release: cut v1.3.0 — library split, code-registered tools, AAuth & l… #28
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| # Cut a release by pushing a tag, e.g. `git tag v0.2.0 && git push origin v0.2.0`. | |
| # Produces: static Linux binaries (amd64 + arm64), a multi-arch OCI image on GHCR | |
| # (cosign-signed, SBOM-attested), and a SHA256SUMS. (For a Debian/systemd host, | |
| # `packaging/` ships a hardened unit + env for a manual install.) | |
| on: | |
| push: | |
| tags: ["v*"] | |
| # Least privilege per job; the container job adds packages + id-token for GHCR | |
| # push + keyless signing. | |
| permissions: | |
| contents: read | |
| # Release artifacts ship the full cloud-native surface on the HTTPS-everywhere | |
| # transport (`tls` is a default feature — rustls/ring with bundled roots, so the | |
| # static binary trusts public CAs with no system bundle): the served self-MCP + | |
| # A2A control plane over HTTP(S) with mTLS/bearer, /healthz+/readyz+/metrics, | |
| # UTC-cron, OTLP, horizontal scaling (sharding + work-claim + autoscaling | |
| # signals), SIGHUP/inotify config hot-reload, agent-authored workflows, and the | |
| # AAuth [DRAFT] agent-identity client (`--features aauth`). AAuth ships in the | |
| # artifact because its crypto (`ring`) is ALREADY linked by rustls (the `tls` | |
| # default) — zero marginal dependency, so the minimalism moat is untouched. | |
| # CEL (`--features cel`) is the one dependency-BEARING opt-in and stays | |
| # build-from-source by design (the moat holds in shipped artifacts). | |
| env: | |
| FEATURES: "serve-https,a2a,events,metrics,cron,otel,cluster,hot-reload,config-watch,workflow,aauth" | |
| jobs: | |
| # Static Linux binaries for the two cloud architectures, cross-compiled in | |
| # docker via `cross` so amd64 and arm64 both produce a fully static musl ELF. | |
| binaries: | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| target: [x86_64-unknown-linux-musl, aarch64-unknown-linux-musl] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: ${{ matrix.target }} | |
| - uses: taiki-e/install-action@v2 | |
| with: | |
| tool: cross | |
| - run: cross build --release --locked -p agentd-cli --target ${{ matrix.target }} --features "$FEATURES" | |
| - name: Package | |
| run: | | |
| mkdir -p dist | |
| cp "target/${{ matrix.target }}/release/agentd" dist/ | |
| cd dist | |
| tar czf "agentd-${{ github.ref_name }}-${{ matrix.target }}.tar.gz" agentd | |
| rm agentd | |
| - uses: softprops/action-gh-release@v2 | |
| with: | |
| files: dist/* | |
| # Multi-arch OCI image → GHCR, cosign-signed (keyless OIDC) with an SPDX SBOM | |
| # attestation. The Dockerfile defaults FEATURES to the cloud-native set. | |
| container: | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: docker/setup-qemu-action@v3 | |
| - uses: docker/setup-buildx-action@v3 | |
| - uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/agentd | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=raw,value=latest | |
| - id: build | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| # metadata-action's labels (applied above) own the canonical | |
| # org.opencontainers.image.* set, including `created`; these args just | |
| # fill the Dockerfile's local-build defaults. | |
| build-args: | | |
| VERSION=${{ github.ref_name }} | |
| REVISION=${{ github.sha }} | |
| - uses: sigstore/cosign-installer@v3 | |
| - name: Sign image (keyless) | |
| env: | |
| DIGEST: ${{ steps.build.outputs.digest }} | |
| run: cosign sign --yes "ghcr.io/${{ github.repository_owner }}/agentd@${DIGEST}" | |
| - name: Generate SPDX SBOM | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: ghcr.io/${{ github.repository_owner }}/agentd@${{ steps.build.outputs.digest }} | |
| format: spdx-json | |
| output-file: sbom.spdx.json | |
| upload-release-assets: false | |
| - name: Attest SBOM | |
| env: | |
| DIGEST: ${{ steps.build.outputs.digest }} | |
| run: cosign attest --yes --predicate sbom.spdx.json --type spdxjson "ghcr.io/${{ github.repository_owner }}/agentd@${DIGEST}" | |
| # Aggregate SHA256 checksums over the released binaries, after they upload. | |
| checksums: | |
| needs: [binaries] | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Download release assets | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| mkdir -p dist && cd dist | |
| gh release download "${{ github.ref_name }}" \ | |
| --repo "${{ github.repository }}" \ | |
| --pattern 'agentd-*' | |
| sha256sum * > SHA256SUMS | |
| cat SHA256SUMS | |
| - uses: softprops/action-gh-release@v2 | |
| with: | |
| files: dist/SHA256SUMS |