fix: simplify release to workflow_dispatch (no bot commits needed)
Replace the two-workflow PR-based release flow with a single
workflow_dispatch trigger, matching the socket-cli pattern.

Changes:
- Remove release-prep.yml (automated version bump + PR creation)
- Make release.yml a manual workflow_dispatch that reads the version
  from Cargo.toml, tags, builds, and publishes
- Add dry-run option to build without publishing
- Use NPM_TOKEN secret for npm publish (fixes ENEEDAUTH on new packages)
- Add registry-url to setup-node for proper auth

Release flow after this change:
1. Bump version in a PR: run scripts/version-sync.sh, commit, merge
2. Click "Run workflow" on Release
3. Done - tags, builds, and publishes automatically

This avoids the signed commit requirement that blocked github-actions[bot]
from pushing to protected branches.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Wenxin-Jiang and claude committed Apr 1, 2026
commit b53aa0c4a093130a0a3ab1060875e8526e199f72
68 changes: 0 additions & 68 deletions .github/workflows/release-prep.yml

This file was deleted.

80 changes: 45 additions & 35 deletions .github/workflows/release.yml
@@ -1,55 +1,60 @@
name: Release

on:
pull_request:
types: [closed]
branches: [main]
workflow_dispatch:
inputs:
dry-run:
description: 'Dry run (build only, skip publish)'
type: boolean
default: false

permissions: {}

jobs:
check-release:
if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'release/v')
version:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.extract.outputs.VERSION }}
version: ${{ steps.read.outputs.VERSION }}
steps:
- name: Extract version from branch name
id: extract
env:
HEAD_REF: ${{ github.event.pull_request.head.ref }}
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Read version from Cargo.toml
id: read
run: |
VERSION="${HEAD_REF#release/v}"
VERSION=$(grep '^version = ' Cargo.toml | head -1 | sed 's/version = "\(.*\)"/\1/')
echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
echo "Detected release version: $VERSION"
echo "Release version: $VERSION"

- name: Check tag does not exist
run: |
VERSION="${{ steps.read.outputs.VERSION }}"
if git rev-parse "v${VERSION}" >/dev/null 2>&1; then
echo "::error::Tag v${VERSION} already exists. Bump the version in a PR first."
exit 1
fi

tag:
needs: check-release
needs: version
if: ${{ !inputs.dry-run }}
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Configure Git
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"

- name: Create and push tag
run: |
VERSION="${{ needs.check-release.outputs.version }}"
TAG="v${VERSION}"
if git rev-parse "$TAG" >/dev/null 2>&1; then
echo "::error::Tag $TAG already exists."
exit 1
fi
TAG="v${{ needs.version.outputs.version }}"
git tag "$TAG"
git push origin "$TAG"

build:
needs: [check-release, tag]
needs: [version, tag]
if: ${{ always() && needs.version.result == 'success' && (needs.tag.result == 'success' || needs.tag.result == 'skipped') }}
strategy:
matrix:
include:
@@ -116,7 +121,6 @@ jobs:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: v${{ needs.check-release.outputs.version }}
persist-credentials: false

- name: Install Rust
@@ -165,7 +169,8 @@ jobs:
path: socket-patch-${{ matrix.target }}.zip

github-release:
needs: [check-release, build]
needs: [version, build]
if: ${{ !inputs.dry-run }}
runs-on: ubuntu-latest
permissions:
contents: write
@@ -180,14 +185,15 @@ jobs:
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
TAG="v${{ needs.check-release.outputs.version }}"
TAG="v${{ needs.version.outputs.version }}"
gh release create "$TAG" \
--repo "$GITHUB_REPOSITORY" \
--generate-notes \
artifacts/*

cargo-publish:
needs: [check-release, build]
needs: [version, build]
if: ${{ !inputs.dry-run }}
runs-on: ubuntu-latest
permissions:
contents: read
@@ -196,7 +202,6 @@ jobs:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: v${{ needs.check-release.outputs.version }}
persist-credentials: false

- name: Install Rust
@@ -225,7 +230,8 @@ jobs:
CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token }}

npm-publish:
needs: [check-release, build]
needs: [version, build]
if: ${{ !inputs.dry-run }}
runs-on: ubuntu-latest
permissions:
contents: read
@@ -234,7 +240,6 @@ jobs:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: v${{ needs.check-release.outputs.version }}
persist-credentials: false

- name: Configure git for HTTPS
@@ -250,6 +255,7 @@ jobs:
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '22'
registry-url: 'https://registry.npmjs.org'

- name: Update npm for trusted publishing
run: npm install -g npm@latest
@@ -285,6 +291,8 @@ jobs:
stage_win socket-patch-aarch64-pc-windows-msvc npm/socket-patch-win32-arm64

- name: Publish platform packages
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
for pkg_dir in npm/socket-patch-*/; do
echo "Publishing ${pkg_dir}..."
@@ -298,10 +306,13 @@ jobs:
run: cp README.md npm/socket-patch/README.md

- name: Publish main package
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish ./npm/socket-patch --provenance --access public

pypi-publish:
needs: [check-release, build]
needs: [version, build]
if: ${{ !inputs.dry-run }}
runs-on: ubuntu-latest
permissions:
contents: read
@@ -310,7 +321,6 @@ jobs:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: v${{ needs.check-release.outputs.version }}
persist-credentials: false

- name: Download all artifacts
@@ -329,7 +339,7 @@ jobs:

- name: Build platform wheels
run: |
VERSION="${{ needs.check-release.outputs.version }}"
VERSION="${{ needs.version.outputs.version }}"
python scripts/build-pypi-wheels.py --version "$VERSION" --artifacts artifacts --dist dist

- name: Publish to PyPI
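Review bot: Nothing in the new `workflow_dispatch` flow restricts which ref a release may be dispatched from: the `version` job carries no `if:` and every checkout now takes the dispatched ref (the `ref: v…` lines are gone), so a run started from a feature branch would tag that branch's HEAD and feed it to the cargo, npm and PyPI publish jobs. The old trigger only fired for PRs merged into `main`; to keep that property, gate the first job with `if: github.ref == 'refs/heads/main'` (the jobs that need it are then skipped too), or bind the publish jobs to an environment with a deployment-branch rule. Relatedly, the version is now read from `Cargo.toml` on that ref and expanded with `${{ … }}` directly inside `run:` scripts (`Check tag does not exist`, `Create and push tag`, the `gh release create` step, `Build platform wheels`), so file content becomes shell text in jobs that hold `contents: write`; passing it through `env:` as the removed `HEAD_REF` step did, and rejecting anything that is not a plain semver string (an empty match currently yields the tag `v`), would close that. Several hunks on this page are collapsed, so a guard outside the visible lines cannot be ruled out.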