release.yml

name: Release

on:
  push:
    tags:
      - 'v*'

# Least-privilege default. Only `create-release` escalates to
# `contents: write` (publish release) + `id-token: write` (cosign).
# Build jobs only produce artifacts via actions/upload-artifact and
# stay read-only.
permissions:
  contents: read

jobs:
  build-wasm:
    name: Build WASM Binary
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v6

    - name: Setup Go
      uses: actions/setup-go@v6
      with:
        go-version: '1.25.10'

    - name: Get dependencies
      run: go mod download

    - name: Build WASM binary
      run: make build-wasm

    - name: Bundle WASM archive with JS dependencies
      run: |
        set -euo pipefail
        GO_VERSION=$(go env GOVERSION)
        GOROOT=$(go env GOROOT)

        # Get wasm_exec.js - try multiple locations then download
        echo "::group::Fetching wasm_exec.js for ${GO_VERSION}"
        if [ -f "${GOROOT}/misc/wasm/wasm_exec.js" ]; then
          cp "${GOROOT}/misc/wasm/wasm_exec.js" bin/wasm_exec.js
          echo "Copied from GOROOT/misc/wasm/ (${GO_VERSION})"
        elif [ -f "${GOROOT}/lib/wasm/wasm_exec.js" ]; then
          cp "${GOROOT}/lib/wasm/wasm_exec.js" bin/wasm_exec.js
          echo "Copied from GOROOT/lib/wasm/ (${GO_VERSION})"
        else
          # Download from Go repository matching the build version
          DOWNLOAD_URL="https://raw.githubusercontent.com/golang/go/${GO_VERSION}/misc/wasm/wasm_exec.js"
          echo "Downloading from ${DOWNLOAD_URL}"
          curl -sfL --retry 3 --retry-delay 5 -o bin/wasm_exec.js "${DOWNLOAD_URL}"
          echo "Downloaded wasm_exec.js for ${GO_VERSION}"
        fi
        echo "::endgroup::"

        # Copy ailang-repl.js wrapper from web/
        echo "::group::Bundling ailang-repl.js"
        cp web/ailang-repl.js bin/ailang-repl.js
        echo "Copied ailang-repl.js from web/"
        echo "::endgroup::"

        # Create archive with all three files
        echo "::group::Creating ailang-wasm.tar.gz"
        cd bin
        ls -lh ailang.wasm wasm_exec.js ailang-repl.js
        tar -czf ailang-wasm.tar.gz ailang.wasm wasm_exec.js ailang-repl.js
        echo "::endgroup::"

    - name: Verify WASM archive contents
      run: |
        set -euo pipefail
        echo "::group::Archive verification"
        tar -tzf bin/ailang-wasm.tar.gz
        # Size checks
        WASM_SIZE=$(stat -c%s bin/ailang.wasm 2>/dev/null || stat -f%z bin/ailang.wasm)
        EXEC_SIZE=$(stat -c%s bin/wasm_exec.js 2>/dev/null || stat -f%z bin/wasm_exec.js)
        REPL_SIZE=$(stat -c%s bin/ailang-repl.js 2>/dev/null || stat -f%z bin/ailang-repl.js)
        echo "ailang.wasm: ${WASM_SIZE} bytes"
        echo "wasm_exec.js: ${EXEC_SIZE} bytes"
        echo "ailang-repl.js: ${REPL_SIZE} bytes"
        if [ "$WASM_SIZE" -lt 1000000 ]; then
          echo "::error::ailang.wasm is too small (${WASM_SIZE} bytes, expected >1MB)"
          exit 1
        fi
        if [ "$EXEC_SIZE" -lt 10000 ]; then
          echo "::error::wasm_exec.js is too small (${EXEC_SIZE} bytes, expected >10KB)"
          exit 1
        fi
        if [ "$REPL_SIZE" -lt 3000 ]; then
          echo "::error::ailang-repl.js is too small (${REPL_SIZE} bytes, expected >3KB)"
          exit 1
        fi
        echo "All files verified"
        echo "::endgroup::"

    - name: Upload artifact
      uses: actions/upload-artifact@v7
      with:
        name: ailang-wasm
        path: bin/ailang-wasm.tar.gz

  build-bootstrap-content:
    name: Build Bootstrap Content Bundle
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v6

    - name: Setup Go
      uses: actions/setup-go@v6
      with:
        go-version: '1.25.10'

    - name: Get dependencies
      run: go mod download

    - name: Build bootstrap content bundle
      run: make bootstrap-content

    - name: Upload artifact
      uses: actions/upload-artifact@v7
      with:
        name: bootstrap-content
        path: bin/bootstrap-content.tar.gz

  build-examples:
    name: Build Examples Bundle
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v6

    - name: Create examples.zip
      run: |
        cd examples
        zip -r ../examples.zip . -i '*.ail' '*.json' -x 'sim_stub/*'
        cd ..
        echo "Contents:"
        unzip -l examples.zip | tail -5
        ls -lh examples.zip

    - name: Upload artifact
      uses: actions/upload-artifact@v7
      with:
        name: examples
        path: examples.zip

  build-release:
    name: Build Release ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        include:
          # Naming follows Gemini CLI convention: {platform}.{arch}.{name}
          # See: https://geminicli.com/docs/extensions/extension-releasing/
          - os: ubuntu-latest
            goos: linux
            goarch: amd64
            binary_name: ailang
            artifact_name: linux.x64.ailang
          - os: macos-latest
            goos: darwin
            goarch: amd64
            binary_name: ailang
            artifact_name: darwin.x64.ailang
          - os: macos-latest
            goos: darwin
            goarch: arm64
            binary_name: ailang
            artifact_name: darwin.arm64.ailang
          - os: windows-latest
            goos: windows
            goarch: amd64
            binary_name: ailang.exe
            artifact_name: win32.x64.ailang

    steps:
    - name: Checkout code
      uses: actions/checkout@v6

    - name: Setup Go
      uses: actions/setup-go@v6
      with:
        go-version: '1.25.10'

    - name: Get dependencies
      run: go mod download

    - name: Get version
      id: get_version
      run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
      shell: bash

    - name: Build binary with version
      env:
        GOOS: ${{ matrix.goos }}
        GOARCH: ${{ matrix.goarch }}
        VERSION: ${{ steps.get_version.outputs.VERSION }}
      run: |
        go build -v -ldflags "-X github.com/sunholo-data/ailang/internal/version.Version=${VERSION}" -o bin/${{ matrix.binary_name }} ./cmd/ailang

    - name: Create archive (Unix)
      if: matrix.os != 'windows-latest'
      run: |
        chmod +x bin/${{ matrix.binary_name }}
        tar -czf ${{ matrix.artifact_name }}.tar.gz -C bin ${{ matrix.binary_name }}

    - name: Create archive (Windows)
      if: matrix.os == 'windows-latest'
      shell: pwsh
      run: |
        Compress-Archive -Path bin\${{ matrix.binary_name }} -DestinationPath ${{ matrix.artifact_name }}.zip

    - name: Upload artifact (Unix)
      if: matrix.os != 'windows-latest'
      uses: actions/upload-artifact@v7
      with:
        name: ${{ matrix.artifact_name }}
        path: ${{ matrix.artifact_name }}.tar.gz

    - name: Upload artifact (Windows)
      if: matrix.os == 'windows-latest'
      uses: actions/upload-artifact@v7
      with:
        name: ${{ matrix.artifact_name }}
        path: ${{ matrix.artifact_name }}.zip

  build-error-codes:
    name: Generate error_codes.json
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v6

    - name: Setup Go
      uses: actions/setup-go@v6
      with:
        go-version: '1.25.10'

    - name: Get dependencies
      run: go mod download

    - name: Generate error_codes.json
      run: make error-codes

    - name: Upload artifact
      uses: actions/upload-artifact@v7
      with:
        name: error-codes
        path: dist/error_codes.json

  create-release:
    name: Create GitHub Release
    needs: [build-release, build-wasm, build-bootstrap-content, build-examples, build-error-codes]
    runs-on: ubuntu-latest
    # id-token: write is required for cosign keyless signing — the job
    # requests an OIDC token from GitHub which Sigstore's Fulcio CA uses
    # to issue a short-lived signing cert bound to this workflow's
    # identity (sunholo-data/ailang/.github/workflows/release.yml).
    # No long-lived keys are stored; the chain terminates at Sigstore's
    # public transparency log (Rekor).
    permissions:
      contents: write
      id-token: write
    outputs:
      # Base64-encoded SHA256SUMS body, consumed by the SLSA provenance
      # generator job below. Format expected by the generator: one line
      # per artifact, "<sha256>  <basename>".
      hashes: ${{ steps.compute-subjects.outputs.hashes }}

    steps:
    - name: Checkout code
      uses: actions/checkout@v6

    - name: Download all artifacts
      uses: actions/download-artifact@v8
      with:
        path: ./artifacts

    - name: Compute SHA256 checksums
      # Produces two things the installer consumes:
      #  * SHA256SUMS           — canonical file (one-per-line: <hash>  <filename>)
      #  * <file>.sha256        — per-artifact companion, format expected by
      #                           `sha256sum -c` / `shasum -a 256 -c`.
      # The per-file format includes a leading "<hash>  <basename>" so the
      # install script can verify without path munging after `cd $TMPDIR`.
      run: |
        set -euo pipefail
        mkdir -p artifacts-flat
        # Flatten actions/download-artifact's nested folders (one subdir per
        # artifact) into a single directory so the hash file references
        # basenames only — what the installer downloads into its $TMPDIR.
        find artifacts -type f \( -name '*.tar.gz' -o -name '*.zip' -o -name '*.json' \) -print0 \
          | xargs -0 -I{} cp {} artifacts-flat/
        cd artifacts-flat
        ls -la
        # Canonical SHA256SUMS (one file per release).
        sha256sum *.tar.gz *.zip *.json > SHA256SUMS
        # Per-artifact companions so the installer can fetch just the one
        # matching the archive it downloaded (avoids a full SHA256SUMS pull).
        for f in *.tar.gz *.zip *.json; do
          sha256sum "$f" > "$f.sha256"
        done
        echo "::group::SHA256SUMS"
        cat SHA256SUMS
        echo "::endgroup::"

    - name: Compute base64 subjects for SLSA provenance
      # The SLSA generic generator expects a base64-encoded blob whose
      # decoded content has one line per artifact: "<sha256>  <basename>".
      # SHA256SUMS already has exactly that format, so we just base64 it.
      id: compute-subjects
      run: |
        set -euo pipefail
        cd artifacts-flat
        echo "hashes=$(base64 -w0 < SHA256SUMS)" >> "$GITHUB_OUTPUT"

    - name: Install cosign
      uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
      with:
        cosign-release: 'v2.4.1'

    - name: Sign artifacts (cosign keyless)
      # Keyless signing via the workflow's OIDC identity.
      # - `--yes` bypasses the interactive confirmation prompt (required in CI).
      # - The short-lived cert is logged to Rekor, the public transparency log,
      #   so a verifier can later prove the signature was issued by a specific
      #   workflow run in THIS repo — not just "some github action, somewhere".
      # Both SHA256SUMS and each archive get signed so verifiers can choose
      # either the summary file or the per-archive route.
      run: |
        set -euo pipefail
        cd artifacts-flat
        for f in *.tar.gz *.zip *.json SHA256SUMS; do
          echo "Signing $f..."
          cosign sign-blob --yes \
            --output-signature "$f.sig" \
            --output-certificate "$f.pem" \
            "$f"
        done
        echo "::group::Signature artifacts"
        ls -la *.sig *.pem
        echo "::endgroup::"

    - name: Get version
      id: get_version
      run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT

    - name: Generate changelog
      id: changelog
      run: |
        echo "## What's Changed" > changelog.md
        echo "" >> changelog.md
        git log --pretty=format:"* %s (%h)" $(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")..HEAD >> changelog.md || echo "* Initial release" >> changelog.md
        echo "" >> changelog.md
        echo "## Downloads" >> changelog.md
        echo "" >> changelog.md
        echo "### Installation" >> changelog.md
        echo "" >> changelog.md
        echo '```bash' >> changelog.md
        echo '# macOS (Intel)' >> changelog.md
        echo 'curl -L https://github.com/${{ github.repository }}/releases/download/${{ steps.get_version.outputs.VERSION }}/darwin.x64.ailang.tar.gz | tar -xz' >> changelog.md
        echo 'sudo mv ailang /usr/local/bin/' >> changelog.md
        echo '' >> changelog.md
        echo '# macOS (Apple Silicon)' >> changelog.md
        echo 'curl -L https://github.com/${{ github.repository }}/releases/download/${{ steps.get_version.outputs.VERSION }}/darwin.arm64.ailang.tar.gz | tar -xz' >> changelog.md
        echo 'sudo mv ailang /usr/local/bin/' >> changelog.md
        echo '' >> changelog.md
        echo '# Linux' >> changelog.md
        echo 'curl -L https://github.com/${{ github.repository }}/releases/download/${{ steps.get_version.outputs.VERSION }}/linux.x64.ailang.tar.gz | tar -xz' >> changelog.md
        echo 'sudo mv ailang /usr/local/bin/' >> changelog.md
        echo '```' >> changelog.md
        echo '' >> changelog.md
        echo '### Examples' >> changelog.md
        echo '' >> changelog.md
        echo 'Download code examples to use with `ailang examples`:' >> changelog.md
        echo '```bash' >> changelog.md
        echo 'ailang examples download' >> changelog.md
        echo '```' >> changelog.md
        echo '' >> changelog.md
        echo '### WebAssembly' >> changelog.md
        echo '' >> changelog.md
        echo 'For embedding AILANG REPL in web applications:' >> changelog.md
        echo '```bash' >> changelog.md
        echo 'curl -L https://github.com/${{ github.repository }}/releases/download/${{ steps.get_version.outputs.VERSION }}/ailang-wasm.tar.gz | tar -xz' >> changelog.md
        echo '# Contains: ailang.wasm, wasm_exec.js, ailang-repl.js (all version-matched)' >> changelog.md
        echo '```' >> changelog.md
        echo '' >> changelog.md
        echo 'See [web/README.md](https://github.com/${{ github.repository }}/blob/main/web/README.md) for integration guide.' >> changelog.md

    - name: Create Release (draft)
      # Created as a draft so the SLSA provenance job (next) can attach
      # multiple.intoto.jsonl. Once a release is published GitHub locks
      # its assets ("immutable releases") and post-publish uploads fail
      # with "Cannot upload assets to an immutable release". The
      # finalize-release job below flips draft=false after provenance
      # uploads its attestation.
      uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
      with:
        name: AILANG ${{ steps.get_version.outputs.VERSION }}
        body_path: changelog.md
        draft: true
        prerelease: ${{ contains(steps.get_version.outputs.VERSION, '-') }}
        files: |
          artifacts/**/*.tar.gz
          artifacts/**/*.zip
          artifacts/**/*.json
          artifacts-flat/SHA256SUMS
          artifacts-flat/*.sha256
          artifacts-flat/*.sig
          artifacts-flat/*.pem

  # SLSA Build Level 3 provenance for every published artifact.
  #
  # Cosign (above) proves: this binary was signed by a workflow with the
  # OIDC identity sunholo-data/ailang/.github/workflows/release.yml.
  #
  # SLSA provenance proves: which source commit + builder + materials
  # produced that binary. The two claims compose — a verifier checks the
  # signature, then the provenance describes the build that ran inside
  # that signed identity.
  #
  # Output: a single multiple.intoto.jsonl attached to the release that
  # covers all artifacts listed in SHA256SUMS. Verifiable with:
  #   slsa-verifier verify-artifact <archive> \
  #     --provenance-path multiple.intoto.jsonl \
  #     --source-uri github.com/sunholo-data/ailang \
  #     --source-tag <tag>
  provenance:
    needs: [create-release]
    permissions:
      actions: read       # detect the build workflow
      id-token: write     # OIDC token for keyless signing
      contents: write     # attach .intoto.jsonl to the release
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.create-release.outputs.hashes }}"
      upload-assets: true
      # Keep the release in draft state while we attach provenance.
      # GitHub locks asset lists once a release is published
      # ("immutable releases"), so post-publish uploads fail with
      # "Cannot upload assets to an immutable release". Typed as
      # string per the generator's input schema.
      draft-release: "true"
      provenance-name: "multiple.intoto.jsonl"

  finalize-release:
    name: Publish Release
    needs: [provenance]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Publish draft release
        # Flip draft -> published now that provenance has been attached.
        # After this point GitHub locks the asset list (immutable
        # releases), which is what we want — the published release is
        # complete and tamper-evident.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          gh release edit "$TAG" \
            --repo "${{ github.repository }}" \
            --draft=false