File size: 6,976 Bytes
6a7089a | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 | # Release Process
**β οΈ CRITICAL:** The npm package depends on Go binaries being in the GitHub release. The release pipeline will fail hard if goreleaser doesn't upload binaries β npm users won't get a working binary.
Pinchtab uses an automated CI/CD pipeline triggered by Git tags. When you push a tag like `v0.7.0`, GitHub Actions:
1. **Builds Go binaries** β darwin-arm64, darwin-x64, linux-x64, linux-arm64, windows-x64
2. **Creates GitHub release** β with checksums.txt for integrity verification
3. **Publishes to npm** β TypeScript SDK with auto-download postinstall script
4. **Builds Docker images** β linux/amd64, linux/arm64
## Prerequisites
### Secrets (configure once in GitHub)
Go to **Settings β Secrets and variables β Actions** and add:
- **NPM_TOKEN** β npm authentication token
- Create at https://npmjs.com/settings/~/tokens
- Scope: `automation` (publish + read)
- **DOCKERHUB_USER** β Docker Hub username (if using Docker Hub)
- **DOCKERHUB_TOKEN** β Docker Hub personal access token
### Local setup
```bash
# 1. Ensure main branch is up to date
git checkout main && git pull origin main
# 2. Merge feature branches
# (all features should be on main before tagging)
# 3. Verify version consistency
cat package.json | jq .version # npm package
cat go.mod | grep "module" # Go module
git describe --tags # latest tag
```
## Pre-Release Checklist
Goreleaser is already configured correctly. Verify before tagging:
```bash
# 1. Check builds section (compiles for all platforms)
grep -A 8 "^builds:" .goreleaser.yml
# Should output: linux/darwin/windows + amd64/arm64
# 2. Check archives use binary format (required for npm)
grep -A 5 "^archives:" .goreleaser.yml
# Should show: format: binary (not tar/zip)
# 3. Verify checksums enabled
grep "checksum:" .goreleaser.yml
# Should output: name_template: checksums.txt
# 4. Check release config
grep -A 2 "^release:" .goreleaser.yml
# Should output: GitHub owner/repo
```
**Configuration status:**
- β
`builds:` section compiles all platforms (darwin-arm64, darwin-amd64, linux-arm64, linux-amd64, windows-amd64, windows-arm64)
- β
`archives:` outputs binaries directly: `pinchtab-darwin-arm64`, `pinchtab-linux-x64`, etc.
- β
`checksum:` generates `checksums.txt` (used by npm postinstall verification)
- β
`release:` points to GitHub (uploads everything automatically)
**Ready to release.** Just tag and push.
## Releasing
### For patch/minor versions (recommended)
```bash
# 1. Bump version in all places
npm version patch # or minor, major
git push origin main
# 2. Create tag
git tag v0.7.1
git push origin v0.7.1
```
### For manual releases
```bash
# 1. Tag directly
git tag -a v0.7.1 -m "Release v0.7.1"
git push origin v0.7.1
# 2. Or via GitHub UI: Releases β Create from tag
# (workflow will auto-create if not present)
```
### Using workflow_dispatch (manual trigger)
If you need to re-release an existing tag:
1. Go to **Actions β Release**
2. **Run workflow**
3. Enter tag (e.g. `v0.7.1`)
For a no-side-effects dry run from `main` or any other ref:
1. Go to **Actions β Release**
2. **Run workflow**
3. Leave `tag` empty
4. Set `ref` to the branch, tag, or commit you want to test
5. Set `dry_run` to `true`
Dry-run behavior:
- GoReleaser runs in snapshot mode, so artifacts are built but not published
- npm runs `npm publish --dry-run`
- Docker runs a multi-arch `buildx` build with `push=false`
- ClawHub skill publishing is not part of this workflow and is therefore skipped
## Pipeline details
### 1. Goreleaser (Go binary) β CRITICAL for npm
Triggered on `v*` tag push. Builds binaries and creates GitHub release.
**What it does:**
- β
Compiles for all platforms (darwin-arm64, darwin-x64, linux-x64, linux-arm64, windows-x64)
- β
Generates `checksums.txt` (SHA256)
- β
**Uploads binaries to GitHub Releases** β Required by npm postinstall!
- Also: Docker images, changelog, etc.
**β οΈ CRITICAL:** npm postinstall script downloads binaries from GitHub Releases. If the release doesn't have the binaries (e.g., only Docker images), `npm install pinchtab` will fail silently and the binary won't be available.
**Configured in:** `.goreleaser.yml`
**Verify release has binaries:**
```bash
curl -s https://api.github.com/repos/pinchtab/pinchtab/releases/v0.7.0 | jq '.assets[].name'
# Should output: pinchtab-darwin-arm64, pinchtab-darwin-x64, etc.
```
### 2. npm publish
Depends on: `release` job (waits for goreleaser to finish)
**What it does:**
- Syncs version from tag (v0.7.0 β 0.7.0)
- Builds TypeScript (`npm run build`)
- Publishes to npm registry
- Users get postinstall script that downloads binaries from GitHub Releases
**User flow on `npm install pinchtab`:**
```
1. npm downloads @pinchtab/cli package
2. Runs postinstall script
3. Script detects OS/arch (darwin-arm64, linux-x64, etc.)
4. Downloads binary from GitHub release
5. Verifies SHA256 checksum
6. Stores in ~/.pinchtab/bin/0.7.0/pinchtab-<os>-<arch>
7. Makes executable
8. If ANY STEP fails β npm install fails (exit 1)
```
**β οΈ REQUIRES:** Goreleaser must have successfully uploaded binaries to GitHub release. The npm postinstall will verify this and fail hard if binaries are missing.
### 3. Docker
GitHub Actions builds the release image directly from the tagged source with `docker buildx`.
The workflow pushes the same multi-arch build to both GHCR and Docker Hub, so Docker no longer depends on GoReleaser's temporary build context.
### 4. ClawHub skill
The main `Release` workflow publishes the Pinchtab skill to ClawHub only after both npm and Docker complete successfully.
The standalone `Publish Skill` workflow is manual-only and is intended for retries or one-off recovery publishes.
## Troubleshooting
### npm publish fails (403)
- Check **NPM_TOKEN** is set in secrets
- Verify token has `automation` scope
- Check you're not already published (can't overwrite existing version)
### Binary checksum mismatch
- goreleaser must generate `checksums.txt`
- Verify `.goreleaser.yml` has `checksum:` section
- Check GitHub release includes `checksums.txt`
### Docker push fails
- Verify DOCKERHUB_USER and DOCKERHUB_TOKEN
- Check token has permission to push
## Rolling back
If something goes wrong:
```bash
# Delete the tag locally and on GitHub
git tag -d v0.7.1
git push origin :refs/tags/v0.7.1
# Delete npm version (requires owner permission)
npm unpublish pinchtab@0.7.1
# Revert any commits
git revert <commit>
git push origin main
# Retag when ready
git tag v0.7.1
git push origin v0.7.1
```
## Version strategy
- Use **semantic versioning**: v0.7.0 (major.minor.patch)
- Tag on main branch only
- One tag = one release (all artifacts)
- npm version must match Go binary tag
## See also
- `.github/workflows/release.yml` β GitHub Actions workflow
- `.goreleaser.yml` β Go binary release config
- `npm/package.json` β npm package metadata
|