lib

Core libraries for Radroots

commit a56f203b325a094c6245a51aff05796d18944656
parent 8ae6fb8e9aeb0aa4e5996ddd60ce031b2bd444b6
Author: triesap <tyson@radroots.org>
Date:   Fri, 20 Mar 2026 17:32:18 +0000

release: remove github workflow automation

Diffstat:
D.github/workflows/nix-flake-ci.yml | 33---------------------------------
D.github/workflows/publish-crates.yml | 68--------------------------------------------------------------------
D.github/workflows/release-preflight.yml | 35-----------------------------------
D.github/workflows/sdk-contract-ci.yml | 32--------------------------------
D.github/workflows/sdk-core-sync-pr.yml | 123-------------------------------------------------------------------------------
D.github/workflows/sdk-coverage-ci.yml | 44--------------------------------------------
D.github/workflows/update-flake-lock.yml | 32--------------------------------
MAGENTS.md | 1+
MAGENT_INSTRUCTIONS.md | 7+++++++
Mcontract/release/runbook.md | 28+++++++++++++---------------
Mdocs/nix.md | 1-
Mnix/checks.nix | 12------------
12 files changed, 21 insertions(+), 395 deletions(-)

diff --git a/.github/workflows/nix-flake-ci.yml b/.github/workflows/nix-flake-ci.yml @@ -1,33 +0,0 @@ -name: nix-flake-ci - -on: - workflow_dispatch: - pull_request: - push: - branches: - - master - -permissions: - contents: read - -jobs: - flake-check: - strategy: - fail-fast: false - matrix: - runner: - - ubuntu-latest - - macos-latest - runs-on: ${{ matrix.runner }} - steps: - - name: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - - name: install nix - uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934 - with: - extra_nix_config: | - experimental-features = nix-command flakes - - - name: run flake check - run: nix flake check diff --git a/.github/workflows/publish-crates.yml b/.github/workflows/publish-crates.yml 
@@ -1,68 +0,0 @@ -name: publish crates - -on: - workflow_dispatch: - inputs: - crates: - description: "space or comma separated crate names (empty = full release order)" - required: false - default: "" - dry_run: - description: "run cargo publish --dry-run" - type: boolean - required: false - default: false - push: - tags: - - "v*.*.*" - -permissions: - contents: read - -concurrency: - group: publish-crates - cancel-in-progress: false - -jobs: - publish: - runs-on: ubuntu-latest - steps: - - name: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - - name: install nix - uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934 - with: - extra_nix_config: | - experimental-features = nix-command flakes - - - name: verify workspace - run: nix run .#check - - - name: publish crates - env: - EVENT_NAME: ${{ github.event_name }} - CRATES_INPUT: ${{ github.event.inputs.crates }} - DRY_RUN_INPUT: ${{ github.event.inputs.dry_run }} - CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }} - CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} - run: | - set -euo pipefail - - dry_run="false" - crates_input="" - if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then - crates_input="${CRATES_INPUT:-}" - dry_run="${DRY_RUN_INPUT:-false}" - fi - - mode="--publish" - if [ "${dry_run}" = "true" ]; then - mode="--dry-run" - fi - - if [ -n "${crates_input}" ]; then - nix run .#publish-crates -- "${mode}" "${crates_input}" - else - nix run .#publish-crates -- "${mode}" - fi diff --git a/.github/workflows/release-preflight.yml b/.github/workflows/release-preflight.yml 
@@ -1,35 +0,0 @@ -name: release-preflight - -on: - workflow_dispatch: - -permissions: - contents: read - -jobs: - preflight: - runs-on: ubuntu-latest - steps: - - name: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - - name: install nix - uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934 - with: - extra_nix_config: | - experimental-features = nix-command flakes - - - name: run repo guards - run: nix run .#guards - - - name: run release preflight - run: nix run .#release-preflight - - - name: upload release preflight artifacts - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f - with: - name: release-preflight - path: | - target/coverage/coverage-refresh.tsv - target/coverage/coverage-refresh-status.tsv - target/coverage/**/gate-report.json diff --git a/.github/workflows/sdk-contract-ci.yml b/.github/workflows/sdk-contract-ci.yml @@ -1,32 +0,0 @@ -name: sdk-contract-ci - -on: - pull_request: - push: - branches: - - master - -permissions: - contents: read - -jobs: - contract: - runs-on: ubuntu-latest - steps: - - name: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - - name: install nix - uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934 - with: - extra_nix_config: | - experimental-features = nix-command flakes - - - name: run contract lane - run: nix run .#contract - - - name: upload export manifest - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f - with: - name: sdk-export-manifest - path: target/sdk-export-ci/ts/export-manifest.json diff --git a/.github/workflows/sdk-core-sync-pr.yml b/.github/workflows/sdk-core-sync-pr.yml 
@@ -1,123 +0,0 @@ -name: sdk-models-sync-pr - -on: - workflow_dispatch: - push: - branches: - - master - paths: - - "flake.nix" - - "flake.lock" - - "treefmt.nix" - - "nix/**" - - "rust-toolchain.toml" - - "crates/core/**" - - "crates/types/**" - - "crates/events/**" - - "crates/trade/**" - - "crates/identity/**" - - "crates/events-codec-wasm/**" - - "crates/xtask/**" - - "contract/**" - - ".github/workflows/sdk-core-sync-pr.yml" - -permissions: - contents: read - -jobs: - sync-models: - runs-on: ubuntu-latest - steps: - - name: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - - name: install nix - uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934 - with: - extra_nix_config: | - experimental-features = nix-command flakes - - - name: run repo guards - run: nix run .#guards - - - name: detect sync token - id: sync_token - run: | - if test -n "${{ secrets.RADROOTS_SDK_SYNC_TOKEN }}"; then - echo "configured=true" >> "$GITHUB_OUTPUT" - else - echo "configured=false" >> "$GITHUB_OUTPUT" - fi - - - name: skip sync when token is unavailable - if: steps.sync_token.outputs.configured != 'true' - run: echo "radroots_sdk_sync_token is not configured; skipping sdk sync workflow" - - - name: export ts sdk artifacts - if: steps.sync_token.outputs.configured == 'true' - run: | - export_dir="${{ runner.temp }}/sdk-export" - nix run .#export-ts -- --out "${export_dir}" - test -f "${export_dir}/ts/export-manifest.json" - - - name: check required export artifacts - if: steps.sync_token.outputs.configured == 'true' - run: | - test -f "${{ runner.temp }}/sdk-export/ts/packages/core/src/generated/types.ts" - test -f "${{ runner.temp }}/sdk-export/ts/packages/types/src/generated/types.ts" - test -f "${{ runner.temp }}/sdk-export/ts/packages/events/src/generated/types.ts" - test -f "${{ runner.temp }}/sdk-export/ts/packages/trade/src/generated/types.ts" - test -f "${{ runner.temp 
}}/sdk-export/ts/packages/events/src/generated/constants.ts" - test -f "${{ runner.temp }}/sdk-export/ts/packages/events/src/generated/kinds.ts" - - - name: upload sdk export artifact - if: steps.sync_token.outputs.configured == 'true' - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f - with: - name: sdk-export-ts-bundle - path: ${{ runner.temp }}/sdk-export/ts - - - name: checkout sdk-typescript - if: steps.sync_token.outputs.configured == 'true' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - with: - repository: radrootslabs/sdk-typescript - ref: master - token: ${{ secrets.RADROOTS_SDK_SYNC_TOKEN }} - path: sdk-typescript - fetch-depth: 0 - - - name: apply generated model artifacts - if: steps.sync_token.outputs.configured == 'true' - run: | - for package in core types events trade identity; do - src_dir="${{ runner.temp }}/sdk-export/ts/packages/${package}/src/generated" - if test -d "${src_dir}"; then - install -d "sdk-typescript/packages/${package}/src/generated" - rsync -a --delete "${src_dir}/" "sdk-typescript/packages/${package}/src/generated/" - fi - done - wasm_src="${{ runner.temp }}/sdk-export/ts/packages/events-codec-wasm/dist" - if test -d "${wasm_src}"; then - install -d sdk-typescript/packages/events-codec-wasm/dist - rsync -a --delete "${wasm_src}/" sdk-typescript/packages/events-codec-wasm/dist/ - fi - - - name: validate sdk-typescript - if: steps.sync_token.outputs.configured == 'true' - run: nix run .#validate-sdk-typescript -- sdk-typescript - - - name: create pull request - if: steps.sync_token.outputs.configured == 'true' - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 - with: - token: ${{ secrets.RADROOTS_SDK_SYNC_TOKEN }} - path: sdk-typescript - commit-message: "sdk: sync generated models from rust sdk contract" - branch: sync/models-${{ github.run_id }}-${{ github.run_attempt }} - delete-branch: true - title: "sdk: sync generated models from rust sdk contract" - 
body: | - - sync generated model types for @radroots/core, @radroots/types, @radroots/events, and @radroots/trade - - sync @radroots/identity generated types when present in rust export output - - source revision: ${{ github.sha }} diff --git a/.github/workflows/sdk-coverage-ci.yml b/.github/workflows/sdk-coverage-ci.yml @@ -1,44 +0,0 @@ -name: sdk-coverage-ci - -on: - pull_request: - push: - branches: - - master - paths: - - "flake.nix" - - "flake.lock" - - "treefmt.nix" - - "nix/**" - - "rust-toolchain.toml" - - ".github/workflows/sdk-coverage-ci.yml" - - "crates/xtask/**" - - "crates/**" - -permissions: - contents: read - -jobs: - coverage-report: - runs-on: ubuntu-latest - steps: - - name: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - - name: install nix - uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934 - with: - extra_nix_config: | - experimental-features = nix-command flakes - - - name: run sdk coverage report set - run: nix run .#coverage-report - - - name: upload sdk coverage reports - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f - with: - name: sdk-coverage-reports - path: | - target/sdk-coverage/**/coverage-gate-summary.json - target/sdk-coverage/**/coverage-gate-blocking.json - target/sdk-coverage/coverage-report-status.txt diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml 
@@ -1,32 +0,0 @@ -name: update-flake-lock - -on: - workflow_dispatch: - schedule: - - cron: "0 9 * * 1" - -permissions: - contents: write - id-token: write - issues: write - pull-requests: write - -jobs: - update: - runs-on: ubuntu-latest - steps: - - name: checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - - name: install determinate nix - uses: DeterminateSystems/determinate-nix-action@131015bad844610e5e6300f8a143bf625d3e74f4 - - - name: update flake lock - uses: DeterminateSystems/update-flake-lock@834c491b2ece4de0bbd00d85214bb5e83b4da5c6 - with: - branch: ci/update-flake-lock - commit-msg: "ci: update flake lock" - pr-title: "ci: update flake lock" - pr-labels: | - dependencies - automated diff --git a/AGENTS.md b/AGENTS.md @@ -14,6 +14,7 @@ This file exists for compatibility with tools that look for AGENTS.md. ## 2. Repository operating model - This is a public open-source library workspace; optimize for durable library design, portability, determinism, and explicit contracts. +- Keep release and validation automation forge-agnostic; repo-owned scripts, Nix apps, tags, and contract metadata are canonical, while committed provider-specific workflow automation is not. - Prefer clean target-state changes over compatibility scaffolding unless compatibility is explicitly required. - Stay within the requested scope and the smallest coherent file set. - Do not fold unrelated cleanup, speculative refactors, or roadmap work into the same change. diff --git a/AGENT_INSTRUCTIONS.md b/AGENT_INSTRUCTIONS.md 
@@ -32,6 +32,7 @@ Stay disciplined: - do not leave dead paths, temporary adapters, or silent fallback behavior behind This repo is a library workspace, not an app monolith. The right default is small, durable changes that preserve clean crate boundaries. +Release automation should stay forge-agnostic. Keep release truth in repo-owned scripts, Nix apps, tags, and contract metadata rather than committed provider-specific workflow files. ## 3. Preflight workflow @@ -168,6 +169,12 @@ Validation rules: - deterministic tests are required for new behavior and edge cases - do not rely on wall-clock time, random order, external network access, or ambient machine state in unit tests +Release discipline: + +- create annotated release tags that match `contract/release/publish-set.toml` +- keep repo-owned release commands runnable without depending on GitHub-specific workflow files +- when documenting release flow here, document the local repo contract rather than forge-specific orchestration + ## 8. Commit and handoff guidance Commit messages in this repo are part of the public open-source surface. diff --git a/contract/release/runbook.md b/contract/release/runbook.md 
@@ -16,35 +16,33 @@ This command validates: - required crate coverage at `100/100/100` - publish crate metadata required for crates.io -## publish simulation +## release tag + +Create an annotated tag whose version matches `release.version` in `contract/release/publish-set.toml`. + +Recommended form: ```bash -./scripts/ci/release_publish_order.sh dry-run +git tag -a "v$(awk -F '\"' '/^version = / { print $2; exit }' contract/release/publish-set.toml)" -m "release" ``` -This runs `cargo publish --dry-run` in release order and reports deferred crates when they depend on earlier crates that are not yet published. +## publish simulation -GitHub Actions equivalent: +```bash +./publish-crates.sh --dry-run +``` -- run workflow `publish crates` -- set `dry_run = true` -- optionally set `crates` (space or comma separated) to test a subset in release order +This runs `cargo publish --dry-run` in release order and reports deferred crates when they depend on earlier crates that are not yet published. ## publish ```bash -./scripts/ci/release_publish_order.sh publish +./publish-crates.sh --publish ``` This publishes in `publish_order` and waits for each crate version to become visible on crates.io before continuing. -GitHub Actions equivalent: - -- run workflow `publish crates` -- set `dry_run = false` -- ensure repository secret `CRATES_IO_TOKEN` is configured - -The workflow also accepts `CARGO_REGISTRY_TOKEN`; either secret can provide the cargo publish token. +Set `CARGO_REGISTRY_TOKEN` or `CRATES_IO_TOKEN` in the runtime environment before the publish step. ## post-release verification diff --git a/docs/nix.md b/docs/nix.md @@ -96,7 +96,6 @@ nix run .#publish-crates -- --dry-run - Nix, shell, and TOML formatting through `treefmt` - Rust formatting through `cargo fmt --check` -- GitHub Actions workflow validation through `actionlint` - pure cargo check/test derivations for the contract crate set - repo guards that can run without cargo registry network access 
diff --git a/nix/checks.nix b/nix/checks.nix
@@ -25,20 +25,8 @@ let
 installPhaseCommand = "mkdir -p $out";
 }
 );
- actionlint = common.mkRepoCheck {
- name = "actionlint";
- runtimeInputs = [
- pkgs.actionlint
- pkgs.shellcheck
- ];
- initGit = true;
- command = ''
- actionlint
- '';
- };
 in
 {
- actionlint = actionlint;
 cargo-fmt = cargoFmt;
 cargo-check = cargoCheck;
 cargo-test = cargoTest;