Skip to content

Commit c086ad5

Browse files
committed
docs: Phase H install docs + provisioning checklist
- README: replace the build-from-source-only Install section with the install script, Homebrew, Scoop, and signed-binary methods (source kept as an option); update the Phase H roadmap row and requirements. - Add web/README.md: develop/build instructions and the owner provisioning checklist (tag v1.0.0, create the tap repos + tokens, Vercel setup) — the account-level steps that publishing depends on. - CHANGELOG: Phase H entry (GoReleaser, release workflow, taps, install script, web site). - golangci-lint: exclude web/ so the JS subtree's vendored stray .go files (node_modules/flatted/golang) don't trip the Go linters; keeps the Go and JS toolchains' checks cleanly separated.
1 parent 2b86255 commit c086ad5

4 files changed

Lines changed: 96 additions & 6 deletions

File tree

.golangci.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -57,6 +57,12 @@ linters:
5757
- pkg: "github.com/nixrajput/siphon/internal/app"
5858
desc: "Drivers must not depend on Application — dependency flows down"
5959
exclusions:
60+
# web/ is the Next.js site; its node_modules can vendor stray .go files
61+
# (e.g. flatted/golang) that are not siphon code. Keep the Go linters off
62+
# the JS subtree. (node_modules is gitignored, so CI never sees it on a
63+
# fresh checkout; this keeps local lint consistent with CI.)
64+
paths:
65+
- web
6066
rules:
6167
- path: _test\.go
6268
linters:

CHANGELOG.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
99

1010
### Added
1111

12+
- Phase H (distribution) — release tooling + landing/docs site (publishing awaits the `v1.0.0` tag + owner provisioning):
13+
- **GoReleaser** (`.goreleaser.yaml`, v2): cross-platform builds (linux/darwin/windows × amd64/arm64), tar.gz/zip archives, a SHA-256 `checksums.txt`, and **cosign-keyless** signing of the checksums (GitHub OIDC, no key to manage). The version ldflags match the symbol the Makefile injects, so a released binary's `--version` reports its tag.
14+
- **Release workflow** (`.github/workflows/release.yml`): triggers on a `v*` tag, pins GoReleaser ~> v2, installs cosign, and grants `contents: write` + `id-token: write`. Tap-push tokens resolve to empty when unset so a first release without taps doesn't error (`skip_upload: auto`).
15+
- **Homebrew tap + Scoop bucket** blocks publishing to `nixrajput/homebrew-siphon` and `nixrajput/scoop-siphon`.
16+
- **Install script** (`scripts/install.sh`): POSIX `curl | sh` that detects OS/arch, resolves the latest release, and **verifies the archive's SHA-256 before installing** (refuses on mismatch).
17+
- **Landing + docs site** (`web/`): a Next.js (App Router) + Tailwind app deployed on Vercel. The docs pages render the repository's own `docs/*.md` at build time (single source of truth). README install section, CHANGELOG, and `web/README.md` (with the owner provisioning checklist) updated.
18+
1219
- Phase G (ops) — **multi-backend secrets** (final G cycle): two new secret-ref backends on the existing resolver seam, so passwords can come from a credential store instead of config.
1320
- **OS keychain** (`keychain://<account>` or `keychain://<service>/<account>`) via `go-keyring` — macOS Keychain, Windows Credential Manager, Linux Secret Service. No config, no network; short form looks up service `siphon`.
1421
- **AWS Secrets Manager** (`awssm://<secret-id>`, or `awssm://<secret-id>#<json-key>` to pull one field of a JSON secret) via the AWS SDK, reusing the same credential chain as S3 storage. Off by default; enable with `secrets.awssm: true` (+ optional `awssm_region`).

README.md

Lines changed: 28 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -56,11 +56,11 @@ A single binary that turns the painful, error-prone sprawl of `pg_dump` → `pg_
5656
| **E** — MySQL + MariaDB | Both drivers via a shared `_mysqlcommon` package (shared `Conn`, `mysqldump`/`mariadb-dump` backup, client-pipe restore), exercised by the Phase D `RunDriverSuite` harness | ✅ Complete |
5757
| **F** — Advanced transfer | All four advanced-transfer modes work end-to-end: bounded-buffer streaming sync; **incremental** backup/restore (`backup --incremental --base <id>` captures a bounded change set via Postgres logical decoding / MySQL-MariaDB binlog, `restore` replays the base→incremental chain, Postgres orphan-slot sweep); **cross-engine** sync (`sync --cross-engine` — typed `SchemaInspector` introspection → canonical type-mapping, e.g. Postgres → MySQL); and **CDC** (`siphon cdc` / `sync --continuous` — unbounded change streaming with snapshot→stream handoff, resumable, same- and cross-engine). Live DB paths are integration-tested in CI — see [docs/INCREMENTAL.md](docs/INCREMENTAL.md), [docs/CROSS_ENGINE.md](docs/CROSS_ENGINE.md), [docs/CDC.md](docs/CDC.md) | ✅ Complete |
5858
| **G** — Ops features | **Cloud storage** (✅): the dump catalog can live in an S3 / S3-compatible bucket via a pluggable `storage.Store` backend (local + S3; GCS/Azure are a fast-follow), `storage:` config block, SHA-256 integrity end-to-end — see [docs/STORAGE.md](docs/STORAGE.md). **Retention** (✅): chain-aware pruning (`siphon dumps prune`) with keep-last-N / max-age / GFS rules, per-profile `retention:` config; see [docs/RETENTION.md](docs/RETENTION.md). **Ops suite** (✅): an append-only **audit log** of destructive ops (`audit:` config), **2FA/group gating** (a profile group can require a typed confirmation and/or TOTP before destructive ops), opt-in aggregate **telemetry** (`telemetry:` config), **`siphon schedule`** (manages recurring backups in your crontab), and **`siphon tunnel`** (SSH local-forward to a DB via a bastion). **Multi-backend secrets** (✅): `keychain://` (OS credential store) and `awssm://` (AWS Secrets Manager) join `env:` as secret-ref schemes. See [docs/OPS.md](docs/OPS.md). | ✅ Complete |
59-
| **H** — Distribution | GoReleaser, Homebrew tap, Scoop bucket, install script, docs site | ⏳ Planned |
59+
| **H** — Distribution | GoReleaser (cross-platform binaries, checksums, cosign-keyless signatures, tag-triggered release workflow), Homebrew tap + Scoop bucket, a checksum-verifying `curl \| sh` install script, and a Next.js landing + docs site (in `web/`, deployed on Vercel, rendering the repo Markdown). Tooling is in the repo; publishing awaits the `v1.0.0` tag + owner provisioning (tap repos/tokens, Vercel) — see [`web/README.md`](web/README.md). | 🟡 In progress |
6060

6161
## Requirements
6262

63-
- **[Go](https://go.dev/dl/) 1.26 or newer** — to build from source (the only install method until Phase H).
63+
- **[Go](https://go.dev/dl/) 1.26 or newer**only needed to build from source; prebuilt binaries are available via the install script, Homebrew, and Scoop (see [Install](#install)).
6464
- **Database client tools** — siphon shells out to the native dump/restore tools; it does not embed a client. You only need the tools for the engines you actually use:
6565
- **PostgreSQL** profiles need `pg_dump`, `pg_restore`, `psql`.
6666
- **MySQL** profiles need `mysqldump`, `mysql`.
@@ -77,16 +77,38 @@ A single binary that turns the painful, error-prone sprawl of `pg_dump` → `pg_
7777

7878
## Install
7979

80-
> Pre-1.0: no Homebrew tap or prebuilt binaries yet. Build from source.
80+
**Linux / macOS** — the install script downloads the right release binary and verifies its SHA-256 before installing:
81+
82+
```bash
83+
curl -fsSL https://siphon.dev/install.sh | sh
84+
```
85+
86+
Override the target with `SIPHON_INSTALL_DIR=…` or pin a version with `SIPHON_VERSION=v1.0.0`.
87+
88+
**Homebrew:**
89+
90+
```bash
91+
brew install nixrajput/siphon/siphon
92+
```
93+
94+
**Scoop (Windows):**
95+
96+
```powershell
97+
scoop bucket add siphon https://github.com/nixrajput/scoop-siphon
98+
scoop install siphon
99+
```
100+
101+
**Prebuilt binaries** for every OS/arch are attached to each [release](https://github.com/nixrajput/siphon/releases), with a `checksums.txt` and a cosign signature (`checksums.txt.sig` + `.pem`) — verify with `cosign verify-blob`.
102+
103+
**From source:**
81104

82105
```bash
83106
git clone https://github.com/nixrajput/siphon.git
84-
cd siphon
85-
make build
107+
cd siphon && make build
86108
./bin/siphon --version
87109
```
88110

89-
This produces `./bin/siphon`. Move it onto your `PATH` (e.g. `sudo install -m 0755 bin/siphon /usr/local/bin/siphon`) to call it as `siphon`.
111+
This produces `./bin/siphon`; move it onto your `PATH` (e.g. `sudo install -m 0755 bin/siphon /usr/local/bin/siphon`).
90112

91113
## Quick start
92114

web/README.md

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
# siphon web — landing page & docs
2+
3+
The marketing landing page and documentation site for siphon, built with
4+
Next.js (App Router) + Tailwind and deployed on Vercel. The docs pages render
5+
the repository's own `docs/*.md` at build time, so the site never drifts from
6+
the shipped documentation.
7+
8+
## Develop
9+
10+
```bash
11+
cd web
12+
npm install
13+
npm run dev # http://localhost:3000
14+
npm run build # production build (also what Vercel runs)
15+
npm run lint
16+
```
17+
18+
The docs pipeline (`lib/docs.ts`) reads `../docs/*.md` relative to `web/`, so
19+
run commands from inside `web/` with the repo checked out around it.
20+
21+
## Deploy (Vercel) — owner setup
22+
23+
Vercel deploys from this subdirectory via its git integration (no GitHub Action
24+
needed). One-time setup on the Vercel account:
25+
26+
1. **Import the repo** into a new Vercel project.
27+
2. Set **Root Directory** = `web`.
28+
3. Framework preset: **Next.js** (auto-detected). Build command `next build`,
29+
output handled by Vercel.
30+
4. (Optional) Point the `siphon.dev` domain at the project; the install command
31+
on the landing page references `https://siphon.dev/install.sh`, so either map
32+
that path to the repo's `scripts/install.sh` (e.g. a redirect/rewrite) or
33+
update the command to the raw GitHub URL.
34+
35+
Pushes to `main` then deploy production; PRs get preview deployments.
36+
37+
## Phase H release provisioning checklist (owner)
38+
39+
The release tooling in the repo root (`.goreleaser.yaml`,
40+
`.github/workflows/release.yml`, `scripts/install.sh`) is wired but needs these
41+
account-level actions before a `v1.0.0` release publishes everywhere:
42+
43+
- [ ] **Tag and push `v1.0.0`** — triggers the release workflow (cross-platform
44+
binaries, checksums, cosign-keyless signatures, GitHub Release). This
45+
alone works with no further setup; `skip_upload: auto` means the brew/scoop
46+
steps no-op until their repos+tokens exist.
47+
- [ ] **Homebrew tap** — create the public repo `nixrajput/homebrew-siphon`, mint
48+
a PAT with `repo` scope on it, and add it as the `HOMEBREW_TAP_GITHUB_TOKEN`
49+
secret on this repo. Then `brew install nixrajput/siphon/siphon` works.
50+
- [ ] **Scoop bucket** — create `nixrajput/scoop-siphon`, add a PAT as
51+
`SCOOP_TAP_GITHUB_TOKEN`.
52+
- [ ] **Actions permissions** — ensure the repo's Actions can use
53+
`contents: write` + `id-token: write` (already requested in the workflow;
54+
org settings may need to allow it).
55+
- [ ] **Vercel** — the steps above, to publish this site.

0 commit comments

Comments
 (0)