package.outputs.manifest-path }}" \
            "dist/${{ matrix.platform_id }}/manifest-${{ matrix.platform_id }}.json"

      - name: Run CI-04 native smoke gate (ffi_export_surface.c + minimal_parse.c)
        run: |
          set -euo pipefail
          bash scripts/release/run_native_smoke.sh \
            "${{ steps.package.outputs.r2-path }}" \
            "${{ matrix.platform_id }}"

      - name: Upload staged windows artifact bundle
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: release-${{ matrix.platform_id }}
          if-no-files-found: error
          path: dist/${{ matrix.platform_id }}

  alpine-smoke:
    name: alpine smoke (PURE_SIMDJSON_LIB_PATH escape hatch)
    runs-on: ubuntu-latest
    needs: verify-tag-source
    defaults:
      run:
        shell: bash
    steps:
      - name: Check out repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          submodules: recursive

      - name: Run pinned Alpine smoke gate (PURE_SIMDJSON_LIB_PATH)
        run: |
          set -euo pipefail
          bash scripts/release/run_alpine_smoke.sh --image-ref "$ALPINE_IMAGE_REF"

  release-publish:
    name: release publish
    runs-on: ubuntu-latest
    needs:
      - verify-tag-source
      - linux-build
      - darwin-build
      - windows-build
      - alpine-smoke
    defaults:
      run:
        shell: bash
    env:
      PROJECT: ${{ github.event.repository.name }}
      RELEASES_DOMAIN: ${{ vars.RELEASES_DOMAIN || 'releases.amikos.tech' }}
      R2_BUCKET: ${{ vars.R2_BUCKET || secrets.R2_BUCKET || 'releases' }}
      R2_ENDPOINT_URL: ${{ secrets.R2_ENDPOINT || secrets.R2_ENDPOINT_URL || vars.R2_ENDPOINT || vars.R2_ENDPOINT_URL }}
      AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID || secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY || secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN || secrets.R2_SESSION_TOKEN }}
      AWS_DEFAULT_REGION: ${{ vars.AWS_DEFAULT_REGION || 'auto' }}
    steps:
      - name: Check out repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          submodules: recursive

      - name: Set up Go for packaged-artifact smoke
        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff
        with:
          go-version-file: go.mod

      - name: Resolve release metadata
        id: metadata
        run: |
          set -euo pipefail
          version="${{ needs.verify-tag-source.outputs.version }}"
          if [[ -z "$version" ]]; then
            echo "failed to resolve release version from the pushed tag" >&2
            exit 1
          fi
          echo "version=$version" >>"$GITHUB_OUTPUT"

      - name: Download staged release artifact bundles
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
        with:
          pattern: release-*
          path: ${{ github.workspace }}/release-staging
          merge-multiple: true

      - name: Assemble combined manifest from staged manifest rows
        run: |
          set -euo pipefail
          python3 - "${{ github.workspace }}/release-staging" "${{ steps.metadata.outputs.version }}" "${{ github.workspace }}/release-staging/combined-manifest.json" <<'PY'
          import json
          import pathlib
          import sys

          root = pathlib.Path(sys.argv[1])
          version = sys.argv[2]
          output = pathlib.Path(sys.argv[3])
          expected = [
              ("linux", "amd64", "x86_64-unknown-linux-gnu"),
              ("linux", "arm64", "aarch64-unknown-linux-gnu"),
              ("darwin", "amd64", "x86_64-apple-darwin"),
              ("darwin", "arm64", "aarch64-apple-darwin"),
              ("windows", "amd64", "x86_64-pc-windows-msvc"),
          ]
          required_keys = {
              "goos",
              "goarch",
              "rust_target",
              "r2_key",
              "github_asset_name",
              "local_path",
              "sha256",
          }

          manifest_rows = sorted(root.rglob("manifest-*.json"))
          if len(manifest_rows) != len(expected):
              raise SystemExit(f"expected {len(expected)} manifest rows, found {len(manifest_rows)}")

          entries = {}
          for manifest_path in manifest_rows:
              manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
              if manifest.get("version") != version:
                  raise SystemExit(f"manifest {manifest_path} version {manifest.get('version')!r} != {version!r}")
              raw_entries = manifest.get("entries")
              if not isinstance(raw_entries, list) or len(raw_entries) != 1:
                  raise SystemExit(f"manifest {manifest_path} must contain exactly one entry")
              entry = raw_entries[0]
              if not isinstance(entry, dict) or set(entry.keys()) != required_keys:
                  raise SystemExit(f"manifest {manifest_path} entry shape mismatch")
              tuple_key = (entry["goos"], entry["goarch"], entry["rust_target"])
              if tuple_key not in expected:
                  raise SystemExit(f"unexpected manifest tuple {tuple_key} in {manifest_path}")
              if tuple_key in entries:
                  raise SystemExit(f"duplicate manifest tuple {tuple_key}")
              entries[tuple_key] = entry

          missing = [tuple_key for tuple_key in expected if tuple_key not in entries]
          if missing:
              raise SystemExit(f"missing manifest tuples: {missing}")

          combined = {"version": version, "entries": [entries[tuple_key] for tuple_key in expected]}
          output.write_text(json.dumps(combined, indent=2) + "\n", encoding="utf-8")
          PY

      - name: Assemble staged release tree for packaged-artifact smoke
        run: |
          set -euo pipefail
          bash scripts/release/assemble_staged_release_tree.sh \
            --version "${{ steps.metadata.outputs.version }}" \
            --manifest-dir "${{ github.workspace }}/release-staging" \
            --artifact-dir "${{ github.workspace }}/release-staging" \
            --staged-root "${{ github.workspace }}/release-staged-root"

      - name: Generate SHA256SUMS from the rebuilt manifest
        run: |
          set -euo pipefail
          python3 - "${{ github.workspace }}/release-staging/combined-manifest.json" "${{ github.workspace }}/release-staged-root" <<'PY'
          import json
          import pathlib
          import sys

          manifest_path = pathlib.Path(sys.argv[1])
          staged_root = pathlib.Path(sys.argv[2])
          manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
          version = manifest["version"]
          sums_path = staged_root / f"v{version}" / "SHA256SUMS"
          lines = [f'{entry["sha256"]}  {entry["r2_key"]}' for entry in manifest["entries"]]
          sums_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
          print(sums_path)
          PY

      - name: Run Go packaged-artifact smoke gate (PURE_SIMDJSON_BINARY_MIRROR + PURE_SIMDJSON_DISABLE_GH_FALLBACK)
        run: |
          set -euo pipefail
          bash scripts/release/run_go_packaged_smoke.sh \
            --staged-root "${{ github.workspace }}/release-staged-root" \
            --version "${{ steps.metadata.outputs.version }}"

      - name: Install cosign
        uses: sigstore/cosign-installer@f713795cb21599bc4e5c4b58cbad1da852d7eeb9

      - name: Sign raw shared-library assets and SHA256SUMS
        run: |
          set -euo pipefail
          mapfile -t sign_targets < <(python3 -c '
          import json
          import pathlib
          import sys

          manifest_path = pathlib.Path(sys.argv[1])
          staged_root = pathlib.Path(sys.argv[2])
          manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
          for entry in manifest["entries"]:
              print((staged_root / entry["r2_key"]).resolve())
          print((staged_root / ("v" + manifest["version"]) / "SHA256SUMS").resolve())
          ' "${{ github.workspace }}/release-staging/combined-manifest.json" "${{ github.workspace }}/release-staged-root")
          for target in "${sign_targets[@]}"; do
            cosign sign-blob --yes \
              --output-signature "${target}.sig" \
              --output-certificate "${target}.pem" \
              "$target"
          done

      - name: Verify cosign signatures before upload
        run: |
          set -euo pipefail
          identity="https://github.com/amikos-tech/pure-simdjson/.github/workflows/release.yml@refs/tags/${{ github.ref_name }}"
          mapfile -t verify_targets < <(python3 -c '
          import json
          import pathlib
          import sys

          manifest_path = pathlib.Path(sys.argv[1])
          staged_root = pathlib.Path(sys.argv[2])
          manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
          for entry in manifest["entries"]:
              print((staged_root / entry["r2_key"]).resolve())
          print((staged_root / ("v" + manifest["version"]) / "SHA256SUMS").resolve())
          ' "${{ github.workspace }}/release-staging/combined-manifest.json" "${{ github.workspace }}/release-staged-root")
          for target in "${verify_targets[@]}"; do
            cosign verify-blob \
              --certificate "${target}.pem" \
              --signature "${target}.sig" \
              --certificate-identity "$identity" \
              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
              "$target"
          done

      - name: Prepare flat GitHub Release assets
        run: |
          set -euo pipefail
          python3 - "${{ github.workspace }}/release-staging/combined-manifest.json" "${{ github.workspace }}/release-staged-root" "${{ github.workspace }}/release-assets" <<'PY'
          import json
          import pathlib
          import shutil
          import sys

          manifest_path = pathlib.Path(sys.argv[1])
          staged_root = pathlib.Path(sys.argv[2])
          release_assets = pathlib.Path(sys.argv[3])
          release_assets.mkdir(parents=True, exist_ok=True)
          manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
          version_dir = staged_root / f'v{manifest["version"]}'

          for entry in manifest["entries"]:
              raw_path = staged_root / entry["r2_key"]
              flat_path = release_assets / entry["github_asset_name"]
              shutil.copy2(raw_path, flat_path)
              shutil.copy2(pathlib.Path(f"{raw_path}.sig"), pathlib.Path(f"{flat_path}.sig"))
              shutil.copy2(pathlib.Path(f"{raw_path}.pem"), pathlib.Path(f"{flat_path}.pem"))

          for name in ("SHA256SUMS", "SHA256SUMS.sig", "SHA256SUMS.pem"):
              shutil.copy2(version_dir / name, release_assets / name)
          PY

      - name: Show assembled staged release tree
        run: |
          set -euo pipefail
          find "${{ github.workspace }}/release-staged-root" -type f | sort

      - name: Upload combined manifest and staged release tree
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: release-staging
          if-no-files-found: error
          path: |
            ${{ github.workspace }}/release-staging/combined-manifest.json
            ${{ github.workspace }}/release-staged-root
            ${{ github.workspace }}/release-assets

      - name: Publish immutable release payload to R2
        run: |
          set -euo pipefail
          bash scripts/release/publish_r2.sh \
            --version "${{ github.ref_name }}" \
            --staged-root "${{ github.workspace }}/release-staged-root"

      - name: Publish latest.json to R2
        run: |
          set -euo pipefail
          if [[ -z "${AWS_ACCESS_KEY_ID}" || -z "${AWS_SECRET_ACCESS_KEY}" || -z "${R2_ENDPOINT_URL}" ]]; then
            echo "Missing required R2 credentials or endpoint configuration." >&2
            exit 1
          fi
          release_date="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
          jq -n \
            --arg version "${{ github.ref_name }}" \
            --arg date "${release_date}" \
            --arg checksums_url "${PROJECT}/${{ github.ref_name }}/SHA256SUMS" \
            --arg checksums_full_url "https://${RELEASES_DOMAIN}/${PROJECT}/${{ github.ref_name }}/SHA256SUMS" \
            '{version: $version, date: $date, checksums_url: $checksums_url, checksums_full_url: $checksums_full_url}' \
            > /tmp/latest.json
          aws s3 cp /tmp/latest.json "s3://${R2_BUCKET}/${PROJECT}/latest.json" \
            --endpoint-url "${R2_ENDPOINT_URL}" \
            --content-type "application/json" \
            --cache-control "public, max-age=60"

      - name: Update releases.json index (optional)
        if: vars.RELEASE_INDEX_ENABLED == '1'
        run: |
          set -euo pipefail
          if [[ -z "${AWS_ACCESS_KEY_ID}" || -z "${AWS_SECRET_ACCESS_KEY}" || -z "${R2_ENDPOINT_URL}" ]]; then
            echo "Missing required R2 credentials or endpoint configuration." >&2
            exit 1
          fi
          release_date="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
          fetch_err="$(mktemp)"
          trap 'rm -f "${fetch_err}"' EXIT
          if ! aws s3 cp "s3://${R2_BUCKET}/${PROJECT}/releases.json" /tmp/releases-existing.json \
            --endpoint-url "${R2_ENDPOINT_URL}" 2>"${fetch_err}"; then
            if grep -Eiq '404|NoSuchKey|Not Found|does not exist' "${fetch_err}"; then
              rm -f /tmp/releases-existing.json
            else
              echo "Failed to fetch existing releases.json from R2." >&2
              cat "${fetch_err}" >&2
              exit 1
            fi
          fi
          rm -f "${fetch_err}"

          bash scripts/release/build_releases_index.sh \
            --existing /tmp/releases-existing.json \
            --output /tmp/releases.json \
            --project "${PROJECT}" \
            --version "${{ github.ref_name }}" \
            --date "${release_date}" \
            --domain "${RELEASES_DOMAIN}" \
            --max 100

          identity="https://github.com/amikos-tech/pure-simdjson/.github/workflows/release.yml@refs/tags/${{ github.ref_name }}"
          cosign sign-blob --yes \
            --output-signature /tmp/releases.json.sig \
            --output-certificate /tmp/releases.json.pem \
            /tmp/releases.json
          cosign verify-blob \
            --signature /tmp/releases.json.sig \
            --certificate /tmp/releases.json.pem \
            --certificate-identity "${identity}" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            /tmp/releases.json

          aws s3 cp /tmp/releases.json "s3://${R2_BUCKET}/${PROJECT}/releases.json" \
            --endpoint-url "${R2_ENDPOINT_URL}" \
            --content-type "application/json" \
            --cache-control "public, max-age=60"
          aws s3 cp /tmp/releases.json.sig "s3://${R2_BUCKET}/${PROJECT}/releases.json.sig" \
            --endpoint-url "${R2_ENDPOINT_URL}" \
            --content-type "application/octet-stream" \
            --cache-control "public, max-age=60"
          aws s3 cp /tmp/releases.json.pem "s3://${R2_BUCKET}/${PROJECT}/releases.json.pem" \
            --endpoint-url "${R2_ENDPOINT_URL}" \
            --content-type "application/x-pem-file" \
            --cache-control "public, max-age=60"

      - name: Purge latest.json from CDN cache
        if: vars.CF_ZONE_ID != ''
        env:
          CF_ZONE_ID: ${{ vars.CF_ZONE_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
        run: |
          set -euo pipefail
          if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
            echo "::warning::CLOUDFLARE_API_TOKEN is not set; skipping cache purge."
            exit 0
          fi
          curl -sf -X POST \
            "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/purge_cache" \
            -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
            -H "Content-Type: application/json" \
            --data "{\"files\":[\"https://${RELEASES_DOMAIN}/${PROJECT}/latest.json\"]}"

      - name: Purge releases index from CDN cache (optional)
        if: vars.CF_ZONE_ID != '' && vars.RELEASE_INDEX_ENABLED == '1'
        env:
          CF_ZONE_ID: ${{ vars.CF_ZONE_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
        run: |
          set -euo pipefail
          if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
            echo "::warning::CLOUDFLARE_API_TOKEN is not set; skipping cache purge."
            exit 0
          fi
          curl -sf -X POST \
            "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/purge_cache" \
            -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
            -H "Content-Type: application/json" \
            --data "{\"files\":[\"https://${RELEASES_DOMAIN}/${PROJECT}/releases.json\",\"https://${RELEASES_DOMAIN}/${PROJECT}/releases.json.sig\",\"https://${RELEASES_DOMAIN}/${PROJECT}/releases.json.pem\"]}"

      - name: Render release notes from CHANGELOG.md
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          set -euo pipefail
          python3 scripts/release/render_release_notes.py \
            --changelog CHANGELOG.md \
            --version "${{ github.ref_name }}" \
            --output "${{ github.workspace }}/release-notes.md"

      - name: Publish GitHub release
        if: startsWith(github.ref, 'refs/tags/')
        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65
        with:
          files: ${{ github.workspace }}/release-assets/*
          body_path: ${{ github.workspace }}/release-notes.md