name: Release

# Manually triggered ("Run workflow"). On trigger it:

# 1. reads the version from package.json,

# 2. promotes `## [Unreleased]` content into `## [<version>]` in

# CHANGELOG.md (and commits + pushes that change back to main), so

# the published release notes are never sparse just because the

# maintainer didn't pre-stage the [<version>] block by hand,

# 3. builds a self-contained bundle for every platform (one runner — there's no

# native compilation, so cross-packaging is fine),

# 4. creates the GitHub Release (tag v<version>) with all archives, using the

# release notes from CHANGELOG.md,

# 5. publishes the npm thin-installer (shim + per-platform packages).

#

# Before triggering: bump package.json. CHANGELOG.md entries can live under

# `## [Unreleased]` — step 2 takes care of moving them. Set the NPM_TOKEN secret.

on:

workflow_dispatch: {}

permissions:

contents: write # create the GitHub Release + tag, push the CHANGELOG promote

jobs:

release:

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v6

with:

# Default checkout is detached at a SHA; we need an actual branch

# so the CHANGELOG-promote commit knows where to push.

ref: ${{ github.ref }}

# Authenticate as the maintainer (admin), not as github-actions[bot].

# The "Require PR approval for main branch" ruleset only lets the

# Admin repo role bypass — and GitHub blocks adding the GitHub

# Actions integration to bypass_actors on user-owned (non-org)

# repos with "Actor GitHub Actions integration must be part of

# the ruleset source or owner organization." So the auto-promote

# and auto-sync `git push origin HEAD:main` steps below both fail

# under the default GITHUB_TOKEN. Using a fine-grained PAT owned

# by the admin makes the push go through cleanly. Set the

# RELEASE_PAT secret with: contents:write on this repo, no other

# scopes. Rotate per your token policy; the workflow only runs

# on manual dispatch so the blast radius is small.

token: ${{ secrets.RELEASE_PAT }}

- uses: actions/setup-node@v6

with:

node-version: 22

registry-url: https://registry.npmjs.org

- name: Sync package-lock.json if version drifted

# When the maintainer bumps the version on package.json only — for

# example via a GitHub web-UI edit — `npm ci` would refuse to run

# with `EUSAGE: npm ci can only install packages when your

# package.json and package-lock.json … are in sync`. This step

# rewrites just the lock-file's version fields (top-level + the

# `packages.""` entry) to match package.json, then auto-commits

# and pushes the result so on-disk truth on `main` stays

# consistent. Idempotent: if the lock file already matches, no

# commit is made.

run: |

set -euo pipefail

PKG_V=$(node -p "require('./package.json').version")

LOCK_V=$(node -p "require('./package-lock.json').version")

if [ "$PKG_V" = "$LOCK_V" ]; then

echo "package-lock.json already at $PKG_V — nothing to sync."

exit 0

fi

echo "Lock-file version drift: lock=$LOCK_V, package=$PKG_V. Syncing."

# `--package-lock-only` rewrites only the lock file, doesn't

# touch node_modules or actually install anything. Cheap.

npm install --package-lock-only --ignore-scripts

# Sanity: lockfile should now report the package version.

NEW_LOCK_V=$(node -p "require('./package-lock.json').version")

if [ "$NEW_LOCK_V" != "$PKG_V" ]; then

echo "::error::lock-file still at $NEW_LOCK_V after sync attempt; expected $PKG_V"; exit 1

fi

if git diff --quiet -- package-lock.json; then

echo "lock file unchanged after sync? bailing"; exit 1

fi

git config user.name "github-actions[bot]"

git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

git add package-lock.json

git commit -m "release: sync package-lock.json to ${PKG_V}" -m "[skip ci] Auto-generated by Release workflow."

git push origin "HEAD:${GITHUB_REF#refs/heads/}"

- run: npm ci

- name: Ensure zip/unzip

run: sudo apt-get update -qq && sudo apt-get install -y -qq zip unzip

- name: Resolve version

id: ver

run: echo "version=$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"

- name: Promote [Unreleased] → [<version>] in CHANGELOG.md

# Idempotent: a no-op if [Unreleased] is empty OR if the previous

# run already moved everything. Auto-commit + push the change back

# so the version block on main is the source of truth going

# forward (and so subsequent extract-release-notes.mjs calls

# surface the full content even if this run is re-triggered).

run: |

set -euo pipefail

V="${{ steps.ver.outputs.version }}"

before=$(git rev-parse HEAD)

node scripts/prepare-release.mjs "$V"

if git diff --quiet -- CHANGELOG.md; then

echo "CHANGELOG.md unchanged — nothing to commit."

else

git config user.name "github-actions[bot]"

git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

git add CHANGELOG.md

git commit -m "docs(changelog): promote [Unreleased] into [${V}]" -m "[skip ci] Auto-generated by Release workflow."

# Push to the branch the workflow was triggered on (main).

git push origin "HEAD:${GITHUB_REF#refs/heads/}"

fi

- name: Build all platform bundles

run: |

for t in darwin-arm64 darwin-x64 linux-x64 linux-arm64 win32-x64 win32-arm64; do

bash scripts/build-bundle.sh "$t"

done

ls -lh release

- name: Generate SHA256SUMS

# Published as a release asset; the npm launcher verifies downloaded

# bundles against it (basenames only, so its path.basename match works).

run: |

( cd release && sha256sum codegraph-* > SHA256SUMS )

cat release/SHA256SUMS

- name: Release notes from CHANGELOG.md

# The [<version>] block was guaranteed-populated by the

# "Promote" step above, so the [Unreleased] fallback should

# never be needed in practice. Kept for defense-in-depth.

run: |

V="${{ steps.ver.outputs.version }}"

node scripts/extract-release-notes.mjs "$V" > notes.md 2>/dev/null \

|| node scripts/extract-release-notes.mjs Unreleased > notes.md 2>/dev/null || true

if [ ! -s notes.md ]; then

echo "::error::No release notes in CHANGELOG.md for [$V] or [Unreleased]."

exit 1

fi

echo "----- release notes -----"; cat notes.md

- name: Create GitHub Release

env:

GH_TOKEN: ${{ github.token }}

run: |

TAG="v${{ steps.ver.outputs.version }}"

# Idempotent: create the release once, otherwise (re-run) refresh assets.

if gh release view "$TAG" >/dev/null 2>&1; then

gh release upload "$TAG" release/codegraph-* release/SHA256SUMS --clobber

else

gh release create "$TAG" release/codegraph-* release/SHA256SUMS --title "$TAG" --notes-file notes.md

fi

- name: Publish to npm

env:

NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

run: |

V="${{ steps.ver.outputs.version }}"

bash scripts/pack-npm.sh "$V"

# Platform packages first, then the main shim (which depends on them).

# Skip any already on the registry so a re-run only fills in gaps.

for dir in release/npm/codegraph-* release/npm/main; do

name=$(node -p "require('./$dir/package.json').name")

if npm view "$name@$V" version >/dev/null 2>&1; then

echo "skip $name@$V (already published)"

else

echo "publishing $name@$V"

( cd "$dir" && npm publish --access public )

fi

done

- name: Verify every package is actually on the registry

run: |

V="${{ steps.ver.outputs.version }}"

# npm publish can print success without persisting; confirm against the

# registry (with retries for propagation) so green means really shipped.

for dir in release/npm/codegraph-* release/npm/main; do

name=$(node -p "require('./$dir/package.json').name")

ok=

for i in 1 2 3 4 5 6; do

if npm view "$name@$V" version >/dev/null 2>&1; then ok=1; break; fi

echo "waiting for $name@$V to appear ($i)…"; sleep 10

done

[ -n "$ok" ] || { echo "::error::$name@$V never appeared on the registry"; exit 1; }

echo "verified $name@$V"

done

- name: Sync packages to npmmirror

# npmmirror/cnpm mirror lazily and frequently never pull the per-platform

# optionalDependencies on their own, so `npm i` there fails with

# "no prebuilt bundle" (issue #303). Nudge a sync now so mirror users get

# the bundle without waiting. Best-effort — the launcher also self-heals

# from GitHub Releases — so a mirror hiccup never fails the release.

continue-on-error: true

run: |

for dir in release/npm/codegraph-* release/npm/main; do

name=$(node -p "require('./$dir/package.json').name")

enc=$(node -p "encodeURIComponent(require('./$dir/package.json').name)")

echo "sync $name"

curl -s -X PUT "https://registry.npmmirror.com/-/package/$enc/syncs" || true

echo

done