You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+15-15Lines changed: 15 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,22 +6,22 @@ Shared GitHub actions and workflows for Braintrust SDK repositories.
6
6
7
7
**Copy the canonical release workflow template** from `.github/workflows/release-<LANG>.yml` and adapt it for your repository. Using it as an upstream source will enable the implemented release process to receive improvements in the future.
2.**Adapt the marked sections** — version source, gem name, working directory,
17
-
and so on. The template's comments flag exactly what changes per repo;
18
-
everything else is provided by the pinned actions.
19
-
3.**Record the upstream version you based it on** — the sdk-actions ref (commit
20
-
SHA or tag) your copy was adapted from, e.g. in a header comment. Tracking it
21
-
lets you (or an agent) diff your copy against a newer upstream template and
22
-
sync changes deliberately as this repo evolves.
23
-
4.**Bump the pinned SHA** to pick up action changes. Because each action is
24
-
self-contained, one SHA bump pulls in the whole updated chain.
21
+
2.**Configure an OIDC trusted publisher** on your registry (npm / PyPI / RubyGems) for this repo + workflow (and environment, if gated) — publishing and attestation use it, no long-lived tokens. (Adapting an existing workflow rather than copying? Also grant the publish job `attestations: write`.)
22
+
3.**Adapt the marked sections** — version source, package/gem name, working directory, and so on; the template's comments flag exactly what changes.
23
+
4.**Record the upstream version you based it on** — the sdk-actions ref (commit SHA or tag) your copy was adapted from, e.g. in a header comment. Tracking it lets you (or an agent) diff your copy against a newer upstream template and sync changes deliberately as this repo evolves.
24
+
5.**Bump the pinned SHA** to pick up action changes. Because each action is self-contained, one SHA bump pulls in the whole updated chain.
25
25
26
26
### Available release actions
27
27
@@ -32,12 +32,12 @@ pulls in everything it needs.
32
32
33
33
| Action | Purpose |
34
34
|---|---|
35
-
|`release/lang/ruby/publish`|Push the gemto RubyGems, create the GitHub release, and notify |
36
-
|`release/lang/ruby/validate`| Check out the SHA, set up Ruby, read the version, validate the release (tag/branch/metadata), lint + build |
37
-
|`release/lang/js/publish`|Publish the package to npm (OIDC trusted publishing), create the GitHub release, and notify |
38
-
|`release/lang/js/validate`| Check out the SHA, set up Node + package manager, read the version, validate the release (channel/tag/branch/metadata), build |
39
-
|`release/lang/py/publish`|Publish the package to PyPI (OIDC trusted publishing + PEP 740 attestations), create the GitHub release, and notify |
40
-
|`release/lang/py/validate`| Check out the SHA, set up uv + Python, read the version, validate the release (tag/branch/metadata, PyPI availability), build |
35
+
|`release/lang/ruby/publish`|Build the gem, generate + sign a CycloneDX SBOM and SLSA build provenance, push to RubyGems (OIDC trusted publishing), create the GitHub release (SBOM attached), and notify |
36
+
|`release/lang/ruby/validate`| Check out the SHA, set up Ruby, read the version, validate the release (tag/branch/metadata), lint + build + generate SBOM (pre-gate check) |
37
+
|`release/lang/js/publish`|Build, generate + sign a CycloneDX SBOM, publish to npm (OIDC trusted publishing + provenance), create the GitHub release (SBOM attached), and notify |
38
+
|`release/lang/js/validate`| Check out the SHA, set up Node + package manager, read the version, validate the release (channel/tag/branch/metadata), build + generate SBOM (pre-gate check) |
39
+
|`release/lang/py/publish`|Build, generate + sign a CycloneDX SBOM, publish to PyPI (OIDC trusted publishing + PEP 740 attestations), create the GitHub release (SBOM attached), and notify |
40
+
|`release/lang/py/validate`| Check out the SHA, set up uv + Python, read the version, validate the release (tag/branch/metadata, PyPI availability), build + generate SBOM (pre-gate check) |
41
41
|`release/notify-pending`| Post the pre-approval job summary and Slack notification |
42
42
|`release/prepare`| Fetch the PR list and release notes |
0 commit comments