Release automation#127
Conversation
Add x86_64-pc-windows-msvc to the release matrix. Windows ships a .zip (7z) while unix keeps .tar.gz; a portable sha256 helper handles sha256sum/shasum/certutil. Smoke test and packaging now resolve the .exe suffix on Windows. Release attach uses globs to cover both formats.
Vendor the @gitlawb/gl npm wrapper (optionalDependencies platform-package pattern) into npm/, replacing the standalone gl-npm repo. A new npm-publish job downloads the four unix release tarballs from the GitHub release, lays in the binaries, stamps every package.json with the release version, and runs npm publish --provenance. Guarded on NPM_TOKEN so it no-ops until the secret is configured.
Add a homebrew-bump job that regenerates Formula/gl.rb in Gitlawb/homebrew-tap from the release tarballs' sha256 checksums (macOS+Linux, arm64+x64) and pushes the bump. Guarded on HOMEBREW_TAP_PAT so it no-ops until the secret and tap repo exist. Enables 'brew install gitlawb/tap/gl'.
Add install.ps1 (Windows PowerShell installer, source of truth in node). Add a web-sync job that opens a PR to Gitlawb/web on each release syncing install.sh + install.ps1 + public/version.json, plus idempotent drift fixes (remove orphaned public/bin, fix stale skill.md releases link). Guarded on WEB_SYNC_PAT. Vercel deploys on merge.
The gitlawb-node daemon targets Linux/macOS; building it on Windows risks a compile failure that would block the whole release (npm/brew/web jobs all depend on release-binaries). Windows now builds only gl + git-remote-gitlawb; the smoke-test and package loops follow the per-target binary list.
…action to v5 The manifest still said 0.3.8 while the only tag is a manual v0.3.9 and Cargo.toml is 0.3.9, so release-please had no valid baseline (no v0.3.8 tag) and never cut a release. Set the manifest to 0.3.9 so release-please diffs v0.3.9..main and opens a proper release PR for the next version. Also pin release-please-action to v5.0.0 to match the openclaude pipeline.
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds cross-platform release artifacts, a Windows installer, npm platform packages with a postinstall copier, and updated install instructions. The release-please manifest and root version reference are also bumped to 0.3.9. ChangesRelease pipeline and distribution changes
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (3 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
0b99fd8 to
8092c9d
Compare
…b-sync CodeQL flagged both jobs for lacking a permissions block, leaving GITHUB_TOKEN at broad default scopes. Both only need contents: read (cross-repo writes use dedicated PATs).
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (2)
npm/README.md (1)
12-19: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winAdd a language tag to the fenced block.
Lines 12-19 match the markdownlint warning in this PR. Marking the tree as
textkeeps the rendering the same and removes the lint noise.Proposed fix
-``` +```text packages/ gl/ `@gitlawb/gl` wrapper (postinstall, bin shims) gl-darwin-arm64/ `@gitlawb/gl-darwin-arm64` aarch64-apple-darwin gl-darwin-x64/ `@gitlawb/gl-darwin-x64` x86_64-apple-darwin gl-linux-arm64/ `@gitlawb/gl-linux-arm64` aarch64-unknown-linux-musl gl-linux-x64/ `@gitlawb/gl-linux-x64` x86_64-unknown-linux-musl</details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.In
@npm/README.mdaround lines 12 - 19, The fenced package tree block in the
README is missing a language tag, which triggers markdownlint noise. Update the
fenced block in the README section showing the packages list to use the
appropriate text language tag so the rendering stays the same while satisfying
the linter.</details> <!-- cr-comment:v1:ba804630984688934a113062 --> _Source: Linters/SAST tools_ </blockquote></details> <details> <summary>.github/workflows/release.yml (1)</summary><blockquote> `249-252`: _🔒 Security & Privacy_ | _🔵 Trivial_ | _⚡ Quick win_ **Disable credential persistence on the read-only checkouts.** These steps only read the release tag; the later `git push` runs from the separate `web` checkout. Set `persist-credentials: false` on both `actions/checkout` invocations to avoid leaving the default token in `.git/config`. <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.In @.github/workflows/release.yml around lines 249 - 252, The read-only checkout
steps are still persisting the default GitHub token in .git/config, which is
unnecessary here. Update both actions/checkout usages in the release workflow,
including the Checkout release tag step and the other read-only checkout, to set
persist-credentials to false. Keep the separate web checkout unchanged for the
later git push flow.</details> <!-- cr-comment:v1:2b33ee6c080b1aadf38634ba --> _Source: Linters/SAST tools_ </blockquote></details> </blockquote></details> <details> <summary>🤖 Prompt for all review comments with AI agents</summary>Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.Inline comments:
In@install.ps1:
- Around line 50-62: The checksum verification block in install.ps1 is failing
open by treating a checksum download error as optional, which allows unverified
installs. Update the try/catch around Invoke-WebRequest and the SHA256
comparison so that checksum fetch or parse failures abort the installation
instead of printing the “skipping verification” message; keep the success path
in the checksum block and make the Install script fail closed when $url.sha256
cannot be retrieved.In
@npm/packages/gl/install.js:
- Around line 55-82: The install flow in install.js can still report success
even when the supported-platform payload is missing or incomplete. Update the
packageDir lookup branch and the BINARIES copy loop so that missing the platform
package or any required binary fails the install instead of warning and
continuing; use the existing install path around packageDir, BINARIES, and the
final success log to ensure@gitlawb/glonly finishes when every expected binary
is present and copied.In
@npm/packages/gl/README.md:
- Line 57: The Windows support note in the README is inconsistent with the
installer flow used by install.js and the later Windows section of the README.
Update the wording in README.md so native Windows users are directed to
install.ps1 via PowerShell, and keep curl/WSL only for non-native or Unix-like
paths. Use the existing Windows guidance around install.js and the later README
Windows instructions as the source of truth.
Nitpick comments:
In @.github/workflows/release.yml:
- Around line 249-252: The read-only checkout steps are still persisting the
default GitHub token in .git/config, which is unnecessary here. Update both
actions/checkout usages in the release workflow, including the Checkout release
tag step and the other read-only checkout, to set persist-credentials to false.
Keep the separate web checkout unchanged for the later git push flow.In
@npm/README.md:
- Around line 12-19: The fenced package tree block in the README is missing a
language tag, which triggers markdownlint noise. Update the fenced block in the
README section showing the packages list to use the appropriate text language
tag so the rendering stays the same while satisfying the linter.</details> <details> <summary>🪄 Autofix (Beta)</summary> Fix all unresolved CodeRabbit comments on this PR: - [ ] <!-- {"checkboxId": "4b0d0e0a-96d7-4f10-b296-3a18ea78f0b9"} --> Push a commit to this branch (recommended) - [ ] <!-- {"checkboxId": "ff5b1114-7d8c-49e6-8ac1-43f82af23a33"} --> Create a new PR with the fixes </details> --- <details> <summary>ℹ️ Review info</summary> <details> <summary>⚙️ Run configuration</summary> **Configuration used**: defaults **Review profile**: CHILL **Plan**: Pro **Run ID**: `eecd954e-2767-48e0-bf47-939b69c63847` </details> <details> <summary>📥 Commits</summary> Reviewing files that changed from the base of the PR and between adc20f9effad7b42fab55002875d209c4ed79518 and 8092c9da38a14f064f19eb6514499eef5fbfca65. </details> <details> <summary>📒 Files selected for processing (14)</summary> * `.github/workflows/release.yml` * `.release-please-manifest.json` * `README.md` * `install.ps1` * `npm/.gitignore` * `npm/README.md` * `npm/packages/gl-darwin-arm64/package.json` * `npm/packages/gl-darwin-x64/package.json` * `npm/packages/gl-linux-arm64/package.json` * `npm/packages/gl-linux-x64/package.json` * `npm/packages/gl/README.md` * `npm/packages/gl/bin/.gitkeep` * `npm/packages/gl/install.js` * `npm/packages/gl/package.json` </details> </details> <!-- This is an auto-generated comment by CodeRabbit for review status -->
- install.ps1: fail closed if the .sha256 cannot be fetched; pure ASCII (no BOM)
- npm install.js: fail (exit 1 / throw) when the platform payload or a binary is
missing instead of reporting a successful but broken install
- workflow: top-level permissions {} + persist-credentials: false on read-only
checkouts
- docs: PowerShell-only Windows note; text language tag on npm/README fenced block
|
@coderabbitai please do a full review again |
|
✅ Action performedFull review finished. |
There was a problem hiding this comment.
Actionable comments posted: 5
🧹 Nitpick comments (1)
.github/workflows/release.yml (1)
311-319: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winMove the npm token guard before checkout/download work.
With
NPM_TOKENunset, this job still checks out, downloads release assets, and rewrites package metadata before skipping. Add the same early guard pattern used by Homebrew/web so npm publishing is truly inactive until configured.Proposed change
+ - name: Guard on secret + id: guard + env: + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + run: | + if [ -z "${NPM_TOKEN:-}" ]; then + echo "::warning::NPM_TOKEN is not set — skipping npm publish." + echo "enabled=false" >> "$GITHUB_OUTPUT" + else + echo "enabled=true" >> "$GITHUB_OUTPUT" + fi + - name: Publish + if: ${{ steps.guard.outputs.enabled == 'true' }} env: NPM_TOKEN: ${{ secrets.NPM_TOKEN }} run: | set -euo pipefail - if [ -z "${NPM_TOKEN:-}" ]; then - echo "::warning::NPM_TOKEN is not set — skipping npm publish." - exit 0 - fi🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml around lines 311 - 319, The Publish step currently waits until after checkout/download and package metadata rewriting before checking NPM_TOKEN, so move the guard to the start of the npm publishing job using the same early-exit pattern used by Homebrew/web. Update the Publish workflow block in release.yml so it checks NPM_TOKEN before any checkout, asset download, or mutation work, and exits immediately with the existing warning when the token is missing.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 153-154: The release workflow’s Windows leg is described as
best-effort, but the current matrix still lets a Windows failure fail the whole
`release-binaries` job and block downstream jobs. In the release workflow,
update the matrix job behavior for the Windows entry using `continue-on-error`
if Windows should remain non-blocking, or revise the existing comment near the
release matrix to remove the best-effort guarantee if failures must still gate
`npm-publish` and `homebrew-bump`. Use the `release-binaries` job and its matrix
definition as the main reference point.
- Around line 347-353: The external-repo checkout steps are persisting the PAT
in the worktree, which leaves cross-repo credentials in .git/config for later
steps. Update the checkout actions used for the tap repo and the other external
repository checkout to set persist-credentials to false, and keep the PAT
available only for the explicit git push step where it is actually needed. Use
the existing Checkout tap repo step and the other checkout block as the anchor
points for the change.
- Around line 431-434: The web-sync job is triggered too early and can update
website install scripts/version metadata before release assets are confirmed.
Update the release workflow so web-sync depends on the release-binaries job
(and/or checks its success) in addition to release-please, using the existing
web-sync and release-binaries job names to locate the workflow condition. Ensure
the website sync only runs after the binaries/assets are available.
In `@install.ps1`:
- Around line 19-22: The architecture check in install.ps1 is using
PROCESSOR_ARCHITECTURE alone, which can misidentify a supported x64 host when
running under 32-bit PowerShell. Update the install script’s architecture
detection logic to first inspect PROCESSOR_ARCHITEW6432 and only fall back to
PROCESSOR_ARCHITECTURE, then keep the existing unsupported-architecture guard
based on the resolved native architecture so x64 installs are not rejected
incorrectly.
- Around line 68-77: The install flow in install.ps1 only treats the release as
invalid when none of the binaries are present, so it can still report success
with an incomplete package. Update the logic around the foreach copy block and
the $installed check to require all CLI binaries needed for the advertised
commands (especially gl.exe and git-remote-gitlawb.exe, plus gitlawb-node.exe if
required) before any PATH/success reporting. If any required binary is missing,
fail early with a clear error instead of copying a partial set and continuing.
---
Nitpick comments:
In @.github/workflows/release.yml:
- Around line 311-319: The Publish step currently waits until after
checkout/download and package metadata rewriting before checking NPM_TOKEN, so
move the guard to the start of the npm publishing job using the same early-exit
pattern used by Homebrew/web. Update the Publish workflow block in release.yml
so it checks NPM_TOKEN before any checkout, asset download, or mutation work,
and exits immediately with the existing warning when the token is missing.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: c4879f69-af02-42da-bb68-c1a1b70f0351
📒 Files selected for processing (14)
.github/workflows/release.yml.release-please-manifest.jsonREADME.mdinstall.ps1npm/.gitignorenpm/README.mdnpm/packages/gl-darwin-arm64/package.jsonnpm/packages/gl-darwin-x64/package.jsonnpm/packages/gl-linux-arm64/package.jsonnpm/packages/gl-linux-x64/package.jsonnpm/packages/gl/README.mdnpm/packages/gl/bin/.gitkeepnpm/packages/gl/install.jsnpm/packages/gl/package.json
install.ps1 only failed when zero binaries were present, so a partial archive missing gl.exe could still report success. Require gl.exe + git-remote-gitlawb.exe (gitlawb-node.exe stays optional, matching the Windows build) and fail early if a required binary is absent.
… PATs - release-binaries: continue-on-error for the Windows leg so a failure there no longer fails the job or blocks npm/Homebrew (matches the best-effort intent) - homebrew-bump/web-sync: persist-credentials: false on the PAT-backed checkouts; supply the token only on the git push via an x-access-token URL
…taller - web-sync now needs release-binaries so the site never advertises a release whose artifacts failed to build - install.ps1 reads PROCESSOR_ARCHITEW6432 before PROCESSOR_ARCHITECTURE so a 32-bit PowerShell host on x64 Windows is not wrongly rejected
|
@coderabbitai please check again |
|
✅ Action performedFull review finished. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 314-328: The Publish step is not idempotent because the npm
publish loop in the workflow always republishes each package and will fail on
reruns once any version is already published. Update the release job logic in
the Publish step to check whether each `@gitlawb` package version already exists
before calling npm publish, and skip already-published packages so reruns can
safely continue without stopping on the first existing package. Use the existing
package loop and publish command as the entry point for this change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 01b9ab93-b496-46fc-a999-a16421f33f88
📒 Files selected for processing (14)
.github/workflows/release.yml.release-please-manifest.jsonREADME.mdinstall.ps1npm/.gitignorenpm/README.mdnpm/packages/gl-darwin-arm64/package.jsonnpm/packages/gl-darwin-x64/package.jsonnpm/packages/gl-linux-arm64/package.jsonnpm/packages/gl-linux-x64/package.jsonnpm/packages/gl/README.mdnpm/packages/gl/bin/.gitkeepnpm/packages/gl/install.jsnpm/packages/gl/package.json
Skip any @Gitlawb package version already on the registry so rerunning the job after a partial publish no longer errors on the first existing package and leaves the wrapper/platform packages out of sync.
|
@coderabbitai please do full review again and approve if all is good |
|
✅ Action performedFull review finished. |
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 108-110: The Windows matrix leg in the release workflow is
currently marked best-effort, but the website sync step can still publish
PowerShell installer metadata even when the Windows ZIP is missing. Update the
workflow around the Windows artifact build and the `web-sync` publishing steps
so `install.ps1` and `version.json` are only synced when the Windows ZIP
artifact exists. Use the existing matrix/job identifiers for the Windows release
leg and the `web-sync` job to add an explicit guard that blocks website
publication on a failed/missing Windows build.
- Around line 436-440: The release workflow’s no-op check in the generated-files
step is running before the generated file is staged, so untracked first-time
outputs can be missed. Update the relevant shell block(s) in the release job to
stage the generated file(s) before calling git diff --quiet, and apply the same
ordering to the other matching block referenced by the review. Use the existing
generated-file step around git add Formula/gl.rb and the corresponding duplicate
section to ensure newly created files are included in the commit when changes
exist.
- Around line 514-517: The release workflow’s `gh pr create` fallback is too
broad because `|| echo` treats any failure as benign. Update the logic around
the `gh pr create` step to only suppress the case where an open PR already
exists for the branch, using an explicit pre-check or equivalent `gh pr
view`/list verification before continuing. Keep the change localized to the
release job section that creates the sync PR for `$branch`.
In `@npm/packages/gl/README.md`:
- Around line 5-17: The install commands in the README are presented as
cross-platform, but the package’s install flow explicitly rejects native Windows
in install.js. Update the install section to scope the npm/yarn/pnpm/bun
commands to macOS/Linux/WSL, and add a brief pointer that native Windows users
should use the PowerShell installer instead. Keep the wording aligned with the
existing install.js behavior so the docs match the supported path.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: d86e125d-7dc4-4a4e-bb0e-aae36c252622
📒 Files selected for processing (14)
.github/workflows/release.yml.release-please-manifest.jsonREADME.mdinstall.ps1npm/.gitignorenpm/README.mdnpm/packages/gl-darwin-arm64/package.jsonnpm/packages/gl-darwin-x64/package.jsonnpm/packages/gl-linux-arm64/package.jsonnpm/packages/gl-linux-x64/package.jsonnpm/packages/gl/README.mdnpm/packages/gl/bin/.gitkeepnpm/packages/gl/install.jsnpm/packages/gl/package.json
- web-sync: verify the Windows ZIP + .sha256 exist on the release before syncing install.ps1/version.json (Windows is best-effort, so a failed leg must not make the site advertise a missing installer) - stage generated files before the no-op check so brand-new untracked files (formula, version.json) are committed instead of skipped - gh pr create: only swallow the 'PR already exists' case; surface auth/API errors - npm README: scope npm/yarn/pnpm/bun install to macOS/Linux/WSL, point native Windows at the PowerShell installer
|
@coderabbitai pleae do a full review again |
|
✅ Action performedFull review finished. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 248-263: The npm-publish job currently does checkout and
binary/download work before discovering that NPM_TOKEN is missing, so add an
early guard in the npm-publish workflow path to skip the entire job when npm
publishing is not configured. Use the existing npm-publish job and its Publish
step as the location to gate execution, and make sure all subsequent checkout,
release download, extraction, and version rewrite steps only run when the token
is present, matching the inactive behavior already used by Homebrew/web.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 1e7106cb-8d3c-4735-ae94-c2b7706918a2
📒 Files selected for processing (14)
.github/workflows/release.yml.release-please-manifest.jsonREADME.mdinstall.ps1npm/.gitignorenpm/README.mdnpm/packages/gl-darwin-arm64/package.jsonnpm/packages/gl-darwin-x64/package.jsonnpm/packages/gl-linux-arm64/package.jsonnpm/packages/gl-linux-x64/package.jsonnpm/packages/gl/README.mdnpm/packages/gl/bin/.gitkeepnpm/packages/gl/install.jsnpm/packages/gl/package.json
Check NPM_TOKEN in an up-front guard step (like homebrew-bump/web-sync) and skip checkout, release downloads, extraction, version rewrites, and publish when it is absent, instead of doing all that work and bailing in Publish.
|
can you do a full review again please @coderabbitai . approve it if all is good |
|
✅ Action performedFull review finished. |
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/release.yml (1)
121-126: 🩺 Stability & Availability | 🔴 Critical | ⚡ Quick winReplace the retired Intel macOS runner label.
macos-13is retired, so this x86_64 leg will fail before checkout and block the release pipeline. Switch it to a supported Intel label such asmacos-15-intel.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml around lines 121 - 126, The release workflow’s x86_64 macOS job is using a retired runner label, so the Intel leg will fail before checkout and block releases. Update the macOS runner setting in the release matrix for the x86_64 target in the workflow so it uses a supported Intel label, keeping the aarch64 and Windows legs unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 553-560: The fallback around gh pr list in the release workflow is
masking auth/API failures because the command substitution result is checked
directly against 0. Update the shell logic in the fallback block to inspect gh
pr list’s exit status separately before evaluating the returned count, and only
print the “PR already exists” message when the command succeeds and the length
is nonzero; otherwise let failures exit nonzero.
In `@install.ps1`:
- Around line 70-88: In install.ps1, the binary copy logic in the
install/upgrade block leaves stale executables behind when an optional binary
disappears from the new archive, causing mixed-version installs. Update the flow
around $requiredBins, $optionalBins, and the foreach copy loop so $InstallDir is
cleaned of previously installed shipped binaries before copying the current
package contents, then copy only what exists in the new archive and report
success from that refreshed set.
---
Outside diff comments:
In @.github/workflows/release.yml:
- Around line 121-126: The release workflow’s x86_64 macOS job is using a
retired runner label, so the Intel leg will fail before checkout and block
releases. Update the macOS runner setting in the release matrix for the x86_64
target in the workflow so it uses a supported Intel label, keeping the aarch64
and Windows legs unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 9557a1cc-c1a8-4a0f-8c8b-8d719809f6a1
📒 Files selected for processing (14)
.github/workflows/release.yml.release-please-manifest.jsonREADME.mdinstall.ps1npm/.gitignorenpm/README.mdnpm/packages/gl-darwin-arm64/package.jsonnpm/packages/gl-darwin-x64/package.jsonnpm/packages/gl-linux-arm64/package.jsonnpm/packages/gl-linux-x64/package.jsonnpm/packages/gl/README.mdnpm/packages/gl/bin/.gitkeepnpm/packages/gl/install.jsnpm/packages/gl/package.json
…ening - web-sync: capture gh pr list output so a real API/auth failure surfaces instead of being misread as 'PR already exists' - install.ps1: enforce TLS 1.2 and use -UseBasicParsing so downloads work on stock Windows PowerShell 5.1; remove binaries no longer shipped on upgrade so an in-place update can't leave a mixed-version install; handle an empty user PATH without a leading separator
Summary
Makes release-please actually cut releases (its manifest baseline was broken) and fans every release out to npm, Homebrew, Windows, and the website — so a single merge of the release PR ships all channels.
Motivation & context
release-please never cut a release here: the manifest said
0.3.8but the only tag is a manual lightweightv0.3.9(PR #12) andCargo.tomlis0.3.9, so there was no valid baseline (v0.3.8doesn't exist) and no release PR was ever opened. On top of that, releases only shipped a Docker image + tarballs — npm/Homebrew were manual and drifting (the standalonegl-npmrepo and the webinstall.shpointed at a stalegitlawb/releasesrepo with the wrong archive naming).Closes #
Kind of change
What changed
No Rust crates are touched — this is CI/release tooling plus a vendored npm wrapper.
.release-please-manifest.json0.3.8 → 0.3.9so release-please diffsv0.3.9..mainand opens a proper release PR; bumprelease-please-actionv4.3.0 → v5.0.0(matches the openclaude pipeline).x86_64-pc-windows-msvctorelease-binaries(ships.zip; unix keeps.tar.gz) with a portable sha256 helper; Windows builds onlygl+git-remote-gitlawbso a daemon compile failure can't block the release.@gitlawb/glwrapper + 4 platform packages intonpm/(replaces the standalonegl-npmrepo); newnpm-publishjob downloads the release tarballs, lays in binaries, stamps versions, andnpm publish --provenance.homebrew-bumpjob regeneratesFormula/gl.rbinGitlawb/homebrew-tapfrom the release checksums (brew install gitlawb/tap/gl).install.ps1(Windows installer);web-syncjob opens a PR toGitlawb/websyncinginstall.sh+install.ps1+public/version.json, removing orphanedpublic/bin, and fixing the staleskill.mdreleases link.release_createdand guarded on their secret, so they no-op until configured.How a reviewer can verify