diff --git a/.github/workflows/beam.release.yml b/.github/workflows/beam.release.yml index 6e09886..367a5e2 100644 --- a/.github/workflows/beam.release.yml +++ b/.github/workflows/beam.release.yml @@ -51,9 +51,11 @@ jobs: is_prerelease=false fi - echo "version=${version}" >> "$GITHUB_OUTPUT" - echo "tag=${tag}" >> "$GITHUB_OUTPUT" - echo "is_prerelease=${is_prerelease}" >> "$GITHUB_OUTPUT" + { + echo "version=${version}" + echo "tag=${tag}" + echo "is_prerelease=${is_prerelease}" + } >> "$GITHUB_OUTPUT" # Beam release tags are immutable: never rebuild or republish an existing version. if git ls-remote --exit-code --tags origin "refs/tags/${tag}" >/dev/null 2>&1; then @@ -121,7 +123,10 @@ jobs: run: rustup show - name: Build beam release binary - run: cargo build --release --locked -p beam-cli --bin beam --target ${{ matrix.target }} + run: > + cargo build --release --locked -p beam-cli --bin beam + --features payy-evm-client/bb-bindings + --target ${{ matrix.target }} - name: Package release asset shell: bash diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 88db2d7..bf36bbf 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -250,7 +250,7 @@ jobs: --locked \ --workspace --all-targets \ --feature-powerset \ - --exclude-features bb_rs,bb_utxo,bb-bindings + --exclude-features bb_rs,bb_utxo,bb-bindings,release-bundled-bb - name: Verify rust-i18n translations run: cargo i18n diff --git a/pkg/beam-cli/Cargo.toml b/pkg/beam-cli/Cargo.toml index a54014e..49cbec7 100644 --- a/pkg/beam-cli/Cargo.toml +++ b/pkg/beam-cli/Cargo.toml @@ -47,3 +47,7 @@ workspace-hack.workspace = true insta = { workspace = true } mockito = { workspace = true } serial_test = { workspace = true } + +[features] +default = ["privacy-bb-cli"] +privacy-bb-cli = ["payy-evm-client/bb-cli"] diff --git a/pkg/beam-cli/README.md b/pkg/beam-cli/README.md index 458e78e..7f1b0e1 100644 --- a/pkg/beam-cli/README.md +++ b/pkg/beam-cli/README.md 
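Review bot: In .github/workflows/beam.release.yml (hunk at -51,9), the tag-immutability check just below the regrouped `GITHUB_OUTPUT` writes treats every non-zero status from `git ls-remote --exit-code` as "tag absent", and `>/dev/null 2>&1` discards the reason. `--exit-code` returns 2 when no ref matches, but an authentication or network failure is also non-zero, so a failed lookup would presumably fall through to the publish path instead of stopping the job. Capture the status and fail on anything other than 0 or 2, for example `rc=0; git ls-remote --exit-code --tags origin "refs/tags/${tag}" >/dev/null || rc=$?` followed by `if [ "$rc" -ne 0 ] && [ "$rc" -ne 2 ]; then exit "$rc"; fi`. The body of the `if` lies outside the hunk, so the fall-through behaviour is inferred.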
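Review bot: The release build in .github/workflows/beam.release.yml (hunk at -121,7) adds `--features payy-evm-client/bb-bindings` without `--no-default-features`, so the new `default = ["privacy-bb-cli"]` in pkg/beam-cli/Cargo.toml keeps `payy-evm-client/bb-cli` enabled and the published binary is compiled with both backends. Which backend is used when both features are on is decided inside payy-evm-client, which this diff does not show. If the CLI backend takes precedence, the release binary would still run whatever `bb` executable it resolves locally, contrary to the README paragraph added in this commit. Either build with `--no-default-features --features payy-evm-client/bb-bindings`, or, if the combination is intended, record the precedence in a comment above the `[features]` table in pkg/beam-cli/Cargo.toml.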
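Review bot: In .github/workflows/test.yml (hunk at -250,7), `bb-bindings` and now `release-bundled-bb` are both excluded from the `--feature-powerset` run, so nothing visible in this diff compiles or tests the feature set that beam.release.yml ships; the README only adds a manual `cargo check`. If no other job covers it (the rest of test.yml is outside the hunk), add a step such as `cargo test --locked -p beam-cli --features payy-evm-client/bb-bindings` so the release configuration is exercised before a tag is cut. `release-bundled-bb` is not declared in the Cargo.toml hunk of this commit, so confirm that the name matches the feature in the crate that owns it, since a misspelt entry would exclude nothing.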
@@ -11,13 +11,13 @@ The defaults and chain presets are tuned for Payy workflows. Install the latest public release: ```bash -curl -L https://beam.payy.network | bash +curl -L https://install.beam.payy.network | bash ``` Install a specific version: ```bash -curl -L https://beam.payy.network | bash -s -- 0.1.0 +curl -L https://install.beam.payy.network | bash -s -- 0.1.0 ``` The installer downloads the correct binary for: @@ -30,6 +30,10 @@ Before installing, the script selects the newest stable release that includes th platform asset with a valid GitHub Release SHA-256 digest, then verifies the downloaded binary against that digest and aborts on any mismatch. +Release binaries are built with the bundled Barretenberg bindings backend, so privacy +operations do not require a local `bb` executable. Local development builds keep using the +`bb` CLI backend by default. + Local development install: ```bash 
@@ -649,23 +653,39 @@ The release workflow only publishes a given `beam-v` tag once. If that exists, reruns skip publication rather than replacing assets, so cut a new Beam version before triggering another public release. -## Serving `beam.payy.network` +### Release Control + +Beam release versions are prepared in the source `polybase/zk-rollup` repository with +release-plz. The `.github/workflows/beam.release-plz.yml` workflow opens a release PR for +`pkg/beam-cli`, updates the crate version and `Cargo.lock`, and tags the merged release PR +as `beam-source-v` in the source repository. The source tag prefix is deliberately +different from public `beam-v` tags so that mirrored source tags cannot make the +public release workflow think a user-facing Beam release already exists. + +release-plz is configured in git-only mode because `beam-cli` is a binary that is not +published to crates.io. It intentionally does not create GitHub Releases; the public +`polybase/payy` action owns the user-facing release. After Copybara mirrors the version +change into `polybase/payy`, `.github/workflows/beam.release.yml` builds the platform +binaries and publishes the public `beam-v` GitHub Release assets that the +installer and `beam update` consume. + +## Serving `install.beam.payy.network` -`beam.payy.network` should serve `scripts/install-beam.sh` as the public installer entrypoint. +`install.beam.payy.network` should serve `scripts/install-beam.sh` as the public installer entrypoint. One straightforward setup is: 1. Publish `scripts/install-beam.sh` to a static host such as GitHub Pages. 2. Configure the host to serve the script at `/`. -3. Point the `beam.payy.network` DNS record at that static host. +3. Point the `install.beam.payy.network` DNS record at that static host. 4. Keep the script in sync with the current public GitHub Releases asset naming scheme. 
The release workflow lives in the internal repo but is mirrored into `polybase/payy` via Copybara so the public repo can publish the assets that `beam update` and the installer consume. -If you use GitHub Pages, a simple `CNAME` record from `beam.payy.network` to the Pages host -is enough as long as the root URL responds with the installer script body. +If you use GitHub Pages, a simple `CNAME` record from `install.beam.payy.network` to the +Pages host is enough as long as the root URL responds with the installer script body. ## Development @@ -673,6 +693,7 @@ From the repository root: ```bash cargo check -p beam-cli +cargo check -p beam-cli --features payy-evm-client/bb-bindings cargo test -p beam-cli ``` diff --git a/scripts/install-beam.sh b/scripts/install-beam.sh index 06fe9c1..9d78843 100755 --- a/scripts/install-beam.sh +++ b/scripts/install-beam.sh @@ -480,6 +480,7 @@ main() { log "Run \`beam --help\` to get started." } -if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then +script_source="${BASH_SOURCE[0]:-}" +if [[ -z "$script_source" || "$script_source" == "$0" ]]; then main "$@" fi
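Review bot: The new empty-`BASH_SOURCE` branch at the bottom of scripts/install-beam.sh (hunk at -480,6) needs a comment, because it is what lets the documented `curl … | bash` invocation reach `main` and it is easy to simplify back to the old single comparison. Above `script_source=` add something like `# BASH_SOURCE[0] is unset when bash reads the script from stdin (curl | bash); treat that as direct execution, but still skip main when the file is sourced.` The `:-` default presumably exists because the script runs under `set -u`, which is not visible here, so the comment should say so if that is the case. `main` begins outside the hunk.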