Draft GitHub Release with installer assets on tag push#14
Conversation
Adds a third workflow job that runs after both pack jobs on `v*` tag pushes, downloads their artifacts, and creates a draft GitHub Release with each installer file (tarballs, .exe, .pkg) attached as a downloadable asset. Drafts are invisible to non-maintainers; "Publish release" in the Releases UI flips visibility once the contents are reviewed. Workflow artifacts continue to be uploaded for shorter-term inspection (auto-expire in 30 days). The release job is gated on tag pushes only — `workflow_dispatch` runs still produce just artifacts. Adds `permissions: contents: write` at workflow level for the Release create. workflow_dispatch and tag-push are the only triggers, both requiring maintainer access; PRs from forks cannot reach this. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Clean split, exactly the shape I'd hoped for after #11. Three things worth tightening before this comes out of draft:
Smaller note
Approving once (1) and (2) are addressed; (3) is strongly recommended but not strictly blocking. |
Review feedback from #14: 1. Add a `ci-passed` job that fails if ci.yml's build-and-test checks on the tagged commit weren't all green. `draft-release` now `needs:` ci-passed, so tagging a red commit produces no release even if the pack jobs themselves succeed. 2. Tighten permissions. Workflow-level is now `contents: read` (default closed for any future job), and only `draft-release` re-grants `contents: write` for the release create. Pack jobs inherit the read default. 3. Generate a `SHA256SUMS` file from all release assets and attach it. Lets downloaders verify bytes match what CI produced — the next-best authenticity signal until macOS notarization lands. Plus the smaller note: download-artifact now uses `pattern: bitmovin-cli-*` so future unrelated artifacts (debug symbols, source maps) don't silently get pulled into releases. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
lukaskroepfl
left a comment
lukaskroepfl
left a comment
There was a problem hiding this comment.
All three addressed cleanly:
- CI gate — new
ci-passedjob queries the check-runs API forbuild-and-test*on the tagged commit and fails loud if any didn't succeed (or none ran at all).draft-releasenowneeds: [ci-passed, ...]. The empty-array check is the right belt-and-suspenders against "tag pushed but CI never fired." - Permissions scoped to the job — workflow-level
contents: read, job-levelcontents: writeonly ondraft-release. Exactly the least-privilege shape. SHA256SUMSasset — sorted withLC_ALL=C, format compatible withsha256sum --check. Useful authenticity signal while notarization is still pending.
Bonus: pattern: bitmovin-cli-* on download-artifact closes the smaller note about future artifact additions silently slipping into releases.
One thing to keep in mind for later (not blocking): the ci-passed job hard-couples to ci.yml's job name (build-and-test*). If that job is ever renamed it'll fail loud, which is fine — just worth a comment in pack.yml noting why the prefix matters.
Approving.
2 participants
Summary
Adds a
draft-releasejob topack.ymlthat runs after both pack jobs onv*tag pushes, downloads their workflow artifacts, and creates a draft GitHub Release with each installer file attached as a downloadable asset, plus aSHA256SUMSchecksum file:bitmovin-vX.Y.Z-<sha>-{linux,darwin,win32}-*.tar.gz/.tar.xzbitmovin-vX.Y.Z-<sha>-x64.exe(Windows NSIS)bitmovin-vX.Y.Z-<sha>-{x64,arm64}.pkg(macOS, signed with Developer ID Installer)SHA256SUMS— basenames + sha256 hashes, sorted withLC_ALL=Cfor determinismDrafts are only visible to maintainers; clicking "Publish release" in the Releases UI flips visibility. Workflow artifacts continue to upload for short-term inspection (30-day retention) on non-tag runs.
Pre-release CI gate
A
ci-passedjob (only runs onv*tag pushes) queries the GitHub API for the latestbuild-and-testcheck-runs on the tagged SHA and fails if any are notsuccess.draft-releaseneeds:it, so tagging a red commit produces no release. Empty / missing CI run case is handled with an explicit error message rather than passing through.Permissions
Workflow-level is
contents: read(default closed for any future job). Onlydraft-releasere-grantscontents: writefor the release create. Pack jobs andci-passedinherit the read default.Other
actions/download-artifact@v4usespattern: bitmovin-cli-*so future unrelated artifacts (e.g. source maps, debug symbols) don't silently get pulled into releases.Known limitation (deliberate, follow-up)
macOS Sequoia / Sonoma (14+) blocks unnotarized
.pkginstallers at install time even when properly signed ("Apple could not verify ... is free of malware"). Notarization needs a Developer ID Application codesign of the bundlednodebinary plus an App Store Connect API key forxcrun notarytool— that's a separate PR (and an org-side.p8key procurement step).In the meantime, draft releases produced by this workflow are useful for internal testing; do not publish a release publicly until the notarization PR lands (or accept that mac users will see the install-time block).
Test plan
Verified end-to-end on this branch:
v0.0.0-release-test.3; all 4 jobs green (ci-passed,pack-tarballs-and-windows,pack-macos,draft-release)ci-passedcorrectly read the build-and-test conclusions on the tagged SHA:["success","success"]→ ✓.tar.gz+ 5.tar.xz+ 1.exe+ 2.pkg+SHA256SUMSSHA256SUMScontent verified: 13 lines, sorted alphabetically by basename, valid sha256 hex.pkgfiles passpkgutil --check-signature(verified earlier inpack-macos's verify step)Out of scope (follow-ups)
xcrun notarytool submit+xcrun stapler validate. Needs App Store Connect API key (.p8).NPM_TOKENsecret. README install instructions in same change..debviaoclif pack deb..exe(Windows SmartScreen).🤖 Generated with Claude Code