chore: import upstream snapshot with attribution
This commit is contained in:
Executable
+111
@@ -0,0 +1,111 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Bump version, release-tag URLs, and per-platform sha256 in a Composio Homebrew formula.
|
||||
|
||||
Used by .github/workflows/cli.bump-homebrew-tap.yml. Reads inputs from env vars
|
||||
so the bash side has a clean interface; can be run locally for testing:
|
||||
|
||||
TAG=@composio/cli@0.2.29 VERSION=0.2.29 \\
|
||||
DARWIN_ARM=<sha> DARWIN_X86=<sha> LINUX_ARM=<sha> LINUX_X86=<sha> \\
|
||||
.github/scripts/bump-homebrew-formula.py path/to/Formula/composio.rb
|
||||
|
||||
Exits non-zero if any required env var is missing/invalid or if no edits land.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import re
|
||||
import sys
|
||||
|
||||
|
||||
REQUIRED_ENV = ("TAG", "VERSION", "DARWIN_ARM", "DARWIN_X86", "LINUX_ARM", "LINUX_X86")
|
||||
SHA256_RE = re.compile(r"[0-9a-f]{64}")
|
||||
|
||||
|
||||
def main(argv: list[str]) -> int:
|
||||
if len(argv) != 2:
|
||||
print(f"usage: {argv[0]} <formula-path>", file=sys.stderr)
|
||||
return 2
|
||||
|
||||
path = argv[1]
|
||||
missing = [k for k in REQUIRED_ENV if not os.environ.get(k)]
|
||||
if missing:
|
||||
print(f"missing env vars: {', '.join(missing)}", file=sys.stderr)
|
||||
return 2
|
||||
|
||||
tag = os.environ["TAG"]
|
||||
version = os.environ["VERSION"]
|
||||
shas = {
|
||||
"darwin-aarch64": os.environ["DARWIN_ARM"],
|
||||
"darwin-x64": os.environ["DARWIN_X86"],
|
||||
"linux-aarch64": os.environ["LINUX_ARM"],
|
||||
"linux-x64": os.environ["LINUX_X86"],
|
||||
}
|
||||
for plat, sha in shas.items():
|
||||
if not SHA256_RE.fullmatch(sha):
|
||||
print(f"invalid sha for {plat}: {sha!r}", file=sys.stderr)
|
||||
return 2
|
||||
|
||||
with open(path) as f:
|
||||
src = f.read()
|
||||
|
||||
# Bump version line. Lambda avoids replacement-string backreference parsing
|
||||
# (e.g. a hostile tag containing \g<1>); same defense on tag/sha below.
|
||||
src, n_ver = re.subn(
|
||||
r'^(\s*version\s+)"[^"]+"',
|
||||
lambda m: f'{m.group(1)}"{version}"',
|
||||
src,
|
||||
count=1,
|
||||
flags=re.M,
|
||||
)
|
||||
|
||||
# Bump the release-tag segment of each download URL.
|
||||
src, n_url = re.subn(
|
||||
r"(releases/download/)@composio/cli@[^/]+(/composio-)",
|
||||
lambda m: f"{m.group(1)}{tag}{m.group(2)}",
|
||||
src,
|
||||
)
|
||||
|
||||
# Bump each sha256 by pairing it with the URL line directly above.
|
||||
updated_platforms: set[str] = set()
|
||||
|
||||
def repl_sha(match: re.Match[str]) -> str:
|
||||
url_line, sha_line = match.group(1), match.group(2)
|
||||
for plat, sha in shas.items():
|
||||
if f"composio-{plat}.zip" in url_line:
|
||||
updated_platforms.add(plat)
|
||||
return url_line + re.sub(
|
||||
r'"[0-9a-f]{64}"',
|
||||
lambda _m: f'"{sha}"',
|
||||
sha_line,
|
||||
)
|
||||
return match.group(0)
|
||||
|
||||
src, n_sha = re.subn(
|
||||
r'(url\s+"[^"]+"\s*\n)(\s*sha256\s+"[0-9a-f]{64}")',
|
||||
repl_sha,
|
||||
src,
|
||||
)
|
||||
|
||||
expected_platforms = set(shas)
|
||||
if (
|
||||
n_ver != 1
|
||||
or n_url != len(shas)
|
||||
or n_sha != len(shas)
|
||||
or updated_platforms != expected_platforms
|
||||
):
|
||||
print(
|
||||
"bump produced unexpected edits "
|
||||
f"(version={n_ver}, url={n_url}, sha={n_sha}, "
|
||||
f"updated_platforms={sorted(updated_platforms)})",
|
||||
file=sys.stderr,
|
||||
)
|
||||
return 1
|
||||
|
||||
with open(path, "w") as f:
|
||||
f.write(src)
|
||||
return 0
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
sys.exit(main(sys.argv))
|
||||
Executable
+135
@@ -0,0 +1,135 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Check the validity of all actions used in the workflows.
|
||||
#
|
||||
# Example output:
|
||||
#
|
||||
# ❯ .github/scripts/check-action-repos.sh
|
||||
# Found 18 unique uses: entries
|
||||
# WARN: unrecognized uses format: ---
|
||||
# ERROR: ref not found (tag/branch/commit): peter-evans/create-pull-request@271a8d0340265f705b14b601f8cf3c8c27d2d6cf
|
||||
# ERROR: ref not found (tag/branch/commit): slackapi/slack-github-action@b4590ed38561d3cb7512cbee19cef0e0a6064ff1
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
fail=0
|
||||
|
||||
# Collect all `uses:` entries
|
||||
mapfile -t USES < <(
|
||||
yq -r '
|
||||
.jobs[]?.steps[]? |
|
||||
select(has("uses")) |
|
||||
.uses
|
||||
' .github/workflows/*.yml .github/workflows/*.yaml 2>/dev/null \
|
||||
| sed '/^null$/d' \
|
||||
| sort -u
|
||||
)
|
||||
|
||||
if [[ ${#USES[@]} -eq 0 ]]; then
|
||||
echo "No uses: entries found."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Found ${#USES[@]} unique uses: entries"
|
||||
|
||||
check_local() {
|
||||
local p="$1"
|
||||
if [[ ! -e "$p" ]]; then
|
||||
echo "ERROR: local action path does not exist: $p"
|
||||
return 1
|
||||
fi
|
||||
if [[ -d "$p" ]]; then
|
||||
if [[ -f "$p/action.yml" || -f "$p/action.yaml" ]]; then
|
||||
return 0
|
||||
fi
|
||||
echo "ERROR: local action dir missing action.yml/action.yaml: $p"
|
||||
return 1
|
||||
fi
|
||||
# If a file is used directly (rare), just ensure it exists
|
||||
return 0
|
||||
}
|
||||
|
||||
# For remote actions, verify:
|
||||
# - repo exists
|
||||
# - ref exists (tag/branch/sha)
|
||||
# - action.yml or action.yaml exists at path (or root) at that ref
|
||||
check_remote() {
|
||||
local spec="$1" # owner/repo/path@ref OR owner/repo@ref
|
||||
local before_at="${spec%@*}"
|
||||
local ref="${spec#*@}"
|
||||
|
||||
local owner_repo="${before_at%%/*}/${before_at#*/}"
|
||||
owner_repo="${owner_repo%%/*}/${owner_repo#*/}" # keep first two segments
|
||||
|
||||
local owner="${before_at%%/*}"
|
||||
local rest="${before_at#*/}"
|
||||
local repo="${rest%%/*}"
|
||||
|
||||
local path=""
|
||||
if [[ "$before_at" == */*/* ]]; then
|
||||
path="${before_at#"$owner/$repo/"}"
|
||||
fi
|
||||
|
||||
# 1) repo exists
|
||||
if ! gh api -H "Accept: application/vnd.github+json" "/repos/$owner/$repo" >/dev/null 2>&1; then
|
||||
echo "ERROR: repo not found or inaccessible: $owner/$repo (from $spec)"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# 2) ref exists (try tag, branch, then commit)
|
||||
if ! gh api -H "Accept: application/vnd.github+json" "/repos/$owner/$repo/git/ref/tags/$ref" >/dev/null 2>&1 \
|
||||
&& ! gh api -H "Accept: application/vnd.github+json" "/repos/$owner/$repo/git/ref/heads/$ref" >/dev/null 2>&1 \
|
||||
&& ! gh api -H "Accept: application/vnd.github+json" "/repos/$owner/$repo/commits/$ref" >/dev/null 2>&1
|
||||
then
|
||||
echo "ERROR: ref not found (tag/branch/commit): $spec"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# 3) action metadata exists at path (or root)
|
||||
local base_path="${path}"
|
||||
if [[ -z "$base_path" ]]; then
|
||||
base_path=""
|
||||
fi
|
||||
|
||||
local try_paths=()
|
||||
if [[ -z "$base_path" ]]; then
|
||||
try_paths=("action.yml" "action.yaml")
|
||||
else
|
||||
try_paths=("$base_path/action.yml" "$base_path/action.yaml")
|
||||
fi
|
||||
|
||||
for p in "${try_paths[@]}"; do
|
||||
if gh api -H "Accept: application/vnd.github+json" \
|
||||
"/repos/$owner/$repo/contents/$p?ref=$ref" >/dev/null 2>&1
|
||||
then
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
|
||||
echo "ERROR: action metadata not found at ref: $spec (looked for action.yml/action.yaml under '${base_path:-repo root}')"
|
||||
return 1
|
||||
}
|
||||
|
||||
for u in "${USES[@]}"; do
|
||||
# Ignore reusable workflows here: they also use `uses:` but are `./.github/workflows/x.yml` or `owner/repo/.github/workflows/x.yml@ref`
|
||||
# If you want to validate those too, add logic similar to check_local/check_remote for workflow files.
|
||||
if [[ "$u" == docker://* ]]; then
|
||||
echo "SKIP (docker image): $u"
|
||||
continue
|
||||
fi
|
||||
|
||||
if [[ "$u" == ./* ]]; then
|
||||
if ! check_local "$u"; then fail=1; fi
|
||||
continue
|
||||
fi
|
||||
|
||||
# Remote action or reusable workflow reference (both look like owner/repo/...@ref)
|
||||
if [[ "$u" == *@* && "$u" == */* ]]; then
|
||||
if ! check_remote "$u"; then fail=1; fi
|
||||
continue
|
||||
fi
|
||||
|
||||
echo "WARN: unrecognized uses format: $u"
|
||||
done
|
||||
|
||||
exit $fail
|
||||
Executable
+71
@@ -0,0 +1,71 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Report orphaned CI plumbing — the GitHub Actions analogue of the "dead file"
|
||||
# problem knip/vulture catch for TS/Python:
|
||||
#
|
||||
# * composite actions under .github/actions/* that no workflow `uses:`
|
||||
# * reusable workflows (on: workflow_call) that nothing calls AND that have
|
||||
# no self-trigger (push/pull_request/schedule/...), i.e. truly unreachable
|
||||
#
|
||||
# Report-only: prints findings and always exits 0 so it never blocks CI on a
|
||||
# heuristic. Vet anything it prints by hand before deleting.
|
||||
|
||||
set -uo pipefail
|
||||
|
||||
repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
|
||||
workflows_dir="$repo_root/.github/workflows"
|
||||
actions_dir="$repo_root/.github/actions"
|
||||
|
||||
findings=0
|
||||
|
||||
note() {
|
||||
findings=$((findings + 1))
|
||||
echo " - $1"
|
||||
}
|
||||
|
||||
echo "### Orphaned CI check"
|
||||
echo ""
|
||||
echo "Composite actions with no callers:"
|
||||
|
||||
if [[ -d "$actions_dir" ]]; then
|
||||
for action_yml in "$actions_dir"/*/action.yml "$actions_dir"/*/action.yaml; do
|
||||
[[ -f "$action_yml" ]] || continue
|
||||
name="$(basename "$(dirname "$action_yml")")"
|
||||
# A caller references it as `uses: ./.github/actions/<name>`.
|
||||
if ! grep -rqs "uses:.*\.github/actions/$name\b" "$workflows_dir" "$actions_dir"; then
|
||||
note "action \`$name\` (.github/actions/$name) is referenced by no workflow"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
[[ $findings -eq 0 ]] && echo " _(none)_"
|
||||
|
||||
before_wf=$findings
|
||||
echo ""
|
||||
echo "Reusable workflows that are unreachable:"
|
||||
|
||||
for wf in "$workflows_dir"/*.yml "$workflows_dir"/*.yaml; do
|
||||
[[ -f "$wf" ]] || continue
|
||||
# Only reusable workflows are candidates.
|
||||
grep -qs "workflow_call:" "$wf" || continue
|
||||
base="$(basename "$wf")"
|
||||
# Called by another workflow?
|
||||
if grep -rqs "uses:.*\.github/workflows/$base\b" "$workflows_dir"; then
|
||||
continue
|
||||
fi
|
||||
# Self-triggering (has a real event trigger besides workflow_call)?
|
||||
if grep -Eqs "^[[:space:]]+(push|pull_request|schedule|workflow_dispatch|release|issues|issue_comment|repository_dispatch|merge_group):" "$wf"; then
|
||||
continue
|
||||
fi
|
||||
note "workflow \`$base\` exposes workflow_call but has no caller and no self-trigger"
|
||||
done
|
||||
[[ $findings -eq $before_wf ]] && echo " _(none)_"
|
||||
|
||||
echo ""
|
||||
if [[ $findings -eq 0 ]]; then
|
||||
echo "No orphaned CI plumbing found."
|
||||
else
|
||||
echo "Found $findings orphaned CI item(s) above — review before removing."
|
||||
fi
|
||||
|
||||
# Report-only.
|
||||
exit 0
|
||||
+45
@@ -0,0 +1,45 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Create the GitHub Release as a DRAFT with every asset attached, or resume an existing
|
||||
# draft by re-uploading (--clobber). Refuse to mutate a tag that is already published.
|
||||
#
|
||||
# Drafts fire no `release: published` event and are excluded from `/releases/latest`, so no
|
||||
# anonymous consumer (install.sh, Homebrew, the redirect) can observe a release before its
|
||||
# assets are attached and verified. The release is only flipped to published by a later step.
|
||||
#
|
||||
# Inputs (env): RELEASE_TAG, RELEASE_NAME, CHECKOUT_REF, PRERELEASE, GH_TOKEN
|
||||
# BINARIES_DIR (optional, defaults to the CLI dist dir)
|
||||
set -euo pipefail
|
||||
|
||||
binaries_dir="${BINARIES_DIR:-ts/packages/cli/dist/binaries}"
|
||||
|
||||
flags=(
|
||||
--draft
|
||||
--title "$RELEASE_NAME"
|
||||
--target "$CHECKOUT_REF"
|
||||
--generate-notes
|
||||
)
|
||||
# Preserve prerelease status on the draft so betas stay prereleases once published.
|
||||
if [[ "$PRERELEASE" == "true" ]]; then
|
||||
flags+=(--prerelease)
|
||||
fi
|
||||
|
||||
# Idempotent for re-runs of a not-yet-published release: reuse an existing draft and clobber
|
||||
# its assets. Refuse to mutate a tag that is already published.
|
||||
if gh release view "$RELEASE_TAG" --json isDraft --jq '.isDraft' 2>/dev/null | grep -qx true; then
|
||||
echo "Draft $RELEASE_TAG already exists — re-uploading assets with --clobber"
|
||||
gh release upload "$RELEASE_TAG" \
|
||||
"$binaries_dir"/*.zip \
|
||||
"$binaries_dir/checksums.txt" --clobber
|
||||
elif gh release view "$RELEASE_TAG" >/dev/null 2>&1; then
|
||||
# A red ❌ here is EXPECTED, not a bug, when two runs target the same tag (e.g. two quick CLI
|
||||
# version bumps): per-tag `concurrency` serializes them, the first publishes, and the second —
|
||||
# finding the tag already published — fails loudly here rather than silently clobbering a live
|
||||
# release. If you hit this, confirm the tag is genuinely published before re-running.
|
||||
echo "::error::Release $RELEASE_TAG is already published — refusing to mutate it. Investigate the publish path."
|
||||
exit 1
|
||||
else
|
||||
gh release create "$RELEASE_TAG" "${flags[@]}" \
|
||||
"$binaries_dir"/*.zip \
|
||||
"$binaries_dir/checksums.txt"
|
||||
fi
|
||||
+148
@@ -0,0 +1,148 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Resolve the CLI release target and write its metadata to $GITHUB_OUTPUT for the
|
||||
# build/release jobs of build-cli-binaries.yml. Three modes:
|
||||
#
|
||||
# - push to `next` with a ts/packages/cli/package.json version bump → stable release
|
||||
# - push to `next` without a bump, or workflow_dispatch build-beta → rolling beta
|
||||
# - workflow_dispatch promote-stable <beta tag> → stable promotion
|
||||
#
|
||||
# Inputs (env): EVENT_NAME, ACTION_INPUT, BETA_TAG_INPUT, GITHUB_TOKEN,
|
||||
# REPOSITORY, RUN_NUMBER, COMMIT_SHA
|
||||
# Output: key=value lines appended to $GITHUB_OUTPUT
|
||||
set -euo pipefail
|
||||
|
||||
# Latest STABLE @composio/cli release tag, by true semver order (empty if none).
|
||||
#
|
||||
# A lexical sort is wrong here: "@composio/cli@0.2.9" sorts AFTER "0.2.10", so once a
|
||||
# patch reaches double digits `last` would pick the older release and beta versions
|
||||
# would regress. Parse the version triplet to numbers and sort numerically instead.
|
||||
latest_stable_tag() {
|
||||
gh release list \
|
||||
--repo "$REPOSITORY" \
|
||||
--exclude-drafts \
|
||||
--limit 1000 \
|
||||
--json tagName,isPrerelease \
|
||||
--jq '[.[]
|
||||
| select(.tagName | startswith("@composio/cli@"))
|
||||
| select(.isPrerelease == false)]
|
||||
| sort_by(.tagName | ltrimstr("@composio/cli@") | split(".") | map(tonumber))
|
||||
| last | .tagName // empty'
|
||||
}
|
||||
|
||||
# Echo the next "<major>.<minor>.<patch+1>" off the latest stable release, falling
|
||||
# back to the working-tree package.json when no stable release exists yet.
|
||||
next_beta_base_version() {
|
||||
local latest current
|
||||
latest=$(latest_stable_tag)
|
||||
if [[ -z "$latest" ]]; then
|
||||
echo "No stable @composio/cli release found, falling back to package.json" >&2
|
||||
current=$(node -p "require('./ts/packages/cli/package.json').version")
|
||||
else
|
||||
current=${latest#@composio/cli@}
|
||||
fi
|
||||
|
||||
local major minor patch
|
||||
IFS='.' read -r major minor patch <<<"$current"
|
||||
echo "${major}.${minor}.$((patch + 1))"
|
||||
}
|
||||
|
||||
emit_beta_target() {
|
||||
local next_version release_tag
|
||||
next_version=$(next_beta_base_version)
|
||||
release_tag="@composio/cli@${next_version}-beta.${RUN_NUMBER}"
|
||||
{
|
||||
echo "checkout_ref=${COMMIT_SHA}"
|
||||
echo "release_name=CLI Beta ${release_tag}"
|
||||
echo "release_tag=${release_tag}"
|
||||
echo "release_version=${next_version}"
|
||||
echo "prerelease=true"
|
||||
echo "make_latest=false"
|
||||
} >>"$GITHUB_OUTPUT"
|
||||
}
|
||||
|
||||
emit_stable_target() {
|
||||
local release_tag=$1 release_version=$2 checkout_ref=$3
|
||||
{
|
||||
echo "checkout_ref=${checkout_ref}"
|
||||
echo "release_name=CLI ${release_tag}"
|
||||
echo "release_tag=${release_tag}"
|
||||
echo "release_version=${release_version}"
|
||||
echo "prerelease=false"
|
||||
echo "make_latest=true"
|
||||
} >>"$GITHUB_OUTPUT"
|
||||
}
|
||||
|
||||
# ── Push to next ──
|
||||
if [[ "$EVENT_NAME" == "push" ]]; then
|
||||
current_version=$(node -p "require('./ts/packages/cli/package.json').version")
|
||||
previous_version=$(git show HEAD^:ts/packages/cli/package.json 2>/dev/null \
|
||||
| node -p "JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')).version" 2>/dev/null || echo "")
|
||||
|
||||
# A version bump on push is a stable release; anything else is a rolling beta.
|
||||
if [[ -n "$previous_version" && "$current_version" != "$previous_version" ]]; then
|
||||
emit_stable_target "@composio/cli@${current_version}" "$current_version" "$COMMIT_SHA"
|
||||
else
|
||||
emit_beta_target
|
||||
fi
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# ── workflow_dispatch: build-beta ──
|
||||
if [[ "$EVENT_NAME" == "workflow_dispatch" && "$ACTION_INPUT" == "build-beta" ]]; then
|
||||
emit_beta_target
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# ── workflow_dispatch: promote-stable ──
|
||||
if [[ "$ACTION_INPUT" != "promote-stable" ]]; then
|
||||
echo "Unknown action: $ACTION_INPUT" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ -z "$BETA_TAG_INPUT" ]]; then
|
||||
echo "beta_tag input is required for promote-stable" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
encoded_beta_tag=$(python3 -c 'import os, urllib.parse; print(urllib.parse.quote(os.environ["BETA_TAG_INPUT"], safe=""))')
|
||||
|
||||
release_json=$(curl -fsSL \
|
||||
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
"https://api.github.com/repos/${REPOSITORY}/releases/tags/${encoded_beta_tag}")
|
||||
|
||||
is_prerelease=$(jq -r '.prerelease' <<<"$release_json")
|
||||
if [[ "$is_prerelease" != "true" ]]; then
|
||||
echo "Release ${BETA_TAG_INPUT} is not a beta prerelease" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ! "$BETA_TAG_INPUT" =~ ^@composio/cli@([0-9]+\.[0-9]+\.[0-9]+)-beta\.[0-9]+$ ]]; then
|
||||
echo "Beta tag must match @composio/cli@<version>-beta.<number>" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
stable_version="${BASH_REMATCH[1]}"
|
||||
stable_tag="@composio/cli@${stable_version}"
|
||||
|
||||
# Refuse to re-promote an already-PUBLISHED stable release, but allow resuming an
|
||||
# existing DRAFT (a prior promote run that built assets but did not publish). The
|
||||
# REST `/releases/tags/{tag}` endpoint returns 404 for drafts, so use `gh release view`
|
||||
# — it resolves drafts by name and exposes `isDraft`.
|
||||
if isdraft=$(gh release view "$stable_tag" --json isDraft --jq '.isDraft' 2>/dev/null); then
|
||||
if [[ "$isdraft" == "true" ]]; then
|
||||
echo "Stable release ${stable_tag} exists as a draft — resuming (assets will be re-uploaded)."
|
||||
else
|
||||
echo "Stable release ${stable_tag} is already published" >&2
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
target_commitish=$(jq -r '.target_commitish' <<<"$release_json")
|
||||
if [[ -z "$target_commitish" || "$target_commitish" == "null" ]]; then
|
||||
echo "Beta release ${BETA_TAG_INPUT} does not expose target_commitish" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
emit_stable_target "$stable_tag" "$stable_version" "$target_commitish"
|
||||
Executable
+48
@@ -0,0 +1,48 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Loud failure gate: assert the full canonical asset set is attached to the release AND fully
|
||||
# uploaded (state == "uploaded"). An asset can appear in the listing while still processing,
|
||||
# which is exactly how a release ends up serving 404s — so require state == "uploaded", with a
|
||||
# bounded retry while uploads settle.
|
||||
#
|
||||
# Inputs (env): RELEASE_TAG, GH_TOKEN
|
||||
# VERIFY_ATTEMPTS / VERIFY_SLEEP_SECONDS (optional, for fast tests)
|
||||
set -euo pipefail
|
||||
|
||||
# Keep this list in lock-step with the build matrix in build-cli-binaries.yml (4 platforms)
|
||||
# plus the skill bundle and checksums. Adding a platform to the matrix must extend this list.
|
||||
expected=(
|
||||
composio-linux-x64.zip
|
||||
composio-linux-aarch64.zip
|
||||
composio-darwin-x64.zip
|
||||
composio-darwin-aarch64.zip
|
||||
composio-skill.zip
|
||||
checksums.txt
|
||||
)
|
||||
|
||||
attempts="${VERIFY_ATTEMPTS:-10}"
|
||||
sleep_seconds="${VERIFY_SLEEP_SECONDS:-15}"
|
||||
|
||||
for attempt in $(seq 1 "$attempts"); do
|
||||
# Single snapshot per attempt — querying names and state separately would open a
|
||||
# time-of-check/time-of-use gap in the very gate meant to close one.
|
||||
payload=$(gh release view "$RELEASE_TAG" --json assets)
|
||||
mapfile -t uploaded < <(jq -r '.assets[] | select(.state == "uploaded") | .name' <<<"$payload" | sort)
|
||||
|
||||
missing=()
|
||||
for want in "${expected[@]}"; do
|
||||
printf '%s\n' "${uploaded[@]}" | grep -qxF "$want" || missing+=("$want")
|
||||
done
|
||||
|
||||
if [[ ${#missing[@]} -eq 0 ]]; then
|
||||
echo "✅ All ${#expected[@]} expected assets present and uploaded."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Attempt ${attempt}/${attempts} — missing or not-yet-uploaded: ${missing[*]}"
|
||||
if [[ "$attempt" -eq "$attempts" ]]; then
|
||||
echo "::error::Release $RELEASE_TAG is incomplete — missing or not uploaded: ${missing[*]}"
|
||||
exit 1
|
||||
fi
|
||||
sleep "$sleep_seconds"
|
||||
done
|
||||
Reference in New Issue
Block a user