Skip to content

release: cut v1.3.0 — library split, code-registered tools, AAuth & l… #28

release: cut v1.3.0 — library split, code-registered tools, AAuth & l…

release: cut v1.3.0 — library split, code-registered tools, AAuth & l… #28

Workflow file for this run

name: release
# Cut a release by pushing a tag, e.g. `git tag v0.2.0 && git push origin v0.2.0`.
# Produces: static Linux binaries (amd64 + arm64), a multi-arch OCI image on GHCR
# (cosign-signed, SBOM-attested), and a SHA256SUMS. (For a Debian/systemd host,
# `packaging/` ships a hardened unit + env for a manual install.)
on:
push:
tags: ["v*"]
# Least privilege per job; the container job adds packages + id-token for GHCR
# push + keyless signing.
permissions:
contents: read
# Release artifacts ship the full cloud-native surface on the HTTPS-everywhere
# transport (`tls` is a default feature — rustls/ring with bundled roots, so the
# static binary trusts public CAs with no system bundle): the served self-MCP +
# A2A control plane over HTTP(S) with mTLS/bearer, /healthz+/readyz+/metrics,
# UTC-cron, OTLP, horizontal scaling (sharding + work-claim + autoscaling
# signals), SIGHUP/inotify config hot-reload, agent-authored workflows, and the
# AAuth [DRAFT] agent-identity client (`--features aauth`). AAuth ships in the
# artifact because its crypto (`ring`) is ALREADY linked by rustls (the `tls`
# default) — zero marginal dependency, so the minimalism moat is untouched.
# CEL (`--features cel`) is the one dependency-BEARING opt-in and stays
# build-from-source by design (the moat holds in shipped artifacts).
env:
FEATURES: "serve-https,a2a,events,metrics,cron,otel,cluster,hot-reload,config-watch,workflow,aauth"
jobs:
# Static Linux binaries for the two cloud architectures, cross-compiled in
# docker via `cross` so amd64 and arm64 both produce a fully static musl ELF.
binaries:
permissions:
contents: write
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
target: [x86_64-unknown-linux-musl, aarch64-unknown-linux-musl]
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}
- uses: taiki-e/install-action@v2
with:
tool: cross
- run: cross build --release --locked -p agentd-cli --target ${{ matrix.target }} --features "$FEATURES"
- name: Package
run: |
mkdir -p dist
cp "target/${{ matrix.target }}/release/agentd" dist/
cd dist
tar czf "agentd-${{ github.ref_name }}-${{ matrix.target }}.tar.gz" agentd
rm agentd
- uses: softprops/action-gh-release@v2
with:
files: dist/*
# Multi-arch OCI image → GHCR, cosign-signed (keyless OIDC) with an SPDX SBOM
# attestation. The Dockerfile defaults FEATURES to the cloud-native set.
container:
permissions:
contents: read
packages: write
id-token: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository_owner }}/agentd
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=raw,value=latest
- id: build
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# metadata-action's labels (applied above) own the canonical
# org.opencontainers.image.* set, including `created`; these args just
# fill the Dockerfile's local-build defaults.
build-args: |
VERSION=${{ github.ref_name }}
REVISION=${{ github.sha }}
- uses: sigstore/cosign-installer@v3
- name: Sign image (keyless)
env:
DIGEST: ${{ steps.build.outputs.digest }}
run: cosign sign --yes "ghcr.io/${{ github.repository_owner }}/agentd@${DIGEST}"
- name: Generate SPDX SBOM
uses: anchore/sbom-action@v0
with:
image: ghcr.io/${{ github.repository_owner }}/agentd@${{ steps.build.outputs.digest }}
format: spdx-json
output-file: sbom.spdx.json
upload-release-assets: false
- name: Attest SBOM
env:
DIGEST: ${{ steps.build.outputs.digest }}
run: cosign attest --yes --predicate sbom.spdx.json --type spdxjson "ghcr.io/${{ github.repository_owner }}/agentd@${DIGEST}"
# Aggregate SHA256 checksums over the released binaries, after they upload.
checksums:
needs: [binaries]
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Download release assets
env:
GH_TOKEN: ${{ github.token }}
run: |
mkdir -p dist && cd dist
gh release download "${{ github.ref_name }}" \
--repo "${{ github.repository }}" \
--pattern 'agentd-*'
sha256sum * > SHA256SUMS
cat SHA256SUMS
- uses: softprops/action-gh-release@v2
with:
files: dist/SHA256SUMS