Auto-tag releases from main when version bumps

mikkeldamsgaard · claude · mikkeldamsgaard · commit 948a16b3cd6a · 2026-04-14T21:21:01.000+02:00
Release workflow now runs on push to main as well as on release-* tags.
A new prepare job reads the canonical version from src-tauri/Cargo.toml,
fails if the CLI Cargo.toml, tauri.conf.json, or package.json disagree,
and creates/pushes the matching release-X.Y.Z tag when one doesn't
already exist. Downstream build and release jobs are gated on that
prepare output and read the tag/version from its outputs.

Also bumps ralph-cli from 0.2.2 to 0.2.3 to align with the rest of the
workspace.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,14 +2,88 @@ name: Release
 
 on:
   push:
+    branches: [main]
     tags:
       - "release-[0-9]+.[0-9]+.[0-9]+*"
 
 permissions:
   contents: write
 
 jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.decide.outputs.version }}
+      tag: ${{ steps.decide.outputs.tag }}
+      should_release: ${{ steps.decide.outputs.should_release }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine version and tag
+        id: decide
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          extract_toml_version() {
+            # Read the first `version = "X.Y.Z"` line from the [package] table.
+            awk -F'"' '/^version = /{print $2; exit}' "$1"
+          }
+
+          DESKTOP_VER=$(extract_toml_version src-tauri/Cargo.toml)
+          CLI_VER=$(extract_toml_version crates/ralph-cli/Cargo.toml)
+          CONF_VER=$(python3 -c 'import json; print(json.load(open("src-tauri/tauri.conf.json"))["version"])')
+          PKG_VER=$(python3 -c 'import json; print(json.load(open("package.json"))["version"])')
+
+          # src-tauri/Cargo.toml is canonical. Every other version string must
+          # agree, otherwise the built artifacts would misrepresent themselves
+          # and the updater's latest.json would disagree with the installed
+          # binary's reported version.
+          fail=0
+          for pair in "src-tauri/Cargo.toml=$DESKTOP_VER" \
+                      "crates/ralph-cli/Cargo.toml=$CLI_VER" \
+                      "src-tauri/tauri.conf.json=$CONF_VER" \
+                      "package.json=$PKG_VER"; do
+            file="${pair%%=*}"
+            ver="${pair#*=}"
+            if [[ "$ver" != "$DESKTOP_VER" ]]; then
+              echo "::error file=$file::version mismatch: $file is '$ver', expected '$DESKTOP_VER' (from src-tauri/Cargo.toml)"
+              fail=1
+            fi
+          done
+          if [[ "$fail" -eq 1 ]]; then
+            exit 1
+          fi
+
+          VERSION="$DESKTOP_VER"
+          TAG="release-${VERSION}"
+
+          if [[ "$GITHUB_REF" == refs/tags/release-* ]]; then
+            # Direct tag push — build + release unconditionally.
+            SHOULD_RELEASE=true
+          else
+            # Push to main — only release if this version hasn't been tagged.
+            if git rev-parse -q --verify "refs/tags/$TAG" >/dev/null; then
+              echo "Tag $TAG already exists — version unchanged, skipping release"
+              SHOULD_RELEASE=false
+            else
+              git config user.name "github-actions[bot]"
+              git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+              git tag -a "$TAG" -m "Release $VERSION"
+              git push origin "$TAG"
+              SHOULD_RELEASE=true
+            fi
+          fi
+
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+          echo "should_release=$SHOULD_RELEASE" >> "$GITHUB_OUTPUT"
+
   build-cli:
+    needs: prepare
+    if: needs.prepare.outputs.should_release == 'true'
     strategy:
       matrix:
         include:
@@ -113,6 +187,8 @@ jobs:
           path: ${{ matrix.artifact }}${{ runner.os == 'Windows' && '.exe' || '' }}
 
   build-desktop:
+    needs: prepare
+    if: needs.prepare.outputs.should_release == 'true'
     strategy:
       matrix:
         include:
@@ -193,12 +269,12 @@ jobs:
       - name: Collect updater metadata
         shell: bash
         env:
-          TAG_NAME: ${{ github.ref_name }}
+          TAG_NAME: ${{ needs.prepare.outputs.tag }}
+          VERSION: ${{ needs.prepare.outputs.version }}
           BUNDLE_DIR: target/${{ matrix.target }}/release/bundle
           UPDATER_PLATFORM: ${{ matrix.updater_platform }}
         run: |
           set -euo pipefail
-          VERSION="${TAG_NAME#release-}"
           # Find the updater bundle + its .sig produced by Tauri. Each OS
           # has exactly one updater target: .app.tar.gz (mac), .nsis .exe
           # (windows), .AppImage (linux).
@@ -251,38 +327,35 @@ jobs:
           path: updater-meta/*.json
 
   release:
-    needs: [build-cli, build-desktop]
+    needs: [prepare, build-cli, build-desktop]
+    if: needs.prepare.outputs.should_release == 'true'
     runs-on: ubuntu-latest
 
     steps:
-      - name: Extract version from tag
-        id: version
-        run: echo "version=${GITHUB_REF_NAME#release-}" >> $GITHUB_OUTPUT
-
       - name: Download all artifacts
         uses: actions/download-artifact@v4
         with:
           path: artifacts
 
       - name: Assemble updater latest.json
+        env:
+          VERSION: ${{ needs.prepare.outputs.version }}
         run: |
           set -euo pipefail
-          VERSION="${{ steps.version.outputs.version }}"
           PUB_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
           python3 - <<PY
           import json, glob, os
           platforms = {}
-          version = None
+          version = os.environ["VERSION"]
           for path in glob.glob("artifacts/updater-meta-*/*.json"):
               with open(path) as f:
                   meta = json.load(f)
-              version = meta["version"]
               platforms[meta["platform"]] = {
                   "signature": meta["signature"],
                   "url": meta["url"],
               }
           out = {
-              "version": version or "$VERSION",
+              "version": version,
               "notes": "See release notes on GitHub.",
               "pub_date": "$PUB_DATE",
               "platforms": platforms,
@@ -296,7 +369,8 @@ jobs:
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
         with:
-          name: v${{ steps.version.outputs.version }}
+          tag_name: ${{ needs.prepare.outputs.tag }}
+          name: v${{ needs.prepare.outputs.version }}
           generate_release_notes: true
           body: |
             ## macOS notes
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/README.md b/README.md
@@ -127,6 +127,22 @@ npx tauri signer generate -w ~/.tauri/ralph-updater.key
 Losing the private key is unrecoverable — existing installs can no longer be
 upgraded through the in-app updater and would need a fresh install.
 
+### Maintainer: cutting a release
+
+1. Bump the version in **all four** files (they must match):
+   - `src-tauri/Cargo.toml` (canonical source)
+   - `crates/ralph-cli/Cargo.toml`
+   - `src-tauri/tauri.conf.json`
+   - `package.json`
+2. Commit and push to `main`. The release workflow will:
+   - verify the four version strings agree (fail CI otherwise),
+   - tag the commit as `release-X.Y.Z` if that tag doesn't already exist,
+   - build and sign the CLI + desktop bundles,
+   - publish them + `latest.json` to a GitHub Release.
+
+Pushing a `release-X.Y.Z` tag by hand also works and skips the version-change
+detection — useful for re-running a release.
+
 ## Building from source
 
 ```bash
diff --git a/crates/ralph-cli/Cargo.toml b/crates/ralph-cli/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "ralph-cli"
-version = "0.2.2"
+version = "0.2.3"
 edition = "2021"
 
 [[bin]]
