feat: Build out Craft release flow (#50)

Builds the release flow for prevent cli using
[Craft](https://github.com/getsentry/craft) via
[`action-prepare-release`](https://github.com/getsentry/action-prepare-release)
and the [getsentry/publish](https://github.com/getsentry/publish) repo
for release management.

This is the resulting flow:

### On workflow dispatch with version number:
- commits result of `scripts/bump_version.sh` to new `release/$version`
- opens issue on getsentry/publish 
  (example: getsentry/publish#5871)

### On creation of that release/* branch: 
- build assets and upload as workflow artifacts (not release artifacts
yet)

### On 'accepted' label applied in publish repo issue:
IF assets are all present and checks are passing:
- craft merges release branch into main
- craft publishes prevent-cli to release targets (github release, pypi)
- a separate workflow publishes codecov-cli like we do today (no craft)
(github release, pypi, gcs)

Author: spalmurray

.craft.yml

@@ -4,11 +4,21 @@ github:
 
 changelogPolicy: auto
 
+requireNames:
+  - sentry-prevent-cli_wheel
+  - sentry-prevent-cli_alpine_arm64
+  - sentry-prevent-cli_alpine_x86_64
+  - sentry-prevent-cli_linux_arm64
+  - sentry-prevent-cli_linux_x86_64
+  - sentry-prevent-cli_macos
+  - sentry-prevent-cli_windows.exe
+
 targets:
   # For direct binary downloads + shasum + shasum.sig
   - name: github
     tagPrefix: v
+    checksums:
+      - algorithm: sha256
+    includeNames: sentry-prevent-cli.*
 
   # - name: pypi
-  # - name: sentry-pypi
-  #   internalPypiRepo: getsentry/pypi

.github/workflows/build.yml

@@ -0,0 +1,158 @@
+# This workflow builds both sentry-prevent-cli and codecov-cli on push to a
+# release/* branch. These are later released by Craft and another workflow,
+# respectively.
+name: Build and publish codecov-cli
+
+on:
+  push:
+    branches:
+      - "release/**"
+
+permissions:
+  contents: read
+
+jobs:
+  build_for_pypi:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Install dependencies
+        run: pip install uv
+
+      - name: Build codecov-cli sdist and bdist
+        run: |
+          cd codecov-cli
+          uv build
+
+      - name: Build prevent-cli sdist and bdist
+        run: |
+          cd prevent-cli
+          uv build
+
+      - name: Upload codecov-cli artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: codecov-cli_wheel
+          path: ./codecov-cli/dist/*
+
+      - name: Upload prevent-cli artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: sentry-prevent-cli_wheel
+          path: ./prevent-cli/dist/*
+
+  build_assets:
+    name: Build ${{ matrix.os }} binaries
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          - os: macos-13
+            TARGET: macos
+            CMD_BUILD: >
+              cd ./codecov-cli &&
+              uv run pyinstaller --target-arch universal2 -F ./codecov_cli/main.py &&
+              mv ./dist/main ./dist/codecovcli_macos && 
+              cd ../prevent-cli &&
+              uv run pyinstaller --target-arch universal2 -F ./src/prevent_cli/main.py &&
+              mv ./dist/main ./dist/sentry-prevent-cli_macos
+            OUT_FILE_SUFFIX: _macos
+            ASSET_MIME: application/octet-stream
+
+          - os: windows-2022
+            TARGET: windows
+            CMD_BUILD: >
+              Set-Location .\codecov-cli &&
+              uv run pyinstaller -F .\codecov_cli\main.py &&
+              Move-Item -Path ".\dist\main.exe" -Destination ".\dist\codecovcli_windows.exe" &&
+              Set-Location ..\prevent-cli &&
+              uv run pyinstaller -F .\src\prevent_cli\main.py &&
+              Move-Item -Path ".\dist\main.exe" -Destination ".\dist\sentry-prevent-cli_windows.exe"
+            OUT_FILE_SUFFIX: _windows.exe
+            ASSET_MIME: application/vnd.microsoft.portable-executable
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Python 3.9
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.9"
+
+      - name: Install dependencies
+        run: |
+          pip install uv
+          cd prevent-cli
+          # Need to build pyyaml and ijson from sdists to get universal2 macos build to work
+          uv sync --no-binary-package pyyaml --no-binary-package ijson
+          cd ../codecov-cli
+          uv sync --no-binary-package pyyaml --no-binary-package ijson
+
+      - name: Build with pyinstaller for ${{matrix.TARGET}}
+        run: ${{matrix.CMD_BUILD}}
+
+      - name: Upload codecovcli binary for ${{matrix.TARGET}}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: codecovcli${{matrix.OUT_FILE_SUFFIX}}
+          path: ./codecov-cli/dist/codecovcli${{matrix.OUT_FILE_SUFFIX}}
+
+      - name: Upload sentry-prevent-cli binary for ${{matrix.TARGET}}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: sentry-prevent-cli${{matrix.OUT_FILE_SUFFIX}}
+          path: ./prevent-cli/dist/sentry-prevent-cli${{matrix.OUT_FILE_SUFFIX}}
+
+  build_linux_assets:
+    name: Build ${{ matrix.distro_name }}_${{ matrix.arch }} binary
+    runs-on: ${{ matrix.runs-on }}
+    strategy:
+      matrix:
+        include:
+          - distro: "alpine:3.14" # alpine 3.14 needed for musl 1.2.2/python 3.9 compatibility
+            arch: arm64
+            distro_name: alpine
+            runs-on: ubuntu-24.04-arm
+          - distro: "alpine:3.14"
+            arch: x86_64
+            distro_name: alpine
+            runs-on: ubuntu-24.04
+          - distro: "ubuntu:20.04" # ubuntu 20.04 needed for glibc 2.31/python 3.9 compatibility
+            arch: arm64
+            distro_name: linux
+            runs-on: ubuntu-24.04-arm
+          - distro: "ubuntu:20.04"
+            distro_name: linux
+            arch: x86_64
+            runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run in Docker
+        run: |
+          docker run \
+            --rm \
+            -v $(pwd):/${{ github.workspace }} \
+            -w ${{ github.workspace }} \
+            --platform linux/${{ matrix.arch }} \
+            ${{ matrix.distro }} \
+            ./scripts/build_${{ matrix.distro_name }}.sh ${{ matrix.distro_name }}_${{ matrix.arch }}
+
+      - name: Upload codecovcli binary for ${{matrix.distro_name}}_${{ matrix.arch}}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: codecovcli_${{ matrix.distro_name }}_${{ matrix.arch }}
+          path: ./codecov-cli/dist/codecovcli_*
+
+      - name: Upload sentry-prevent-cli binary for ${{matrix.distro_name}}_${{ matrix.arch}}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: sentry-prevent-cli_${{ matrix.distro_name }}_${{ matrix.arch }}
+          path: ./prevent-cli/dist/sentry-prevent-cli_*

.github/workflows/create-release.yml

@@ -0,0 +1,46 @@
+name: Create release
+
+permissions:
+  contents: read
+  pull-requests: write
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version to release
+        required: true
+
+      force:
+        description: Force a release even when there are release-blockers (optional)
+        required: false
+
+      merge_target:
+        description: Target branch to merge into. Uses the default branch as a fallback (optional)
+        required: false
+
+jobs:
+  release:
+    runs-on: ubuntu-24.04
+    name: "Release a new version"
+    steps:
+      - name: Get auth token
+        id: token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: ${{ steps.token.outputs.token }}
+          fetch-depth: 0
+
+      - name: Prepare release
+        uses: getsentry/action-prepare-release@3cea80dc3938c0baf5ec4ce752ecb311f8780cdc # v1.6.4
+        env:
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+        with:
+          version: ${{ github.event.inputs.version }}
+          force: ${{ github.event.inputs.force }}
+          merge_target: ${{ github.event.inputs.merge_target }}