release.yml

name: Release SAME Binary

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: write
  id-token: write

jobs:
  build:
    strategy:
      matrix:
        include:
          - os: macos-latest
            goos: darwin
            goarch: arm64
            suffix: darwin-arm64
            cc: ""
          # darwin-amd64 removed - Intel Macs rare, no free CI runner
          - os: ubuntu-latest
            goos: linux
            goarch: amd64
            suffix: linux-amd64
            cc: ""
          - os: ubuntu-24.04-arm
            goos: linux
            goarch: arm64
            suffix: linux-arm64
            cc: ""
          - os: ubuntu-latest
            goos: windows
            goarch: amd64
            suffix: windows-amd64.exe
            cc: zig
            zig_target: x86_64-windows-gnu
          - os: ubuntu-latest
            goos: windows
            goarch: arm64
            suffix: windows-arm64.exe
            cc: zig
            zig_target: aarch64-windows-gnu
    runs-on: ${{ matrix.os }}

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
        with:
          go-version: '1.25'
          cache-dependency-path: go.sum

      - name: Install zig (Windows cross-compile)
        if: matrix.cc == 'zig'
        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
        with:
          version: 0.13.0

      - name: Run tests
        if: matrix.goos == 'darwin' && matrix.goarch == 'arm64'
        env:
          CGO_ENABLED: '1'
        run: go test ./... -v -count=1

      - name: Build (native)
        if: matrix.cc == ''
        env:
          CGO_ENABLED: '1'
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
        run: |
          go build -ldflags "-s -w -X main.Version=${{ github.ref_name }}" \
            -o build/same-${{ matrix.suffix }} ./cmd/same

      - name: Build (zig cross-compile)
        if: matrix.cc == 'zig'
        env:
          CGO_ENABLED: '1'
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
          CC: "zig cc -target ${{ matrix.zig_target }}"
          CXX: "zig c++ -target ${{ matrix.zig_target }}"
          CGO_CFLAGS: "-I${{ github.workspace }}/cgo-headers -fno-sanitize=undefined"
        run: |
          go build -ldflags "-s -w -X main.Version=${{ github.ref_name }}" \
            -o build/same-${{ matrix.suffix }} ./cmd/same

      - name: Upload artifact
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: same-${{ matrix.suffix }}
          path: build/same-${{ matrix.suffix }}

  release:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          path: artifacts

      - name: Generate SHA256 checksums
        run: |
          cd artifacts
          sha256sum \
            same-darwin-arm64/same-darwin-arm64 \
            same-linux-amd64/same-linux-amd64 \
            same-linux-arm64/same-linux-arm64 \
            same-windows-amd64.exe/same-windows-amd64.exe \
            same-windows-arm64.exe/same-windows-arm64.exe \
            | sed 's|[^ ]*/||' > sha256sums.txt

      - name: Create GitHub Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
        with:
          generate_release_notes: true
          files: |
            artifacts/same-darwin-arm64/same-darwin-arm64
            artifacts/same-linux-amd64/same-linux-amd64
            artifacts/same-linux-arm64/same-linux-arm64
            artifacts/same-windows-amd64.exe/same-windows-amd64.exe
            artifacts/same-windows-arm64.exe/same-windows-arm64.exe
            artifacts/sha256sums.txt

  npm-publish:
    needs: release
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'

      - name: Verify version match
        run: |
          MAKE_VERSION=$(grep '^VERSION' Makefile | head -1 | awk '{print $NF}')
          NPM_VERSION=$(node -p "require('./npm/package.json').version")
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          if [ "$MAKE_VERSION" != "$NPM_VERSION" ]; then
            echo "Version mismatch: Makefile=$MAKE_VERSION npm=$NPM_VERSION"
            exit 1
          fi
          if [ "$TAG_VERSION" != "$NPM_VERSION" ]; then
            echo "Tag version $TAG_VERSION does not match npm version $NPM_VERSION"
            exit 1
          fi
          echo "Version match: $MAKE_VERSION (tag: $GITHUB_REF_NAME)"

      - name: Publish to npm
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        working-directory: npm
        run: |
          PKG_NAME=$(node -p "require('./package.json').name")
          PKG_VER=$(node -p "require('./package.json').version")
          if npm view "${PKG_NAME}@${PKG_VER}" version 2>/dev/null; then
            echo "::notice::Version ${PKG_VER} already published to npm — skipping"
            exit 0
          fi
          # Attempt publish; handle expected failures gracefully (e.g., npm org
          # not yet created, 2FA required, token permissions).
          if npm publish --access public 2>&1; then
            echo "::notice::Published ${PKG_NAME}@${PKG_VER} to npm"
          else
            echo "::warning::npm publish failed — this is non-blocking. Publish manually: cd npm && npm publish --access public --auth-type=web"
            exit 0
          fi

  mcp-registry-publish:
    needs: npm-publish
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Sync server.json version with tag
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          jq --arg v "$VERSION" '
            .version = $v |
            .packages[0].version = $v
          ' server.json > server.tmp && mv server.tmp server.json
          echo "Updated server.json to version $VERSION"
          cat server.json

      - name: Validate server.json against MCP schema
        run: |
          npm install -g ajv-cli ajv-formats
          curl -sL "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json" -o /tmp/server.schema.json
          ajv validate -s /tmp/server.schema.json -d server.json --strict=false
          echo "✓ server.json is valid"

      - name: Install mcp-publisher
        run: |
          curl -L "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz" | tar xz mcp-publisher

      - name: Authenticate to MCP Registry
        run: ./mcp-publisher login github-oidc

      - name: Publish to MCP Registry
        run: |
          if ./mcp-publisher publish 2>&1; then
            echo "::notice::Published to MCP Registry"
          else
            echo "::warning::MCP Registry publish failed — this is non-blocking. Publish manually with: mcp-publisher login github && mcp-publisher publish"
            exit 0
          fi