From ad5ebd33b99db95b5fef1778614e25090b598c5c Mon Sep 17 00:00:00 2001 From: George Stagg Date: Wed, 25 Mar 2026 17:28:29 -0700 Subject: [PATCH 01/12] Sign releases and include ggsql-jupyter --- .../workflows/actions/sign-files/action.yml | 140 ++++++++++++++++++ .github/workflows/release-packages.yml | 44 ++++-- Packager.toml | 11 ++ 3 files changed, 182 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/actions/sign-files/action.yml create mode 100644 Packager.toml diff --git a/.github/workflows/actions/sign-files/action.yml b/.github/workflows/actions/sign-files/action.yml new file mode 100644 index 00000000..917680fb --- /dev/null +++ b/.github/workflows/actions/sign-files/action.yml @@ -0,0 +1,140 @@ +name: "Signing file" +description: "Install and configure the environment for signing of files." +inputs: + paths: + description: "Paths to sign" + required: true + signtools-extra-args: + description: "Additional arguments to pass to signtool" +outputs: + cert_path: + description: "certificate path" + value: ${{ steps.setup-cert.outputs.SM_CLIENT_CERT_FILE }} + +runs: + using: "composite" + steps: + - name: Setup for SMCTL authentication + id: setup-cert + shell: pwsh + run: | + Write-Output "::group::Check for required environment variable" + if (-not $env:SM_CLIENT_CERT_FILE_B64) { + Write-Output "::error title=Environment Variable Error::SM_CLIENT_CERT_FILE_B64 is not set" + exit 1 + } else { + Write-Output "SM_CLIENT_CERT_FILE_B64 is set correctly" + } + Write-Output "::endgroup::" + Write-Output "::group::Retrieve client certificate for auth" + if (!(Test-Path ".\.build\certificates\codesign.pfx")) { + # Get certificates + New-Item -ItemType Directory -Force -Path .\.build\certificates + Set-Content -Path ".\.build\certificates\codesign.txt" -Value $env:SM_CLIENT_CERT_FILE_B64 + & certutil -decode ".\.build\certificates\codesign.txt" ".\.build\certificates\codesign.pfx" + } else { + Write-Output "Certificate already exists" + } + # Configure environment for next step + "SM_CLIENT_CERT_FILE=.\.build\certificates\codesign.pfx" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + Write-Output "::endgroup::" + + - name: Install SMCTL + shell: pwsh + run: | + Write-Output "::group::Install smctl if needed" + if (!(Get-Command smctl -ErrorAction SilentlyContinue)) { + # Download with retry (transient S3 failures cause silent install failures) + $maxRetries = 3 + $downloaded = $false + for ($i = 1; $i -le $maxRetries; $i++) { + Write-Output "Downloading smtools MSI (attempt $i/$maxRetries)..." + curl -o smtools-windows-x64.msi "https://rstudio-buildtools.s3.amazonaws.com/posit-dev/smtools-windows-x64.msi" + if ($LASTEXITCODE -ne 0) { + Write-Output "::warning::curl failed with exit code $LASTEXITCODE" + continue + } + $fileSize = (Get-Item smtools-windows-x64.msi).Length + if ($fileSize -lt 1MB) { + Write-Output "::warning::Downloaded file is only $fileSize bytes, expected ~90MB" + continue + } + $downloaded = $true + Write-Output "Download successful ($fileSize bytes)" + break + } + if (-not $downloaded) { + Write-Output "::error title=Download Error::Failed to download smtools MSI after $maxRetries attempts" + exit 1 + } + # Install synchronously (msiexec can return before install completes without -Wait) + $process = Start-Process msiexec -ArgumentList '/i', 'smtools-windows-x64.msi', '/quiet', '/qn', '/log', 'smtools-windows-x64.log' -Wait -PassThru + if ($process.ExitCode -ne 0) { + Write-Output "::error title=Install Error::msiexec failed with exit code $($process.ExitCode)" + if (Test-Path smtools-windows-x64.log) { Get-Content smtools-windows-x64.log -Tail 50 } + exit 1 + } + # Verify smctl is actually on disk before declaring success + $smctlPath = "C:/Program Files/DigiCert/DigiCert One Signing Manager Tools" + if (!(Test-Path "$smctlPath/smctl.exe")) { + Write-Output "::error title=Install Error::smctl.exe not found at $smctlPath after install" + exit 1 + } + $smctlPath | Out-File -FilePath $env:GITHUB_PATH -Append + Write-Output "SMCTL installed and added on PATH" + } else { + Write-Output "SMCTL already installed and on PATH" + } + Write-Output "::endgroup::" + Write-Output "::group::Add signtools in PATH" + if (!(Get-Command signtool -ErrorAction SilentlyContinue)) { + "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" | Out-File -FilePath $env:GITHUB_PATH -Append + Write-Output "signtool added on PATH" + } else { + Write-Output "signtool already installed and on PATH" + } + Write-Output "::endgroup::" + + - name: Sign files with signtool + shell: pwsh + env: + SM_CLIENT_CERT_FILE: ${{ steps.setup-cert.outputs.SM_CLIENT_CERT_FILE }} + run: | + Write-Output "::group::Check for required environment variables" + $requiredEnvVars = @('SM_HOST', 'SM_API_KEY', 'SM_CLIENT_CERT_FILE', 'SM_CLIENT_CERT_PASSWORD', 'SM_CLIENT_CERT_FINGERPRINT') + foreach ($envVar in $requiredEnvVars) { + if (-not $(Get-Item -Path "Env:$envVar" -ErrorAction SilentlyContinue)) { + Write-Output "::error title=Missing environment variable::Environment variable $envVar is not set." + exit 1 + } + Write-Output "All env var correctly set." + } + Write-Output "::endgroup::" + Write-Output "::group::Sync certificates" + smctl windows certsync + Write-Output "::endgroup::" + # Sign each file that will be bundled in the installer + $rawPaths = "${{ inputs.paths }}" -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" } + $paths = @() + foreach ($raw in $rawPaths) { + $resolved = Resolve-Path -Path $raw -ErrorAction SilentlyContinue + if (-not $resolved) { + Write-Output "::error title=Signing error::No files matched pattern: ${raw}" + exit 1 + } + $paths += $resolved.Path + } + foreach ($path in $paths) { + Write-Output "::group::Signing ${path}" + signtool.exe sign /sha1 $env:SM_CLIENT_CERT_FINGERPRINT /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ${{ inputs.signtools-extra-args }} $path + if ($LASTEXITCODE -ne 0) { + Write-Output "::error title=Signing error::Error while signing ${path}" + exit 1 + } + signtool.exe verify /v /pa $path + if ($LASTEXITCODE -ne 0) { + Write-Output "::error title=Verify signature error::Error while verifying ${path}" + exit 1 + } + Write-Output "::endgroup::" + } diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml index 55ddace0..e790f2c9 100644 --- a/.github/workflows/release-packages.yml +++ b/.github/workflows/release-packages.yml @@ -35,28 +35,49 @@ jobs: run: cargo install cargo-packager --locked - name: Build ggsql binary - run: cargo build --release --package ggsql --bin ggsql + run: cargo build --release --bin ggsql --bin ggsql-jupyter + + - name: Sign files before making NSIS and MSI installer + id: sign-files + uses: ./.github/workflows/actions/sign-files + with: + paths: | + ./target/release/ggsql.exe + ./target/release/ggsql-jupyter.exe + env: + # environment variables required to sign with signtool + SM_HOST: ${{ secrets.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }} + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} + SM_CLIENT_CERT_FINGERPRINT: ${{ secrets.SM_CLIENT_CERT_FINGERPRINT }} - name: Build NSIS installer run: cargo packager --release --formats nsis - working-directory: src - name: Build MSI installer run: cargo packager --release --formats wix - working-directory: src + + - name: Sign installers + id: sign-files + uses: ./.github/workflows/actions/sign-files + with: + paths: | + ./target/release/packager/*.exe + ./target/release/packager/*.msi - name: Upload NSIS installer uses: actions/upload-artifact@v4 with: name: ggsql-windows-nsis - path: src/target/release/packager/*.exe + path: target/release/packager/*.exe retention-days: 30 - name: Upload MSI installer uses: actions/upload-artifact@v4 with: name: ggsql-windows-msi - path: src/target/release/packager/*.msi + path: target/release/packager/*.msi retention-days: 30 build-macos: @@ -84,24 +105,22 @@ jobs: run: cargo install cargo-packager --locked - name: Build ggsql binary (x86_64) - run: cargo build --release --package ggsql --bin ggsql + run: cargo build --release --bin ggsql --bin ggsql-jupyter - name: Build DMG installer (x86_64) run: cargo packager --release --formats dmg - working-directory: src - name: Build ggsql binary (aarch64) - run: cargo build --release --package ggsql --bin ggsql --target aarch64-apple-darwin + run: cargo build --release --bin ggsql --bin ggsql-jupyter --target aarch64-apple-darwin - name: Build DMG installer (aarch64) run: cargo packager --release --target aarch64-apple-darwin --formats dmg - working-directory: src - name: Upload DMG installers uses: actions/upload-artifact@v4 with: name: ggsql-macos-dmg - path: src/target/release/packager/*.dmg + path: target/release/packager/*.dmg retention-days: 30 build-linux: @@ -139,17 +158,16 @@ jobs: run: cargo install cargo-packager --locked - name: Build ggsql binary - run: cargo build --release --package ggsql --bin ggsql + run: cargo build --release --bin ggsql --bin ggsql-jupyter - name: Build Debian package run: cargo packager --release --formats deb - working-directory: src - name: Upload Debian package uses: actions/upload-artifact@v4 with: name: ggsql-linux-deb - path: src/target/release/packager/*.deb + path: target/release/packager/*.deb retention-days: 30 build-cargo: diff --git a/Packager.toml b/Packager.toml new file mode 100644 index 00000000..db1f2f7f --- /dev/null +++ b/Packager.toml @@ -0,0 +1,11 @@ +name = "ggsql" + +[[bin]] +name = "ggsql" +path = "target/release/ggsql" +main = true + +[[bin]] +name = "ggsql-jupyter" +path = "target/release/ggsql-jupyter" +main = false From 83273300125c5ecb07f816556f4dce3706e943cc Mon Sep 17 00:00:00 2001 From: George Stagg Date: Wed, 25 Mar 2026 17:30:07 -0700 Subject: [PATCH 02/12] WIP: TESTING DRY RUN --- .github/workflows/release-packages.yml | 80 +------------------------- 1 file changed, 2 insertions(+), 78 deletions(-) diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml index e790f2c9..77db1c20 100644 --- a/.github/workflows/release-packages.yml +++ b/.github/workflows/release-packages.yml @@ -4,6 +4,8 @@ on: push: tags: - "v*" + pull_request: + branches: [main] workflow_dispatch: env: @@ -169,81 +171,3 @@ jobs: name: ggsql-linux-deb path: target/release/packager/*.deb retention-days: 30 - - build-cargo: - name: Publish to crates.io - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install Node.js - uses: actions/setup-node@v4 - with: - node-version: "22" - - - name: Install tree-sitter-cli - run: npm install -g tree-sitter-cli - - - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable - - - name: Get crates.io publish token - uses: rust-lang/crates-io-auth-action@v1 - id: auth - - - name: Build tree-sitter-ggsql - run: cargo build --package tree-sitter-ggsql - - - name: Publish tree-sitter-ggsql - run: cargo publish --package tree-sitter-ggsql --allow-dirty - env: - CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} - - - name: Wait for crates.io index update - run: sleep 30 - - - name: Publish ggsql - run: cargo publish --package ggsql - env: - CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} - - - name: Wait for crates.io index update - run: sleep 30 - - - name: Publish ggsql-jupyter - run: cargo publish --package ggsql-jupyter - env: - CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} - - create-release: - name: Create GitHub Release - needs: [build-windows, build-macos, build-linux, build-cargo] - runs-on: ubuntu-latest - permissions: - contents: write - if: startsWith(github.ref, 'refs/tags/v') - - steps: - - name: Download all artifacts - uses: actions/download-artifact@v4 - with: - path: artifacts - - - name: Display structure of downloaded files - run: ls -R artifacts - - - name: Create release and upload installers - uses: softprops/action-gh-release@v2 - with: - files: | - artifacts/**/*.exe - artifacts/**/*.msi - artifacts/**/*.dmg - artifacts/**/*.deb - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 422c139b76d2f749d4a9b05a3361d407ee5d43aa Mon Sep 17 00:00:00 2001 From: George Stagg Date: Wed, 25 Mar 2026 17:31:54 -0700 Subject: [PATCH 03/12] WIP: TESTING DRY RUN --- .github/workflows/release-packages.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml index 77db1c20..7be14aba 100644 --- a/.github/workflows/release-packages.yml +++ b/.github/workflows/release-packages.yml @@ -4,8 +4,7 @@ on: push: tags: - "v*" - pull_request: - branches: [main] + - "sign-win" workflow_dispatch: env: From 98cddf2b7546b626a73c632be1a34864abf1d611 Mon Sep 17 00:00:00 2001 From: George Stagg Date: Wed, 25 Mar 2026 17:32:58 -0700 Subject: [PATCH 04/12] WIP --- .github/workflows/release-packages.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml index 7be14aba..d513a76c 100644 --- a/.github/workflows/release-packages.yml +++ b/.github/workflows/release-packages.yml @@ -60,7 +60,6 @@ jobs: run: cargo packager --release --formats wix - name: Sign installers - id: sign-files uses: ./.github/workflows/actions/sign-files with: paths: | From aa3a6619c3bb79fead0dde9fe7d12af635b0dd4e Mon Sep 17 00:00:00 2001 From: George Stagg Date: Wed, 25 Mar 2026 22:15:16 -0700 Subject: [PATCH 05/12] Add name for build.yaml --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 8dd8f192..0937dc62 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,4 +1,4 @@ -name: build-test.yaml +name: Build and Test on: push: From 2da71cefa95ec67338a504ce5cc51abf60f7b960 Mon Sep 17 00:00:00 2001 From: George Stagg Date: Wed, 25 Mar 2026 22:17:46 -0700 Subject: [PATCH 06/12] Tweak signing script --- .github/workflows/release-packages.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml index d513a76c..9636029c 100644 --- a/.github/workflows/release-packages.yml +++ b/.github/workflows/release-packages.yml @@ -63,8 +63,15 @@ jobs: uses: ./.github/workflows/actions/sign-files with: paths: | - ./target/release/packager/*.exe - ./target/release/packager/*.msi + ./src/target/release/packager/*.exe + ./src/target/release/packager/*.msi + env: + # environment variables required to sign with signtool + SM_HOST: ${{ secrets.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }} + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} + SM_CLIENT_CERT_FINGERPRINT: ${{ secrets.SM_CLIENT_CERT_FINGERPRINT }} - name: Upload NSIS installer uses: actions/upload-artifact@v4 @@ -120,7 +127,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: ggsql-macos-dmg - path: target/release/packager/*.dmg + path: src/target/release/packager/*.dmg retention-days: 30 build-linux: @@ -167,5 +174,5 @@ jobs: uses: actions/upload-artifact@v4 with: name: ggsql-linux-deb - path: target/release/packager/*.deb + path: src/target/release/packager/*.deb retention-days: 30 From 7cd327a1e3322a55e9f196d536d8dadc8ca97688 Mon Sep 17 00:00:00 2001 From: George Stagg Date: Thu, 26 Mar 2026 10:13:42 -0700 Subject: [PATCH 07/12] Upload paths --- .github/workflows/release-packages.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml index 9636029c..ccc007b5 100644 --- a/.github/workflows/release-packages.yml +++ b/.github/workflows/release-packages.yml @@ -77,14 +77,14 @@ jobs: uses: actions/upload-artifact@v4 with: name: ggsql-windows-nsis - path: target/release/packager/*.exe + path: src/target/release/packager/*.exe retention-days: 30 - name: Upload MSI installer uses: actions/upload-artifact@v4 with: name: ggsql-windows-msi - path: target/release/packager/*.msi + path: src/target/release/packager/*.msi retention-days: 30 build-macos: From 89df07ee7915c9863e66f80f2c973ae5b156f094 Mon Sep 17 00:00:00 2001 From: George Stagg Date: Thu, 26 Mar 2026 10:19:25 -0700 Subject: [PATCH 08/12] Update Packager.toml --- Packager.toml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/Packager.toml b/Packager.toml index db1f2f7f..0d86bbf7 100644 --- a/Packager.toml +++ b/Packager.toml @@ -1,11 +1,9 @@ -name = "ggsql" +product_name = "ggsql" -[[bin]] -name = "ggsql" +[[binaries]] path = "target/release/ggsql" main = true -[[bin]] -name = "ggsql-jupyter" +[[binaries]] path = "target/release/ggsql-jupyter" main = false From 88aa63409c691d940f2669f93dd0add0ab911a90 Mon Sep 17 00:00:00 2001 From: George Stagg Date: Thu, 26 Mar 2026 13:10:01 -0700 Subject: [PATCH 09/12] Fixup packager config --- Packager.toml | 9 --------- src/Cargo.toml | 1 + 2 files changed, 1 insertion(+), 9 deletions(-) delete mode 100644 Packager.toml diff --git a/Packager.toml b/Packager.toml deleted file mode 100644 index 0d86bbf7..00000000 --- a/Packager.toml +++ /dev/null @@ -1,9 +0,0 @@ -product_name = "ggsql" - -[[binaries]] -path = "target/release/ggsql" -main = true - -[[binaries]] -path = "target/release/ggsql-jupyter" -main = false diff --git a/src/Cargo.toml b/src/Cargo.toml index ef5e9ba8..4f45fea2 100644 --- a/src/Cargo.toml +++ b/src/Cargo.toml @@ -108,6 +108,7 @@ copyright = "Copyright (c) 2026 ggsql Team" # Binaries to include in the package binaries = [ { path = "ggsql", main = true }, + { path = "ggsql-jupyter", main = false }, ] # Resources to bundle (optional) From 2f7c0f2da65b44c9f11243276a40a9739e0557c6 Mon Sep 17 00:00:00 2001 From: George Stagg Date: Fri, 27 Mar 2026 16:45:22 -0700 Subject: [PATCH 10/12] Add macOS signing and notorisation env vars --- .github/workflows/release-packages.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml index ccc007b5..2f40c4c4 100644 --- a/.github/workflows/release-packages.yml +++ b/.github/workflows/release-packages.yml @@ -108,6 +108,15 @@ jobs: with: targets: x86_64-apple-darwin, aarch64-apple-darwin + - name: Set up Apple notarization key + run: | + mkdir -p ~/.private_keys + echo -n "$APPLE_API_KEY_BASE64" | base64 --decode -o ~/.private_keys/AuthKey_${APPLE_API_KEY}.p8 + chmod 600 ~/.private_keys/AuthKey_${APPLE_API_KEY}.p8 + env: + APPLE_API_KEY_BASE64: ${{ secrets.GWS_APPLE_API_KEY_BASE64 }} + APPLE_API_KEY: ${{ secrets.GWS_APPLE_API_KEY }} + - name: Install cargo-packager run: cargo install cargo-packager --locked @@ -116,12 +125,22 @@ jobs: - name: Build DMG installer (x86_64) run: cargo packager --release --formats dmg + env: + APPLE_CERTIFICATE: ${{ secrets.GWS_APPLE_SIGN_P12 }} + APPLE_CERTIFICATE_PASSWORD: ${{ secrets.GWS_APPLE_SIGN_PW }} + APPLE_API_KEY: ${{ secrets.GWS_APPLE_API_KEY }} + APPLE_API_ISSUER: ${{ secrets.GWS_APPLE_API_ISSUER }} - name: Build ggsql binary (aarch64) run: cargo build --release --bin ggsql --bin ggsql-jupyter --target aarch64-apple-darwin - name: Build DMG installer (aarch64) run: cargo packager --release --target aarch64-apple-darwin --formats dmg + env: + APPLE_CERTIFICATE: ${{ secrets.GWS_APPLE_SIGN_P12 }} + APPLE_CERTIFICATE_PASSWORD: ${{ secrets.GWS_APPLE_SIGN_PW }} + APPLE_API_KEY: ${{ secrets.GWS_APPLE_API_KEY }} + APPLE_API_ISSUER: ${{ secrets.GWS_APPLE_API_ISSUER }} - name: Upload DMG installers uses: actions/upload-artifact@v4 From d4db8a854db308b667ca1ee01cafe1e2acaca51f Mon Sep 17 00:00:00 2001 From: George Stagg Date: Fri, 27 Mar 2026 17:43:47 -0700 Subject: [PATCH 11/12] Configure apple sign identity in src/Cargo.toml --- .github/workflows/release-packages.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml index 2f40c4c4..90084bbb 100644 --- a/.github/workflows/release-packages.yml +++ b/.github/workflows/release-packages.yml @@ -117,6 +117,16 @@ jobs: APPLE_API_KEY_BASE64: ${{ secrets.GWS_APPLE_API_KEY_BASE64 }} APPLE_API_KEY: ${{ secrets.GWS_APPLE_API_KEY }} + - name: Configure macOS installer signing + env: + APPLE_SIGN_IDENTITY: ${{ secrets.GWS_APPLE_SIGN_IDENTITY }} + run: | + cat <> src/Cargo.toml + + [package.metadata.packager.macos] + signing-identity = "${APPLE_SIGN_IDENTITY}" + EOF + - name: Install cargo-packager run: cargo install cargo-packager --locked From 5a0b542397d7cb76e7ed2993c89c7911c752b749 Mon Sep 17 00:00:00 2001 From: George Stagg Date: Fri, 27 Mar 2026 18:44:14 -0700 Subject: [PATCH 12/12] Remove dry-run release workflow --- .github/workflows/release-packages.yml | 79 +++++++++++++++++++++++++- 1 file changed, 78 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml index 90084bbb..cf01e0d4 100644 --- a/.github/workflows/release-packages.yml +++ b/.github/workflows/release-packages.yml @@ -4,7 +4,6 @@ on: push: tags: - "v*" - - "sign-win" workflow_dispatch: env: @@ -205,3 +204,81 @@ jobs: name: ggsql-linux-deb path: src/target/release/packager/*.deb retention-days: 30 + + build-cargo: + name: Publish to crates.io + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install Node.js + uses: actions/setup-node@v4 + with: + node-version: "22" + + - name: Install tree-sitter-cli + run: npm install -g tree-sitter-cli + + - name: Install Rust toolchain + uses: dtolnay/rust-toolchain@stable + + - name: Get crates.io publish token + uses: rust-lang/crates-io-auth-action@v1 + id: auth + + - name: Build tree-sitter-ggsql + run: cargo build --package tree-sitter-ggsql + + - name: Publish tree-sitter-ggsql + run: cargo publish --package tree-sitter-ggsql --allow-dirty + env: + CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} + + - name: Wait for crates.io index update + run: sleep 30 + + - name: Publish ggsql + run: cargo publish --package ggsql + env: + CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} + + - name: Wait for crates.io index update + run: sleep 30 + + - name: Publish ggsql-jupyter + run: cargo publish --package ggsql-jupyter + env: + CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }} + + create-release: + name: Create GitHub Release + needs: [build-windows, build-macos, build-linux, build-cargo] + runs-on: ubuntu-latest + permissions: + contents: write + if: startsWith(github.ref, 'refs/tags/v') + + steps: + - name: Download all artifacts + uses: actions/download-artifact@v4 + with: + path: artifacts + + - name: Display structure of downloaded files + run: ls -R artifacts + + - name: Create release and upload installers + uses: softprops/action-gh-release@v2 + with: + files: | + artifacts/**/*.exe + artifacts/**/*.msi + artifacts/**/*.dmg + artifacts/**/*.deb + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}