sandbox-agent/.github/workflows/release.yaml

name: release

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version (e.g. 0.1.0 or v0.1.0)"
        required: true
        type: string
      latest:
        description: "Latest"
        required: true
        type: boolean
        default: true

defaults:
  run:
    # Enable fail-fast behavior
    shell: bash -e {0}

env:
  # Disable incremental compilation for faster from-scratch builds
  CARGO_INCREMENTAL: 0

jobs:
  setup:
    name: "Setup"
    runs-on: ubuntu-24.04
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: dtolnay/rust-toolchain@stable

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Setup
        env:
          R2_RELEASES_ACCESS_KEY_ID: ${{ secrets.R2_RELEASES_ACCESS_KEY_ID }}
          R2_RELEASES_SECRET_ACCESS_KEY: ${{ secrets.R2_RELEASES_SECRET_ACCESS_KEY }}
        run: |
          # Install dependencies
          pnpm install

          # Install tsx globally
          npm install -g tsx

          # Build command based on inputs
          CMD="./scripts/release/main.ts --version \"${{ github.event.inputs.version }}\" --phase setup-ci"

          if [ "${{ inputs.latest }}" != "true" ]; then
            CMD="$CMD --no-latest"
          fi

          eval "$CMD"

  binaries:
    name: "Build & Upload Binaries"
    needs: [setup]
    strategy:
      matrix:
        include:
          - platform: linux
            target: x86_64-unknown-linux-musl
            binary_ext: ""
            arch: x86_64
          - platform: windows
            target: x86_64-pc-windows-gnu
            binary_ext: ".exe"
            arch: x86_64
          - platform: macos
            target: x86_64-apple-darwin
            binary_ext: ""
            arch: x86_64
          - platform: macos
            target: aarch64-apple-darwin
            binary_ext: ""
            arch: aarch64
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Build inspector frontend
        run: |
          pnpm install
          SANDBOX_AGENT_SKIP_INSPECTOR=1 pnpm --filter @sandbox-agent/inspector build

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build binary
        run: |
          docker/release/build.sh ${{ matrix.target }}
          ls -la dist/

      - name: Upload to R2
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.R2_RELEASES_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_RELEASES_SECRET_ACCESS_KEY }}
        run: |
          # Install AWS CLI
          sudo apt-get update
          sudo apt-get install -y unzip curl

          curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
          unzip awscliv2.zip
          sudo ./aws/install --update

          COMMIT_SHA_SHORT="${GITHUB_SHA::7}"
          BINARY_PATH="dist/sandbox-agent-${{ matrix.target }}${{ matrix.binary_ext }}"

          # Upload to commit directory for later promotion
          aws s3 cp \
            "${BINARY_PATH}" \
            "s3://rivet-releases/sandbox-agent/${COMMIT_SHA_SHORT}/binaries/sandbox-agent-${{ matrix.target }}${{ matrix.binary_ext }}" \
            --region auto \
            --endpoint-url https://2a94c6a0ced8d35ea63cddc86c2681e7.r2.cloudflarestorage.com \
            --checksum-algorithm CRC32

  complete:
    name: "Complete"
    needs: [setup, binaries]
    if: ${{ always() && !cancelled() && needs.setup.result == 'success' && needs.binaries.result == 'success' }}
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: dtolnay/rust-toolchain@stable

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: "https://registry.npmjs.org"
          cache: pnpm

      - name: Complete
        env:
          # https://cli.github.com/manual/gh_help_environment
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          R2_RELEASES_ACCESS_KEY_ID: ${{ secrets.R2_RELEASES_ACCESS_KEY_ID }}
          R2_RELEASES_SECRET_ACCESS_KEY: ${{ secrets.R2_RELEASES_SECRET_ACCESS_KEY }}
        run: |
          # Authenticate with NPM
          cat << EOF > ~/.npmrc
          //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}
          EOF

          # Install dependencies
          pnpm install

          # Install tsx globally
          npm install -g tsx

          # Build command based on inputs
          CMD="./scripts/release/main.ts --version \"${{ github.event.inputs.version }}\" --phase complete-ci --no-validate-git"

          if [ "${{ inputs.latest }}" != "true" ]; then
            CMD="$CMD --no-latest"
          fi

          eval "$CMD"