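name: Release
# Cortex's SUPPORTED install path is Anthropic's plugin marketplace
# (`/plugin install cortex@cortex-plugins`). The marketplace consumes the
# git tree directly via ``${CLAUDE_PLUGIN_ROOT}``. See ADR-0050.
#
# PyPI is a DEPRECATED secondary channel, kept best-effort for legacy
# `pip install` / `uvx` users. It is NOT the supported path and may lag
# or be removed. The publish-pypi job below is intentionally
# non-blocking: if PyPI rejects the upload (e.g. the Trusted Publisher
# entry was removed), the GitHub Release + marketplace propagation still
# succeed. Publishing uses Trusted Publishing (OIDC: the publish action
# exchanges the job's identity token for a short-lived PyPI token, so no
# API token is stored in this repo) against the trusted-publisher entry
# configured for this workflow + environment `pypi` — the same one that
# published versions up to 3.14.7.
#
# This workflow runs the tests on tag push, creates a GitHub Release with
# auto-generated notes, and (best-effort) publishes to the deprecated
# PyPI channel.
#
# Token scope: the workflow-level GITHUB_TOKEN is read-only. Only the
# github-release job, which has to create the release, is granted
# `contents: write`. The test and build jobs run third-party code
# (pip-installed dependencies, pytest, build backend hooks) and must not
# hold a write-capable token; every checkout also sets
# `persist-credentials: false` so the token is not left in .git/config
# where that code could reuse it.
#
# Third-party actions are referenced by version tag. Pinning each one to
# a full commit SHA (with the tag kept in a trailing comment) would
# additionally protect against a tag being moved to different code.

on:
  push:
    tags:
      - "v*"

permissions:
  contents: read

jobs:
  test:
    name: Test before release
    runs-on: ubuntu-latest
    env:
      # Throwaway credentials for the runner-local database created in the
      # PostgreSQL step below; they never leave the ephemeral runner.
      DATABASE_URL: postgresql://cortex:cortex@localhost:5432/cortex
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # Runner-local PostgreSQL + pgvector (no Docker Hub pull). See ci.yml for
      # the rationale: anonymous registry-1.docker.io pulls are rate-limited and
      # outage-prone; PGDG apt is the canonical, unmetered pgvector source.
      # The PGDG signing key is fetched over TLS from postgresql.org and bound
      # to the repo entry with `signed-by`, so apt verifies package signatures
      # against that key only (compare its fingerprint with the one published
      # on the PGDG apt page if stricter provenance is wanted).
      - name: Set up PostgreSQL + pgvector (runner-local, no registry pull)
        run: |
          set -euxo pipefail
          sudo systemctl start postgresql
          PG_VER="$(pg_lsclusters -h | awk 'NR==1 {print $1}')"
          sudo install -d /usr/share/postgresql-common/pgdg
          sudo curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \
            -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
          echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" \
            | sudo tee /etc/apt/sources.list.d/pgdg.list
          # apt mirrors are occasionally flaky; retry a few times before giving up.
          for i in 1 2 3; do sudo apt-get update && break || sleep 5; done
          for i in 1 2 3; do sudo apt-get install -y "postgresql-${PG_VER}-pgvector" && break || sleep 5; done
          sudo -u postgres psql -v ON_ERROR_STOP=1 \
            -c "CREATE ROLE cortex LOGIN SUPERUSER PASSWORD 'cortex';"
          sudo -u postgres createdb -O cortex cortex
          sudo -u postgres psql -v ON_ERROR_STOP=1 -d cortex \
            -c "CREATE EXTENSION IF NOT EXISTS vector; CREATE EXTENSION IF NOT EXISTS pg_trgm;"
          # Wait for the server to accept TCP connections as the test role.
          for i in $(seq 1 30); do
            PGPASSWORD=cortex pg_isready -h localhost -U cortex -d cortex && break || sleep 1
          done
          PGPASSWORD=cortex psql -h localhost -U cortex -d cortex -c "SELECT version();"
      - name: Cache HuggingFace models
        uses: actions/cache@v4
        with:
          path: ~/.cache/huggingface
          key: ${{ runner.os }}-hf-all-MiniLM-L6-v2
      - name: Install dependencies
        run: pip install -e ".[dev,postgresql]"
      # Warm the model cache so the tests do not depend on a live download;
      # a failed download is tolerated and the tests decide what to do.
      - name: Pre-download embedding model
        run: python -c "from sentence_transformers import SentenceTransformer; SentenceTransformer('all-MiniLM-L6-v2', device='cpu')"
        continue-on-error: true
      - name: Run tests
        run: pytest --tb=short -q

  github-release:
    name: GitHub Release
    needs: test
    runs-on: ubuntu-latest
    # The only job that needs a write-capable token: action-gh-release
    # creates the release through the API with ${{ github.token }}.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so the previous release tag can be resolved.
          fetch-depth: 0
          persist-credentials: false
      - name: Generate changelog
        id: changelog
        run: |
          set -euo pipefail
          # Previous release = nearest v* tag reachable from the parent of the
          # tagged commit. (Sorting all tags and taking the second entry breaks
          # when only one tag exists — it yields the current tag and an empty
          # range — and when the pushed tag is not the highest version, e.g. a
          # patch release on an older line.)
          PREV_TAG="$(git describe --tags --abbrev=0 --match 'v*' HEAD^ 2>/dev/null || true)"
          # Written to a file rather than a step output so commit subjects
          # need no escaping.
          if [ -z "$PREV_TAG" ]; then
            # First release (or a root commit): list the whole history.
            git log --pretty=format:"- %s" HEAD > changelog.txt
          else
            git log --pretty=format:"- %s" "${PREV_TAG}..HEAD" > changelog.txt
          fi
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          body_path: changelog.txt
          generate_release_notes: true

  # ── DEPRECATED PyPI channel (best-effort) ──────────────────────────────
  # Restored after being dropped in a2dc7e3. Marketplace (ADR-0050) is the
  # supported path; these jobs keep the legacy `pip install` / `uvx` users
  # on a non-vulnerable version. Decoupled from github-release so a PyPI
  # failure never blocks the supported channel.
  build:
    name: Build sdist + wheel (deprecated PyPI channel)
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install build tools
        run: pip install build
      - name: Build sdist and wheel
        run: python -m build
      # The artifact is the only thing handed to publish-pypi, which keeps
      # the OIDC-privileged job free of checkout and build tooling.
      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish-pypi:
    name: Publish to PyPI (deprecated channel)
    needs: build
    runs-on: ubuntu-latest
    # OIDC Trusted Publishing — no stored secret. Verified by PyPI against
    # the trusted-publisher entry for (cdeust/Cortex, release.yml,
    # environment=pypi). This is the same entry that published <= 3.14.7.
    environment:
      name: pypi
      url: https://pypi.org/p/hypermnesia-mcp
    # Job-level permissions replace the workflow default entirely; the
    # identity token is all this job needs (artifact download uses the
    # runtime token of the workflow run, not GITHUB_TOKEN).
    permissions:
      id-token: write
    steps:
      - name: Download build artifacts
        uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: Publish to PyPI (best-effort — must not fail the release)
        id: publish
        uses: pypa/gh-action-pypi-publish@release/v1
        # Deprecated channel: a rejected upload (already-exists, or the
        # Trusted Publisher entry was removed) must NOT red-X the release.
        continue-on-error: true
        with:
          verbose: true
          # skip-existing so a retag against an already-published version
          # is a no-op instead of a hard failure — this was the exact
          # failure mode that motivated removing PyPI in a2dc7e3.
          skip-existing: true
      # continue-on-error keeps the job green even when the upload was
      # rejected; surface that as a workflow warning so an unexpected
      # rejection (e.g. a revoked Trusted Publisher entry) is still noticed.
      # The outcome is passed through env rather than interpolated into the
      # script, the usual hygiene for values used inside `run`.
      - name: Report PyPI publish outcome
        if: steps.publish.outcome != 'success'
        env:
          PUBLISH_OUTCOME: ${{ steps.publish.outcome }}
        run: echo "::warning::PyPI publish outcome was '${PUBLISH_OUTCOME}' (deprecated channel; the GitHub Release is unaffected)."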