ci(publish): attach checksums.txt to releases #207

Merged: khaliqgant merged 1 commit into main from fix/publish-checksums-txt, May 25, 2026
@khaliqgant

Member

What

Generate + attach checksums.txt to every release in publish.yml (basename entries for relayfile-mount-* + relayfile-cli-*).

Why

The release workflow uploads the binaries but stopped publishing checksums.txt (regressed from the old goreleaser layout — v0.1.6 had it, no v0.7.x does). agent-relay's relayfile-binary.ts verifyChecksum() is mandatory — it downloads checksums.txt from the release tag and throws on 404. So any consumer pinning a v0.7.x relayfile-mount tag can't install the daemon → the cloud Daytona persona path is stuck on v0.1.6, which predates the workspace-export 413→paginate fallback (v0.7.33/#195) + scoped mount paths (v0.7.39/#206). That's the root blocker for AgentWorkforce/cloud#1028.

Robust, not a point-fix

Restores the supply-chain-verification contract (keeps verification mandatory) so every future release works — not just a one-off backfill of v0.7.39.

🤖 Generated with Claude Code

The release workflow uploads relayfile-mount + relayfile-cli binaries but
stopped publishing checksums.txt (regressed from the old goreleaser layout).
agent-relay's relayfile-binary.ts verifyChecksum() is mandatory — it downloads
checksums.txt from the release tag and throws on 404 — so consumers pinning a
v0.7.x mount-daemon tag cannot install (the cloud Daytona persona path is stuck
on v0.1.6 for exactly this reason). Generate + attach checksums.txt (basename
entries, matching the downstream parser) on every release to restore the
supply-chain-verification contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
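
The contract described above (basename entries in checksums.txt, verification that fails when the file or an entry is missing) as an added example; it is not the project's publish.yml or relayfile-binary.ts. The function names, the `linux-amd64` suffix and the file contents are constructed, and the `<digest>  <basename>` line format is assumed to be what the downstream parser reads.

```shell
#!/usr/bin/env bash
# Added example: constructed names and contents, not code from the repository.
set -eu

# Write one "<sha256>  <basename>" line per file. Hashing from inside each
# file's directory keeps directory prefixes out of checksums.txt, so a consumer
# can look an asset up by the name it downloaded.
generate_checksums() {
  local out="$1"; shift
  local path
  : > "$out"
  for path in "$@"; do
    # An unmatched glob stays literal and lands here: fail instead of
    # publishing an incomplete checksums file.
    [ -f "$path" ] || { echo "missing binary: $path" >&2; return 1; }
    (cd "$(dirname "$path")" && sha256sum "$(basename "$path")") >> "$out"
  done
}

# Fail closed: no checksums file, no entry for the asset, or a digest
# mismatch all return non-zero.
verify_asset() {
  local sums="$1"
  local file="$2"
  local name expected actual
  name=$(basename "$file")
  [ -f "$sums" ] || { echo "no checksums file: $sums" >&2; return 1; }
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
  [ -n "$expected" ] || { echo "no entry for $name" >&2; return 1; }
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  [ "$actual" = "$expected" ] || { echo "digest mismatch for $name" >&2; return 1; }
}

# Constructed demo using the two directories named in the review below.
demo() {
  local tmp
  tmp=$(mktemp -d)
  mkdir -p "$tmp/mount-binaries" "$tmp/packages/cli/bin"
  printf 'mount' > "$tmp/mount-binaries/relayfile-mount-linux-amd64"
  printf 'cli' > "$tmp/packages/cli/bin/relayfile-cli-linux-amd64"
  generate_checksums "$tmp/checksums.txt" \
    "$tmp"/mount-binaries/relayfile-mount-* "$tmp"/packages/cli/bin/relayfile-cli-*
  cat "$tmp/checksums.txt"
  verify_asset "$tmp/checksums.txt" "$tmp/mount-binaries/relayfile-mount-linux-amd64"
  rm -rf "$tmp"
}
demo
```
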
@coderabbitai

coderabbitai Bot commented May 25, 2026

Walkthrough

The publish workflow now generates and uploads a checksums.txt file containing SHA-256 hashes of released binaries before creating the GitHub Release. The checksums file includes entries for all relayfile-mount-* and relayfile-cli-* binaries and is attached as a release asset.

Changes

Release Checksum Generation

| Layer / File(s) | Summary |
|---|---|
| Checksum generation and asset upload (.github/workflows/publish.yml) | New step generates checksums.txt with SHA-256 hashes for relayfile-mount-* and relayfile-cli-* binaries, and updates the release asset list to include the checksums file. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A checksum for every binary built,
SHA-256 hashes without guilt,
In releases they now dwell,
Verifying files—all is well! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding checksums.txt generation and attachment to the release workflow. |
| Description check | ✅ Passed | The description comprehensively explains what is being changed, why it's necessary, and how it addresses a downstream blocker for agent-relay's mandatory checksum verification. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)

433-443: ⚡ Quick win

Consider verifying CLI binaries presence for consistency.

The mount binaries are explicitly verified in lines 421-431 with clear error messages, but the CLI binaries in packages/cli/bin are not verified before checksumming. While the step will fail if they're missing (due to set -euo pipefail), an explicit verification would provide clearer error messages and maintain consistency with the mount binary handling pattern.

📋 Suggested verification step

Add a verification step after line 431:

       chmod +x mount-binaries/relayfile-mount-*

+  - name: Verify CLI binaries present
+    run: |
+      set -euo pipefail
+      if [ ! -d "packages/cli/bin" ]; then
+        echo "ERROR: packages/cli/bin directory missing"
+        exit 1
+      fi
+      ls -la packages/cli/bin/
+      if ! ls packages/cli/bin/relayfile-cli-* >/dev/null 2>&1; then
+        echo "ERROR: No relayfile-cli-* binaries found in packages/cli/bin"
+        exit 1
+      fi
+
   - name: Generate checksums
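
Review bot: The glob test `if ! ls packages/cli/bin/relayfile-cli-* >/dev/null 2>&1` only proves that at least one CLI binary exists, so a build that produced some platform binaries but not others still passes this step and goes on to Generate checksums. Consider checking an explicit list of expected asset names (or an expected count) and failing on the first one that is absent, with the name in the error message. A `[ -e "$f" ]` loop over that list would also make the separate `[ ! -d "packages/cli/bin" ]` test unnecessary and avoids using ls as an existence check.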
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 433 - 443, The Generate checksums
step omits an explicit existence check for CLI binaries (packages/cli/bin
relayfile-cli-*), unlike the mount-binaries verification; add a pre-check before
running sha256sum that verifies at least one relayfile-cli-* exists (e.g., using
a shell test or ls pattern) and emit a clear error message and non-zero exit if
missing so the failure is explicit and consistent with the mount binary
verification block.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/publish.yml:
- Around line 433-443: The Generate checksums step omits an explicit existence
check for CLI binaries (packages/cli/bin relayfile-cli-*), unlike the
mount-binaries verification; add a pre-check before running sha256sum that
verifies at least one relayfile-cli-* exists (e.g., using a shell test or ls
pattern) and emit a clear error message and non-zero exit if missing so the
failure is explicit and consistent with the mount binary verification block.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 97daa36 and 647306b.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file


@khaliqgant khaliqgant merged commit 1e8a6e2 into main May 25, 2026
8 checks passed
@khaliqgant khaliqgant deleted the fix/publish-checksums-txt branch May 25, 2026 06:16