feat(release): v0.11.0 — multi-platform npm distribution

Ship Linux x64 and macOS Apple Silicon native binaries alongside Windows
via esbuild-style optionalDependencies. The meta-package @ytsuda/ripple
carries bin/cli.mjs (a Node launcher that resolves the platform-matched
subpackage and spawns its native binary with stdio inherited + signal
forwarding) and optionalDependencies pinning @ytsuda/ripple-{win32-x64,
linux-x64,darwin-arm64}. npm's os/cpu filters mean only the matching
subpackage is downloaded per install.

Workflow reshaped into a two-job matrix: build on {windows-latest,
ubuntu-latest, macos-latest} with dotnet publish -r matching the RID,
runs --test suite as runtime gate, uploads artifact; publish on
ubuntu-latest (environment: release) downloads all three, Authenticode-
signs the Windows binary via AzureSignTool (cross-platform on Linux),
publishes subpackages sequentially then meta, attaches all three
binaries to the GitHub Release.

Version cross-check now verifies five fields: csproj <Version>, meta
package.json, and each of three platform subpackages — any mismatch
aborts publish fast. *.mjs added to .gitattributes (eol=lf) so the
Node shebang stays LF-terminated for Linux/macOS consumers.

Author: yotsuda

.gitattributes

@@ -27,6 +27,7 @@
 # should be stable across platforms).
 *.py          text eol=lf
 *.js          text eol=lf
+*.mjs         text eol=lf
 *.bash        text eol=lf
 *.zsh         text eol=lf
 *.sh          text eol=lf

.github/workflows/release.yml

@@ -3,14 +3,14 @@ name: Release
 # Triggered only by tag pushes matching v*. The release environment's
 # deployment_branch_policy further restricts execution to tag refs
 # matching v*; subscribed environment reviewers must approve before
-# the publish job runs.
+# the publish job runs. Build jobs do NOT require approval (they
+# produce unsigned artifacts that are useless without the publish
+# step's signing + npm push), so review friction is one-time.
 on:
   push:
     tags:
       - 'v*'
 
-# Concurrency: serialize releases so a quick double-tag doesn't race
-# two npm publish jobs against each other.
 concurrency:
   group: release-${{ github.ref }}
   cancel-in-progress: false
@@ -20,16 +20,72 @@ permissions:
   id-token: write       # OIDC for Azure + npm provenance
 
 jobs:
-  release:
-    name: Build, sign, and publish
-    runs-on: windows-latest
-    environment: release   # gates: required reviewers + tag-only deploy policy + NPM_TOKEN secret scope
+  build:
+    name: Build ${{ matrix.rid }}
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          - rid: win-x64
+            runner: windows-latest
+            platform: win32-x64
+            exe: ripple.exe
+          - rid: linux-x64
+            runner: ubuntu-latest
+            platform: linux-x64
+            exe: ripple
+          - rid: osx-arm64
+            runner: macos-latest
+            platform: darwin-arm64
+            exe: ripple
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+
+      - name: Setup .NET 9
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '9.0.x'
+
+      - name: dotnet restore
+        run: dotnet restore ripple.csproj -r ${{ matrix.rid }}
+
+      - name: dotnet publish (NativeAOT)
+        run: dotnet publish ripple.csproj -c Release -r ${{ matrix.rid }} -o dist --no-restore
+
+      # Run the full --test suite on the produced binary. This is the
+      # real gate — a build that compiles but breaks at runtime on
+      # this platform should not be published. No special
+      # adapter-test setup; the tests that exercise cross-cutting
+      # concerns (capture, render, OSC parsing, etc.) don't need
+      # external shells / REPLs to be installed.
+      - name: Run unit tests
+        shell: bash
+        run: |
+          chmod +x "dist/${{ matrix.exe }}" || true
+          "./dist/${{ matrix.exe }}" --test
+
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@v4
         with:
-          fetch-depth: 0   # tags + history for changelog/notes extraction
+          name: ripple-${{ matrix.platform }}
+          path: dist/${{ matrix.exe }}
+          if-no-files-found: error
+          retention-days: 7
+
+  publish:
+    name: Sign, publish, release
+    needs: build
+    runs-on: ubuntu-latest
+    environment: release   # required-reviewer gate + NPM_TOKEN scope
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Setup .NET 9
         uses: actions/setup-dotnet@v4
@@ -42,143 +98,131 @@ jobs:
           node-version: '20'
           registry-url: 'https://registry.npmjs.org'
 
-      # Restore the AOT compiler workload + project deps so the publish
-      # step pulls only from the local nuget cache (no network surprise).
-      - name: dotnet restore
-        run: dotnet restore ripple.csproj -r win-x64
-
-      # NativeAOT publish — produces dist\ripple.exe identical (modulo
-      # signature) to what Build.ps1 produces locally.
-      - name: dotnet publish (NativeAOT, win-x64)
-        run: dotnet publish ripple.csproj -c Release -r win-x64 -o dist --no-restore
-
-      # Tests run against the framework-dependent build under
-      # bin/Release; --tests in NativeAOT mode is unsupported, so this
-      # is a sanity gate using the regular dotnet build.
-      - name: Run unit tests
-        shell: pwsh
+      - name: Verify tag matches all version fields
+        shell: bash
         run: |
-          dotnet build -c Release --nologo
-          .\bin\Release\net9.0\ripple.exe --test
-          if ($LASTEXITCODE -ne 0) { throw "ripple --test failed (exit $LASTEXITCODE)" }
+          set -euo pipefail
+          tag='${{ github.ref_name }}'
+          version="${tag#v}"
+          csproj_version=$(grep -oE '<Version>[^<]+</Version>' ripple.csproj | head -n1 | sed -E 's/<Version>([^<]+)<\/Version>/\1/')
+          meta_version=$(node -p "require('./npm/package.json').version")
+          echo "Tag:     $version"
+          echo "csproj:  $csproj_version"
+          echo "meta:    $meta_version"
+          [[ "$version" == "$csproj_version" ]] || { echo "csproj version mismatch" >&2; exit 1; }
+          [[ "$version" == "$meta_version" ]]   || { echo "meta package.json version mismatch" >&2; exit 1; }
+          for plat in win32-x64 linux-x64 darwin-arm64; do
+            pv=$(node -p "require('./npm/platforms/${plat}/package.json').version")
+            echo "$plat: $pv"
+            [[ "$version" == "$pv" ]] || { echo "$plat subpackage version mismatch" >&2; exit 1; }
+          done
+
+      - name: Download all platform binaries
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
 
-      - name: Verify tag matches csproj version
-        shell: pwsh
+      - name: Place binaries into subpackages + fix executable bits
+        shell: bash
         run: |
-          $tagVersion = '${{ github.ref_name }}'.TrimStart('v')
-          $csprojVersion = ([xml](Get-Content ripple.csproj)).Project.PropertyGroup.Version | Where-Object { $_ } | Select-Object -First 1
-          $npmVersion = (Get-Content npm/package.json | ConvertFrom-Json).version
-          "Tag:     $tagVersion"
-          "csproj:  $csprojVersion"
-          "package: $npmVersion"
-          if ($tagVersion -ne $csprojVersion) { throw "Tag $tagVersion does not match csproj <Version> $csprojVersion" }
-          if ($tagVersion -ne $npmVersion)    { throw "Tag $tagVersion does not match npm package version $npmVersion" }
-
-      # OIDC login to Azure — no client secret. The federated credential
-      # on the gha-ripple-signing app trusts repo:yotsuda/ripple:environment:release.
+          set -euo pipefail
+          cp artifacts/ripple-win32-x64/ripple.exe    npm/platforms/win32-x64/bin/ripple.exe
+          cp artifacts/ripple-linux-x64/ripple        npm/platforms/linux-x64/bin/ripple
+          cp artifacts/ripple-darwin-arm64/ripple     npm/platforms/darwin-arm64/bin/ripple
+          chmod +x npm/platforms/linux-x64/bin/ripple
+          chmod +x npm/platforms/darwin-arm64/bin/ripple
+          # Remove placeholder .gitkeep files so they don't ship in the tarball.
+          rm -f npm/platforms/*/bin/.gitkeep
+          ls -la npm/platforms/*/bin/
+
       - name: Azure OIDC login
         uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      # AzureSignTool fetches the signing cert from Azure Key Vault and
-      # signs in-process. Uses the action's bundled Azure auth from the
-      # azure/login step above (the Az CLI / Az PowerShell context that
-      # azure/login establishes is consumed transparently).
       - name: Install AzureSignTool
-        shell: pwsh
         run: dotnet tool install --global AzureSignTool
 
-      # Sign dist\ripple.exe with the cert in Key Vault.
-      # `--azure-key-vault-managed-identity` would use the IMDS-backed
-      # ManagedIdentityCredential, which is wrong for our OIDC
-      # federated credential. Instead, fetch a Key Vault access token
-      # via the Azure CLI session that azure/login established, then
-      # hand it to AzureSignTool with --azure-key-vault-accesstoken.
-      # The token never leaves this step's PowerShell process.
-      - name: Sign dist\ripple.exe with Azure Key Vault
-        shell: pwsh
+      # AzureSignTool is a cross-platform .NET tool; Authenticode
+      # signing works from Linux as long as we have the Key Vault
+      # access token. If this step ever starts failing, fall back to
+      # a dedicated windows-latest signing job that uploads a signed
+      # artifact for this job to consume.
+      - name: Sign Windows binary via Azure Key Vault
         env:
           AZURE_KV_URL: ${{ vars.KEY_VAULT_URL }}
           AZURE_KV_CERT: ${{ vars.SIGNING_CERT_NAME }}
+          EXPECTED_THUMBPRINT: '74E5208228DFB12A067747D536BF497B6E98C73C'
+        shell: bash
         run: |
-          $tokenObj = az account get-access-token --resource https://vault.azure.net | ConvertFrom-Json
-          if (-not $tokenObj.accessToken) { throw "Failed to acquire Key Vault access token" }
-          AzureSignTool sign `
-            --azure-key-vault-url $env:AZURE_KV_URL `
-            --azure-key-vault-certificate $env:AZURE_KV_CERT `
-            --azure-key-vault-accesstoken $tokenObj.accessToken `
-            --file-digest sha256 `
-            --timestamp-rfc3161 'http://timestamp.digicert.com' `
-            --description 'ripple - declarative shell adapter framework' `
-            --description-url 'https://github.com/yotsuda/ripple' `
-            'dist\ripple.exe'
-          if ($LASTEXITCODE -ne 0) { throw "AzureSignTool failed (exit $LASTEXITCODE)" }
-          # Verify the signature landed. Get-AuthenticodeSignature's
-          # Status reports UnknownError for self-signed certs because
-          # the GHA runner's machine trust store doesn't contain the
-          # yotsuda root — the chain build fails even though the
-          # signature itself is cryptographically valid. Verify by
-          # thumbprint match against the expected yotsuda cert
-          # instead; that's the actual question we care about
-          # ("was the binary signed with our cert?"), independent of
-          # whether the runner's OS happens to trust the root.
-          $sig = Get-AuthenticodeSignature 'dist\ripple.exe'
-          if (-not $sig.SignerCertificate) { throw "No signature on dist\ripple.exe" }
-          $expectedThumb = '74E5208228DFB12A067747D536BF497B6E98C73C'
-          if ($sig.SignerCertificate.Thumbprint -ne $expectedThumb) {
-              throw "Wrong cert thumbprint: got $($sig.SignerCertificate.Thumbprint), expected $expectedThumb"
-          }
-          "Signed: $($sig.SignerCertificate.Subject) | thumb=$($sig.SignerCertificate.Thumbprint) | runner-status=$($sig.Status)"
-
-      # Mirror to npm/dist so the npm publish step packages the signed
-      # binary, matching Build.ps1's local layout.
-      - name: Mirror signed binary to npm/dist
-        shell: pwsh
+          set -euo pipefail
+          token=$(az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv)
+          [[ -n "$token" ]] || { echo "Failed to acquire Key Vault access token" >&2; exit 1; }
+          AzureSignTool sign \
+            --azure-key-vault-url "$AZURE_KV_URL" \
+            --azure-key-vault-certificate "$AZURE_KV_CERT" \
+            --azure-key-vault-accesstoken "$token" \
+            --file-digest sha256 \
+            --timestamp-rfc3161 'http://timestamp.digicert.com' \
+            --description 'ripple - declarative shell adapter framework' \
+            --description-url 'https://github.com/yotsuda/ripple' \
+            npm/platforms/win32-x64/bin/ripple.exe
+
+      # Publish subpackages BEFORE meta. Meta's optionalDependencies
+      # reference these exact versions; if meta published first and a
+      # subpackage publish later failed, users installing the meta
+      # would see missing optional deps and degraded UX. Sequential
+      # ordering also lets a failure halt before meta is published
+      # (avoids broken meta pointing at a missing subpackage).
+      - name: Publish subpackages with provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        shell: bash
         run: |
-          New-Item -ItemType Directory -Force -Path npm\dist | Out-Null
-          Copy-Item dist\ripple.exe npm\dist\ripple.exe -Force
-          $size = [Math]::Round((Get-Item npm\dist\ripple.exe).Length / 1MB, 2)
-          "Mirrored to npm\dist\ripple.exe ($size MB)"
-
-      # Publish with provenance. --provenance + id-token: write +
-      # GitHub-hosted runner = npm records the SLSA build attestation
-      # linking @ytsuda/ripple@VERSION to this exact workflow run.
-      - name: npm publish (with provenance)
-        shell: pwsh
-        working-directory: npm
+          set -euo pipefail
+          for plat in win32-x64 linux-x64 darwin-arm64; do
+            echo "=== publishing @ytsuda/ripple-${plat} ==="
+            (cd "npm/platforms/${plat}" && npm publish --access public --provenance)
+          done
+
+      - name: Publish meta package with provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        shell: bash
         run: |
+          set -euo pipefail
+          cd npm
           npm publish --access public --provenance
-          if ($LASTEXITCODE -ne 0) { throw "npm publish failed (exit $LASTEXITCODE)" }
 
-      # Extract the section for this version from CHANGELOG.md so the
-      # GitHub Release body matches exactly what's in the repo.
       - name: Extract changelog entry
-        id: changelog
-        shell: pwsh
+        shell: bash
         run: |
-          $version = '${{ github.ref_name }}'.TrimStart('v')
-          $lines = Get-Content CHANGELOG.md
-          $startPattern = "^##\s+\[$([regex]::Escape($version))\]"
-          $startIdx = ($lines | Select-String -Pattern $startPattern | Select-Object -First 1).LineNumber
-          if (-not $startIdx) { throw "No CHANGELOG section for v$version" }
-          # Find the next "## [" heading; section ends one line above.
-          $endMatch = $lines | Select-Object -Skip $startIdx | Select-String -Pattern '^##\s+\[' | Select-Object -First 1
-          $endIdx = if ($endMatch) { $startIdx + $endMatch.LineNumber - 1 } else { $lines.Count }
-          $section = $lines[($startIdx)..($endIdx - 1)] -join "`n"
-          $section | Set-Content release-notes.md -NoNewline
-          "Extracted $($endIdx - $startIdx) lines for v$version"
+          set -euo pipefail
+          version='${{ github.ref_name }}'
+          version="${version#v}"
+          awk -v v="$version" '
+            /^## +\[/ {
+              if (capture) exit
+              if ($0 ~ "^## +\\[" v "\\]") { capture = 1; next }
+            }
+            capture { print }
+          ' CHANGELOG.md > release-notes.md
+          if [[ ! -s release-notes.md ]]; then
+            echo "No CHANGELOG section for v$version" >&2
+            exit 1
+          fi
+          wc -l release-notes.md
 
       - name: Create GitHub Release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh release create ${{ github.ref_name }} `
-            --title "ripple ${{ github.ref_name }}" `
-            --notes-file release-notes.md `
-            --verify-tag `
-            dist\ripple.exe
+          gh release create '${{ github.ref_name }}' \
+            --title "ripple ${{ github.ref_name }}" \
+            --notes-file release-notes.md \
+            --verify-tag \
+            'npm/platforms/win32-x64/bin/ripple.exe#ripple-${{ github.ref_name }}-win32-x64.exe' \
+            'npm/platforms/linux-x64/bin/ripple#ripple-${{ github.ref_name }}-linux-x64' \
+            'npm/platforms/darwin-arm64/bin/ripple#ripple-${{ github.ref_name }}-darwin-arm64'