fix(irm): accept bare filenames in path extraction #229
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | ||
|
Check failure on line 1 in .github/workflows/release.yml
|
||
| on: | ||
| push: | ||
| tags: | ||
| - 'v*' | ||
| env: | ||
| CARGO_TERM_COLOR: always | ||
| jobs: | ||
| # Build and test before publishing | ||
| preflight: | ||
| name: Preflight Checks | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Install Rust toolchain | ||
| uses: dtolnay/rust-toolchain@stable | ||
| - name: Validate version consistency | ||
| run: scripts/release-preflight.sh "${GITHUB_REF#refs/tags/v}" | ||
| - name: Run tests | ||
| run: cargo test --workspace | ||
| - name: Run clippy | ||
| run: cargo clippy --all-targets --all-features -- -D warnings | ||
| # Publish to crates.io | ||
| publish-crates: | ||
| name: Publish to crates.io | ||
| runs-on: ubuntu-latest | ||
| needs: preflight | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Install Rust toolchain | ||
| uses: dtolnay/rust-toolchain@stable | ||
| - name: Publish hush-core | ||
| run: cargo publish -p hush-core --token ${{ secrets.CARGO_REGISTRY_TOKEN }} | ||
| env: | ||
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} | ||
| - name: Wait for crates.io index update | ||
| run: sleep 30 | ||
| - name: Publish hush-proxy | ||
| run: cargo publish -p hush-proxy --token ${{ secrets.CARGO_REGISTRY_TOKEN }} | ||
| env: | ||
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} | ||
| - name: Wait for crates.io index update | ||
| run: sleep 30 | ||
| - name: Publish clawdstrike | ||
| run: cargo publish -p clawdstrike --token ${{ secrets.CARGO_REGISTRY_TOKEN }} | ||
| env: | ||
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} | ||
| - name: Wait for crates.io index update | ||
| run: sleep 30 | ||
| - name: Publish hush-cli | ||
| run: cargo publish -p hush-cli --token ${{ secrets.CARGO_REGISTRY_TOKEN }} | ||
| env: | ||
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} | ||
| # Publish to npm | ||
| publish-npm: | ||
| name: Publish to npm | ||
| runs-on: ubuntu-latest | ||
| needs: preflight | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: '24' | ||
| registry-url: 'https://registry.npmjs.org' | ||
| - name: Build @clawdstrike/clawdstrike-security | ||
| working-directory: packages/adapters/clawdstrike-openclaw | ||
| run: | | ||
| npm ci | ||
| npm run build | ||
| - name: Publish @clawdstrike/clawdstrike-security | ||
| working-directory: packages/adapters/clawdstrike-openclaw | ||
| run: npm publish --access public | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| # Publish @clawdstrike/sdk to npm | ||
| publish-hush-ts: | ||
| name: Publish @clawdstrike/sdk to npm | ||
| runs-on: ubuntu-latest | ||
| needs: preflight | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: '24' | ||
| registry-url: 'https://registry.npmjs.org' | ||
| - name: Install and build | ||
| working-directory: packages/sdk/hush-ts | ||
| run: | | ||
| npm ci | ||
| npm run build | ||
| - name: Set version from tag | ||
| working-directory: packages/sdk/hush-ts | ||
| run: | | ||
| VERSION=${GITHUB_REF#refs/tags/v} | ||
| npm version $VERSION --no-git-tag-version --allow-same-version | ||
| - name: Publish to npm | ||
| working-directory: packages/sdk/hush-ts | ||
| run: npm publish --access public | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| # Publish WASM package to npm | ||
| publish-wasm: | ||
| name: Publish @clawdstrike/wasm to npm | ||
| runs-on: ubuntu-latest | ||
| needs: [preflight] | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Setup Rust | ||
| uses: dtolnay/rust-toolchain@stable | ||
| with: | ||
| targets: wasm32-unknown-unknown | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: '24' | ||
| registry-url: 'https://registry.npmjs.org' | ||
| - name: Install wasm-pack | ||
| run: cargo install wasm-pack --locked --version 0.14.0 | ||
| - name: Build WASM (web target) | ||
| run: | | ||
| cd crates/libs/hush-wasm | ||
| wasm-pack build --target web --release --out-dir pkg | ||
| - name: Prepare package for publishing | ||
| run: | | ||
| cd crates/libs/hush-wasm | ||
| # Copy our package.json (overwrite wasm-pack generated one) | ||
| cp package.json pkg/ | ||
| # Copy README for npm | ||
| cp README.npm.md pkg/README.md | ||
| # Copy hand-written TypeScript types (augment wasm-pack types) | ||
| cp types/hush_wasm.d.ts pkg/ | ||
| - name: Set version from tag | ||
| run: | | ||
| VERSION=${GITHUB_REF#refs/tags/v} | ||
| echo "Setting version to $VERSION" | ||
| cd crates/libs/hush-wasm/pkg | ||
| npm version $VERSION --no-git-tag-version --allow-same-version | ||
| - name: Verify package contents | ||
| run: | | ||
| cd crates/libs/hush-wasm/pkg | ||
| echo "Package contents:" | ||
| ls -la | ||
| echo "" | ||
| echo "package.json:" | ||
| cat package.json | ||
| - name: Publish to npm | ||
| run: | | ||
| cd crates/libs/hush-wasm/pkg | ||
| npm publish --access public | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| # Publish to PyPI (when hush-py package exists) | ||
| publish-pypi: | ||
| name: Publish to PyPI | ||
| runs-on: ubuntu-latest | ||
| needs: preflight | ||
| # Only run if hush-py package exists | ||
| if: ${{ hashFiles('packages/sdk/hush-py/pyproject.toml') != '' }} | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Setup Python | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: '3.12' | ||
| - name: Install build tools | ||
| run: pip install build twine | ||
| - name: Build package | ||
| run: cd packages/sdk/hush-py && python -m build | ||
| - name: Publish to PyPI | ||
| run: twine upload packages/sdk/hush-py/dist/* | ||
| env: | ||
| TWINE_USERNAME: __token__ | ||
| TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }} | ||
| # Build release binaries | ||
| build-binaries: | ||
| name: Build Binaries | ||
| needs: preflight | ||
| strategy: | ||
| matrix: | ||
| include: | ||
| - target: x86_64-unknown-linux-gnu | ||
| os: ubuntu-latest | ||
| artifact: hush-linux-x86_64 | ||
| - target: x86_64-apple-darwin | ||
| os: macos-latest | ||
| artifact: hush-darwin-x86_64 | ||
| - target: aarch64-apple-darwin | ||
| os: macos-latest | ||
| artifact: hush-darwin-aarch64 | ||
| - target: x86_64-pc-windows-msvc | ||
| os: windows-latest | ||
| artifact: hush-windows-x86_64.exe | ||
| runs-on: ${{ matrix.os }} | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Install Rust toolchain | ||
| uses: dtolnay/rust-toolchain@stable | ||
| with: | ||
| targets: ${{ matrix.target }} | ||
| - name: Build release binary | ||
| run: cargo build --release --target ${{ matrix.target }} -p hush-cli | ||
| - name: Rename binary (Unix) | ||
| if: runner.os != 'Windows' | ||
| run: | | ||
| cp target/${{ matrix.target }}/release/hush ${{ matrix.artifact }} | ||
| - name: Rename binary (Windows) | ||
| if: runner.os == 'Windows' | ||
| run: | | ||
| cp target/${{ matrix.target }}/release/hush.exe ${{ matrix.artifact }} | ||
| - name: Upload artifact | ||
| uses: actions/upload-artifact@v6 | ||
| with: | ||
| name: ${{ matrix.artifact }} | ||
| path: ${{ matrix.artifact }} | ||
| # Create GitHub release with binaries | ||
| create-release: | ||
| name: Create Release | ||
| runs-on: ubuntu-latest | ||
| needs: [build-binaries, publish-crates] | ||
| permissions: | ||
| contents: write | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Download all artifacts | ||
| uses: actions/download-artifact@v7 | ||
| with: | ||
| path: artifacts | ||
| - name: Create checksums | ||
| run: | | ||
| cd artifacts | ||
| for dir in */; do | ||
| cd "$dir" | ||
| for file in *; do | ||
| sha256sum "$file" > "$file.sha256" | ||
| done | ||
| cd .. | ||
| done | ||
| - name: Flatten artifacts | ||
| run: | | ||
| mkdir -p release-files | ||
| find artifacts -type f -exec mv {} release-files/ \; | ||
| - name: Create GitHub Release | ||
| uses: softprops/action-gh-release@v1 | ||
| with: | ||
| generate_release_notes: true | ||
| files: release-files/* | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| # Update Homebrew formula with correct SHA256 | ||
| update-homebrew: | ||
| name: Update Homebrew Formula | ||
| runs-on: ubuntu-latest | ||
| needs: [create-release] | ||
| permissions: | ||
| contents: write | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| ref: main # Checkout main branch for the update | ||
| - name: Calculate SHA256 | ||
| id: sha | ||
| run: | | ||
| VERSION=${GITHUB_REF#refs/tags/v} | ||
| URL="https://github.com/backbay-labs/clawdstrike/archive/refs/tags/v${VERSION}.tar.gz" | ||
| echo "Downloading from: $URL" | ||
| SHA=$(curl -sL "$URL" | shasum -a 256 | cut -d' ' -f1) | ||
| echo "sha256=$SHA" >> $GITHUB_OUTPUT | ||
| echo "version=$VERSION" >> $GITHUB_OUTPUT | ||
| echo "Calculated SHA256: $SHA" | ||
| - name: Update formula | ||
| run: | | ||
| # Update URL with new version | ||
| sed -i 's|url "https://github.com/backbay-labs/clawdstrike/archive/refs/tags/v[^"]*"|url "https://github.com/backbay-labs/clawdstrike/archive/refs/tags/v${{ steps.sha.outputs.version }}.tar.gz"|' infra/packaging/HomebrewFormula/hush.rb | ||
| # Update SHA256 | ||
| sed -i 's|sha256 "[^"]*"|sha256 "${{ steps.sha.outputs.sha256 }}"|' infra/packaging/HomebrewFormula/hush.rb | ||
| echo "Updated formula:" | ||
| cat infra/packaging/HomebrewFormula/hush.rb | ||
| - name: Commit and push | ||
| run: | | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "github-actions[bot]@users.noreply.github.com" | ||
| git add infra/packaging/HomebrewFormula/hush.rb | ||
| git diff --cached --quiet || git commit -m "chore: update Homebrew formula for v${{ steps.sha.outputs.version }}" | ||
| git push origin main | ||
