ci: cut over release-please to Rust binary + npm trusted publishing

.github/workflows/release-please.yml

@@ -61,90 +61,75 @@ jobs:
             git push origin HEAD:${{ fromJson(steps.release.outputs.pr).headBranchName }}
           fi
 
-  build-binaries:
+  # Build the Rust binaries (6 targets) and upload them to the release that
+  # release-please just created. Reuses release-rust.yml so the cross-compile
+  # matrix lives in one place (ADR-0003 cut-over — this replaces the former
+  # TypeScript `bun build src/cli.ts` job).
+  build-and-upload:
     needs: release-please
     if: ${{ needs.release-please.outputs.release_created }}
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        # csp embeds platform-specific native addons (onnxruntime-node,
-        # @kreuzberg/tree-sitter-language-pack). `bun build --compile` bundles
-        # the *host* platform's .node files, so each target MUST build on a
-        # native runner — cross-compiling with `--target` produces a binary
-        # with the wrong-arch addons ("bad CPU type in executable").
-        include:
-          - os: macos-13 # Intel
-            target: darwin-x64
-          - os: macos-14 # Apple Silicon
-            target: darwin-arm64
-          - os: ubuntu-latest # x64
-            target: linux-x64
-          - os: ubuntu-24.04-arm # arm64
-            target: linux-arm64
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
-        with:
-          bun-version: 1.3.14
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile
-
-      - name: Build binary (native target)
-        run: |
-          bun build src/cli.ts --compile --outfile csp-${{ matrix.target }}
-
-      - name: Smoke test binary
-        run: |
-          ./csp-${{ matrix.target }} --version
-
-      - name: Generate checksum
-        run: |
-          shasum -a 256 csp-${{ matrix.target }} > csp-${{ matrix.target }}.sha256
-
-      - name: Upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: csp-${{ matrix.target }}
-          path: |
-            csp-${{ matrix.target }}
-            csp-${{ matrix.target }}.sha256
-
-  upload-release-assets:
-    needs: [release-please, build-binaries]
+    permissions:
+      contents: write
+    uses: ./.github/workflows/release-rust.yml
+    with:
+      tag: ${{ needs.release-please.outputs.tag_name }}
+
+  # Generate the per-platform npm packages from the released binaries and
+  # publish the wrapper + platform packages via npm Trusted Publishing (OIDC).
+  # No NPM_TOKEN needed — auth is the OIDC id-token, and provenance is generated
+  # automatically. Each package must have a trusted publisher configured on
+  # npmjs.com pointing at this repo + workflow (release-please.yml).
+  publish-npm:
+    needs: [release-please, build-and-upload]
     if: ${{ needs.release-please.outputs.release_created }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - name: Checkout code
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-
-      - name: Download all artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
-          path: artifacts
+          # This job only reads + publishes to npm; it never pushes to git, so
+          # don't leave the checkout token persisted in .git/config.
+          persist-credentials: false
 
-      - name: Prepare release assets
-        run: |
-          mkdir -p release
-          find artifacts -type f -exec cp {} release/ \;
-          ls -lh release/
+      # Trusted Publishing requires npm >= 11.5.1; ubuntu-latest ships npm 10.x
+      # with Node 22, so upgrade the CLI before publishing.
+      - name: Upgrade npm for Trusted Publishing
+        run: npm install -g npm@latest
 
-      - name: Upload release artifacts
+      - name: Download released binaries
         env:
           GH_TOKEN: ${{ github.token }}
+          RELEASE_TAG: ${{ needs.release-please.outputs.tag_name }}
+        run: |
+          mkdir -p assets
+          gh release download "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY" \
+            --pattern 'csp-*' --dir assets
+          ls -lh assets
+
+      - name: Generate platform packages
+        env:
+          RELEASE_TAG: ${{ needs.release-please.outputs.tag_name }}
+        run: node npm/scripts/generate-platform-packages.mjs "${RELEASE_TAG#v}" assets
+
+      # Trusted Publishing supplies auth via OIDC and generates provenance
+      # automatically, so no token or --provenance flag is needed.
+      - name: Publish to npm
         run: |
-          gh release upload ${{ needs.release-please.outputs.tag_name }} \
-            release/* \
-            --clobber
+          set -e
+          # Platform packages first, then the wrapper last (its
+          # optionalDependencies pin the platform packages by version).
+          for dir in npm/dist/@pleaseai__*; do
+            echo "publishing $dir"
+            npm publish "$dir" --access public
+          done
+          npm publish npm/dist/csp --access public
 
   update-homebrew-formula:
-    needs: [release-please, upload-release-assets]
+    needs: [release-please, build-and-upload]
     if: ${{ needs.release-please.outputs.release_created }}
     runs-on: ubuntu-latest
 

.github/workflows/release-rust.yml

@@ -1,12 +1,11 @@
 # Rust release pipeline (ADR-0003 / track rust-rewrite-20260618, T022).
 #
 # This builds the cross-compiled `csp` binaries from the Rust workspace
-# (crates/csp-cli). It is **manually triggered** (workflow_dispatch) and does NOT
-# fire on release, so it coexists with the live TypeScript release pipeline in
-# release-please.yml without overriding it. Flipping the published product from
-# the Bun-compiled binary to the Rust binary is a deliberate, separate cut-over
-# (T023/T024) gated on full runtime parity — not something this workflow does on
-# its own.
+# (crates/csp-cli). It runs in two ways: **manually** (workflow_dispatch) for
+# ad-hoc rebuilds, and **as a reusable workflow** (workflow_call) invoked by
+# release-please.yml on release_created — the latter is the live cut-over
+# (T023/T024) that makes Rust the published product (GitHub release assets +
+# npm-distributed binary), replacing the former Bun-compiled TypeScript binary.
 #
 # Unlike the TS pipeline (which must build on native runners because
 # `bun build --compile` bundles host-platform native addons), the Rust binary is
@@ -24,6 +23,14 @@ on:
         description: 'Release tag to upload assets to (e.g. v0.1.0). Leave blank to only build + upload artifacts.'
         required: false
         type: string
+  # Reused by release-please.yml on release_created to build the Rust binaries
+  # and upload them to the freshly-created GitHub release (ADR-0003 cut-over).
+  workflow_call:
+    inputs:
+      tag:
+        description: Release tag to upload assets to (e.g. v0.1.0).
+        required: false
+        type: string
 
 permissions:
   contents: read

Cargo.toml

@@ -8,7 +8,7 @@ resolver = "2"
 members = ["crates/csp", "crates/csp-cli"]
 
 [workspace.package]
-version = "0.0.0"
+version = "0.0.0" # x-release-please-version
 edition = "2021"
 license = "MIT"
 repository = "https://github.com/pleaseai/code-search"

package.json

@@ -2,6 +2,7 @@
   "name": "@pleaseai/csp",
   "type": "module",
   "version": "0.0.0",
+  "private": true,
   "packageManager": "bun@1.3.14",
   "description": "Fast and Accurate Code Search for Agents — TypeScript port of MinishLab/semble",
   "author": "Minsu Lee <minsu.lee@dietfriends.kr>",

release-please-config.json

@@ -6,6 +6,7 @@
       "package-name": "@pleaseai/csp",
       "include-component-in-tag": false,
       "include-v-in-tag": true,
+      "initial-version": "0.1.0",
       "bump-minor-pre-major": true,
       "bump-patch-for-minor-pre-major": true,
       "changelog-sections": [
@@ -22,6 +23,15 @@
         { "type": "ci", "section": "Continuous Integration", "hidden": true }
       ],
       "extra-files": [
+        {
+          "type": "json",
+          "path": "npm/csp/package.json",
+          "jsonpath": "$.version"
+        },
+        {
+          "type": "generic",
+          "path": "Cargo.toml"
+        },
         {
           "type": "generic",
           "path": "src/version.ts"