xworkmate-bridge/.github/workflows/runtime-release.yml
Haitao Pan b8f4ed6102 fix(ci): key per-job SHA256SUMS by os and arch
The runtime-release matrix builds linux+darwin × amd64+arm64, but each job
wrote its checksum to SHA256SUMS-<arch> (arch only). The linux/<arch> and
darwin/<arch> jobs therefore emitted the same filename, which clobbered each
other under the publish job's `merge-multiple: true` download. The merged
SHA256SUMS ended up with only 2 of the 4 platforms, so consumers of the
missing tarballs (notably xworkmate-bridge-linux-arm64.tar.gz) failed with
"missing checksum" — breaking the console offline arm64 package build.

Name the per-job file SHA256SUMS-<os>-<arch> so all four are unique and the
merged SHA256SUMS lists every published tarball.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 17:26:05 +08:00

110 lines
3.4 KiB
YAML

name: Build XWorkmate Bridge Runtime Release
on:
push:
branches: [main, release/**]
paths:
- "**/*.go"
- go.mod
- go.sum
- .github/workflows/runtime-release.yml
workflow_dispatch:
permissions:
contents: write
concurrency:
group: xworkmate-bridge-runtime-release-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
name: Build ${{ matrix.os }}-${{ matrix.arch }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os: [linux, darwin]
arch: [amd64, arm64]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
cache: true
- name: Test
run: go test ./...
- name: Build runtime asset
env:
TARGET_OS: ${{ matrix.os }}
TARGET_ARCH: ${{ matrix.arch }}
run: |
set -euo pipefail
root="dist/runtime/xworkmate-bridge"
mkdir -p "${root}/bin" dist/assets
CGO_ENABLED=0 GOOS="${TARGET_OS}" GOARCH="${TARGET_ARCH}" \
go build -buildvcs=false -trimpath \
-ldflags "-X main.buildCommit=${GITHUB_SHA}" \
-o "${root}/bin/xworkmate-go-core" .
cat > "${root}/manifest.json" <<JSON
{
"component": "xworkmate-bridge",
"commit": "${GITHUB_SHA}",
"os": "${TARGET_OS}",
"arch": "${TARGET_ARCH}",
"binary": "bin/xworkmate-go-core"
}
JSON
tar -czf "dist/assets/xworkmate-bridge-${TARGET_OS}-${TARGET_ARCH}.tar.gz" \
-C dist/runtime xworkmate-bridge
(
cd dist/assets
# Name the per-job checksum file by OS *and* ARCH. Keying on ARCH
# alone makes the linux/darwin jobs of the same arch both emit
# SHA256SUMS-<arch>, which then clobber each other under the
# publish job's merge-multiple download — leaving SHA256SUMS with
# only 2 of the 4 platforms and breaking arm64 (and darwin-amd64)
# consumers with "missing checksum".
sha256sum -- ./*.tar.gz | sed 's# \./# #' > "SHA256SUMS-${TARGET_OS}-${TARGET_ARCH}"
)
- uses: actions/upload-artifact@v4
with:
name: xworkmate-bridge-${{ matrix.os }}-${{ matrix.arch }}
path: |
dist/assets/*.tar.gz
dist/assets/SHA256SUMS-*
if-no-files-found: error
publish:
needs: build
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v4
with:
pattern: xworkmate-bridge-*
path: dist
merge-multiple: true
- name: Publish assets
env:
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
tag="runtime-${GITHUB_SHA::12}"
cat dist/SHA256SUMS-* | sort -u > dist/SHA256SUMS
rm -f dist/SHA256SUMS-*
if gh release view "${tag}" --repo "${GITHUB_REPOSITORY}" >/dev/null 2>&1; then
gh release upload "${tag}" dist/*.tar.gz dist/SHA256SUMS \
--repo "${GITHUB_REPOSITORY}" --clobber
else
gh release create "${tag}" dist/*.tar.gz dist/SHA256SUMS \
--repo "${GITHUB_REPOSITORY}" \
--target "${GITHUB_SHA}" \
--title "XWorkmate Bridge runtime ${GITHUB_SHA::12}" \
--notes "Prebuilt bridge binaries. No target-host Go build is required."
fi