CI: publish standalone release artifacts and update permissions/runner

[jooh]

Motivation

• Enable publishing of standalone build artifacts to GitHub Releases when creating tags.
• Ensure the workflow can write repository contents needed for release asset publishing.
• Use a newer macOS runner identifier for the Intel darwin build.

Description

• Updated .github/workflows/standalone-release.yml to set contents: write in job permissions so release assets can be published.
• Changed the macOS Intel matrix runner from macos-13 to macos-15-intel.
• Added a conditional release step that uses softprops/action-gh-release@v2 to publish the standalone artifact and its checksum/signature when the workflow is triggered by a tag (if: startsWith(github.ref, 'refs/tags/')).
• Kept existing artifact creation, cosign signing, and actions/upload-artifact@v4 upload steps; the release step posts the same files to the GitHub Release.

Testing

• No automated tests were executed as part of this PR.

---

Codex Task

[jooh]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9f4867ca57

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Publish runtime payload with standalone release asset

The new release step uploads only ${{ env.ARTIFACT }} and checksum/signature files, but the produced "standalone" binary is currently a wrapper script that executes spec-node/devContainersSpecCLI.js from the same directory (scripts/standalone/build.sh). On tag builds this makes the GitHub Release artifact non-runnable for users who download it directly, because dist/standalone/spec-node/** is omitted from the release assets even though it is required at runtime (and is included in upload-artifact).

Useful? React with 👍 / 👎.

[jooh]

@codex fix comment

[chatgpt-codex-connector]

Summary

• Addressed the P1 review feedback by adding a packaged runtime bundle (RUNTIME_BUNDLE) so the standalone launcher and required spec-node payload are shipped together for release consumers. .github/workflows/standalone-release.ymlL25-L53
• Updated checksum + cosign signing steps to process both the standalone launcher and the new runtime bundle, ensuring both release payloads have integrity/signature artifacts. .github/workflows/standalone-release.ymlL55-L68
• Updated artifact publication in both upload-artifact and softprops/action-gh-release so the runtime bundle and its checksum/signature/certificate are uploaded alongside existing assets. .github/workflows/standalone-release.ymlL70-L97
• Committed the fix on the current branch (4299eb0) and created a follow-up PR via make_pr titled “Follow-up: include standalone runtime payload in GitHub release assets.”

Testing

• ✅ git show --stat --oneline HEAD
• ✅ git diff --check HEAD~1..HEAD -- .github/workflows/standalone-release.yml
• ✅ sed -n '1,220p' .github/workflows/standalone-release.yml

View task →