feat: Phase 6 cutover — delete Java reference, ship v1.0.0 (#132) #1
Workflow file for this run
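name: release-go

# Tag-triggered release pipeline for the codeiq Go binary.
#
# Trigger: push a tag matching `v*.*.*` (e.g. `git tag v1.0.0 && git push --tags`),
# or run manually (workflow_dispatch) against a tag that already exists.
# Cross-OS build via per-runner matrix (CGO + native kuzudb/sqlite means
# we can't cross-compile cleanly from a single host).
#
# Phase 5 of the Java→Go port. Replaces release-java.yml (kept around
# until Phase 6 cutover for any emergency Java release).
#
# Supply-chain notes:
#   * Every third-party action is pinned to a full commit SHA; the trailing
#     comment records the release that SHA corresponds to.
#   * The workflow-level token is read-only. Write scopes are granted only
#     to the `release` job, so the matrix build (which runs third-party
#     installers and the compiler toolchain) never holds a token that can
#     publish a release, mint an OIDC identity, or write attestations.

on:
  push:
    tags:
      - 'v*.*.*'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Tag to release (e.g. v1.0.0). Must already exist.'
        required: true

# Least-privilege default for every job; jobs that publish override this.
permissions:
  contents: read

jobs:
  # Per-target release. Runs the same .goreleaser.yml on each runner;
  # archives are merged in the publish job below.
  build:
    name: build (${{ matrix.os }} / ${{ matrix.goarch }})
    runs-on: ${{ matrix.runner }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: linux
            goarch: amd64
            runner: ubuntu-latest
          - os: linux
            goarch: arm64
            runner: ubuntu-24.04-arm
          - os: darwin
            goarch: arm64
            runner: macos-14
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          # Manual runs build the requested tag (forced into refs/tags/ so a
          # branch of the same name can never be released). On tag pushes the
          # expression is empty and checkout keeps its default ref.
          ref: ${{ inputs.tag && format('refs/tags/{0}', inputs.tag) || '' }}
          # This job only reads the source; do not leave the token configured
          # in the workspace for later steps.
          persist-credentials: false
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: '1.25.10'
          cache: true
          cache-dependency-path: go/go.sum
      - name: Install build deps (linux)
        if: runner.os == 'Linux'
        run: sudo apt-get update -y && sudo apt-get install -y build-essential
      - name: Install Syft (SBOM)
        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
      - name: Install Cosign (signing)
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
      - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
        with:
          distribution: goreleaser
          # NOTE(review): the action is SHA-pinned but this range floats to
          # the newest GoReleaser 2.x at run time; pin an exact version if
          # the release tool itself should be reproducible.
          version: '~> v2'
          # Single-target build per runner; combined publish runs in a
          # separate job that consumes all three artifact bundles.
          args: build --single-target --clean --snapshot
        env:
          GOOS: ${{ matrix.os }}
          GOARCH: ${{ matrix.goarch }}
      - name: Upload binary artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: codeiq-${{ matrix.os }}-${{ matrix.goarch }}
          path: dist/codeiq_*/codeiq*
          retention-days: 1

  # Combined publish: pulls the three binaries built above, packages
  # them with SBOMs, signs the checksum manifest via Sigstore keyless,
  # and uploads the GitHub Release. Runs on linux only.
  release:
    name: publish release
    needs: build
    runs-on: ubuntu-latest
    # Write scopes live here only; a job-level block replaces the
    # workflow-level default for this job.
    permissions:
      contents: write # create the GitHub Release and upload assets
      id-token: write # Sigstore keyless via GitHub OIDC
      # Carried over from the original workflow-level grant.
      # NOTE(review): drop if .goreleaser.yml publishes no packages.
      packages: write
      attestations: write # build-provenance attestation below
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          # Same ref selection as the build job, so the published release is
          # cut from the tag the binaries were built from.
          ref: ${{ inputs.tag && format('refs/tags/{0}', inputs.tag) || '' }}
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: '1.25.10'
          cache: true
          cache-dependency-path: go/go.sum
      - name: Install build deps
        run: sudo apt-get update -y && sudo apt-get install -y build-essential
      - name: Install Syft (SBOM)
        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
      - name: Install Cosign (signing)
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
      - name: Download pre-built binaries
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          pattern: codeiq-*
          path: prebuilt
      - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
        with:
          distribution: goreleaser
          # NOTE(review): floats within GoReleaser 2.x (see the build job).
          version: '~> v2'
          # Full release: archives + SBOMs + cosign sigs + GitHub Release
          # draft + (optional) Homebrew tap. The owning org sets
          # HOMEBREW_TAP_GITHUB_TOKEN to publish to homebrew-codeiq;
          # forks leave it unset and the brew step skips silently.
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_OWNER: RandomCodeSpace
          HOMEBREW_TAP_REPO: homebrew-codeiq
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
      - name: Attest release artifacts (build provenance)
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: 'dist/codeiq_*.tar.gz'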