name: Release on: workflow_dispatch: permissions: contents: read concurrency: group: release-main cancel-in-progress: false jobs: preflight: name: Preflight runs-on: runners-farhoodlabs permissions: contents: write outputs: should_release: ${{ steps.probe.outputs.should_release }} version: ${{ steps.probe.outputs.version }} steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Install pnpm uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 cache: 'pnpm' - name: Install dependencies run: pnpm install --frozen-lockfile - name: Probe semantic-release id: probe shell: bash env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -euo pipefail npx semantic-release@25 --dry-run --no-ci 2>&1 | tee semantic-release.log if grep -qi "the next release version is" semantic-release.log; then echo "should_release=true" >> "$GITHUB_OUTPUT" VERSION=$(grep -oiE "the next release version is [0-9]+\.[0-9]+\.[0-9]+" semantic-release.log | grep -oE "[0-9]+\.[0-9]+\.[0-9]+") echo "version=$VERSION" >> "$GITHUB_OUTPUT" else echo "should_release=false" >> "$GITHUB_OUTPUT" fi build-docker: name: Build Docker (worker) needs: preflight if: needs.preflight.outputs.should_release == 'true' runs-on: runners-farhoodlabs permissions: contents: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to Docker Hub uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build and push worker image uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . push: true provenance: mode=max sbom: true tags: | farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }} farhoodlabs/trebuchet:latest build-docker-api: name: Build Docker (API) needs: preflight if: needs.preflight.outputs.should_release == 'true' runs-on: runners-farhoodlabs permissions: contents: read steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to Docker Hub uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build and push API image uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . file: apps/api/Dockerfile push: true provenance: mode=max sbom: true tags: | farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }} farhoodlabs/trebuchet-api:latest sign-docker: name: Sign Docker images needs: [preflight, build-docker, build-docker-api] runs-on: runners-farhoodlabs permissions: contents: read id-token: write outputs: worker_digest: ${{ steps.inspect-worker.outputs.digest }} api_digest: ${{ steps.inspect-api.outputs.digest }} steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Log in to Docker Hub uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Inspect worker image id: inspect-worker run: | docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" - name: Inspect API image id: inspect-api run: | docker buildx imagetools inspect "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)" echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" - name: Install cosign uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 - name: Sign worker image run: cosign sign --yes "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}" - name: Sign API image run: cosign sign --yes "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}" - name: Verify worker image signature run: | sleep 10 cosign verify \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \ "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}" - name: Verify API image signature run: | cosign verify \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \ "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}" publish-npm: name: Publish npm needs: [preflight, sign-docker] runs-on: runners-farhoodlabs permissions: contents: read id-token: write steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install pnpm uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 - name: Configure npm registry uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 registry-url: https://registry.npmjs.org cache: 'pnpm' - name: Install dependencies run: pnpm install --frozen-lockfile - name: Set CLI package version run: cd apps/cli && npm version "${{ needs.preflight.outputs.version }}" --no-git-tag-version --allow-same-version - name: Sync lockfile with bumped version run: pnpm install --lockfile-only - name: Build CLI run: pnpm --filter @trebuchet/cli run build - name: Publish npm package working-directory: apps/cli env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: | if npm view "@trebuchet/cli@${{ needs.preflight.outputs.version }}" version 2>/dev/null; then echo "Version already published, skipping" else pnpm publish --access public --no-git-checks fi release: name: Create GitHub release needs: [preflight, publish-npm] runs-on: runners-farhoodlabs permissions: contents: write steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Install pnpm uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 - name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 cache: 'pnpm' - name: Install dependencies run: pnpm install --frozen-lockfile - name: Create GitHub release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: npx semantic-release@25