name: Release (Beta) on: workflow_dispatch: permissions: contents: read concurrency: group: release-beta cancel-in-progress: false jobs: preflight: name: Preflight runs-on: runners-farhoodlabs outputs: version: ${{ steps.version.outputs.version }} steps: - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 registry-url: https://registry.npmjs.org - name: Compute next beta version id: version shell: bash run: | set -euo pipefail LATEST=$(npm view "@trebuchet/cli" dist-tags.beta 2>/dev/null || echo "") if [[ -z "$LATEST" ]]; then echo "version=1.0.0-beta.1" >> "$GITHUB_OUTPUT" else # Extract N from 1.0.0-beta.N and increment N=$(echo "$LATEST" | grep -oE 'beta\.([0-9]+)' | grep -oE '[0-9]+') NEXT=$((N + 1)) echo "version=1.0.0-beta.$NEXT" >> "$GITHUB_OUTPUT" fi - name: Print version run: 'echo "Next beta version: ${{ steps.version.outputs.version }}"' build-docker: name: Build Docker (worker) needs: preflight runs-on: runners-farhoodlabs permissions: contents: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to Docker Hub uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build and push worker image uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . push: true provenance: mode=max sbom: true tags: farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }} build-docker-api: name: Build Docker (API) needs: preflight runs-on: runners-farhoodlabs permissions: contents: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to Docker Hub uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build and push API image uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . file: apps/api/Dockerfile push: true provenance: mode=max sbom: true tags: farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }} sign-docker: name: Sign Docker images needs: [preflight, build-docker, build-docker-api] runs-on: runners-farhoodlabs permissions: contents: read id-token: write outputs: worker_digest: ${{ steps.inspect-worker.outputs.digest }} api_digest: ${{ steps.inspect-api.outputs.digest }} steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to Docker Hub uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Inspect worker image id: inspect-worker run: | docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" - name: Inspect API image id: inspect-api run: | docker buildx imagetools inspect "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" - name: Install cosign uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 - name: Sign worker image run: cosign sign --yes "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}" - name: Sign API image run: cosign sign --yes "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}" - name: Verify worker image signature run: | sleep 10 cosign verify \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release-beta.yml@${{ github.ref }} \ "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}" - name: Verify API image signature run: | cosign verify \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release-beta.yml@${{ github.ref }} \ "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}" publish-npm: name: Publish npm (beta) needs: [preflight, sign-docker] runs-on: runners-farhoodlabs permissions: contents: read id-token: write steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install pnpm uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 - name: Configure npm registry uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 registry-url: https://registry.npmjs.org cache: 'pnpm' - name: Install dependencies run: pnpm install --frozen-lockfile - name: Set CLI package version run: cd apps/cli && npm version "${{ needs.preflight.outputs.version }}" --no-git-tag-version --allow-same-version - name: Sync lockfile with bumped version run: pnpm install --lockfile-only - name: Build CLI run: pnpm --filter @trebuchet/cli run build - name: Publish npm package working-directory: apps/cli env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: | if npm view "@trebuchet/cli@${{ needs.preflight.outputs.version }}" version 2>/dev/null; then echo "Version already published, skipping" else pnpm publish --access public --no-git-checks --tag beta fi