release: cut v2.3.0 — the A2A interoperability surface (RFC 0020) #13
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| # Cut a release by pushing a tag, e.g. `git tag v0.2.0 && git push origin v0.2.0`. | |
| # Produces: static Linux binaries (amd64 + arm64), a multi-arch OCI image on GHCR | |
| # (cosign-signed, SBOM-attested), and a SHA256SUMS. (For a Debian/systemd host, | |
| # `packaging/` ships a hardened unit + env for a manual install.) | |
| on: | |
| push: | |
| tags: ["v*"] | |
| # Least privilege per job; the container job adds packages + id-token for GHCR | |
| # push + keyless signing. | |
| permissions: | |
| contents: read | |
| # All release artifacts ship the dependency-free cloud-native feature set: the | |
| # /healthz+/readyz+/metrics probe surface, served MCP, UTC-cron, and OTLP — still | |
| # a fully static, 3-dependency binary. (Need tls/vsock? build from source; the | |
| # default reaches intelligence over unix: to a TLS-terminating sidecar.) | |
| env: | |
| FEATURES: "metrics,serve-mcp,cron,otel" | |
| jobs: | |
| # Static Linux binaries for the two cloud architectures, cross-compiled in | |
| # docker via `cross` so amd64 and arm64 both produce a fully static musl ELF. | |
| binaries: | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| target: [x86_64-unknown-linux-musl, aarch64-unknown-linux-musl] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: ${{ matrix.target }} | |
| - uses: taiki-e/install-action@v2 | |
| with: | |
| tool: cross | |
| - run: cross build --release --locked -p agentd --target ${{ matrix.target }} --features "$FEATURES" | |
| - name: Package | |
| run: | | |
| mkdir -p dist | |
| cp "target/${{ matrix.target }}/release/agentd" dist/ | |
| cd dist | |
| tar czf "agentd-${{ github.ref_name }}-${{ matrix.target }}.tar.gz" agentd | |
| rm agentd | |
| - uses: softprops/action-gh-release@v2 | |
| with: | |
| files: dist/* | |
| # Multi-arch OCI image → GHCR, cosign-signed (keyless OIDC) with an SPDX SBOM | |
| # attestation. The Dockerfile defaults FEATURES to the cloud-native set. | |
| container: | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: docker/setup-qemu-action@v3 | |
| - uses: docker/setup-buildx-action@v3 | |
| - uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/agentd | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=raw,value=latest | |
| - id: build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| # metadata-action's labels (applied above) own the canonical | |
| # org.opencontainers.image.* set, including `created`; these args just | |
| # fill the Dockerfile's local-build defaults. | |
| build-args: | | |
| VERSION=${{ github.ref_name }} | |
| REVISION=${{ github.sha }} | |
| - uses: sigstore/cosign-installer@v3 | |
| - name: Sign image (keyless) | |
| env: | |
| DIGEST: ${{ steps.build.outputs.digest }} | |
| run: cosign sign --yes "ghcr.io/${{ github.repository_owner }}/agentd@${DIGEST}" | |
| - name: Generate SPDX SBOM | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: ghcr.io/${{ github.repository_owner }}/agentd@${{ steps.build.outputs.digest }} | |
| format: spdx-json | |
| output-file: sbom.spdx.json | |
| upload-release-assets: false | |
| - name: Attest SBOM | |
| env: | |
| DIGEST: ${{ steps.build.outputs.digest }} | |
| run: cosign attest --yes --predicate sbom.spdx.json --type spdxjson "ghcr.io/${{ github.repository_owner }}/agentd@${DIGEST}" | |
| # Aggregate SHA256 checksums over the released binaries, after they upload. | |
| checksums: | |
| needs: [binaries] | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Download release assets | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| mkdir -p dist && cd dist | |
| gh release download "${{ github.ref_name }}" \ | |
| --repo "${{ github.repository }}" \ | |
| --pattern 'agentd-*' | |
| sha256sum * > SHA256SUMS | |
| cat SHA256SUMS | |
| - uses: softprops/action-gh-release@v2 | |
| with: | |
| files: dist/SHA256SUMS |