cryptohopper-cli/.github/workflows/cli-release.yml at main · cryptohopper/cryptohopper-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: CLI Release

# Triggered by pushing a tag like `cli-v0.1.0`. Builds standalone binaries for
# linux-x64, darwin-x64+arm64, and windows-x64 using Bun's --compile, then
# attaches them to a GitHub Release alongside SHA256SUMS for verification.
#
# Bun cross-compiles from any host, so we run the whole matrix on one Linux
# runner.

on:
  push:
    tags:
      - "cli-v*"
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag (e.g. cli-v0.1.0). When run via workflow_dispatch, no GitHub Release is created — artifacts are uploaded for manual download only."
        required: true

jobs:
  compile:
    name: Compile binaries
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write  # npm provenance
    steps:
      - uses: actions/checkout@v6

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - uses: actions/setup-node@v6
        with:
          node-version: "20"
          cache: "npm"
          registry-url: "https://registry.npmjs.org"
          scope: "@cryptohopper"

      - name: Install CLI deps
        run: npm ci

      - name: Typecheck
        run: npx tsc --noEmit

      - name: Verify package version matches tag
        if: startsWith(github.ref, 'refs/tags/cli-v')
        run: |
          TAG="${GITHUB_REF_NAME#cli-v}"
          PKG=$(node -p "require('./package.json').version")
          if [ "$TAG" != "$PKG" ]; then
            echo "Tag $GITHUB_REF_NAME (→ $TAG) does not match package.json $PKG"
            exit 1
          fi

      - name: Build Node dist (tsup)
        run: npm run build

      - name: Publish to npm with provenance
        if: startsWith(github.ref, 'refs/tags/cli-v')
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      - name: Compile (linux-x64)
        run: npm run compile:linux-x64

      - name: Compile (darwin-x64)
        run: npm run compile:darwin-x64

      - name: Compile (darwin-arm64)
        run: npm run compile:darwin-arm64

      - name: Compile (windows-x64)
        run: npm run compile:windows-x64

      - name: Generate SHA256SUMS
        working-directory: dist
        run: |
          sha256sum cryptohopper-linux-x64 cryptohopper-darwin-x64 cryptohopper-darwin-arm64 cryptohopper-windows-x64.exe > SHA256SUMS
          cat SHA256SUMS

      - name: List build artifacts
        working-directory: dist
        run: ls -lh cryptohopper-* SHA256SUMS

      - name: Upload artifacts (workflow_dispatch only)
        if: github.event_name == 'workflow_dispatch'
        uses: actions/upload-artifact@v7
        with:
          name: cryptohopper-cli-binaries
          path: |
            dist/cryptohopper-linux-x64
            dist/cryptohopper-darwin-x64
            dist/cryptohopper-darwin-arm64
            dist/cryptohopper-windows-x64.exe
            dist/SHA256SUMS
          retention-days: 14

      - name: Create GitHub Release
        if: startsWith(github.ref, 'refs/tags/cli-v')
        uses: softprops/action-gh-release@v3
        with:
          name: ${{ github.ref_name }}
          prerelease: ${{ contains(github.ref_name, '-alpha') || contains(github.ref_name, '-beta') || contains(github.ref_name, '-rc') }}
          generate_release_notes: true
          fail_on_unmatched_files: true
          files: |
            dist/cryptohopper-linux-x64
            dist/cryptohopper-darwin-x64
            dist/cryptohopper-darwin-arm64
            dist/cryptohopper-windows-x64.exe
            dist/SHA256SUMS
          body: |
            ## Install

            **npm (any platform with Node 20+)**
            ```bash
            npm i -g @cryptohopper/cli
            # or one-shot:
            npx @cryptohopper/cli login
            ```

            The Bun-compiled binaries below are the recommended path for non-Node users (faster cold start, no Node dependency).

            **macOS (Apple Silicon)**
            ```bash
            curl -L https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/cryptohopper-darwin-arm64 -o /usr/local/bin/cryptohopper
            chmod +x /usr/local/bin/cryptohopper
            ```

            **macOS (Intel)**
            ```bash
            curl -L https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/cryptohopper-darwin-x64 -o /usr/local/bin/cryptohopper
            chmod +x /usr/local/bin/cryptohopper
            ```

            **Linux x64**
            ```bash
            curl -L https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/cryptohopper-linux-x64 -o /usr/local/bin/cryptohopper
            chmod +x /usr/local/bin/cryptohopper
            ```

            **Windows x64**

            Download `cryptohopper-windows-x64.exe`, rename to `cryptohopper.exe`, put it on `%PATH%`.

            > **First-launch warnings:** these binaries are **not yet code-signed**. macOS will block them with a Gatekeeper prompt — right-click → Open the first time, or run `xattr -d com.apple.quarantine /usr/local/bin/cryptohopper`. Windows will show a SmartScreen warning — click "More info" → "Run anyway".

            ## Verify

            ```bash
            sha256sum -c SHA256SUMS
            ```

            Then run `cryptohopper login`.