From 2451f4fe32f5d1514da77e7466b0adefc0966d6c Mon Sep 17 00:00:00 2001 From: webzherd Date: Wed, 6 May 2026 14:19:36 +0200 Subject: [PATCH 1/2] Create draft GitHub Release with installers as assets on tag push MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a third workflow job that runs after both pack jobs on `v*` tag pushes, downloads their artifacts, and creates a draft GitHub Release with each installer file (tarballs, .exe, .pkg) attached as a downloadable asset. Drafts are invisible to non-maintainers; "Publish release" in the Releases UI flips visibility once the contents are reviewed. Workflow artifacts continue to be uploaded for shorter-term inspection (auto-expire in 30 days). The release job is gated on tag pushes only — `workflow_dispatch` runs still produce just artifacts. Adds `permissions: contents: write` at workflow level for the Release create. workflow_dispatch and tag-push are the only triggers, both requiring maintainer access; PRs from forks cannot reach this. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/pack.yml | 24 ++++++++++++++++++++++++ CHANGELOG.md | 3 ++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml index f59b66d..29bc7aa 100644 --- a/.github/workflows/pack.yml +++ b/.github/workflows/pack.yml @@ -5,6 +5,9 @@ on: push: tags: ['v*'] +permissions: + contents: write + jobs: pack-tarballs-and-windows: runs-on: ubuntu-latest 
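Review bot: the workflow-level `permissions: contents: write` added in this hunk applies to every job in the file, including `pack-tarballs-and-windows` and `pack-macos`, which only need to read the checkout and upload artifacts. Keep the workflow default at `contents: read` and re-grant `contents: write` on the release job alone (PATCH 2/2 in this series does exactly that), so a compromised step or third-party action inside a pack job cannot create releases or push to the repository.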
@@ -81,3 +84,24 @@ jobs: path: dist/macos/*.pkg if-no-files-found: error retention-days: 30 + + draft-release: + needs: [pack-tarballs-and-windows, pack-macos] + if: startsWith(github.ref, 'refs/tags/v') + runs-on: ubuntu-latest + steps: + - name: Download all build artifacts + uses: actions/download-artifact@v4 + with: + path: artifacts + - name: Create draft release with installer assets + uses: softprops/action-gh-release@v2 + with: + draft: true + generate_release_notes: true + fail_on_unmatched_files: true + files: | + artifacts/bitmovin-cli-tarballs-and-windows/*.tar.gz + artifacts/bitmovin-cli-tarballs-and-windows/*.tar.xz + artifacts/bitmovin-cli-tarballs-and-windows/win32/*.exe + artifacts/bitmovin-cli-macos/*.pkg diff --git a/CHANGELOG.md b/CHANGELOG.md index e8eb9f7..422f286 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
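Review bot: `draft-release` in this hunk depends only on the two pack jobs (`needs: [pack-tarballs-and-windows, pack-macos]`), so tagging a commit whose ci.yml run failed still yields a draft release as long as the installers build; add a job that verifies CI status on the tagged commit to `needs:` (PATCH 2/2 introduces `ci-passed` for this). Also, `actions/download-artifact@v4` with neither `name:` nor `pattern:` downloads every artifact of the run into `artifacts/`, so restrict it (`pattern: bitmovin-cli-*`) to keep unrelated future artifacts out of the release staging directory.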
@@ -12,7 +12,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added `bitmovin encoding jobs live ` to show live encoding connection details, with JSON output support. Surfaces every assigned stream key (including the per-static-ingest-point keys used by redundant RTMP) and the SRT mode/host/port/path for SRT inputs. JSON shape note for anyone tracking the unreleased branch: the `--json` output now reports `streamKeys: [{value, ingestPointId, status}]` instead of the singular `streamKey` field that earlier iterations exposed. A `streamKey` alias is still emitted (equal to `streamKeys[0]?.value`) for one-off scripts; redundant RTMP setups should read `streamKeys[]` to get every per-ingest-point key. -- CI workflow that builds standalone tarballs (macOS, Linux, Windows) plus macOS `.pkg` (signed with Developer ID Installer) and Windows `.exe` installers via `oclif pack` and uploads them as workflow artifacts for internal testing. macOS `.pkg` signature is verified via `pkgutil --check-signature` in CI. GitHub Release publishing, npm publishing, and macOS notarization will follow in subsequent changes. +- CI workflow that builds standalone tarballs (macOS, Linux, Windows) plus macOS `.pkg` (signed with Developer ID Installer) and Windows `.exe` installers via `oclif pack` and uploads them as workflow artifacts for internal testing. macOS `.pkg` signature is verified via `pkgutil --check-signature` in CI. npm publishing and macOS notarization will follow in subsequent changes. +- Tag-pushed `v*` runs now also create a draft GitHub Release with the tarballs, `.exe`, and signed `.pkg` files attached as individual downloadable assets. Drafts are invisible to non-maintainers; "Publish release" in the Releases UI flips visibility once contents are reviewed. ### Changed From ab1edb8a1acb6a500f1c12c1e628532feccc4292 Mon Sep 17 00:00:00 2001 
From: webzherd Date: Wed, 6 May 2026 15:57:58 +0200 Subject: [PATCH 2/2] Address review: gate release on CI status, scope perms, add SHA256SUMS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Review feedback from #14: 1. Add a `ci-passed` job that fails if ci.yml's build-and-test checks on the tagged commit weren't all green. `draft-release` now `needs:` ci-passed, so tagging a red commit produces no release even if the pack jobs themselves succeed. 2. Tighten permissions. Workflow-level is now `contents: read` (default closed for any future job), and only `draft-release` re-grants `contents: write` for the release create. Pack jobs inherit the read default. 3. Generate a `SHA256SUMS` file from all release assets and attach it. Lets downloaders verify bytes match what CI produced — the next-best authenticity signal until macOS notarization lands. Plus the smaller note: download-artifact now uses `pattern: bitmovin-cli-*` so future unrelated artifacts (debug symbols, source maps) don't silently get pulled into releases. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/pack.yml | 44 +++++++++++++++++++++++++++++++++++--- CHANGELOG.md | 2 +- 2 files changed, 42 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml index 29bc7aa..5a476a4 100644 --- a/.github/workflows/pack.yml +++ b/.github/workflows/pack.yml 
@@ -6,9 +6,31 @@ on: tags: ['v*'] permissions: - contents: write + contents: read jobs: + ci-passed: + if: startsWith(github.ref, 'refs/tags/v') + runs-on: ubuntu-latest + steps: + - name: Verify CI succeeded on tagged commit + env: + GH_TOKEN: ${{ github.token }} + run: | + set -e + conclusions=$(gh api "repos/${{ github.repository }}/commits/${{ github.sha }}/check-runs" \ + --jq '[.check_runs[] | select(.name | startswith("build-and-test")) | .conclusion]') + echo "build-and-test conclusions on ${{ github.sha }}: $conclusions" + if [ "$conclusions" = "[]" ]; then + echo "::error::No build-and-test check runs found for ${{ github.sha }} — was CI ever triggered?" + exit 1 + fi + if echo "$conclusions" | grep -qvE '^\[("success",?\s*)+\]$'; then + echo "::error::At least one build-and-test check on ${{ github.sha }} did not succeed" + exit 1 + fi + echo "CI green on ${{ github.sha }} ✓" + pack-tarballs-and-windows: runs-on: ubuntu-latest steps: @@ -86,14 +108,29 @@ jobs: retention-days: 30 draft-release: - needs: [pack-tarballs-and-windows, pack-macos] + needs: [ci-passed, pack-tarballs-and-windows, pack-macos] if: startsWith(github.ref, 'refs/tags/v') runs-on: ubuntu-latest + permissions: + contents: write steps: - - name: Download all build artifacts + - name: Download build artifacts uses: actions/download-artifact@v4 with: + pattern: bitmovin-cli-* path: artifacts + - name: Compute SHA256SUMS for release assets + run: | + set -e + cd artifacts + { + find bitmovin-cli-tarballs-and-windows -type f \( -name '*.tar.gz' -o -name '*.tar.xz' -o -name '*.exe' \) + find bitmovin-cli-macos -type f -name '*.pkg' + } | while read -r f; do + hash=$(sha256sum "$f" | cut -d' ' -f1) + printf '%s %s\n' "$hash" "$(basename "$f")" + done | LC_ALL=C sort -k2 > SHA256SUMS + cat SHA256SUMS - name: Create draft release with installer assets uses: softprops/action-gh-release@v2 with: 
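Review bot: the `ci-passed` step in the first hunk only reads the first page of `check-runs` (30 entries by default), so on a commit with many check runs a `build-and-test` entry can fall off the page and the gate would see `[]` or a partial list; pass `--paginate` to `gh api`, which still works with the line-by-line `grep -qv` check since each page yields one JSON array on its own line. Two further points: if ci.yml is itself triggered by the `v*` tag push, its latest `build-and-test` check runs are still in progress (`conclusion` is `null`) when this job queries them and the regex rejects the release, so either state in a comment that ci.yml runs only on branch pushes or wait for completion; and `select(.name | startswith("build-and-test"))` matches a check of that name from any installed app, so consider also filtering on the check run's `app` field so only GitHub Actions checks can satisfy the gate.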
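Review bot: in the SHA256SUMS step of the second hunk, `printf '%s %s\n'` writes a single space between digest and file name; emit the two-space separator that `sha256sum` itself produces (`printf '%s  %s\n' "$hash" "$(basename "$f")"`) so that `sha256sum -c SHA256SUMS` and `shasum -a 256 -c SHA256SUMS` accept the file everywhere, since the single-space form is not recognised by every implementation. Separately, the checksums are computed in the same job from the same downloaded artifacts that are attached, so the file is an integrity check for downloads and not an authenticity signal: anyone who can alter the draft's assets can regenerate it. If authenticity is the goal before notarization lands, sign the checksum file or generate build provenance for the assets (for example `actions/attest-build-provenance`, which needs `id-token: write` and `attestations: write` on the job).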
@@ -105,3 +142,4 @@ jobs: artifacts/bitmovin-cli-tarballs-and-windows/*.tar.xz artifacts/bitmovin-cli-tarballs-and-windows/win32/*.exe artifacts/bitmovin-cli-macos/*.pkg + artifacts/SHA256SUMS diff --git a/CHANGELOG.md b/CHANGELOG.md index 422f286..f9fcd0d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 JSON shape note for anyone tracking the unreleased branch: the `--json` output now reports `streamKeys: [{value, ingestPointId, status}]` instead of the singular `streamKey` field that earlier iterations exposed. A `streamKey` alias is still emitted (equal to `streamKeys[0]?.value`) for one-off scripts; redundant RTMP setups should read `streamKeys[]` to get every per-ingest-point key. - CI workflow that builds standalone tarballs (macOS, Linux, Windows) plus macOS `.pkg` (signed with Developer ID Installer) and Windows `.exe` installers via `oclif pack` and uploads them as workflow artifacts for internal testing. macOS `.pkg` signature is verified via `pkgutil --check-signature` in CI. npm publishing and macOS notarization will follow in subsequent changes. -- Tag-pushed `v*` runs now also create a draft GitHub Release with the tarballs, `.exe`, and signed `.pkg` files attached as individual downloadable assets. Drafts are invisible to non-maintainers; "Publish release" in the Releases UI flips visibility once contents are reviewed. +- Tag-pushed `v*` runs now also create a draft GitHub Release with the tarballs, `.exe`, and signed `.pkg` files attached as individual downloadable assets, plus a `SHA256SUMS` file so users can verify downloads. Release creation is gated on a `ci-passed` job that asserts `ci.yml` (lint, build, tests) succeeded on the tagged commit. Drafts are invisible to non-maintainers; "Publish release" in the Releases UI flips visibility once contents are reviewed. ### Changed
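Review bot: the CHANGELOG hunk states that `ci-passed` asserts `ci.yml` (lint, build, tests) succeeded on the tagged commit, but the gate in pack.yml only inspects check runs whose name starts with `build-and-test`; if lint runs as a separate job or check it is not covered. Either widen the filter in `ci-passed` to every ci.yml check or reword the entry to describe what is actually verified.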