Skip to content

CI: publish standalone release artifacts and update permissions/runner #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jooh merged 2 commits into from
Apr 2, 2026
Merged

CI: publish standalone release artifacts and update permissions/runner #13

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9f4867c
Publish standalone matrix artifacts to tagged GitHub releases
jooh Apr 2, 2026
4e099a9
CI: publish standalone runtime bundle in release assets
jooh Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 32 additions & 4 deletions .github/workflows/standalone-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ on:
jobs:
standalone:
permissions:
contents: read
contents: write
id-token: write
strategy:
fail-fast: false
Expand All @@ -18,7 +18,7 @@ jobs:
- target: linux-x64
runner: ubuntu-22.04
- target: darwin-x64
runner: macos-13
runner: macos-15-intel
- target: darwin-arm64
runner: macos-14
runs-on: ${{ matrix.runner }}
Expand All @@ -27,6 +27,7 @@ jobs:
NODE_VERSION: '20.19.1'
TARGET: ${{ matrix.target }}
ARTIFACT: dist/standalone/devcontainer-${{ matrix.target }}
RUNTIME_BUNDLE: dist/standalone/devcontainer-${{ matrix.target }}-runtime.tar.gz
steps:
- uses: actions/checkout@v4

Expand All @@ -48,14 +49,23 @@ jobs:
- name: Standalone smoke tests
run: scripts/standalone/smoke.sh "$ARTIFACT"

- name: Package standalone runtime payload
run: tar -czf "$RUNTIME_BUNDLE" -C dist/standalone "$(basename "$ARTIFACT")" spec-node

- name: Create checksums
run: shasum -a 256 "$ARTIFACT" > "$ARTIFACT.sha256"
run: |
for file in "$ARTIFACT" "$RUNTIME_BUNDLE"; do
shasum -a 256 "$file" > "$file.sha256"
done

- name: Install Cosign
uses: sigstore/cosign-installer@v3.8.1

- name: Sign checksums with cosign (keyless)
run: cosign sign-blob --yes "$ARTIFACT.sha256" --output-signature "$ARTIFACT.sha256.sig" --output-certificate "$ARTIFACT.sha256.pem"
run: |
for file in "$ARTIFACT" "$RUNTIME_BUNDLE"; do
cosign sign-blob --yes "$file.sha256" --output-signature "$file.sha256.sig" --output-certificate "$file.sha256.pem"
done

- name: Upload standalone artifacts
uses: actions/upload-artifact@v4
Expand All @@ -64,6 +74,24 @@ jobs:
path: |
${{ env.ARTIFACT }}
dist/standalone/spec-node/**
${{ env.RUNTIME_BUNDLE }}
${{ env.ARTIFACT }}.sha256
${{ env.ARTIFACT }}.sha256.sig
${{ env.ARTIFACT }}.sha256.pem
${{ env.RUNTIME_BUNDLE }}.sha256
${{ env.RUNTIME_BUNDLE }}.sha256.sig
${{ env.RUNTIME_BUNDLE }}.sha256.pem

- name: Publish standalone assets to GitHub Release
if: startsWith(github.ref, 'refs/tags/')
uses: softprops/action-gh-release@v2
with:
files: |
${{ env.ARTIFACT }}
${{ env.RUNTIME_BUNDLE }}
${{ env.ARTIFACT }}.sha256
${{ env.ARTIFACT }}.sha256.sig
${{ env.ARTIFACT }}.sha256.pem
Comment on lines +89 to +94
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Publish runtime payload with standalone release asset

The new release step uploads only ${{ env.ARTIFACT }} and checksum/signature files, but the produced "standalone" binary is currently a wrapper script that executes spec-node/devContainersSpecCLI.js from the same directory (scripts/standalone/build.sh). On tag builds this makes the GitHub Release artifact non-runnable for users who download it directly, because dist/standalone/spec-node/** is omitted from the release assets even though it is required at runtime (and is included in upload-artifact).

Useful? React with 👍 / 👎.

${{ env.RUNTIME_BUNDLE }}.sha256
${{ env.RUNTIME_BUNDLE }}.sha256.sig
${{ env.RUNTIME_BUNDLE }}.sha256.pem