ci: add apisix-runtime release assets workflow

[jarvis9443]

Add a release workflow for reusable apisix-runtime Debian assets.

The workflow now runs automatically when an apisix-runtime/<version> GitHub release is published, and still supports manual dispatch for reruns. It builds normal and debug Debian packages for amd64 and arm64 on Debian bookworm-slim, then uploads the resulting assets to the existing release.

This lets downstream images install prebuilt runtime packages from the release instead of rebuilding OpenResty during their own image builds.

Compatibility notes:

• only apisix-runtime/* releases run the job
• manual dispatch accepts the bare runtime version and uploads to apisix-runtime/<version>
• the release must already exist before assets are uploaded

Summary by CodeRabbit

• Chores
  • Added an on-demand release workflow to build and publish apisix-runtime Debian packages for amd64 and arm64 (manual or tagged release), producing normal and debug packages and uploading them to a GitHub Release.
  • Build process now supports a "latest" build flag.
  • Generated Debian package filenames consistently include the distribution suffix and dynamic versioning.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a manual GitHub Actions workflow to build apisix-runtime Debian packages for amd64 and arm64, sets VERSION from the trigger, runs make (with a new BUILD_LATEST build-arg), renames the .deb artifact consistently, and creates/targets a apisix-runtime/<version> GitHub Release to upload the artifacts.

Changes

Release Workflow for apisix-runtime

Layer / File(s)	Summary
Workflow trigger and configuration .github/workflows/release-apisix-runtime.yml	Workflow metadata, manual workflow_dispatch with required version input, and contents: write permission for releases.
Job matrix and environment .github/workflows/release-apisix-runtime.yml	release job with amd64/arm64 matrix and 90-minute timeout.
Checkout, deps, and version resolution .github/workflows/release-apisix-runtime.yml	Checks out repo with persist-credentials: false, installs build dependencies, extracts and validates VERSION/RELEASE_TAG from the release tag or workflow input.
Build args, packaging, build and release upload Makefile, .github/workflows/release-apisix-runtime.yml, package-apisix-runtime.sh	Makefile exposes BUILD_LATEST build-arg and threads it into Docker build commands; packaging script renames the generated .deb using the dynamic artifact prefix and ${dist} suffix; workflow runs make package for apisix-runtime and apisix-runtime-debug per-arch and uploads resulting ./output/*.deb to the apisix-runtime/<VERSION> release with gh release upload --clobber.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• nic-6443

🚥 Pre-merge checks | ✅ 6

✅ Passed checks (6 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a GitHub Actions workflow for apisix-runtime release assets.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
E2e Test Quality Review	✅ Passed	PR adds CI workflow for packaging apisix-runtime, not application code. No E2E tests required. Version validation, error handling via GitHub Actions defaults, and artifact naming are correct.
Security Check	✅ Passed	No security vulnerabilities found. Version input is validated with regex, variables are properly quoted, GH_TOKEN uses GitHub's safe temporary token, and no secrets are logged or exposed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch add-apisix-runtime-release-assets

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-apisix-runtime.yml:
- Around line 28-30: Replace the unpinned checkout action "uses:
actions/checkout@v4" with a pinned commit SHA and add the `persist-credentials:
false` option in its `with` block; specifically, locate the step that references
uses: actions/checkout@v4 and change it to uses: actions/checkout@<COMMIT_SHA>
and add a with: persist-credentials: false (and any other existing with keys) to
prevent credential persistence.
- Around line 44-54: Update the "Upload release assets" step that currently uses
softprops/action-gh-release@v2: replace the floating tag with a specific commit
SHA for softprops/action-gh-release (i.e.
softprops/action-gh-release@<commit-sha>) and verify the entries under files:
exactly match the produced .deb artifact names in ./output/ (including any
debug/non-debug variants and architecture suffixes) so that
fail_on_unmatched_files: true will not fail; adjust the filenames or the build
artifact naming to ensure exact string equality and keep overwrite_files: true
as needed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8867c2b6-2f66-40d1-9412-b9294b21af9f

📥 Commits

Reviewing files that changed from the base of the PR and between 95f2a79 and 7b18dd2.

📒 Files selected for processing (1)

• .github/workflows/release-apisix-runtime.yml

[Copilot]

Pull request overview

Adds a manually triggered GitHub Actions workflow to build apisix-runtime Debian packages (amd64/arm64) and upload them as assets to the apisix-runtime/<version> GitHub Release, to support downstream gateway image builds consuming prebuilt runtime artifacts.

Changes:

• Introduces a workflow_dispatch workflow that accepts a runtime version input.
• Builds Debian bookworm-slim .deb assets for amd64 and arm64 via make package.
• Uploads the generated artifacts to the apisix-runtime/<version> release tag.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-apisix-runtime.yml:
- Around line 53-55: The release creation can race between matrix jobs: keep the
existing check using the tag variable and gh release view "$tag", but make the
create step tolerant of a concurrent creator by changing the gh release create
"$tag" --title "$tag" --notes "Release apisix-runtime ${VERSION}" invocation so
it does not cause the job to fail if the release already exists (e.g., append a
no-fail fallback like || true or retry/ignore an "already exists" error),
ensuring tag, gh release view and gh release create remain but the create is
idempotent across parallel matrix jobs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5bf66359-a39f-4771-aea9-8ae1044f751a

📥 Commits

Reviewing files that changed from the base of the PR and between 7b18dd2 and d769e66.

📒 Files selected for processing (1)

• .github/workflows/release-apisix-runtime.yml

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.