commit a56f203b325a094c6245a51aff05796d18944656
parent 8ae6fb8e9aeb0aa4e5996ddd60ce031b2bd444b6
Author: triesap <tyson@radroots.org>
Date: Fri, 20 Mar 2026 17:32:18 +0000
release: remove github workflow automation
Diffstat:
12 files changed, 21 insertions(+), 395 deletions(-)
diff --git a/.github/workflows/nix-flake-ci.yml b/.github/workflows/nix-flake-ci.yml
@@ -1,33 +0,0 @@
-name: nix-flake-ci
-
-on:
- workflow_dispatch:
- pull_request:
- push:
- branches:
- - master
-
-permissions:
- contents: read
-
-jobs:
- flake-check:
- strategy:
- fail-fast: false
- matrix:
- runner:
- - ubuntu-latest
- - macos-latest
- runs-on: ${{ matrix.runner }}
- steps:
- - name: checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-
- - name: install nix
- uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
- with:
- extra_nix_config: |
- experimental-features = nix-command flakes
-
- - name: run flake check
- run: nix flake check
diff --git a/.github/workflows/publish-crates.yml b/.github/workflows/publish-crates.yml
@@ -1,68 +0,0 @@
-name: publish crates
-
-on:
- workflow_dispatch:
- inputs:
- crates:
- description: "space or comma separated crate names (empty = full release order)"
- required: false
- default: ""
- dry_run:
- description: "run cargo publish --dry-run"
- type: boolean
- required: false
- default: false
- push:
- tags:
- - "v*.*.*"
-
-permissions:
- contents: read
-
-concurrency:
- group: publish-crates
- cancel-in-progress: false
-
-jobs:
- publish:
- runs-on: ubuntu-latest
- steps:
- - name: checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-
- - name: install nix
- uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
- with:
- extra_nix_config: |
- experimental-features = nix-command flakes
-
- - name: verify workspace
- run: nix run .#check
-
- - name: publish crates
- env:
- EVENT_NAME: ${{ github.event_name }}
- CRATES_INPUT: ${{ github.event.inputs.crates }}
- DRY_RUN_INPUT: ${{ github.event.inputs.dry_run }}
- CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
- CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
- run: |
- set -euo pipefail
-
- dry_run="false"
- crates_input=""
- if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then
- crates_input="${CRATES_INPUT:-}"
- dry_run="${DRY_RUN_INPUT:-false}"
- fi
-
- mode="--publish"
- if [ "${dry_run}" = "true" ]; then
- mode="--dry-run"
- fi
-
- if [ -n "${crates_input}" ]; then
- nix run .#publish-crates -- "${mode}" "${crates_input}"
- else
- nix run .#publish-crates -- "${mode}"
- fi
diff --git a/.github/workflows/release-preflight.yml b/.github/workflows/release-preflight.yml
@@ -1,35 +0,0 @@
-name: release-preflight
-
-on:
- workflow_dispatch:
-
-permissions:
- contents: read
-
-jobs:
- preflight:
- runs-on: ubuntu-latest
- steps:
- - name: checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-
- - name: install nix
- uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
- with:
- extra_nix_config: |
- experimental-features = nix-command flakes
-
- - name: run repo guards
- run: nix run .#guards
-
- - name: run release preflight
- run: nix run .#release-preflight
-
- - name: upload release preflight artifacts
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
- with:
- name: release-preflight
- path: |
- target/coverage/coverage-refresh.tsv
- target/coverage/coverage-refresh-status.tsv
- target/coverage/**/gate-report.json
diff --git a/.github/workflows/sdk-contract-ci.yml b/.github/workflows/sdk-contract-ci.yml
@@ -1,32 +0,0 @@
-name: sdk-contract-ci
-
-on:
- pull_request:
- push:
- branches:
- - master
-
-permissions:
- contents: read
-
-jobs:
- contract:
- runs-on: ubuntu-latest
- steps:
- - name: checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-
- - name: install nix
- uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
- with:
- extra_nix_config: |
- experimental-features = nix-command flakes
-
- - name: run contract lane
- run: nix run .#contract
-
- - name: upload export manifest
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
- with:
- name: sdk-export-manifest
- path: target/sdk-export-ci/ts/export-manifest.json
diff --git a/.github/workflows/sdk-core-sync-pr.yml b/.github/workflows/sdk-core-sync-pr.yml
@@ -1,123 +0,0 @@
-name: sdk-models-sync-pr
-
-on:
- workflow_dispatch:
- push:
- branches:
- - master
- paths:
- - "flake.nix"
- - "flake.lock"
- - "treefmt.nix"
- - "nix/**"
- - "rust-toolchain.toml"
- - "crates/core/**"
- - "crates/types/**"
- - "crates/events/**"
- - "crates/trade/**"
- - "crates/identity/**"
- - "crates/events-codec-wasm/**"
- - "crates/xtask/**"
- - "contract/**"
- - ".github/workflows/sdk-core-sync-pr.yml"
-
-permissions:
- contents: read
-
-jobs:
- sync-models:
- runs-on: ubuntu-latest
- steps:
- - name: checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-
- - name: install nix
- uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
- with:
- extra_nix_config: |
- experimental-features = nix-command flakes
-
- - name: run repo guards
- run: nix run .#guards
-
- - name: detect sync token
- id: sync_token
- run: |
- if test -n "${{ secrets.RADROOTS_SDK_SYNC_TOKEN }}"; then
- echo "configured=true" >> "$GITHUB_OUTPUT"
- else
- echo "configured=false" >> "$GITHUB_OUTPUT"
- fi
-
- - name: skip sync when token is unavailable
- if: steps.sync_token.outputs.configured != 'true'
- run: echo "radroots_sdk_sync_token is not configured; skipping sdk sync workflow"
-
- - name: export ts sdk artifacts
- if: steps.sync_token.outputs.configured == 'true'
- run: |
- export_dir="${{ runner.temp }}/sdk-export"
- nix run .#export-ts -- --out "${export_dir}"
- test -f "${export_dir}/ts/export-manifest.json"
-
- - name: check required export artifacts
- if: steps.sync_token.outputs.configured == 'true'
- run: |
- test -f "${{ runner.temp }}/sdk-export/ts/packages/core/src/generated/types.ts"
- test -f "${{ runner.temp }}/sdk-export/ts/packages/types/src/generated/types.ts"
- test -f "${{ runner.temp }}/sdk-export/ts/packages/events/src/generated/types.ts"
- test -f "${{ runner.temp }}/sdk-export/ts/packages/trade/src/generated/types.ts"
- test -f "${{ runner.temp }}/sdk-export/ts/packages/events/src/generated/constants.ts"
- test -f "${{ runner.temp }}/sdk-export/ts/packages/events/src/generated/kinds.ts"
-
- - name: upload sdk export artifact
- if: steps.sync_token.outputs.configured == 'true'
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
- with:
- name: sdk-export-ts-bundle
- path: ${{ runner.temp }}/sdk-export/ts
-
- - name: checkout sdk-typescript
- if: steps.sync_token.outputs.configured == 'true'
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- with:
- repository: radrootslabs/sdk-typescript
- ref: master
- token: ${{ secrets.RADROOTS_SDK_SYNC_TOKEN }}
- path: sdk-typescript
- fetch-depth: 0
-
- - name: apply generated model artifacts
- if: steps.sync_token.outputs.configured == 'true'
- run: |
- for package in core types events trade identity; do
- src_dir="${{ runner.temp }}/sdk-export/ts/packages/${package}/src/generated"
- if test -d "${src_dir}"; then
- install -d "sdk-typescript/packages/${package}/src/generated"
- rsync -a --delete "${src_dir}/" "sdk-typescript/packages/${package}/src/generated/"
- fi
- done
- wasm_src="${{ runner.temp }}/sdk-export/ts/packages/events-codec-wasm/dist"
- if test -d "${wasm_src}"; then
- install -d sdk-typescript/packages/events-codec-wasm/dist
- rsync -a --delete "${wasm_src}/" sdk-typescript/packages/events-codec-wasm/dist/
- fi
-
- - name: validate sdk-typescript
- if: steps.sync_token.outputs.configured == 'true'
- run: nix run .#validate-sdk-typescript -- sdk-typescript
-
- - name: create pull request
- if: steps.sync_token.outputs.configured == 'true'
- uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
- with:
- token: ${{ secrets.RADROOTS_SDK_SYNC_TOKEN }}
- path: sdk-typescript
- commit-message: "sdk: sync generated models from rust sdk contract"
- branch: sync/models-${{ github.run_id }}-${{ github.run_attempt }}
- delete-branch: true
- title: "sdk: sync generated models from rust sdk contract"
- body: |
- - sync generated model types for @radroots/core, @radroots/types, @radroots/events, and @radroots/trade
- - sync @radroots/identity generated types when present in rust export output
- - source revision: ${{ github.sha }}
diff --git a/.github/workflows/sdk-coverage-ci.yml b/.github/workflows/sdk-coverage-ci.yml
@@ -1,44 +0,0 @@
-name: sdk-coverage-ci
-
-on:
- pull_request:
- push:
- branches:
- - master
- paths:
- - "flake.nix"
- - "flake.lock"
- - "treefmt.nix"
- - "nix/**"
- - "rust-toolchain.toml"
- - ".github/workflows/sdk-coverage-ci.yml"
- - "crates/xtask/**"
- - "crates/**"
-
-permissions:
- contents: read
-
-jobs:
- coverage-report:
- runs-on: ubuntu-latest
- steps:
- - name: checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-
- - name: install nix
- uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
- with:
- extra_nix_config: |
- experimental-features = nix-command flakes
-
- - name: run sdk coverage report set
- run: nix run .#coverage-report
-
- - name: upload sdk coverage reports
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
- with:
- name: sdk-coverage-reports
- path: |
- target/sdk-coverage/**/coverage-gate-summary.json
- target/sdk-coverage/**/coverage-gate-blocking.json
- target/sdk-coverage/coverage-report-status.txt
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
@@ -1,32 +0,0 @@
-name: update-flake-lock
-
-on:
- workflow_dispatch:
- schedule:
- - cron: "0 9 * * 1"
-
-permissions:
- contents: write
- id-token: write
- issues: write
- pull-requests: write
-
-jobs:
- update:
- runs-on: ubuntu-latest
- steps:
- - name: checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-
- - name: install determinate nix
- uses: DeterminateSystems/determinate-nix-action@131015bad844610e5e6300f8a143bf625d3e74f4
-
- - name: update flake lock
- uses: DeterminateSystems/update-flake-lock@834c491b2ece4de0bbd00d85214bb5e83b4da5c6
- with:
- branch: ci/update-flake-lock
- commit-msg: "ci: update flake lock"
- pr-title: "ci: update flake lock"
- pr-labels: |
- dependencies
- automated
diff --git a/AGENTS.md b/AGENTS.md
@@ -14,6 +14,7 @@ This file exists for compatibility with tools that look for AGENTS.md.
## 2. Repository operating model
- This is a public open-source library workspace; optimize for durable library design, portability, determinism, and explicit contracts.
+- Keep release and validation automation forge-agnostic; repo-owned scripts, Nix apps, tags, and contract metadata are canonical, while committed provider-specific workflow automation is not.
- Prefer clean target-state changes over compatibility scaffolding unless compatibility is explicitly required.
- Stay within the requested scope and the smallest coherent file set.
- Do not fold unrelated cleanup, speculative refactors, or roadmap work into the same change.
diff --git a/AGENT_INSTRUCTIONS.md b/AGENT_INSTRUCTIONS.md
@@ -32,6 +32,7 @@ Stay disciplined:
- do not leave dead paths, temporary adapters, or silent fallback behavior behind
This repo is a library workspace, not an app monolith. The right default is small, durable changes that preserve clean crate boundaries.
+Release automation should stay forge-agnostic. Keep release truth in repo-owned scripts, Nix apps, tags, and contract metadata rather than committed provider-specific workflow files.
## 3. Preflight workflow
@@ -168,6 +169,12 @@ Validation rules:
- deterministic tests are required for new behavior and edge cases
- do not rely on wall-clock time, random order, external network access, or ambient machine state in unit tests
+Release discipline:
+
+- create annotated release tags that match `contract/release/publish-set.toml`
+- keep repo-owned release commands runnable without depending on GitHub-specific workflow files
+- when documenting release flow here, document the local repo contract rather than forge-specific orchestration
+
## 8. Commit and handoff guidance
Commit messages in this repo are part of the public open-source surface.
diff --git a/contract/release/runbook.md b/contract/release/runbook.md
@@ -16,35 +16,33 @@ This command validates:
- required crate coverage at `100/100/100`
- publish crate metadata required for crates.io
-## publish simulation
+## release tag
+
+Create an annotated tag whose version matches `release.version` in `contract/release/publish-set.toml`.
+
+Recommended form:
```bash
-./scripts/ci/release_publish_order.sh dry-run
+git tag -a "v$(awk -F '\"' '/^version = / { print $2; exit }' contract/release/publish-set.toml)" -m "release"
```
-This runs `cargo publish --dry-run` in release order and reports deferred crates when they depend on earlier crates that are not yet published.
+## publish simulation
-GitHub Actions equivalent:
+```bash
+./publish-crates.sh --dry-run
+```
-- run workflow `publish crates`
-- set `dry_run = true`
-- optionally set `crates` (space or comma separated) to test a subset in release order
+This runs `cargo publish --dry-run` in release order and reports deferred crates when they depend on earlier crates that are not yet published.
## publish
```bash
-./scripts/ci/release_publish_order.sh publish
+./publish-crates.sh --publish
```
This publishes in `publish_order` and waits for each crate version to become visible on crates.io before continuing.
-GitHub Actions equivalent:
-
-- run workflow `publish crates`
-- set `dry_run = false`
-- ensure repository secret `CRATES_IO_TOKEN` is configured
-
-The workflow also accepts `CARGO_REGISTRY_TOKEN`; either secret can provide the cargo publish token.
+Set `CARGO_REGISTRY_TOKEN` or `CRATES_IO_TOKEN` in the runtime environment before the publish step.
## post-release verification
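Review bot: The new publish instruction, "Set `CARGO_REGISTRY_TOKEN` or `CRATES_IO_TOKEN` in the runtime environment", moves the crates.io credential from a forge secret store to whichever shell runs `./publish-crates.sh --publish`, and the runbook gives no guidance on scoping that token or keeping it out of shell history and profile files. I would add a line under `## publish` such as `Use a crates.io token limited to the publish scopes and to these crates, export it only for the publish session, and unset it afterwards.` The recommended tag command uses `git tag -a`, which creates an unsigned tag; because this commit describes tags as canonical release metadata, consider documenting `git tag -s` with a `git tag -v` check before publishing. None of the 12 changed files adds `./publish-crates.sh`, so the runbook presumably relies on a script already at the repository root, which is worth confirming.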
diff --git a/docs/nix.md b/docs/nix.md
@@ -96,7 +96,6 @@ nix run .#publish-crates -- --dry-run
- Nix, shell, and TOML formatting through `treefmt`
- Rust formatting through `cargo fmt --check`
-- GitHub Actions workflow validation through `actionlint`
- pure cargo check/test derivations for the contract crate set
- repo guards that can run without cargo registry network access
diff --git a/nix/checks.nix b/nix/checks.nix
@@ -25,20 +25,8 @@ let
installPhaseCommand = "mkdir -p $out";
}
);
- actionlint = common.mkRepoCheck {
- name = "actionlint";
- runtimeInputs = [
- pkgs.actionlint
- pkgs.shellcheck
- ];
- initGit = true;
- command = ''
- actionlint
- '';
- };
in
{
- actionlint = actionlint;
cargo-fmt = cargoFmt;
cargo-check = cargoCheck;
cargo-test = cargoTest;