ci: unify varlock CLI binary release into the main release workflow#834
Merged
Conversation
Build + sign + notarize the native binaries once (in release.yaml) and reuse them for the npm package AND the SEA/CLI binaries, instead of rebuilding and re-signing them in a separate release-triggered workflow. - release.yaml: publish the in-run signed/notarized native-bins as an artifact, then two plan-gated jobs (release-binaries: SEA build -> GitHub release upload -> homebrew; release-docker) consume it. No rebuild, no re-sign, no Azure/Apple on this path -- which removes the tag-subject OIDC problem entirely. - binary-release.yaml: now a manual workflow_dispatch re-cut path that pulls the signed native binaries from the published npm package (varlock's files include /native-bins) for re-cutting an existing version.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Today the native binaries get built + signed + notarized twice: once in
release.yaml(for the npm package) and again inbinary-release.yaml(triggered by the GitHub release, for the SEA/CLI binaries). The second run was the source of the tag-subject OIDC failures, re-notarization, and the partial-release window we just worked through.What
Build + sign + notarize once, reuse everywhere.
release.yaml— thereleasejob already stages the signed/notarized native-bins (for npm). It now also uploads them as anative-bins-stagedartifact (one step, after the bumpy publish, so npm publish is never gated on it). Two new plan-gated jobs consume that artifact:release-binaries: build SEA binaries → upload to thevarlock@<version>release bumpy created → update homebrew taprelease-docker: build + push the Docker imageThese run on a single ubuntu runner with no macOS/Windows runner, no Azure, no Apple — so the tag-subject OIDC problem is gone by construction.
binary-release.yaml— drops therelease: publishedtrigger and the three native-build jobs. It's now a manualworkflow_dispatchre-cut path that pulls the signed native binaries from the published npm package (varlock'sfilesincludes/native-bins) for re-cutting an existing version.This is also the first concrete sketch of the "release targets" model we discussed (binaries / homebrew / docker as discrete, plan-gated jobs consuming a built-once artifact) — the build plane (native binaries) feeding the publish plane.
Review / rollout notes
binary-releasedispatch.release-binariesjob (version resolution, the GH release upload target, homebrew env) before merging.varlock@*tag federated credential is no longer needed (nothing signs on the tag path).