feat: CI for binaries allowing signing via kokoro

cabljac · cabljac · commit e07967a69fd0 · 2025-07-15T16:03:33.000+01:00
diff --git a/.github/workflows/build-cli-binaries.yml b/.github/workflows/build-cli-binaries.yml
@@ -20,11 +20,16 @@ on:
   workflow_dispatch:
     inputs:
       version:
-        description: 'Version tag to build (e.g., v1.0.0)'
+        description: 'Version tag to build (e.g., v1.0.0, v1.0.0-rc.1)'
         required: true
         type: string
-      upload_to_release:
-        description: 'Upload binaries to GitHub release and update latest tag'
+      create_rc:
+        description: 'Create release candidate with unsigned binaries'
+        required: false
+        type: boolean
+        default: false
+      promote_rc:
+        description: 'Promote RC to final release (requires signed binaries)'
         required: false
         type: boolean
         default: false
@@ -60,7 +65,7 @@ jobs:
         run: |
           VERSION="${{ inputs.version }}"
           if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$ ]]; then
-            echo "Error: Version '$VERSION' does not follow semantic versioning format (e.g., v1.0.0, v1.0.0-beta.1)"
+            echo "Error: Version '$VERSION' does not follow semantic versioning format (e.g., v1.0.0, v1.0.0-rc.1)"
             exit 1
           fi
           echo "✓ Version format is valid: $VERSION"
@@ -120,7 +125,7 @@ jobs:
         with:
           name: genkit-${{ matrix.target }}
           path: genkit-tools/cli/dist/bin/genkit-${{ matrix.target }}${{ steps.binary.outputs.ext }}
-          retention-days: 1  # TODO: Consider increasing to 7 days for better debugging capability
+          retention-days: 7  # Increased for better debugging and signing workflow
 
   test:
     needs: build
@@ -274,15 +279,178 @@ jobs:
           # Clean up any remaining genkit processes
           Get-Process | Where-Object { $_.ProcessName -match "genkit" } | Stop-Process -Force -ErrorAction SilentlyContinue
 
-  create-release:
+  create-rc:
+    needs: [build, test]
+    runs-on: ubuntu-latest
+    if: inputs.create_rc == 'true'
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Generate changelog
+        id: changelog
+        run: |
+          # Get the previous release tag
+          PREVIOUS_TAG=$(git describe --tags --abbrev=0 HEAD~1 2>/dev/null || echo "")
+          
+          if [[ -n "$PREVIOUS_TAG" ]]; then
+            # Generate changelog from previous tag to current
+            CHANGELOG=$(git log --pretty=format:"- %s" $PREVIOUS_TAG..HEAD | head -20)
+            echo "changelog<<EOF" >> $GITHUB_OUTPUT
+            echo "$CHANGELOG" >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+          else
+            # First release
+            echo "changelog<<EOF" >> $GITHUB_OUTPUT
+            echo "- Initial release" >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+          fi
+      
+      - name: Create Release Candidate
+        id: create_rc
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ inputs.version }}
+          release_name: Genkit CLI ${{ inputs.version }} (Release Candidate)
+          body: |
+            # Genkit CLI ${{ inputs.version }} - Release Candidate
+            
+            ⚠️ **This is a release candidate with unsigned binaries for testing purposes.**
+            
+            ## Downloads (Unsigned - For Testing Only)
+            
+            - [Linux x64](https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-linux-x64)
+            - [Linux ARM64](https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-linux-arm64)
+            - [macOS x64](https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-darwin-x64)
+            - [macOS ARM64](https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-darwin-arm64)
+            - [Windows x64](https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-win32-x64.exe)
+            
+            ## Changes
+            
+            ${{ steps.changelog.outputs.changelog }}
+            
+            ## Next Steps
+            
+            After testing, these binaries will be signed and promoted to the final release.
+            
+            ## Installation (Testing Only)
+            
+            ```bash
+            # Download and test the RC binary
+            curl -Lo genkit https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
+            chmod +x genkit
+            ./genkit --version
+            ```
+          draft: false
+          prerelease: true
+
+  upload-rc-assets:
+    needs: [build, test, create-rc]
+    runs-on: ubuntu-latest
+    if: inputs.create_rc == 'true'
+    strategy:
+      matrix:
+        include:
+          - target: linux-x64
+          - target: linux-arm64
+          - target: darwin-x64
+          - target: darwin-arm64
+          - target: win32-x64
+    
+    steps:
+      - name: Set binary extension
+        id: binary
+        shell: bash
+        run: |
+          if [[ "${{ matrix.target }}" == win32-* ]]; then
+            echo "ext=.exe" >> $GITHUB_OUTPUT
+          else
+            echo "ext=" >> $GITHUB_OUTPUT
+          fi
+      
+      - name: Download binary artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: genkit-${{ matrix.target }}
+          path: ./
+      
+      - name: Upload to GitHub Release Candidate
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-rc.outputs.upload_url }}
+          asset_path: ./genkit-${{ matrix.target }}${{ steps.binary.outputs.ext }}
+          asset_name: genkit-${{ matrix.target }}
+          asset_content_type: application/octet-stream
+
+  promote-to-release:
     needs: [build, test]
     runs-on: ubuntu-latest
-    if: inputs.upload_to_release == 'true'
+    if: inputs.promote_rc == 'true'
     
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
       
+      # Note: After RC creation, signed binaries should be uploaded via Kokoro
+      # before running promote_rc. The promotion assumes signed binaries are
+      # available for the final release.
+      - name: Validate signed binaries exist
+        run: |
+          RC_VERSION="${{ inputs.version }}"
+          FINAL_VERSION="${RC_VERSION%-rc*}"
+          
+          echo "Validating signed binaries exist for RC: $RC_VERSION"
+          echo "Will promote to final version: $FINAL_VERSION"
+          
+          # Expected platforms that should have signed binaries
+          EXPECTED_PLATFORMS=("linux-x64" "linux-arm64" "darwin-x64" "darwin-arm64" "win32-x64")
+          
+          # Check if RC release exists and get its assets
+          RELEASE_INFO=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://api.github.com/repos/firebase/genkit/releases/tags/$RC_VERSION")
+          
+          if [[ $(echo "$RELEASE_INFO" | jq -r '.id') == "null" ]]; then
+            echo "❌ Error: RC release $RC_VERSION not found"
+            exit 1
+          fi
+          
+          echo "✓ RC release $RC_VERSION found"
+          
+          # Get list of assets from the RC release
+          ASSETS=$(echo "$RELEASE_INFO" | jq -r '.assets[].name' | sort)
+          
+          # Check for expected signed binaries
+          MISSING_BINARIES=()
+          for platform in "${EXPECTED_PLATFORMS[@]}"; do
+            if [[ "$platform" == win32-* ]]; then
+              expected_file="genkit-$platform.exe"
+            else
+              expected_file="genkit-$platform"
+            fi
+            
+            if ! echo "$ASSETS" | grep -q "^$expected_file$"; then
+              MISSING_BINARIES+=("$expected_file")
+            else
+              echo "✓ Found signed binary: $expected_file"
+            fi
+          done
+          
+          if [[ ${#MISSING_BINARIES[@]} -gt 0 ]]; then
+            echo "❌ Missing signed binaries:"
+            printf '  - %s\n' "${MISSING_BINARIES[@]}"
+            echo ""
+            echo "Please ensure all binaries are signed before promoting to final release."
+            echo "You can trigger the signing workflow or manually upload signed binaries."
+            exit 1
+          fi
+          
+          echo "✅ All expected signed binaries found in RC release"
+      
       - name: Generate changelog
         id: changelog
         run: |
@@ -302,7 +470,7 @@ jobs:
             echo "EOF" >> $GITHUB_OUTPUT
           fi
       
-      - name: Create Release
+      - name: Create Final Release
         id: create_release
         uses: actions/create-release@v1
         env:
@@ -327,16 +495,48 @@ jobs:
             
             ## Installation
             
+            ### Quick Install (Recommended)
+            
             ```bash
-            TODO: Add installation instructions
+            curl -sL https://genkit.tools | bash
             ```
+            
+            ### Manual Installation
+            
+            ```bash
+            # Download the appropriate binary for your platform
+            curl -Lo genkit https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
+            
+            # Make it executable
+            chmod +x genkit
+            
+            # Move to a directory in your PATH
+            sudo mv genkit /usr/local/bin/
+            
+            # Verify installation
+            genkit --version
+            ```
+            
+            ### Windows Installation
+            
+            ```powershell
+            # Download the Windows binary
+            Invoke-WebRequest -Uri "https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-win32-x64.exe" -OutFile "genkit.exe"
+            
+            # Add to PATH or run from current directory
+            .\genkit.exe --version
+            ```
+            
+            ## Documentation
+            
+            For more information, visit [https://firebase.google.com/docs/genkit/](https://firebase.google.com/docs/genkit/)
           draft: false
           prerelease: false
 
-  upload-assets:
-    needs: [build, test, create-release]
+  upload-release-assets:
+    needs: [build, test, promote-to-release]
     runs-on: ubuntu-latest
-    if: inputs.upload_to_release == 'true'
+    if: inputs.promote_rc == 'true'
     strategy:
       matrix:
         include:
@@ -368,15 +568,15 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          upload_url: ${{ needs.promote-to-release.outputs.upload_url }}
           asset_path: ./genkit-${{ matrix.target }}${{ steps.binary.outputs.ext }}
           asset_name: genkit-${{ matrix.target }}
           asset_content_type: application/octet-stream
 
   update-latest-tag:
-    needs: [create-release, upload-assets]
+    needs: [promote-to-release, upload-release-assets]
     runs-on: ubuntu-latest
-    if: inputs.upload_to_release == 'true'
+    if: inputs.promote_rc == 'true'
     
     steps:
       - name: Checkout code
