Prereqs:
mise(recommended for tool version management)rusttoolchain (installed viamise)pre-commit(optional but recommended)
Clone and install tools:
mise installInstall JS dependencies (for tsc):
pnpm install --ignore-scriptsEnable the mise shell hook (if you haven't already), then re-open your shell or cd back into the repo. This repo adds ./target/debug to your PATH via mise.toml, so binaries built in debug mode are on your PATH while you're in this directory.
Install git hooks:
pre-commit installIf you want to run this via mise:
mise run pre-commit-installThe CLI depends on braintrust-sdk-rust. The default dependency is pinned to a git rev in Cargo.toml.
To override with a local checkout:
cp .cargo/config.toml.example .cargo/config.tomlThen ensure the path in .cargo/config.toml points to your local SDK checkout (default: ../braintrust-sdk-rust). This file is ignored by git.
Note: when the local override is enabled, Cargo will treat the SDK as a path dependency and update Cargo.lock accordingly. The committed lockfile should reflect the git dependency (for CI). If you need to update Cargo.lock, temporarily move .cargo/config.toml out of the way, run cargo generate-lockfile, then restore it.
Build:
cargo buildRun the CLI:
cargo run -- sql "SELECT 1"Run evals (JS default runner):
bt eval path/to/foo.eval.tsRun evals locally (no logs sent):
bt eval --local path/to/foo.eval.tsEval fixture tests:
mise run eval-testsNote: eval fixtures use Node + pnpm (or npm) to install dependencies in tests/evals/js/*.
Required env vars:
BRAINTRUST_API_KEY: API key used for login
Optional env vars:
BRAINTRUST_API_URL: override API endpoint (defaulthttps://api.braintrust.dev)BRAINTRUST_DEFAULT_PROJECT: default project name
Pre-commit runs:
cargo fmt --allcargo clippy --all-targets --all-features -- -D warnings
Stable releases are prepared with a release bump PR and published after GitHub Environment approval.
- Open Actions in
braintrustdata/bt. - Select release-bump-pr.
- Click Run workflow and enter the target version without a leading
v(for example0.9.2). - Review and merge the generated PR. The PR updates
Cargo.tomlandCargo.lock. - After the PR merges to
main, the release workflow reads the version fromCargo.toml, creates and pushes the matching tag (for examplev0.9.2), builds release artifacts, then waits for thereleaseGitHub Environment approval before publishing. - Approve the
releasedeployment to upload artifacts, create the GitHub Release, and publish installers. - Wait for the post-release smoke install jobs to pass.
You can also manually run release with an existing tag input such as v0.9.2. Tags must match v<major>.<minor>.<patch>.
Release artifacts and installers are generated by cargo-dist from dist-workspace.toml. The release workflow publishes the shell and PowerShell installers plus target archives/checksums for the configured platforms.
Use the release-canary workflow when you need a one-off installer build from a PR branch.
- Open Actions in
braintrustdata/bt. - Select release-canary.
- Click Run workflow.
- Choose the PR branch in the branch/ref selector.
- Run the workflow and wait for the
announcejob to complete. - Open the run summary and copy the install command from Canary Install Commands.
gh workflow run release-canary.yml --repo braintrustdata/bt --ref <pr-branch>Then open the run in Actions and copy the install command from the summary.
Notes:
- The workflow publishes an immutable tag:
canary-<branch-slug>-<short-sha>. - It also updates a moving branch tag:
canary-<branch-slug>when the run is for the latest commit on that branch.
Release workflows Authenticode-sign Windows artifacts via Azure Trusted Signing (the sign-windows-artifacts composite action). Signing runs when these GitHub Actions repository secrets are configured:
AZURE_CLIENT_IDAZURE_TENANT_IDAZURE_SUBSCRIPTION_ID
The signing account is selected by these repository variables:
AZURE_SIGNING_ENDPOINTAZURE_SIGNING_ACCOUNT_NAMEAZURE_SIGNING_CERT_PROFILE
If the secrets are absent (for example, on forks or PRs without access), the signing step is skipped and published bt.exe remains unsigned. The verify-windows-signature action surfaces unsigned builds via a neutral check run rather than failing the job.