Files
wehub-resource-sync d68f003000
CI / Change detection (push) Has been cancelled
CI / Version drift (push) Has been cancelled
CI / Lint (push) Has been cancelled
CI / Workflow RLM cache (push) Has been cancelled
CI / Test (macos-latest) (push) Has been cancelled
CI / Test (ubuntu-latest) (push) Has been cancelled
CI / Test (windows-latest) (push) Has been cancelled
CI / npm wrapper smoke (push) Has been cancelled
CI / Mobile runtime smoke (push) Has been cancelled
CI / Workflow lint (push) Has been cancelled
CI / Documentation (push) Has been cancelled
Web Frontend / Lint & Type Check (push) Failing after 1s
Auto-close harvested PRs / close (push) Failing after 1s
cargo-deny / cargo-deny (bans licenses sources) (push) Failing after 1s
Security audit / cargo-audit (push) Failing after 1s
Sync to CNB / sync (push) Failing after 1s
cargo-deny / cargo-deny (advisories) (push) Failing after 3s
Web Frontend / Deploy to Cloudflare (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:08:23 +08:00

193 lines
7.8 KiB
Markdown

# CNB Cool mirror
`cnb.cool/codewhale.net/codewhale` is a one-way mirror of this
GitHub repository for users on networks where GitHub is slow or blocked
(primarily mainland China). The mirror receives every push to `main`, every
`fix/*`, `rebrand/*`, and `work/v*` branch used for first-party release work,
and every `v*` release tag.
## Provenance
**GitHub is the sole canonical source.** All releases, tags, and source code
originate at `github.com/Hmbown/CodeWhale`. The CNB mirror is a read-only
replica maintained by the `Sync to CNB` workflow — it exists solely to serve
users behind GFW-blocked or slow GitHub connections.
Every CNB release includes `codewhale-artifacts-sha256.txt` — a SHA256 manifest
of the CNB-built Linux x64 binaries, generated from the same source commit that
is tagged on GitHub. (CNB builds from source, so these checksums cover the
CNB-built artifacts, not GitHub's release assets.) Verify a downloaded binary
against it:
```bash
# Verify a downloaded CNB binary against the CNB manifest
sha256sum -c codewhale-artifacts-sha256.txt
```
## How it works
The mirror is maintained by the [`Sync to CNB`](../.github/workflows/sync-cnb.yml)
GitHub Actions workflow:
- **Trigger:** `push` to `main`, `push` of any `v*` tag,
release work branches matching `work/v*`, first-party fix and rebrand
branches matching `fix/*` and `rebrand/*`, or `workflow_dispatch` for manual
recovery.
- **Auth:** HTTPS basic auth as user `cnb` with the `CNB_GIT_TOKEN`
repository secret as the password.
- **Scope:** only the ref that triggered the run is pushed. Tag pushes
push exactly that tag. Branch pushes mirror `main`, first-party
`fix/*`/`rebrand/*` branches, or explicitly matched release branches. Other
feature branches and dependabot refs are intentionally *not* mirrored.
- **Concurrency:** runs are serialized via a `cnb-sync` concurrency
group so the back-to-back `main` push and tag push from
`auto-tag.yml` cannot race each other.
- **Retry:** each push is retried up to three times with linear
backoff (5s, 10s) before the workflow gives up.
CNB pipeline configuration is also source-controlled in GitHub at
[`/.cnb.yml`](../.cnb.yml). This is deliberate: the sync workflow force-mirrors
GitHub refs to CNB, so pipeline files created only on the CNB side will be
overwritten. Submit `.cnb.yml` changes through GitHub PRs and let the one-way
mirror carry them to CNB.
## CNB tag releases
When CNB receives a `v*` tag, the root `.cnb.yml` tag pipeline builds Linux x64
release assets from source and publishes a CNB release with:
- `codewhale-linux-x64`
- `codewhale-tui-linux-x64`
- `codewhale-artifacts-sha256.txt`
This gives users who can reach CNB but not GitHub a CNB-native release path.
GitHub remains the canonical macOS/Windows release matrix; the CNB tag pipeline
is the China-friendly Linux x64 fallback.
## CNB Linux CI and release preflight
First-party `fix/*` and `rebrand/*` branches are mirrored to CNB so the heavy
Linux Rust gates run on Tencent-hosted runners instead of GitHub Actions:
- `./scripts/release/check-versions.sh`
- `cargo fmt --all -- --check`
- `cargo check --workspace --all-targets --locked`
- `cargo clippy --workspace --all-targets --all-features --locked -- -D warnings`
- `cargo test --workspace --all-features --locked`
- `cargo build --release --locked -p codewhale-cli -p codewhale-tui`
- `node scripts/release/npm-wrapper-smoke.js`
Release branches matching `work/v*` also run
`./scripts/release/publish-crates.sh dry-run`. GitHub Actions keeps the cheap
drift/fmt statuses plus the macOS and Windows jobs that CNB cannot replace.
## Verifying the mirror after a release
After `release.yml` completes for a `vX.Y.Z` tag, the CNB mirror
should have both the new commit on `main` and the new tag:
```bash
# Quick check: does the new tag exist on CNB?
git ls-remote https://cnb.cool/codewhale.net/codewhale.git \
refs/tags/vX.Y.Z
# Quick check: is CNB's main at the same commit as origin/main?
gh_main=$(git ls-remote https://github.com/Hmbown/CodeWhale.git refs/heads/main | awk '{print $1}')
cnb_main=$(git ls-remote https://cnb.cool/codewhale.net/codewhale.git refs/heads/main | awk '{print $1}')
test "$gh_main" = "$cnb_main" && echo "in sync" || echo "DIVERGED: gh=$gh_main cnb=$cnb_main"
```
Or check the workflow run directly:
```bash
gh run list --workflow=sync-cnb.yml --repo Hmbown/CodeWhale --limit 5
```
If the most recent run for the release tag is `success`, the mirror
caught it. If it's `failure`, fix or re-run the mirror workflow before
directing users to the mirrored tag.
## Manual fallback
Manual mirror repair is maintainer-only. Do not put PATs in remote URLs or
publish force-push recipes in contributor-facing docs. Use the configured
GitHub Actions secret and the workflow dispatch path whenever possible.
### Re-trigger the workflow manually
If the workflow is healthy but happened to fail on the release run
(e.g. a transient CNB outage that's since cleared), retrigger it
without pushing anything:
```bash
gh workflow run sync-cnb.yml --repo Hmbown/CodeWhale
```
`workflow_dispatch` runs against the workflow's default branch
(`main`), so this will sync the current `main` to CNB. To re-sync
a specific tag, the manual `git push cnb` path above is the way.
## Rotating `CNB_GIT_TOKEN`
If the workflow starts failing with auth errors and the token has
expired:
1. Log in to `cnb.cool` and generate a new personal access token
with `repo` (push) scope.
2. Update the `CNB_GIT_TOKEN` repository secret:
```bash
gh secret set CNB_GIT_TOKEN --repo Hmbown/CodeWhale
```
3. Re-trigger the workflow on a recent commit:
```bash
gh workflow run sync-cnb.yml --repo Hmbown/CodeWhale
```
4. Confirm the run succeeds via `gh run list --workflow=sync-cnb.yml`.
## Binary release assets and `codewhale update`
CNB now builds Linux x64 assets for `v*` tags from the source-controlled
`.cnb.yml` pipeline. GitHub remains the canonical macOS/Windows release matrix. Users
behind GitHub-blocking networks should use one of these paths:
- **`cargo install`** from the CNB mirror:
```bash
cargo install --git https://cnb.cool/codewhale.net/codewhale --tag vX.Y.Z codewhale-cli
cargo install --git https://cnb.cool/codewhale.net/codewhale --tag vX.Y.Z codewhale-tui
```
(Both binaries are required — the dispatcher and the TUI ship
separately; see `AGENTS.md` for the two-binary install rationale.)
Linux build-time dependencies (`build-essential`, `pkg-config`,
`libdbus-1-dev` on Debian/Ubuntu) are required — see
[INSTALL.md](INSTALL.md#4-install-via-cargo-any-tier-1-rust-target).
- **CNB release assets** for Linux x64, when the matching CNB tag pipeline has
completed successfully. Download `codewhale-linux-x64`,
`codewhale-tui-linux-x64`, and `codewhale-artifacts-sha256.txt` from the CNB
release for `vX.Y.Z`, then verify the binaries against the manifest.
- **`DEEPSEEK_TUI_RELEASE_BASE_URL`** environment variable, if a
CDN mirror of release assets exists. The npm
wrapper installer and `codewhale update` read this variable to redirect
binary downloads. For `codewhale update`, also set
`DEEPSEEK_TUI_VERSION=X.Y.Z` so the updater can label the mirrored
release without contacting GitHub. The directory pointed to must contain
`codewhale-artifacts-sha256.txt` and the platform binaries; format matches
a GitHub Release asset directory.
## Clone from CNB
For a stable install, clone `main` or a release tag from:
```bash
https://cnb.cool/codewhale.net/codewhale.git
```
The mirror receives `main`, release tags, and matched release branches. GitHub
is the fallback when the CNB workflow or credentials are unhealthy.
CNB deploy-button examples live in `deploy/tencent-lighthouse/cnb/`. They are
not active until copied into `.cnb.yml` and `.cnb/tag_deploy.yml`, because live
deploy jobs require a Lighthouse deploy key, target host, and explicit CNB
quota/billing policy.