ci(release): semantic-release + GoReleaser pipeline

.github/workflows/ci.yml

@@ -0,0 +1,157 @@
+name: ci
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  verify:
+    # Concurrency is scoped to this job so superseded PR pushes cancel their
+    # own verify runs WITHOUT cancelling an in-flight `release` job that may
+    # already have created a tag/GitHub Release.
+    concurrency:
+      group: verify-${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+    if: ${{ github.event_name != 'push' || !contains(github.event.head_commit.message, '[skip ci]') }}
+    name: verify (fmt + lint + test + coverage)
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Read Go version from .tool-versions
+        id: go-version
+        shell: bash
+        run: |
+          set -euo pipefail
+          version=$(awk '$1 == "golang" { print $2; exit }' .tool-versions)
+          if [ -z "${version}" ]; then
+            echo "Failed to determine Go version from .tool-versions" >&2
+            exit 1
+          fi
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.go-version.outputs.version }}
+          cache: true
+          cache-dependency-path: |
+            **/go.sum
+
+      - name: Run verifier (fmt + lint + test + coverage gate)
+        run: go run ./cmd/verify
+
+  # Tag, release notes, GitHub Release, binaries, and Homebrew tap update
+  # all happen here on push to `main` after `verify` passes. Conventional
+  # Commits drive the version. No manual `scripts/release.sh` step.
+  release:
+    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && !contains(github.event.head_commit.message, '[skip ci]') }}
+    name: release
+    needs: [verify]
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    concurrency:
+      group: release-${{ github.repository }}-main
+      cancel-in-progress: false
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+      id-token: write
+      attestations: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: true
+
+      - name: Read Go version from .tool-versions
+        id: go-version
+        shell: bash
+        run: |
+          set -euo pipefail
+          version=$(awk '$1 == "golang" { print $2; exit }' .tool-versions)
+          if [ -z "${version}" ]; then
+            echo "Failed to determine Go version from .tool-versions" >&2
+            exit 1
+          fi
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.go-version.outputs.version }}
+          cache: true
+          cache-dependency-path: |
+            **/go.sum
+
+      # Decides next version from Conventional Commits, creates tag + GitHub
+      # Release with notes. Outputs `new_release_published` and
+      # `new_release_version` for downstream steps.
+      - name: Run semantic-release
+        id: release
+        uses: cycjimmy/semantic-release-action@v4
+        with:
+          extra_plugins: |
+            conventional-changelog-conventionalcommits@7
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GIT_AUTHOR_NAME: glitch418x
+          GIT_AUTHOR_EMAIL: 189487110+glitch418x@users.noreply.github.com
+          GIT_COMMITTER_NAME: glitch418x
+          GIT_COMMITTER_EMAIL: 189487110+glitch418x@users.noreply.github.com
+
+      # semantic-release creates the tag via the GitHub Release API; pull all
+      # tags so we can detect one at HEAD (whether just-created or already
+      # present from a previous partial-failure run).
+      - name: Fetch tags
+        run: git fetch --tags --force
+
+      # Gate GoReleaser on "is there a tag at HEAD?" rather than
+      # `steps.release.outputs.new_release_published`. Re-running the job
+      # after a partial failure (semantic-release succeeded, GoReleaser
+      # failed mid-flight, e.g. transient `TAP_GITHUB_TOKEN` outage) still
+      # publishes binaries to the existing GitHub Release because the tag
+      # is now there. Without this, the second run would short-circuit and
+      # leave the release without binaries.
+      - name: Detect tag at HEAD
+        id: tag
+        shell: bash
+        run: |
+          set -euo pipefail
+          if tag=$(git describe --exact-match --tags HEAD 2>/dev/null); then
+            echo "tag=${tag}" >> "$GITHUB_OUTPUT"
+            echo "present=true" >> "$GITHUB_OUTPUT"
+            echo "found tag at HEAD: ${tag}"
+          else
+            echo "present=false" >> "$GITHUB_OUTPUT"
+            echo "no tag at HEAD — skipping GoReleaser"
+          fi
+
+      - name: Run GoReleaser
+        if: steps.tag.outputs.present == 'true'
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAP_GITHUB_TOKEN: ${{ secrets.TAP_GITHUB_TOKEN }}
+          GORELEASER_CURRENT_TAG: ${{ steps.tag.outputs.tag }}
+
+      - name: Attest build provenance
+        if: steps.tag.outputs.present == 'true'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: "dist/healthd_*.tar.gz"

.gitignore

@@ -0,0 +1,2 @@
+/bin/
+/dist/

.goreleaser.yaml

@@ -0,0 +1,75 @@
+version: 2
+
+project_name: healthd
+
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - id: healthd
+    main: .
+    binary: healthd
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w
+      - -X github.com/uinaf/healthd/cmd.Version={{ .Version }}
+      - -X github.com/uinaf/healthd/cmd.Commit={{ .Commit }}
+      - -X github.com/uinaf/healthd/cmd.BuildDate={{ .Date }}
+    goos:
+      - darwin
+    goarch:
+      - arm64
+      - amd64
+
+archives:
+  # Match the existing artifact layout: healthd_v0.X.Y_darwin_arm64.tar.gz
+  # containing only the `healthd` binary. The leading `v` keeps the brew
+  # formula URL pattern stable across releases.
+  - id: healthd
+    name_template: "{{ .ProjectName }}_{{ .Tag }}_{{ .Os }}_{{ .Arch }}"
+    formats: [tar.gz]
+    # Match existing artifact layout: a tarball containing only the `healthd`
+    # binary. `none*` disables the README/LICENSE auto-include.
+    files:
+      - none*
+
+checksum:
+  name_template: "checksums.txt"
+  algorithm: sha256
+
+snapshot:
+  version_template: "{{ incpatch .Version }}-snapshot-{{ .ShortCommit }}"
+
+changelog:
+  # semantic-release owns release notes; goreleaser ships binaries only.
+  disable: true
+
+release:
+  github:
+    owner: uinaf
+    name: healthd
+  # semantic-release creates the release first; goreleaser uploads artifacts to it.
+  mode: append
+  prerelease: auto
+
+brews:
+  - name: healthd
+    repository:
+      owner: uinaf
+      name: homebrew-tap
+      branch: main
+      token: "{{ .Env.TAP_GITHUB_TOKEN }}"
+    directory: Formula
+    commit_author:
+      name: glitch418x
+      email: 189487110+glitch418x@users.noreply.github.com
+    commit_msg_template: "healthd: bump to {{ .Tag }}"
+    homepage: "https://github.com/uinaf/healthd"
+    description: "Pluggable local host health-check daemon"
+    license: "MIT"
+    test: |
+      assert_match "healthd", shell_output("#{bin}/healthd --help")