From 9ae8e1dad89bccf0843030d71d4dcb91eab598af Mon Sep 17 00:00:00 2001 From: Nelson Osacky Date: Thu, 12 Mar 2026 13:06:51 +0100 Subject: [PATCH 1/7] ci(build): Add snapshot release workflow Add a workflow_dispatch-triggered snapshot release pipeline that reuses the existing build workflow. Snapshot builds skip macOS code signing, override versions with a snapshot identifier, and publish to npm under the `snapshot` tag. - Add `workflow_call` inputs to build.yml for `skip-signing` and `snapshot-version` - Add `override-version` composite action to patch Cargo.toml, package.json, and npm-binary-distributions - Add `snapshot.yml` workflow that computes a snapshot version, triggers the build, and publishes to npm - Skip Python, Docker, and merge jobs for snapshot builds Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/actions/override-version/action.yml | 55 ++++++++++++++++ .github/workflows/build.yml | 55 +++++++++++++++- .github/workflows/snapshot.yml | 72 +++++++++++++++++++++ 3 files changed, 181 insertions(+), 1 deletion(-) create mode 100644 .github/actions/override-version/action.yml create mode 100644 .github/workflows/snapshot.yml diff --git a/.github/actions/override-version/action.yml b/.github/actions/override-version/action.yml new file mode 100644 index 0000000000..9ad4c80e1e --- /dev/null +++ b/.github/actions/override-version/action.yml @@ -0,0 +1,55 @@ +name: Override Version +description: Patch version strings for snapshot builds + +inputs: + version: + required: true + description: The version string to set + target: + required: true + description: 'What to patch: cargo, npm, npm-distributions' + +runs: + using: composite + steps: + - name: Patch Cargo.toml and lockfile + if: inputs.target == 'cargo' + shell: bash + run: | + VERSION="${{ inputs.version }}" + + sed -i.bak "s/^version = \".*\"/version = \"$VERSION\"/" Cargo.toml + rm -f Cargo.toml.bak + + awk -v ver="$VERSION" ' + /^name = "sentry-cli"/ { found = 1 } + found && /^version = "/ { $0 = "version = \"" ver "\""; found = 0 } + { print } + ' Cargo.lock > Cargo.lock.tmp && mv Cargo.lock.tmp Cargo.lock + + - name: Patch package.json + if: inputs.target == 'npm' + shell: bash + run: | + node -e " + const fs = require('fs'); + const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8')); + pkg.version = '${{ inputs.version }}'; + for (const dep of Object.keys(pkg.optionalDependencies || {})) { + pkg.optionalDependencies[dep] = '${{ inputs.version }}'; + } + fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n'); + " + + - name: Patch npm binary distribution packages + if: inputs.target == 'npm-distributions' + shell: bash + run: | + for pkgjson in npm-binary-distributions/*/package.json; do + node -e " + const fs = require('fs'); + const pkg = JSON.parse(fs.readFileSync('$pkgjson', 'utf8')); + pkg.version = '${{ inputs.version }}'; + fs.writeFileSync('$pkgjson', JSON.stringify(pkg, null, 2) + '\n'); + " + done diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 36cb00d86d..ad5316a4dc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -4,6 +4,14 @@ on: push: branches: - release/** + workflow_call: + inputs: + skip-signing: + type: boolean + default: false + snapshot-version: + type: string + default: '' jobs: linux: @@ -33,6 +41,13 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + - name: Override version + if: ${{ inputs.snapshot-version != '' }} + uses: ./.github/actions/override-version + with: + version: ${{ inputs.snapshot-version }} + target: cargo + - name: Add Rustup Target run: | rustup set profile minimal @@ -69,6 +84,13 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + - name: Override version + if: ${{ inputs.snapshot-version != '' }} + uses: ./.github/actions/override-version + with: + version: ${{ inputs.snapshot-version }} + target: cargo + - name: Add Rustup Target run: rustup target add ${{ matrix.target }} @@ -154,9 +176,11 @@ jobs: steps: - name: Checkout repository + if: ${{ !inputs.skip-signing }} uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 - name: Install `rcodesign` + if: ${{ !inputs.skip-signing }} run: | curl -L https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.29.0/apple-codesign-0.29.0-x86_64-unknown-linux-musl.tar.gz \ -o rcodesign.tar.gz @@ -166,6 +190,7 @@ jobs: rm rcodesign.tar.gz - name: Decode Apple signing certificate and API key + if: ${{ !inputs.skip-signing }} env: APPLE_CERT_DATA: ${{ secrets.APPLE_CERT_DATA }} APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} @@ -179,6 +204,7 @@ jobs: name: unsigned-bin-macos-${{ matrix.arch }} - name: Sign binary + if: ${{ !inputs.skip-signing }} run: | rcodesign sign \ --for-notarization \ @@ -188,17 +214,19 @@ jobs: sentry-cli-Darwin-${{ matrix.arch }} - name: Zip signed binary + if: ${{ !inputs.skip-signing }} run: | zip sentry-cli-Darwin-${{ matrix.arch }}.zip sentry-cli-Darwin-${{ matrix.arch }} - name: Notarize binary + if: ${{ !inputs.skip-signing }} run: | rcodesign notary-submit \ --api-key-file ${{ env.APPLE_API_KEY_PATH }} \ --wait \ sentry-cli-Darwin-${{ matrix.arch }}.zip - - name: Upload signed binary + - name: Upload binary uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # 7.0.0 with: name: artifact-bin-macos-${{ matrix.arch }} @@ -220,6 +248,13 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + - name: Override version + if: ${{ inputs.snapshot-version != '' }} + uses: ./.github/actions/override-version + with: + version: ${{ inputs.snapshot-version }} + target: cargo + # When rustup is updated, it tries to replace its binary, which on Windows is somehow locked. # This can result in the CI failure, see: https://github.com/rust-lang/rustup/issues/3029 - name: Disable rustup self-update @@ -259,6 +294,13 @@ jobs: - name: Install dependencies run: npm ci --ignore-scripts + - name: Override version + if: ${{ inputs.snapshot-version != '' }} + uses: ./.github/actions/override-version + with: + version: ${{ inputs.snapshot-version }} + target: npm + - name: Download compiled binaries uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # 8.0.0 with: @@ -280,6 +322,7 @@ jobs: if-no-files-found: 'error' python-base: + if: ${{ !inputs.snapshot-version }} name: python (base) runs-on: ubuntu-24.04 steps: @@ -297,6 +340,7 @@ jobs: if-no-files-found: 'error' python: + if: ${{ !inputs.snapshot-version }} name: python runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows, python-base] @@ -331,6 +375,12 @@ jobs: - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # 6.2.0 with: node-version: '20.10.0' + - name: Override version + if: ${{ inputs.snapshot-version != '' }} + uses: ./.github/actions/override-version + with: + version: ${{ inputs.snapshot-version }} + target: npm-distributions - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # 8.0.0 with: pattern: artifact-bin-* @@ -366,6 +416,7 @@ jobs: if-no-files-found: 'error' platform-specific-docker: + if: ${{ !inputs.snapshot-version }} name: Build Docker Image (${{ matrix.platform }}) strategy: matrix: @@ -402,6 +453,7 @@ jobs: cache-to: type=gha,mode=max,scope=${{ matrix.platform }} multiarch-docker: + if: ${{ !inputs.snapshot-version }} name: Create Multi-Architecture Docker Image needs: platform-specific-docker runs-on: ubuntu-24.04 @@ -422,6 +474,7 @@ jobs: ghcr.io/${{ github.repository }}:${{ github.sha }}-arm64 merge: + if: ${{ !inputs.snapshot-version }} name: Create Release Artifact runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows, npm-distributions, node, python] diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml new file mode 100644 index 0000000000..a5d52c7b34 --- /dev/null +++ b/.github/workflows/snapshot.yml @@ -0,0 +1,72 @@ +name: Snapshot Release + +on: + workflow_dispatch: + +jobs: + compute-version: + name: Compute Snapshot Version + runs-on: ubuntu-24.04 + outputs: + version: ${{ steps.version.outputs.version }} + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + + - name: Compute snapshot version + id: version + run: | + CURRENT=$(grep '^version = ' Cargo.toml | head -1 | sed 's/version = "\(.*\)"/\1/') + MAJOR=$(echo "$CURRENT" | cut -d. -f1) + MINOR=$(echo "$CURRENT" | cut -d. -f2) + NEXT_MINOR=$((MINOR + 1)) + DATE=$(date -u +%Y%m%d) + SHORT_SHA=$(git rev-parse --short HEAD) + VERSION="${MAJOR}.${NEXT_MINOR}.0-snapshot.${DATE}.${SHORT_SHA}" + echo "version=$VERSION" >> "$GITHUB_OUTPUT" + echo "Snapshot version: $VERSION" + + build: + name: Build + needs: compute-version + uses: ./.github/workflows/build.yml + with: + skip-signing: true + snapshot-version: ${{ needs.compute-version.outputs.version }} + secrets: inherit + + publish-npm: + name: Publish to npm + needs: [compute-version, build] + runs-on: ubuntu-24.04 + steps: + - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # 6.2.0 + with: + node-version: '20.10.0' + registry-url: 'https://registry.npmjs.org' + + - name: Download npm binary distributions + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # 8.0.0 + with: + name: artifact-npm-binary-distributions + path: npm-distributions + + - name: Download node package + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # 8.0.0 + with: + name: artifact-pkg-node + path: node-package + + - name: Publish platform packages + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + run: | + for pkg in npm-distributions/*.tgz; do + echo "Publishing $pkg" + npm publish "$pkg" --tag snapshot + done + + - name: Publish main package + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + run: | + npm publish node-package/*.tgz --tag snapshot From 9947a3cdd614fa93c2786c7db6488f2abfcb2c85 Mon Sep 17 00:00:00 2001 From: Nelson Osacky Date: Thu, 12 Mar 2026 15:01:21 +0100 Subject: [PATCH 2/7] ref(ci): Align snapshot versioning with release workflow Instead of patching version files at build time via the override-version composite action, snapshots now follow the same pattern as releases: bump all version files upfront using bump-version.sh, commit to a temporary snapshot branch, and let build.yml build from correct source. This removes the fragile override-version action (called 5 times across different jobs with sed/awk/node), replaces the snapshot-version input with checkout-ref and is-snapshot, and adds a cleanup job to delete the temporary branch after publish. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/actions/override-version/action.yml | 55 ------------------- .github/workflows/build.yml | 61 ++++++++------------- .github/workflows/snapshot.yml | 52 ++++++++++++++++-- 3 files changed, 71 insertions(+), 97 deletions(-) delete mode 100644 .github/actions/override-version/action.yml diff --git a/.github/actions/override-version/action.yml b/.github/actions/override-version/action.yml deleted file mode 100644 index 9ad4c80e1e..0000000000 --- a/.github/actions/override-version/action.yml +++ /dev/null @@ -1,55 +0,0 @@ -name: Override Version -description: Patch version strings for snapshot builds - -inputs: - version: - required: true - description: The version string to set - target: - required: true - description: 'What to patch: cargo, npm, npm-distributions' - -runs: - using: composite - steps: - - name: Patch Cargo.toml and lockfile - if: inputs.target == 'cargo' - shell: bash - run: | - VERSION="${{ inputs.version }}" - - sed -i.bak "s/^version = \".*\"/version = \"$VERSION\"/" Cargo.toml - rm -f Cargo.toml.bak - - awk -v ver="$VERSION" ' - /^name = "sentry-cli"/ { found = 1 } - found && /^version = "/ { $0 = "version = \"" ver "\""; found = 0 } - { print } - ' Cargo.lock > Cargo.lock.tmp && mv Cargo.lock.tmp Cargo.lock - - - name: Patch package.json - if: inputs.target == 'npm' - shell: bash - run: | - node -e " - const fs = require('fs'); - const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8')); - pkg.version = '${{ inputs.version }}'; - for (const dep of Object.keys(pkg.optionalDependencies || {})) { - pkg.optionalDependencies[dep] = '${{ inputs.version }}'; - } - fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n'); - " - - - name: Patch npm binary distribution packages - if: inputs.target == 'npm-distributions' - shell: bash - run: | - for pkgjson in npm-binary-distributions/*/package.json; do - node -e " - const fs = require('fs'); - const pkg = JSON.parse(fs.readFileSync('$pkgjson', 'utf8')); - pkg.version = '${{ inputs.version }}'; - fs.writeFileSync('$pkgjson', JSON.stringify(pkg, null, 2) + '\n'); - " - done diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ad5316a4dc..e662e3f883 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,7 +9,10 @@ on: skip-signing: type: boolean default: false - snapshot-version: + is-snapshot: + type: boolean + default: false + checkout-ref: type: string default: '' @@ -40,13 +43,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 - - - name: Override version - if: ${{ inputs.snapshot-version != '' }} - uses: ./.github/actions/override-version with: - version: ${{ inputs.snapshot-version }} - target: cargo + ref: ${{ inputs.checkout-ref }} - name: Add Rustup Target run: | @@ -83,13 +81,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 - - - name: Override version - if: ${{ inputs.snapshot-version != '' }} - uses: ./.github/actions/override-version with: - version: ${{ inputs.snapshot-version }} - target: cargo + ref: ${{ inputs.checkout-ref }} - name: Add Rustup Target run: rustup target add ${{ matrix.target }} @@ -178,6 +171,8 @@ jobs: - name: Checkout repository if: ${{ !inputs.skip-signing }} uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ inputs.checkout-ref }} - name: Install `rcodesign` if: ${{ !inputs.skip-signing }} @@ -247,13 +242,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 - - - name: Override version - if: ${{ inputs.snapshot-version != '' }} - uses: ./.github/actions/override-version with: - version: ${{ inputs.snapshot-version }} - target: cargo + ref: ${{ inputs.checkout-ref }} # When rustup is updated, it tries to replace its binary, which on Windows is somehow locked. # This can result in the CI failure, see: https://github.com/rust-lang/rustup/issues/3029 @@ -286,6 +276,8 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ inputs.checkout-ref }} - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # 6.2.0 with: @@ -294,13 +286,6 @@ jobs: - name: Install dependencies run: npm ci --ignore-scripts - - name: Override version - if: ${{ inputs.snapshot-version != '' }} - uses: ./.github/actions/override-version - with: - version: ${{ inputs.snapshot-version }} - target: npm - - name: Download compiled binaries uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # 8.0.0 with: @@ -322,11 +307,13 @@ jobs: if-no-files-found: 'error' python-base: - if: ${{ !inputs.snapshot-version }} + if: ${{ !inputs.is-snapshot }} name: python (base) runs-on: ubuntu-24.04 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ inputs.checkout-ref }} - name: Add Rustup Target run: rustup target add x86_64-unknown-linux-musl - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # 6.2.0 @@ -340,12 +327,14 @@ jobs: if-no-files-found: 'error' python: - if: ${{ !inputs.snapshot-version }} + if: ${{ !inputs.is-snapshot }} name: python runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows, python-base] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ inputs.checkout-ref }} - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # 6.2.0 with: python-version: '3.11' @@ -372,15 +361,11 @@ jobs: needs: [linux, sign-macos-binaries, windows] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ inputs.checkout-ref }} - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # 6.2.0 with: node-version: '20.10.0' - - name: Override version - if: ${{ inputs.snapshot-version != '' }} - uses: ./.github/actions/override-version - with: - version: ${{ inputs.snapshot-version }} - target: npm-distributions - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # 8.0.0 with: pattern: artifact-bin-* @@ -416,7 +401,7 @@ jobs: if-no-files-found: 'error' platform-specific-docker: - if: ${{ !inputs.snapshot-version }} + if: ${{ !inputs.is-snapshot }} name: Build Docker Image (${{ matrix.platform }}) strategy: matrix: @@ -431,6 +416,8 @@ jobs: packages: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ inputs.checkout-ref }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # 3.12.0 @@ -453,7 +440,7 @@ jobs: cache-to: type=gha,mode=max,scope=${{ matrix.platform }} multiarch-docker: - if: ${{ !inputs.snapshot-version }} + if: ${{ !inputs.is-snapshot }} name: Create Multi-Architecture Docker Image needs: platform-specific-docker runs-on: ubuntu-24.04 @@ -474,7 +461,7 @@ jobs: ghcr.io/${{ github.repository }}:${{ github.sha }}-arm64 merge: - if: ${{ !inputs.snapshot-version }} + if: ${{ !inputs.is-snapshot }} name: Create Release Artifact runs-on: ubuntu-24.04 needs: [linux, sign-macos-binaries, windows, npm-distributions, node, python] diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml index a5d52c7b34..0dd217bf00 100644 --- a/.github/workflows/snapshot.yml +++ b/.github/workflows/snapshot.yml @@ -3,15 +3,24 @@ name: Snapshot Release on: workflow_dispatch: +permissions: + contents: write + jobs: - compute-version: - name: Compute Snapshot Version + prepare: + name: Prepare Snapshot runs-on: ubuntu-24.04 outputs: version: ${{ steps.version.outputs.version }} + ref: ${{ steps.push.outputs.ref }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + # Computes a semver-compliant snapshot version based on the current + # version in Cargo.toml. The minor version is bumped so that the + # snapshot sorts higher than the current release but lower than the + # next real release. For example, if Cargo.toml has 3.3.1, the + # snapshot version will be 3.4.0-snapshot.20260312.abc1234. - name: Compute snapshot version id: version run: | @@ -23,20 +32,41 @@ jobs: SHORT_SHA=$(git rev-parse --short HEAD) VERSION="${MAJOR}.${NEXT_MINOR}.0-snapshot.${DATE}.${SHORT_SHA}" echo "version=$VERSION" >> "$GITHUB_OUTPUT" + echo "current=$CURRENT" >> "$GITHUB_OUTPUT" echo "Snapshot version: $VERSION" + - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # 6.2.0 + with: + node-version: '20.10.0' + + - name: Bump versions + run: scripts/bump-version.sh "${{ steps.version.outputs.current }}" "${{ steps.version.outputs.version }}" + + - name: Push snapshot branch + id: push + run: | + BRANCH="snapshot/${{ steps.version.outputs.version }}" + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + git checkout -b "$BRANCH" + git add -A + git commit -m "snapshot: ${{ steps.version.outputs.version }}" + git push origin "$BRANCH" + echo "ref=$BRANCH" >> "$GITHUB_OUTPUT" + build: name: Build - needs: compute-version + needs: prepare uses: ./.github/workflows/build.yml with: skip-signing: true - snapshot-version: ${{ needs.compute-version.outputs.version }} + is-snapshot: true + checkout-ref: ${{ needs.prepare.outputs.ref }} secrets: inherit publish-npm: name: Publish to npm - needs: [compute-version, build] + needs: [prepare, build] runs-on: ubuntu-24.04 steps: - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # 6.2.0 @@ -70,3 +100,15 @@ jobs: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: | npm publish node-package/*.tgz --tag snapshot + + cleanup: + name: Cleanup + needs: [prepare, publish-npm] + if: always() + runs-on: ubuntu-24.04 + steps: + - name: Delete snapshot branch + env: + GH_TOKEN: ${{ github.token }} + run: | + gh api -X DELETE "repos/${{ github.repository }}/git/refs/heads/${{ needs.prepare.outputs.ref }}" || true From 163d174c9f76fb2d903433b250bbd8afbcd38746 Mon Sep 17 00:00:00 2001 From: Nelson Osacky Date: Thu, 12 Mar 2026 16:12:59 +0100 Subject: [PATCH 3/7] fix(ci): Fix glob for platform package publish in snapshot The upload artifact preserves the platform subdirectory structure (e.g., darwin/, linux-x64/), so after download the tarballs land at npm-distributions//*.tgz, not npm-distributions/*.tgz. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/snapshot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml index 0dd217bf00..4220152a33 100644 --- a/.github/workflows/snapshot.yml +++ b/.github/workflows/snapshot.yml @@ -90,7 +90,7 @@ jobs: env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: | - for pkg in npm-distributions/*.tgz; do + for pkg in npm-distributions/*/*.tgz; do echo "Publishing $pkg" npm publish "$pkg" --tag snapshot done From 2cea920818e1d54a267e6638d7fd4d86ee666dde Mon Sep 17 00:00:00 2001 From: Nelson Osacky Date: Thu, 12 Mar 2026 16:33:16 +0100 Subject: [PATCH 4/7] fix(ci): Fix node job race condition with sign-macos-binaries The node job downloads artifact-bin-* which includes macOS artifacts uploaded by sign-macos-binaries, but didn't declare that dependency. This could cause the npm package to be built with incomplete checksums (missing macOS entries). sign-macos-binaries already depends on macos and macos_universal, so those are covered transitively. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e662e3f883..734765b1a3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -272,7 +272,7 @@ jobs: node: name: NPM Package runs-on: ubuntu-24.04 - needs: [linux, macos, macos_universal, windows] + needs: [linux, sign-macos-binaries, windows] steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 From 195fbf0bf44706619b37e8745ab2e57242172982 Mon Sep 17 00:00:00 2001 From: Nelson Osacky Date: Wed, 18 Mar 2026 15:08:45 +0100 Subject: [PATCH 5/7] ref(ci): Remove skip-signing and fix snapshot versioning Remove the skip-signing input from build.yml since snapshots should go through the same signing pipeline as releases. Also switch snapshot versioning from minor bump to patch bump and use cargo metadata for more reliable version parsing. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/build.yml | 9 --------- .github/workflows/snapshot.yml | 16 +++++++++------- 2 files changed, 9 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 734765b1a3..280c2fcf3b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,9 +6,6 @@ on: - release/** workflow_call: inputs: - skip-signing: - type: boolean - default: false is-snapshot: type: boolean default: false @@ -169,13 +166,11 @@ jobs: steps: - name: Checkout repository - if: ${{ !inputs.skip-signing }} uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 with: ref: ${{ inputs.checkout-ref }} - name: Install `rcodesign` - if: ${{ !inputs.skip-signing }} run: | curl -L https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.29.0/apple-codesign-0.29.0-x86_64-unknown-linux-musl.tar.gz \ -o rcodesign.tar.gz @@ -185,7 +180,6 @@ jobs: rm rcodesign.tar.gz - name: Decode Apple signing certificate and API key - if: ${{ !inputs.skip-signing }} env: APPLE_CERT_DATA: ${{ secrets.APPLE_CERT_DATA }} APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} @@ -199,7 +193,6 @@ jobs: name: unsigned-bin-macos-${{ matrix.arch }} - name: Sign binary - if: ${{ !inputs.skip-signing }} run: | rcodesign sign \ --for-notarization \ @@ -209,12 +202,10 @@ jobs: sentry-cli-Darwin-${{ matrix.arch }} - name: Zip signed binary - if: ${{ !inputs.skip-signing }} run: | zip sentry-cli-Darwin-${{ matrix.arch }}.zip sentry-cli-Darwin-${{ matrix.arch }} - name: Notarize binary - if: ${{ !inputs.skip-signing }} run: | rcodesign notary-submit \ --api-key-file ${{ env.APPLE_API_KEY_PATH }} \ diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml index 4220152a33..ccc467afd2 100644 --- a/.github/workflows/snapshot.yml +++ b/.github/workflows/snapshot.yml @@ -17,20 +17,22 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 # Computes a semver-compliant snapshot version based on the current - # version in Cargo.toml. The minor version is bumped so that the + # version in Cargo.toml. The patch version is bumped so that the # snapshot sorts higher than the current release but lower than the # next real release. For example, if Cargo.toml has 3.3.1, the - # snapshot version will be 3.4.0-snapshot.20260312.abc1234. + # snapshot version will be 3.3.2-snapshot.20260312.abc1234. - name: Compute snapshot version id: version run: | - CURRENT=$(grep '^version = ' Cargo.toml | head -1 | sed 's/version = "\(.*\)"/\1/') + CURRENT=$(cargo metadata --no-deps --format-version 1 \ + | jq -er '(.workspace_default_members[0]) as $id | .packages[] | select(.id == $id) | .version') MAJOR=$(echo "$CURRENT" | cut -d. -f1) MINOR=$(echo "$CURRENT" | cut -d. -f2) - NEXT_MINOR=$((MINOR + 1)) + PATCH=$(echo "$CURRENT" | cut -d. -f3) + NEXT_PATCH=$((PATCH + 1)) DATE=$(date -u +%Y%m%d) SHORT_SHA=$(git rev-parse --short HEAD) - VERSION="${MAJOR}.${NEXT_MINOR}.0-snapshot.${DATE}.${SHORT_SHA}" + VERSION="${MAJOR}.${MINOR}.${NEXT_PATCH}-snapshot.${DATE}.${SHORT_SHA}" echo "version=$VERSION" >> "$GITHUB_OUTPUT" echo "current=$CURRENT" >> "$GITHUB_OUTPUT" echo "Snapshot version: $VERSION" @@ -59,7 +61,6 @@ jobs: needs: prepare uses: ./.github/workflows/build.yml with: - skip-signing: true is-snapshot: true checkout-ref: ${{ needs.prepare.outputs.ref }} secrets: inherit @@ -108,7 +109,8 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Delete snapshot branch + if: needs.prepare.outputs.ref != '' env: GH_TOKEN: ${{ github.token }} run: | - gh api -X DELETE "repos/${{ github.repository }}/git/refs/heads/${{ needs.prepare.outputs.ref }}" || true + gh api -X DELETE "repos/${{ github.repository }}/git/refs/heads/${{ needs.prepare.outputs.ref }}" From c24fc49e9d01fc09a770f0b513fc50222d65ef74 Mon Sep 17 00:00:00 2001 From: Nelson Osacky Date: Thu, 19 Mar 2026 15:56:10 +0100 Subject: [PATCH 6/7] Update .github/workflows/build.yml Co-authored-by: Daniel Szoke <7881302+szokeasaurusrex@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 280c2fcf3b..4858c0b2a0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -212,7 +212,7 @@ jobs: --wait \ sentry-cli-Darwin-${{ matrix.arch }}.zip - - name: Upload binary + - name: Upload signed binary uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # 7.0.0 with: name: artifact-bin-macos-${{ matrix.arch }} From 47c47753bf185b80afc56b4fd5bbb6dd65a885e5 Mon Sep 17 00:00:00 2001 From: Nelson Osacky Date: Thu, 19 Mar 2026 16:00:16 +0100 Subject: [PATCH 7/7] ci(snapshot): Trigger snapshot release on every push to master Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/snapshot.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml index ccc467afd2..9ab5add368 100644 --- a/.github/workflows/snapshot.yml +++ b/.github/workflows/snapshot.yml @@ -1,7 +1,8 @@ name: Snapshot Release on: - workflow_dispatch: + push: + branches: [master] permissions: contents: write