feat(release): centralize and harden artifact publishing#55
Open
francoischalifour wants to merge 1 commit into
Open
feat(release): centralize and harden artifact publishing#55francoischalifour wants to merge 1 commit into
francoischalifour wants to merge 1 commit into
Conversation
Define one typed release manifest for platform targets, public artifact names, updater resolution, and CI runners. Move build, smoke, upload, and publication behavior into directly testable repository scripts instead of embedding programs in workflow YAML. Gate branch and release publication on one reusable canonical verification workflow. Build and execute native artifacts on supported target runners, test the exact npm bytes under the release and minimum Bun runtimes, emit artifact-specific recipes and verified checksums, and attest the same bytes that are published. Keep GitHub releases draft until npm succeeds, make npm publication idempotent for retries, retain exact release binaries for the full 30-day rerun window, and preserve the independently tested Bun >=1.1.0 runtime contract. Replace long-lived npm publish credentials with GitHub Actions OIDC trusted publishing. Fail closed when OIDC or the required npm CLI is unavailable, reject token fallback, and document the staged post-release token revocation process.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
The release pipeline previously distributed release knowledge across TypeScript, shell commands, Make targets, and GitHub Actions workflow YAML. Platform targets, runner selection, artifact names, compiler options, smoke tests, and publication behavior could drift independently.
That created several supply-chain and operational risks:
macos-14runner.NPM_TOKENeven though the job already supported GitHub Actions OIDC.This branch makes the release pipeline an explicit, testable contract and ensures the exact bytes that pass verification are the bytes ultimately published.
Proposed solution
Centralize the release contract
Add a typed release manifest as the single source of truth for:
CI matrices, native compilation, updater resolution, smoke tests, and publication now derive from this manifest. Semantic tests protect public asset names and ensure every supported platform remains represented exactly once.
The Darwin ARM target now uses the supported
macos-15ARM runner instead of deprecatedmacos-14.Separate the build toolchain from the runtime contract
Pin Bun
1.3.14as the reproducible release build toolchain without changing the npm package’s existing runtime contract:The pinned Bun version controls compilation and bundling only. Users installing
@altertable/clido not need the pinned release compiler version; Bun1.1.0and newer remain supported.CI explicitly builds the npm bundle with the pinned toolchain and then smoke-tests those exact bytes under both:
1.1.0, the minimum supported npm runtimeHarden native compilation
Move release compilation into checked-in TypeScript scripts with explicit compiler settings, including:
.envloadingbunfig.tomlloadingThe build scripts validate the pinned toolchain and release tag before producing artifacts. Each native binary is smoke-tested on its target runner before it can enter the publication job.
Reuse one canonical verification workflow
Introduce a reusable verification workflow shared by branch CI and release CI.
The canonical gate covers:
Release jobs check out and verify the exact tagged revision rather than relying on unverified workspace state.
Publish the exact tested artifacts
Native jobs upload only binaries that have already passed their platform smoke tests. The final release job downloads those binaries instead of rebuilding them.
The JavaScript release asset and npm package are also produced from the same bundle bytes. The pipeline then:
This ordering prevents a GitHub release from being presented as complete when npm publication has failed.
Make publication recoverable and retry-safe
Release Please creates a draft GitHub release. It becomes public only after every artifact and npm publication step succeeds.
npm publication is idempotent:
404means publication is still required.GitHub asset uploads use replacement semantics, allowing a failed workflow to be rerun without manually deleting partially uploaded assets.
Tested native release binaries are retained for 30 days, matching the workflow recovery window. Disposable diagnostics remain at seven days:
Semantic workflow tests enforce this distinction so release recovery retention cannot accidentally regress.
Replace the npm publishing token with OIDC
Remove
NPM_TOKENfrom the release workflow and publish through npm trusted publishing using GitHub Actions OIDC.The npm package now trusts:
altertable-ai/altertable-clirelease-please.ymlnpm publishThe publishing script fails closed unless:
id-token: writeis availableNODE_AUTH_TOKENnorNPM_TOKENis presentThis prevents an accidental fallback to long-lived credentials. npm automatically generates provenance for a successful trusted publication.
The registry migration remains deliberately staged:
NPM_TOKENsecret and revoke the underlying npm token.Token publishing should not be disabled until the first OIDC release succeeds, preserving a controlled recovery path during the cutover.
Move behavioral logic out of workflow YAML
Reusable build, smoke-test, validation, upload, and publication behavior now lives in checked-in TypeScript scripts.
The workflows retain orchestration-level responsibilities such as:
This keeps CI readable while making release behavior locally executable and unit-testable.
Compatibility
This change does not alter the public CLI interface or release asset names.
In particular:
@altertable/clicontinues to support Bun>=1.1.0.1.3.14; that version is only the release compiler pin.