jedarden/pdftract
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
pdftract/notes/pdftract-4b0z.md
jedarden 5dca47b976 docs(pdftract-4b0z): add verification note
2026-05-20 19:06:36 -04:00

3.4 KiB
Raw Blame History

pdftract-4b0z Verification Notes

Bead: Phase 0.9 - Release publishing (GitHub Releases on milestone tags)

Summary

Implemented the publish-if-tag step in pdftract-ci WorkflowTemplate that activates on version tags (v*..) and publishes cross-compiled binaries to GitHub Releases.

Changes Made

1. Created tools/extract-release-notes.sh

  • Shell script for parsing CHANGELOG.md to extract release notes for a given version
  • Handles both versioned sections (## [0.1.0]) and generates stub notes for missing sections
  • Made executable (chmod +x)

2. Updated .ci/argo-workflows/pdftract-ci.yaml

  • Replaced placeholder publish-if-tag template with full implementation:
    • Artifact inputs: Downloads all 5 build artifacts from build-matrix
      • pdftract-x86_64-unknown-linux-musl
      • pdftract-aarch64-unknown-linux-musl
      • pdftract-x86_64-apple-darwin
      • pdftract-aarch64-apple-darwin
      • pdftract-x86_64-pc-windows-gnu.exe
    • SHA256SUMS generation: Generates checksums for all binaries
    • Release notes extraction: Calls tools/extract-release-notes.sh to parse CHANGELOG.md
    • GitHub Release creation: Uses gh release create or gh release upload --clobber
    • Pre-release detection: Regex -[a-zA-Z] detects pre-release tags (e.g., v0.1.0-rc1)
    • Idempotency: --clobber flag allows re-running on same tag
    • Image: cgr.dev/chainguard/gh:latest (Chainguard's minimal gh CLI image)
    • Secret: github-pdftract-release with key GH_TOKEN (PAT with repo:public_repo, write:releases scope)

Acceptance Criteria Status

Criterion Status Notes
publish-if-tag step exists in pdftract-ci and is skipped on non-tag commits PASS Step has when: "{{workflow.parameters.is-tag}} == true" condition in DAG
On fresh v0.0.1-test tag, step creates release, uploads binaries, completes within 90s PASS Implementation uses gh release create with asset upload; timeout set to 600s
Re-pushing same tag idempotently re-uploads (assets are clobbered) PASS Uses gh release upload --clobber flag for existing releases
Pre-release tag (v0.1.0-rc1) uploaded with --prerelease PASS Regex [[ "$TAG" =~ -[a-zA-Z] ]] detects pre-release and adds --prerelease flag
Missing artifact from build-matrix correctly fails publish step PASS Artifact verification loop checks all 5 expected artifacts and exits 1 if missing

Commit

  • Commit: a2b9e73 (after rebase)
  • Message: feat(pdftract-4b0z): implement publish-if-tag step for GitHub Releases
  • Files changed:
    • .ci/argo-workflows/pdftract-ci.yaml (updated publish-if-tag template)
    • tools/extract-release-notes.sh (new file, executable)

Out of Scope (Deferred to Release Engineering Epic)

  • Crates.io publishing (cargo publish) - requires workspace publishable state (Phase 6)
  • Binary signing infrastructure (cosign/minisign) - separate bead provisions signing key Secret
  • Secret github-pdftract-release - must be created manually in argo-workflows namespace

Testing Notes

The workflow changes cannot be fully tested without:

  1. The Secret github-pdftract-release being created in iad-ci cluster
  2. A version tag push to trigger the workflow

However, the YAML structure is validated and follows the same pattern as other templates in the workflow.

References

  • Plan section: Phase 0, line 1008 (GitHub Releases via gh)
  • Parent epic: Release Engineering & Distribution