ci: unified CI and release workflows with reusable build pipelines #723
Open
cdecker wants to merge 3 commits into
Replace the per-language standalone CI workflows (kotlin.yml, python.yml, typescript.yml, rust-unit.yml, check-formatting.yml) with a single ci.yml orchestrator that delegates to reusable build-*.yml workflows.

Replace the per-crate tag-triggered release.yml with a unified Release Orchestrator that:
- Validates version numbers and changelogs
- Publishes Rust crates in topological order (gl-client -> gl-sdk -> gl-sdk-cli) with crates.io index polling between steps
- Builds all bindings in parallel (Swift, Kotlin, N-API, Python)
- Publishes to npm, PyPI, Swift SPM, and creates GitHub Releases
- Uses trusted publishing (OIDC) for crates.io -- no API token needed
- Supports dry-run mode with cargo publish --dry-run and npm --dry-run

New reusable build workflows:
- build-rust.yml: workspace build + test
- build-swift.yml: iOS XCFramework + Swift sources
- build-kotlin.yml: Android NDK + KMP bindings
- build-napi.yml: Node.js native bindings (5 targets)
- build-python.yml: Python wheels (6 targets + sdist)

Also adds license and repository metadata to gl-sdk-cli Cargo.toml (required for crates.io publishing).
Iterate on the CI orchestrator and reusable build workflows to reliably test against prebuilt artifacts without rebuilding from source. Key changes:

Workflow infrastructure:
- Add build-test-binaries.yml for gl-plugin and gl-signerproxy artifacts
- Install cfssl from prebuilt release binaries instead of Go toolchain
- Modernize all third-party actions to 2026 versions (v6/v7/v8)
- Add protoc repo-token to avoid GitHub API rate limiting
- Fix macOS builds: native hosts (macos-13/macos-14) for architecture match
- Fix Windows: set Python architecture for x86 builds
- Fix Linux: chown maturin Docker output to restore user permissions
- Per-architecture rust-cache namespaces to avoid target collisions

Python wheel testing (python-test job):
- Install gl-testing with --no-deps to avoid uv workspace source resolution rebuilding gl-client from source via maturin
- Install remaining deps explicitly, excluding workspace packages
- Use uv run --no-sync to prevent workspace re-resolution
- Use uv venv --clear (clnvm creates a .venv first)
- Add bitcoind, cfssl, lightningd (clnvm) for integration test fixtures
- Set CARGO_TARGET_DIR so gl-testing finds downloaded test binaries

N-API testing (napi-test job):
- Use absolute workspace paths for pip install (working-directory offset)
- Install gl-sdk wheel alongside gl-client
- Spawn gltestserver with uv run --no-sync (not uv run --package)
- Download prebuilt test binaries instead of compiling Rust locally
- Set CARGO_TARGET_DIR for gl-testing binary discovery

gl-sdk wheel packaging:
- Force-include glsdk/glsdk.py in hatchling build hook (gitignored by default, so the UniFFI Python bindings were missing from the wheel)
- Retag wheel from py3-none-any to correct platform tag since it contains native libglsdk.so/.dylib/.dll

Also includes cargo fmt and Cargo.toml dependency consolidation from the parent branch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
b0b2e4a to 573370c
The nobody_id and root_id test fixtures set GL_NOBODY_CRT, GL_NOBODY_KEY, and GL_CA_CRT env vars but never cleaned them up on teardown. When later tests called Credentials.load(b""), the Rust Device::default() found the stale env vars pointing to deleted temp files, load_file_or_default failed, and .expect() panicked. With panic=abort in the release profile, UniFFI's catch_unwind couldn't intercept it, killing the process with SIGABRT (exit 134).

Three fixes:
- Remove panic=abort from [profile.release] so UniFFI can catch panics
- Fall back to compiled-in defaults when env var file reads fail
- Clean up cert env vars in fixture teardown

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
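The second fix listed in the commit message above (fall back to compiled-in defaults when the env var file read fails), sketched as an added example that is not the project's code. Only the `load_file_or_default` name and `GL_NOBODY_CRT` come from the page; `resolve`, `Source`, the signatures and the placeholder default are assumptions. It returns where the bytes came from, so a caller can log or refuse a silent fallback to the default identity.

```rust
use std::{env, fs, io, path::PathBuf};

// Constructed placeholder; the project's real compiled-in certificate is not on this page.
pub const DEFAULT_NOBODY_CRT: &[u8] = b"constructed placeholder for the compiled-in cert";

/// Where the returned bytes came from, so a caller can log or refuse a fallback.
#[derive(Debug, PartialEq)]
pub enum Source {
    OverrideFile(PathBuf),
    DefaultNoOverride,
    DefaultAfterReadError(PathBuf, io::ErrorKind),
}

/// Core logic, kept free of process-global state so tests need not mutate env vars.
pub fn resolve(path: Option<PathBuf>, default: &[u8]) -> (Vec<u8>, Source) {
    match path {
        None => (default.to_vec(), Source::DefaultNoOverride),
        Some(p) => match fs::read(&p) {
            Ok(bytes) => (bytes, Source::OverrideFile(p)),
            // A stale or unreadable override is reported instead of hitting .expect().
            Err(e) => (default.to_vec(), Source::DefaultAfterReadError(p, e.kind())),
        },
    }
}

/// Hypothetical shape for `load_file_or_default`: read the path named by `var`, else default.
pub fn load_file_or_default(var: &str, default: &[u8]) -> (Vec<u8>, Source) {
    resolve(env::var_os(var).map(PathBuf::from), default)
}

/// Replays the fixture lifecycle: file present, file deleted on teardown, override cleared.
pub fn fixture_lifecycle() -> [Source; 3] {
    let p = env::temp_dir().join(format!("gl-nobody-{}.crt", std::process::id()));
    fs::write(&p, b"fixture cert").expect("temp dir is writable");
    let live = resolve(Some(p.clone()), DEFAULT_NOBODY_CRT).1;
    fs::remove_file(&p).expect("fixture file exists");
    let stale = resolve(Some(p), DEFAULT_NOBODY_CRT).1; // models env var still set, file gone
    let cleared = resolve(None, DEFAULT_NOBODY_CRT).1; // models env var removed in teardown
    [live, stale, cleared]
}

fn main() {
    for source in fixture_lifecycle() {
        println!("{:?}", source);
    }
    println!("{:?}", load_file_or_default("GL_NOBODY_CRT", DEFAULT_NOBODY_CRT).1);
}
```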
Summary
Replaces the per-language standalone CI workflows and the per-crate tag-triggered release workflow with a unified architecture built on reusable build workflows.
Architecture
graph TD
    subgraph "Reusable Build Workflows"
        BR[build-rust.yml]
        BK[build-kotlin.yml]
        BN[build-napi.yml]
        BP[build-python.yml]
        BS[build-swift.yml]
    end
    subgraph "Orchestrators"
        CI[ci.yml]
        REL[release.yml]
    end
    CI --> BR
    CI --> BK
    CI --> BN
    CI --> BP
    REL --> BS
    REL --> BK
    REL --> BN
    REL --> BP

Changes
Deleted (replaced by ci.yml): kotlin.yml, python.yml, typescript.yml, rust-unit.yml, check-formatting.yml

New reusable build workflows (workflow_call only):
- build-rust.yml — workspace build + test
- build-swift.yml — iOS XCFramework + Swift sources
- build-kotlin.yml — Android NDK + KMP bindings
- build-napi.yml — Node.js native bindings (5 targets)
- build-python.yml — Python wheels (6 targets + sdist)

New ci.yml — CI orchestrator for PRs/pushes. Calls the build workflows and runs N-API integration tests + Python install smoke test + formatting check.

Replaced release.yml — Release orchestrator (manual dispatch):
- Cargo.toml + changelog entries exist
- gl-client -> gl-sdk -> gl-sdk-cli) with crates.io index polling between steps
- cargo publish --dry-run, npm publish --dry-run, builds all bindings, but skips real publishing/tagging

Other:
- license and repository to gl-sdk-cli/Cargo.toml (required for crates.io)

Testing
After merge, run the Release Orchestrator with dry_run=true to validate everything end-to-end without publishing.