chore: import upstream snapshot with attribution

This commit is contained in:
wehub-resource-sync
2026-07-13 12:38:34 +08:00
commit 0549b088a4
2405 changed files with 810255 additions and 0 deletions
+45
View File
@@ -0,0 +1,45 @@
#!/usr/bin/env bash
#
# Create the GitHub Release as a DRAFT with every asset attached, or resume an existing
# draft by re-uploading (--clobber). Refuse to mutate a tag that is already published.
#
# Drafts fire no `release: published` event and are excluded from `/releases/latest`, so no
# anonymous consumer (install.sh, Homebrew, the redirect) can observe a release before its
# assets are attached and verified. The release is only flipped to published by a later step.
#
# Inputs (env): RELEASE_TAG, RELEASE_NAME, CHECKOUT_REF, PRERELEASE, GH_TOKEN
# BINARIES_DIR (optional, defaults to the CLI dist dir)
set -euo pipefail
binaries_dir="${BINARIES_DIR:-ts/packages/cli/dist/binaries}"
flags=(
--draft
--title "$RELEASE_NAME"
--target "$CHECKOUT_REF"
--generate-notes
)
# Preserve prerelease status on the draft so betas stay prereleases once published.
if [[ "$PRERELEASE" == "true" ]]; then
flags+=(--prerelease)
fi
# Idempotent for re-runs of a not-yet-published release: reuse an existing draft and clobber
# its assets. Refuse to mutate a tag that is already published.
if gh release view "$RELEASE_TAG" --json isDraft --jq '.isDraft' 2>/dev/null | grep -qx true; then
echo "Draft $RELEASE_TAG already exists — re-uploading assets with --clobber"
gh release upload "$RELEASE_TAG" \
"$binaries_dir"/*.zip \
"$binaries_dir/checksums.txt" --clobber
elif gh release view "$RELEASE_TAG" >/dev/null 2>&1; then
# A red ❌ here is EXPECTED, not a bug, when two runs target the same tag (e.g. two quick CLI
# version bumps): per-tag `concurrency` serializes them, the first publishes, and the second —
# finding the tag already published — fails loudly here rather than silently clobbering a live
# release. If you hit this, confirm the tag is genuinely published before re-running.
echo "::error::Release $RELEASE_TAG is already published — refusing to mutate it. Investigate the publish path."
exit 1
else
gh release create "$RELEASE_TAG" "${flags[@]}" \
"$binaries_dir"/*.zip \
"$binaries_dir/checksums.txt"
fi
+148
View File
@@ -0,0 +1,148 @@
#!/usr/bin/env bash
#
# Resolve the CLI release target and write its metadata to $GITHUB_OUTPUT for the
# build/release jobs of build-cli-binaries.yml. Three modes:
#
# - push to `next` with a ts/packages/cli/package.json version bump → stable release
# - push to `next` without a bump, or workflow_dispatch build-beta → rolling beta
# - workflow_dispatch promote-stable <beta tag> → stable promotion
#
# Inputs (env): EVENT_NAME, ACTION_INPUT, BETA_TAG_INPUT, GITHUB_TOKEN,
# REPOSITORY, RUN_NUMBER, COMMIT_SHA
# Output: key=value lines appended to $GITHUB_OUTPUT
set -euo pipefail
# Latest STABLE @composio/cli release tag, by true semver order (empty if none).
#
# A lexical sort is wrong here: "@composio/cli@0.2.9" sorts AFTER "0.2.10", so once a
# patch reaches double digits `last` would pick the older release and beta versions
# would regress. Parse the version triplet to numbers and sort numerically instead.
latest_stable_tag() {
gh release list \
--repo "$REPOSITORY" \
--exclude-drafts \
--limit 1000 \
--json tagName,isPrerelease \
--jq '[.[]
| select(.tagName | startswith("@composio/cli@"))
| select(.isPrerelease == false)]
| sort_by(.tagName | ltrimstr("@composio/cli@") | split(".") | map(tonumber))
| last | .tagName // empty'
}
# Echo the next "<major>.<minor>.<patch+1>" off the latest stable release, falling
# back to the working-tree package.json when no stable release exists yet.
next_beta_base_version() {
local latest current
latest=$(latest_stable_tag)
if [[ -z "$latest" ]]; then
echo "No stable @composio/cli release found, falling back to package.json" >&2
current=$(node -p "require('./ts/packages/cli/package.json').version")
else
current=${latest#@composio/cli@}
fi
local major minor patch
IFS='.' read -r major minor patch <<<"$current"
echo "${major}.${minor}.$((patch + 1))"
}
emit_beta_target() {
local next_version release_tag
next_version=$(next_beta_base_version)
release_tag="@composio/cli@${next_version}-beta.${RUN_NUMBER}"
{
echo "checkout_ref=${COMMIT_SHA}"
echo "release_name=CLI Beta ${release_tag}"
echo "release_tag=${release_tag}"
echo "release_version=${next_version}"
echo "prerelease=true"
echo "make_latest=false"
} >>"$GITHUB_OUTPUT"
}
emit_stable_target() {
local release_tag=$1 release_version=$2 checkout_ref=$3
{
echo "checkout_ref=${checkout_ref}"
echo "release_name=CLI ${release_tag}"
echo "release_tag=${release_tag}"
echo "release_version=${release_version}"
echo "prerelease=false"
echo "make_latest=true"
} >>"$GITHUB_OUTPUT"
}
# ── Push to next ──
if [[ "$EVENT_NAME" == "push" ]]; then
current_version=$(node -p "require('./ts/packages/cli/package.json').version")
previous_version=$(git show HEAD^:ts/packages/cli/package.json 2>/dev/null \
| node -p "JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')).version" 2>/dev/null || echo "")
# A version bump on push is a stable release; anything else is a rolling beta.
if [[ -n "$previous_version" && "$current_version" != "$previous_version" ]]; then
emit_stable_target "@composio/cli@${current_version}" "$current_version" "$COMMIT_SHA"
else
emit_beta_target
fi
exit 0
fi
# ── workflow_dispatch: build-beta ──
if [[ "$EVENT_NAME" == "workflow_dispatch" && "$ACTION_INPUT" == "build-beta" ]]; then
emit_beta_target
exit 0
fi
# ── workflow_dispatch: promote-stable ──
if [[ "$ACTION_INPUT" != "promote-stable" ]]; then
echo "Unknown action: $ACTION_INPUT" >&2
exit 1
fi
if [[ -z "$BETA_TAG_INPUT" ]]; then
echo "beta_tag input is required for promote-stable" >&2
exit 1
fi
encoded_beta_tag=$(python3 -c 'import os, urllib.parse; print(urllib.parse.quote(os.environ["BETA_TAG_INPUT"], safe=""))')
release_json=$(curl -fsSL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/${REPOSITORY}/releases/tags/${encoded_beta_tag}")
is_prerelease=$(jq -r '.prerelease' <<<"$release_json")
if [[ "$is_prerelease" != "true" ]]; then
echo "Release ${BETA_TAG_INPUT} is not a beta prerelease" >&2
exit 1
fi
if [[ ! "$BETA_TAG_INPUT" =~ ^@composio/cli@([0-9]+\.[0-9]+\.[0-9]+)-beta\.[0-9]+$ ]]; then
echo "Beta tag must match @composio/cli@<version>-beta.<number>" >&2
exit 1
fi
stable_version="${BASH_REMATCH[1]}"
stable_tag="@composio/cli@${stable_version}"
# Refuse to re-promote an already-PUBLISHED stable release, but allow resuming an
# existing DRAFT (a prior promote run that built assets but did not publish). The
# REST `/releases/tags/{tag}` endpoint returns 404 for drafts, so use `gh release view`
# — it resolves drafts by name and exposes `isDraft`.
if isdraft=$(gh release view "$stable_tag" --json isDraft --jq '.isDraft' 2>/dev/null); then
if [[ "$isdraft" == "true" ]]; then
echo "Stable release ${stable_tag} exists as a draft — resuming (assets will be re-uploaded)."
else
echo "Stable release ${stable_tag} is already published" >&2
exit 1
fi
fi
target_commitish=$(jq -r '.target_commitish' <<<"$release_json")
if [[ -z "$target_commitish" || "$target_commitish" == "null" ]]; then
echo "Beta release ${BETA_TAG_INPUT} does not expose target_commitish" >&2
exit 1
fi
emit_stable_target "$stable_tag" "$stable_version" "$target_commitish"
+48
View File
@@ -0,0 +1,48 @@
#!/usr/bin/env bash
#
# Loud failure gate: assert the full canonical asset set is attached to the release AND fully
# uploaded (state == "uploaded"). An asset can appear in the listing while still processing,
# which is exactly how a release ends up serving 404s — so require state == "uploaded", with a
# bounded retry while uploads settle.
#
# Inputs (env): RELEASE_TAG, GH_TOKEN
# VERIFY_ATTEMPTS / VERIFY_SLEEP_SECONDS (optional, for fast tests)
set -euo pipefail
# Keep this list in lock-step with the build matrix in build-cli-binaries.yml (4 platforms)
# plus the skill bundle and checksums. Adding a platform to the matrix must extend this list.
expected=(
composio-linux-x64.zip
composio-linux-aarch64.zip
composio-darwin-x64.zip
composio-darwin-aarch64.zip
composio-skill.zip
checksums.txt
)
attempts="${VERIFY_ATTEMPTS:-10}"
sleep_seconds="${VERIFY_SLEEP_SECONDS:-15}"
for attempt in $(seq 1 "$attempts"); do
# Single snapshot per attempt — querying names and state separately would open a
# time-of-check/time-of-use gap in the very gate meant to close one.
payload=$(gh release view "$RELEASE_TAG" --json assets)
mapfile -t uploaded < <(jq -r '.assets[] | select(.state == "uploaded") | .name' <<<"$payload" | sort)
missing=()
for want in "${expected[@]}"; do
printf '%s\n' "${uploaded[@]}" | grep -qxF "$want" || missing+=("$want")
done
if [[ ${#missing[@]} -eq 0 ]]; then
echo "✅ All ${#expected[@]} expected assets present and uploaded."
exit 0
fi
echo "Attempt ${attempt}/${attempts} — missing or not-yet-uploaded: ${missing[*]}"
if [[ "$attempt" -eq "$attempts" ]]; then
echo "::error::Release $RELEASE_TAG is incomplete — missing or not uploaded: ${missing[*]}"
exit 1
fi
sleep "$sleep_seconds"
done