ci: add release workflow for automated CLI releases (#403)

## Summary

- Adds `.github/workflows/release.yml` that automates CLI releases
end-to-end
- Triggered by `cli-v*` tag push: validates tag is on main, builds CLI
tarball in Docker, publishes to npm via OIDC trusted publishing, creates
GitHub Release with tarball + changelog

## Tested

Temporarily triggered the workflow on push (dry-run mode) — all steps
passed:
- Docker build, tarball extraction, SHA256 computation
- npm ci + wasm build
- Changelog extraction
- `npm publish --dry-run`

## How to use

```bash
# After merging a release PR:
git tag cli-v<version>
git push origin cli-v<version>
```

## Key decisions

- **OIDC trusted publishing** instead of NPM_TOKEN — no secrets to
manage
- **Single job** for simplicity (can split build/publish later if
needed)
- All `${{ }}` expressions passed through `env:` to prevent expression
injection
- npm pinned to 11.4.0 (minimum for trusted publishing)
- `--ignore-scripts` on `npm publish` avoids redundant `prepare` run
- Changelog extraction via awk (avoids tsx/node dependency for a simple
text extraction)

Author: Kamirus

.github/workflows/release.yml

@@ -0,0 +1,154 @@
+name: Release CLI
+
+on:
+  push:
+    tags:
+      - "cli-v*"
+
+permissions:
+  contents: write
+  id-token: write
+
+concurrency:
+  group: release-cli
+  cancel-in-progress: false
+
+jobs:
+  release:
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Abort if tag is not on main
+        run: |
+          set -euo pipefail
+          git fetch origin main
+          if git merge-base --is-ancestor "${GITHUB_SHA}" "origin/main"; then
+            echo "Tag commit ${GITHUB_SHA} is reachable from main."
+          else
+            echo "::error::Tag commit ${GITHUB_SHA} is not on main. Aborting."
+            exit 1
+          fi
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          VERSION="${GITHUB_REF_NAME#cli-v}"
+          if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
+            echo "::error::Could not extract a valid version from tag '${GITHUB_REF_NAME}'"
+            exit 1
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "Version: $VERSION"
+
+      - name: Validate version matches package.json
+        working-directory: cli
+        env:
+          TAG_VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          if [ "$PKG_VERSION" != "$TAG_VERSION" ]; then
+            echo "::error::Tag version ($TAG_VERSION) does not match package.json ($PKG_VERSION)"
+            exit 1
+          fi
+
+      # --- Docker build ---
+
+      - name: Set up Docker
+        uses: docker/setup-docker-action@efe9e3891a4f7307e689f2100b33a155b900a608 # v4.5.0
+
+      - name: Build CLI tarball using Docker
+        working-directory: cli
+        env:
+          COMMIT_HASH: ${{ github.sha }}
+          MOPS_VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          docker build . \
+            --build-arg COMMIT_HASH="$COMMIT_HASH" \
+            --build-arg MOPS_VERSION="$MOPS_VERSION" \
+            -t mops
+
+      - name: Extract tarball from container
+        working-directory: cli
+        run: |
+          cid=$(docker create mops)
+          mkdir -p bundle
+          docker cp "$cid:/mops/cli/bundle/cli.tgz" ./bundle/cli.tgz
+          docker rm "$cid"
+
+      - name: Compute SHA256
+        id: hash
+        working-directory: cli
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          HASH=$(sha256sum bundle/cli.tgz | awk '{print $1}')
+          echo "hash=$HASH" >> "$GITHUB_OUTPUT"
+          echo "### CLI Release v${VERSION}" >> "$GITHUB_STEP_SUMMARY"
+          echo "**SHA256:** \`$HASH\`" >> "$GITHUB_STEP_SUMMARY"
+
+      # --- npm publish ---
+
+      - name: Set up Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 22
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Upgrade npm for trusted publishing
+        run: npm install -g npm@11.4.0
+
+      - uses: ./.github/actions/cache-rust-wasm
+
+      - name: Install dependencies
+        working-directory: cli
+        run: npm ci
+
+      - name: Extract changelog
+        working-directory: cli
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+          BUILD_HASH: ${{ steps.hash.outputs.hash }}
+          COMMIT_HASH: ${{ github.sha }}
+        run: |
+          ESCAPED=$(echo "$VERSION" | sed 's/\./\\./g')
+          awk "/^##? ${ESCAPED}$/{found=1; next} found && /^##? [0-9]/{exit} found && /^##? Next/{exit} found" \
+            CHANGELOG.md > /tmp/release-notes.md
+
+          if [ ! -s /tmp/release-notes.md ]; then
+            echo "::error::No changelog entry found for version ${VERSION}"
+            exit 1
+          fi
+
+          {
+            echo ""
+            echo "---"
+            echo "**SHA256:** \`${BUILD_HASH}\`"
+            echo ""
+            echo "**Verify build:**"
+            echo '```bash'
+            echo "cd cli"
+            echo "docker build . --build-arg COMMIT_HASH=${COMMIT_HASH} --build-arg MOPS_VERSION=${VERSION} -t mops"
+            echo "docker run --rm --env SHASUM=${BUILD_HASH} mops"
+            echo '```'
+          } >> /tmp/release-notes.md
+
+      - name: Publish to npm
+        working-directory: cli
+        run: npm publish --provenance --ignore-scripts
+
+      # --- GitHub Release ---
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ github.ref_name }}
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          gh release create "$TAG" \
+            cli/bundle/cli.tgz#cli.tgz \
+            --title "CLI v${VERSION}" \
+            --notes-file /tmp/release-notes.md

cli/RELEASE.md

@@ -2,34 +2,17 @@
 
 ## Prerequisites
 
-### macOS: GNU tar
-
-```bash
-brew install gnu-tar
-```
-
-Add to `~/.zshrc` or `~/.bashrc`:
-```bash
-export PATH="$HOMEBREW_PREFIX/opt/gnu-tar/libexec/gnubin:$PATH"
-```
-
 ### Docker
 
-Docker (or OrbStack) must be installed and running. The CLI build happens inside a Docker container (`zenvoich/mops-builder:1.1.0`) for reproducibility.
+Docker (or OrbStack) must be installed and running. The on-chain release step builds the CLI inside a Docker container (`zenvoich/mops-builder:1.1.0`) for reproducibility.
 
 ### dfx
 
 `dfx` must be installed with the `mops` identity configured (see [Adding the `mops` identity to dfx](#adding-the-mops-identity-to-dfx)).
 
 ## Release Steps
 
-### 1. Install dependencies
-
-```bash
-cd cli && bun install
-```
-
-### 2. Update changelog
+### 1. Update changelog
 
 Move items from the `## Next` section in `CHANGELOG.md` into a new version heading:
 
@@ -41,28 +24,19 @@ Move items from the `## Next` section in `CHANGELOG.md` into a new version headi
 - Change 2
 ```
 
-The heading must contain the exact version string — `release-cli.ts` parses it to extract release notes.
-
-### 3. Create a release branch and PR
-
-Direct pushes to `main` are not allowed. Create a branch and PR:
-
-```bash
-git checkout -b <username>/release-X.Y.Z
-```
-
-### 4. Bump version
+The heading must contain the exact version string — the release workflow parses it to extract release notes for the GitHub Release.
 
-Use `--no-git-tag-version` since the version bump will be committed as part of the PR (not directly on `main`):
+### 2. Bump version
 
 ```bash
 cd cli
 npm version minor --no-git-tag-version  # or: patch / major
 ```
 
-### 5. Commit, push, and open PR
+### 3. Create a release branch and PR
 
 ```bash
+git checkout -b <username>/release-X.Y.Z
 git add cli/CHANGELOG.md cli/package.json cli/package-lock.json
 git commit -m "release: CLI vX.Y.Z"
 git push -u origin <username>/release-X.Y.Z
@@ -71,41 +45,26 @@ gh pr create --title "release: CLI vX.Y.Z" --body "..."
 
 Wait for CI to pass, then merge the PR.
 
-### 6. Check reproducibility of the build
-
-After the PR is merged to `main`, check the SHA256 hash from the latest [build-hash workflow](https://github.com/caffeinelabs/mops/actions/workflows/build-hash.yml) run.
+### 4. Tag and push
 
-**Important**: The CI hash is written to the GitHub Actions **Step Summary** — it is only visible on the **Summary tab** of the workflow run page. It does **not** appear in the downloadable logs (`gh run view --log` will not find it). You must open the run URL in a browser to see it.
+After the PR is merged to `main`:
 
-Build the same version locally:
 ```bash
-cd cli
-MOPS_VERSION=0.0.0 ./build.sh
+git checkout main && git pull
+git tag cli-vX.Y.Z
+git push origin cli-vX.Y.Z
 ```
 
-`build.sh` does the following:
-1. Reads `COMMIT_HASH` (defaults to `git rev-parse HEAD`) and `MOPS_VERSION`
-2. Runs `docker build` using `cli/Dockerfile` with those as build args
-3. The Dockerfile clones the repo at that commit, runs `bun install`, sets the version, and runs `npm run build`
-4. Prints the SHA256 hash of `cli.tgz`
-5. Copies `cli.tgz` out of the container into `cli/bundle/cli.tgz`
+This triggers the [`release.yml`](../.github/workflows/release.yml) workflow which automatically:
+1. Validates the tag is on `main` and version matches `package.json`
+2. Builds the CLI tarball in Docker (reproducible build)
+3. Computes and reports the SHA256 hash (visible in the workflow Step Summary)
+4. Publishes to npm via OIDC trusted publishing
+5. Creates a GitHub Release with the tarball attached and changelog as release notes
 
-Compare the locally printed hash with the one from the CI Step Summary. If they don't match, do not proceed.
-
-**Notes on the local build output:**
-- The "Verification failed" message at the end is **expected** — it happens because no `SHASUM` env var is passed for comparison. The important output is the `Actual shasum: <hash>` line.
-
-### 7. Publish to npm
-
-After the PR is merged and the build hash is verified:
-
-```bash
-git checkout main && git pull
-cd cli
-npm publish
-```
+Monitor the workflow run at [Actions → Release CLI](https://github.com/caffeinelabs/mops/actions/workflows/release.yml).
 
-### 8. Prepare on-chain release
+### 5. Prepare on-chain release
 
 Run from the **repo root** (not `cli/`), with Docker running:
 
@@ -122,25 +81,25 @@ This runs `cli/release-cli.ts`, which:
 6. Updates `cli-releases/tags/latest` to the new version
 7. Updates `cli-releases/releases.json` with metadata (timestamp, size, hash, commit hash, download URL, release notes)
 
-### 9. Deploy the canister
+### 6. Deploy the canister
 
 ```bash
 dfx deploy --network ic --no-wallet cli --identity mops
 ```
 
 This deploys the `cli-releases` canister (serving `cli.mops.one`) to the Internet Computer mainnet.
 
-### 10. Deploy the docs canister
+### 7. Deploy the docs canister
 
 ```bash
 dfx deploy --network ic --no-wallet docs --identity mops
 ```
 
 This builds the Docusaurus site (`docs/`) and deploys the `docs` assets canister (serving `docs.mops.one`). Docs are not auto-deployed, so this step ensures any documentation changes from the release are published.
 
-### 11. Commit and push release artifacts
+### 8. Commit and push release artifacts
 
-Step 8 generates files in `cli-releases/` that must be committed and pushed:
+Step 5 generates files in `cli-releases/` that must be committed and pushed:
 
 ```bash
 git add cli-releases/
@@ -159,7 +118,7 @@ Merge this PR after approval.
 
 ## Verify build
 
-Anyone can verify a released version by rebuilding from source:
+Anyone can verify a released version by rebuilding from source. The SHA256 hash and verification instructions are included in each [GitHub Release](https://github.com/caffeinelabs/mops/releases).
 
 ```bash
 cd cli