diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 27dfa2c..5ff7eb5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,29 +39,38 @@ jobs: RELEASE_TAG: ${{ inputs.tag }} run: git checkout "$RELEASE_TAG" - - name: Check Homebrew tap token - id: homebrew + - name: Resolve release tag + id: release + env: + DISPATCH_TAG: ${{ inputs.tag }} + REF_NAME: ${{ github.ref_name }} + run: | + tag="${DISPATCH_TAG:-$REF_NAME}" + if [ -z "$tag" ]; then + echo "::error::could not resolve release tag" + exit 1 + fi + echo "tag=$tag" >>"$GITHUB_OUTPUT" + echo "version=${tag#v}" >>"$GITHUB_OUTPUT" + + - name: Verify Homebrew tap token env: HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }} run: | if [ -z "$HOMEBREW_TAP_GITHUB_TOKEN" ]; then - echo "skip=true" >>"$GITHUB_OUTPUT" - echo "::warning::HOMEBREW_TAP_GITHUB_TOKEN is missing; skipping Homebrew tap publish" - exit 0 + echo "::error::HOMEBREW_TAP_GITHUB_TOKEN is missing; cannot publish Homebrew formula" + exit 1 fi code="$(curl -sS -o /dev/null -w '%{http_code}' \ -H "Authorization: Bearer $HOMEBREW_TAP_GITHUB_TOKEN" \ -H "Accept: application/vnd.github+json" \ https://api.github.com/repos/openclaw/homebrew-tap || true)" if [ "$code" != "200" ]; then - echo "skip=true" >>"$GITHUB_OUTPUT" - echo "::warning::HOMEBREW_TAP_GITHUB_TOKEN cannot access openclaw/homebrew-tap (HTTP $code); skipping Homebrew tap publish" - exit 0 + echo "::error::HOMEBREW_TAP_GITHUB_TOKEN cannot access openclaw/homebrew-tap (HTTP $code)" + exit 1 fi - echo "skip=false" >>"$GITHUB_OUTPUT" - name: GoReleaser - if: ${{ steps.homebrew.outputs.skip != 'true' }} uses: goreleaser/goreleaser-action@v7 with: distribution: goreleaser @@ -71,12 +80,17 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }} - - name: GoReleaser without Homebrew - if: ${{ steps.homebrew.outputs.skip == 'true' }} - uses: goreleaser/goreleaser-action@v7 - with: - distribution: goreleaser - version: "~> v2" - args: release --clean --config /tmp/.goreleaser.yaml --skip=homebrew + - name: Verify Homebrew formula env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }} + RELEASE_VERSION: ${{ steps.release.outputs.version }} + run: | + formula="$(gh api repos/openclaw/homebrew-tap/contents/Formula/crabbox.rb --jq '.content' | base64 --decode)" + if ! grep -q "version \"$RELEASE_VERSION\"" <<<"$formula"; then + echo "::error::openclaw/homebrew-tap Formula/crabbox.rb was not updated to $RELEASE_VERSION" + exit 1 + fi + if ! grep -q "releases/download/v$RELEASE_VERSION/" <<<"$formula"; then + echo "::error::openclaw/homebrew-tap Formula/crabbox.rb does not point at v$RELEASE_VERSION assets" + exit 1 + fi diff --git a/docs/operations.md b/docs/operations.md index 9f45465..9353f9c 100644 --- a/docs/operations.md +++ b/docs/operations.md @@ -225,7 +225,10 @@ Before tagging a release: - Live smoke at least one coordinator-backed `crabbox run`, then verify `crabbox attach`, `crabbox events`, `crabbox logs`, and lease cleanup. - Push, pull, and wait for CI green on the release commit. -- Tag and push `vX.Y.Z`, then wait for the release workflow. +- Tag and push `vX.Y.Z`, then wait for the release workflow. The workflow + publishes GitHub release assets and directly pushes the generated + `Formula/crabbox.rb` update to `openclaw/homebrew-tap` with + `HOMEBREW_TAP_GITHUB_TOKEN`; missing tap access is a release failure. - Verify the GitHub release assets and Homebrew formula update. - `brew update`, install or upgrade `openclaw/tap/crabbox`, run `crabbox --version`, and run a short live smoke from the installed binary.