release-node.yml
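name: release-node

# Triggered on every `v*.*.*` tag pushed to this repo. Stages the
# per-platform `aasm` binaries from agent-assembly's matching GitHub
# Release, bumps the version across the 5 packages in this workspace
# (1 SDK + 4 runtime sub-packages), then publishes them to npm in the
# correct order so the main `@agent-assembly/sdk`'s optionalDependencies
# resolve to existing npm versions.
#
# `workflow_dispatch` lets an operator re-run the publish for an
# already-pushed tag (e.g. after fixing a partial-publish failure)
# without having to re-cut the tag.
#
# Issue: AAASM-1222 (sub-task of AAASM-1203 / F113)
# Companion: AAASM-1200 (the agent-assembly release workflow that
# produces the aasm-{rust-target}.tar.gz assets consumed here)
on:
  push:
    tags:
      - "v*.*.*"
  workflow_dispatch:
    inputs:
      release_tag:
        description: "agent-assembly release tag to consume (e.g. v0.0.1). Required for manual dispatch."
        required: true
        type: string

# Workflow-wide token scope. `contents: read` is enough for checkout;
# `id-token: write` lets the job mint an OIDC token.
permissions:
  contents: read
  id-token: write  # npm OIDC Trusted Publishing + SLSA provenance

jobs:
  publish:
    name: Publish @agent-assembly/sdk + 4 runtime sub-packages to npm
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to full commit SHAs. The trailing
      # version comments are informational only.
      # NOTE(review): confirm each version comment matches its pinned SHA.
      #
      # NOTE(review): no `ref:` is given, so a manual dispatch checks out
      # the ref the run was started from, which is not necessarily
      # `release_tag`. Confirm operators dispatch from the tag itself.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
        with:
          # No later step needs git credentials (gh uses GH_TOKEN and
          # publish runs with --no-git-checks), so keep the token out of
          # .git/config where install and build scripts could read it.
          persist-credentials: false
      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          version: "10.33.2"
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "22"
          registry-url: "https://registry.npmjs.org"
          cache: pnpm
      - run: pnpm install --frozen-lockfile

      # Picks the tag from the dispatch input or the pushed ref, validates
      # it, and exposes `tag` and `version` (tag without the leading `v`)
      # as step outputs.
      - name: Resolve release tag
        id: tag
        env:
          # Event data reaches the script through env vars, never through
          # expression interpolation into the script text.
          EVENT_NAME: ${{ github.event_name }}
          DISPATCH_TAG: ${{ inputs.release_tag }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
            tag="$DISPATCH_TAG"
          else
            tag="$REF_NAME"
          fi
          # Anchored at both ends: the value is appended to GITHUB_OUTPUT
          # and later written into package.json, so trailing characters
          # (including newlines) after the version must be rejected.
          semver_re='^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
          if [[ ! "$tag" =~ $semver_re ]]; then
            echo "::error::tag '$tag' does not match v*.*.* (semver) pattern"
            exit 1
          fi
          echo "tag=${tag}" >> "$GITHUB_OUTPUT"
          echo "version=${tag#v}" >> "$GITHUB_OUTPUT"
          echo "Resolved tag=${tag} version=${tag#v}"

      # NOTE(review): the archives are used exactly as downloaded; nothing
      # in this workflow checks a checksum, signature or attestation
      # before they are re-published to npm. If the upstream release
      # publishes checksums or build attestations, verify them here.
      - name: Download aasm binaries from agent-assembly release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ steps.tag.outputs.tag }}
        run: |
          set -euo pipefail
          mkdir -p bin-staging
          # Cross-repo race: release-node fires on the same tag-push event as
          # agent-assembly's Release workflow, in parallel. agent-assembly takes
          # ~10 min to build + publish the binaries we depend on. Retry up to
          # 20 times × 60s = 20 min ceiling waiting for the Release object.
          # AAASM-2328.
          MAX_ATTEMPTS=20
          for attempt in $(seq 1 $MAX_ATTEMPTS); do
            # pipefail makes the `if` see gh's exit status, not tee's.
            if gh release download "$RELEASE_TAG" \
              --repo AI-agent-assembly/agent-assembly \
              --pattern "aasm-*.tar.gz" \
              --dir bin-staging 2>&1 | tee /tmp/gh-rd.log; then
              echo "✓ Downloaded on attempt ${attempt}/${MAX_ATTEMPTS}"
              break
            fi
            # Distinguish 'release not found' (race — retry) from other errors (fail-fast)
            # NOTE(review): this depends on gh's exact error wording.
            if ! grep -q 'release not found' /tmp/gh-rd.log; then
              echo "::error::gh release download failed with non-race error — aborting retry"
              exit 1
            fi
            if [ "$attempt" -eq "$MAX_ATTEMPTS" ]; then
              # RELEASE_TAG already carries the leading `v`.
              echo "::error::Release ${RELEASE_TAG} never appeared after $((MAX_ATTEMPTS * 60))s — agent-assembly Release pipeline likely failed"
              exit 1
            fi
            echo "Attempt ${attempt}/${MAX_ATTEMPTS}: release not yet published, sleeping 60s..."
            sleep 60
          done
          ls -la bin-staging/

      - name: Stage runtime binaries into runtime-* sub-packages
        run: |
          set -euo pipefail
          # Map Rust target triples to the matching node-sdk runtime
          # sub-package (per AAASM-1220's package layout).
          declare -A MAP=(
            ["x86_64-unknown-linux-gnu"]="runtime-linux-x64"
            ["aarch64-unknown-linux-gnu"]="runtime-linux-arm64"
            ["x86_64-apple-darwin"]="runtime-darwin-x64"
            ["aarch64-apple-darwin"]="runtime-darwin-arm64"
          )
          for target in "${!MAP[@]}"; do
            pkg="${MAP[$target]}"
            archive="bin-staging/aasm-${target}.tar.gz"
            if [[ ! -f "$archive" ]]; then
              echo "::error::missing release asset $archive"
              exit 1
            fi
            tar -xzf "$archive" -C "packages/${pkg}/bin/"
            bin="packages/${pkg}/bin/aasm"
            # The archive comes from another repository's release, so
            # require a regular file (not a symlink) at the expected path
            # before marking it executable and shipping it.
            if [[ ! -f "$bin" || -L "$bin" ]]; then
              echo "::error::$archive did not yield a regular file at $bin"
              exit 1
            fi
            chmod +x "$bin"
            echo "staged ${pkg}/bin/aasm <- ${target}"
          done
          # Strip the AAASM-1220 .gitkeep placeholders so they don't end
          # up in the published tarball alongside the real binary.
          rm -f packages/*/bin/.gitkeep

      # Writes the resolved version into the root package.json and the
      # four runtime package.json files, and pins every
      # `@agent-assembly/runtime-*` optionalDependency to that version.
      - name: Bump versions across the 5 packages
        env:
          VERSION: ${{ steps.tag.outputs.version }}
        run: |
          set -euo pipefail
          node <<'NODE'
          const fs = require("node:fs");
          const version = process.env.VERSION;
          const files = [
            "package.json",
            "packages/runtime-linux-x64/package.json",
            "packages/runtime-linux-arm64/package.json",
            "packages/runtime-darwin-x64/package.json",
            "packages/runtime-darwin-arm64/package.json",
          ];
          for (const file of files) {
            const pkg = JSON.parse(fs.readFileSync(file, "utf8"));
            pkg.version = version;
            if (pkg.optionalDependencies) {
              for (const dep of Object.keys(pkg.optionalDependencies)) {
                if (dep.startsWith("@agent-assembly/runtime-")) {
                  pkg.optionalDependencies[dep] = version;
                }
              }
            }
            fs.writeFileSync(file, JSON.stringify(pkg, null, 2) + "\n");
            console.log(`bumped ${file} -> ${version}`);
          }
          NODE

      - name: Build main SDK (ESM + CJS)
        run: pnpm build

      # Publish the 4 runtime sub-packages first. The main SDK's
      # optionalDependencies (declared under AAASM-1221) point at the
      # `@agent-assembly/runtime-*` versions we're publishing here;
      # publishing them out of order would mean the main SDK install
      # phase produces "no matching version" warnings during the brief
      # window before all sub-packages land on the registry.
      #
      # NOTE(review): the job holds `id-token: write` and also a
      # long-lived NPM_TOKEN. If npm Trusted Publishing is configured for
      # these packages, confirm whether the token is still needed.
      - name: Publish 4 runtime sub-packages
        env:
          NPM_CONFIG_PROVENANCE: "true"
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          set -euo pipefail
          VERSION=$(node -p "require('./package.json').version")
          # Derive the npm dist-tag from the SemVer pre-release identifier.
          # 0.0.1-alpha.1 → --tag alpha, 0.0.1-rc.1 → --tag rc, 0.0.1 → (empty, defaults to @latest)
          if [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-([a-zA-Z]+) ]]; then
            DIST_TAG="--tag ${BASH_REMATCH[1]}"
          else
            DIST_TAG=""
          fi
          echo "Publishing runtime sub-packages at version=$VERSION dist-tag arg='$DIST_TAG'"
          for pkg in runtime-linux-x64 runtime-linux-arm64 runtime-darwin-x64 runtime-darwin-arm64; do
            echo "::group::publish @agent-assembly/${pkg}"
            # DIST_TAG is left unquoted on purpose so it splits into two
            # arguments; the capture group only admits ASCII letters.
            # shellcheck disable=SC2086
            pnpm publish --access public --no-git-checks $DIST_TAG "packages/${pkg}"
            echo "::endgroup::"
          done

      - name: Publish main @agent-assembly/sdk
        env:
          NPM_CONFIG_PROVENANCE: "true"
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          # Same strict mode as every other script step in this job.
          set -euo pipefail
          VERSION=$(node -p "require('./package.json').version")
          # Derive the npm dist-tag from the SemVer pre-release identifier.
          # 0.0.1-alpha.1 → --tag alpha, 0.0.1-rc.1 → --tag rc, 0.0.1 → (empty, defaults to @latest)
          if [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-([a-zA-Z]+) ]]; then
            DIST_TAG="--tag ${BASH_REMATCH[1]}"
          else
            DIST_TAG=""
          fi
          echo "Publishing main SDK at version=$VERSION dist-tag arg='$DIST_TAG'"
          # shellcheck disable=SC2086
          pnpm publish --access public --no-git-checks $DIST_TAG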