From 5d1f36b7616a98de7b31b776971df8a07ffcc0f8 Mon Sep 17 00:00:00 2001 From: Emin Date: Wed, 22 Apr 2026 09:43:12 +0800 Subject: [PATCH 1/9] feat(ci): add release and auto-tag workflows - auto-tag.yml: auto-create version tag on pyproject.toml changes - release.yml: build wheel in manylinux container + create GitHub Release Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/auto-tag.yml | 52 +++++++++++ .github/workflows/release.yml | 154 +++++++++++++++++++++++++++++++++ 2 files changed, 206 insertions(+) create mode 100644 .github/workflows/auto-tag.yml create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml new file mode 100644 index 0000000..e0482f9 --- /dev/null +++ b/.github/workflows/auto-tag.yml 
@@ -0,0 +1,52 @@
+name: Auto Tag
+
+on:
+ push:
+ branches: [main]
+ paths: [pyproject.toml]
+
+permissions:
+ contents: write
+
+jobs:
+ auto-tag:
+ name: Create version tag
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Read version from pyproject.toml
+ id: version
+ run: |
+ VERSION=$(python3 -c "
+ import re, pathlib
+ text = pathlib.Path('pyproject.toml').read_text()
+ m = re.search(r'^version\s*=\s*\"([^\"]+)\"', text, re.MULTILINE)
+ print(m.group(1) if m else '')
+ ")
+ echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+ echo "tag=v$VERSION" >> "$GITHUB_OUTPUT"
+ echo "Detected version: $VERSION"
+
+ - name: Check if tag exists
+ id: check
+ run: |
+ if git ls-remote --tags origin "refs/tags/${{ steps.version.outputs.tag }}" | grep -q .; then
+ echo "exists=true" >> "$GITHUB_OUTPUT"
+ echo "Tag ${{ steps.version.outputs.tag }} already exists, skipping."
+ else
+ echo "exists=false" >> "$GITHUB_OUTPUT"
+ echo "Tag ${{ steps.version.outputs.tag }} does not exist, will create."
+ fi
+
+ - name: Create and push tag
+ if: steps.check.outputs.exists == 'false' && steps.version.outputs.version != ''
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ git tag "${{ steps.version.outputs.tag }}"
+ git push origin "${{ steps.version.outputs.tag }}"
+ echo "Created and pushed tag: ${{ steps.version.outputs.tag }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..07ec153
--- /dev/null
+++ b/.github/workflows/release.yml
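Review bot: In auto-tag.yml the `run:` scripts of "Check if tag exists" and "Create and push tag" splice `${{ steps.version.outputs.tag }}` straight into the shell text, so the version string read from pyproject.toml (the regex accepts anything except a double quote) is expanded before bash parses the script and can alter the commands that run under `contents: write`. Pass the value through the step environment instead, `env:` / `TAG: ${{ steps.version.outputs.tag }}`, and refer to `"$TAG"` in the script; rejecting versions that do not match an expected pattern in the "Read version" step would tighten this further. The same pattern appears with `github.event.inputs.tag_name` in release.yml ("Verify version consistency", "Determine tag version") and later with `inputs.expected_tag` in .github/actions/check-version/action.yml. Separately, a tag pushed with the default `GITHUB_TOKEN` does not start `push`-triggered workflows, so this job will probably not kick off release.yml by itself.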
@@ -0,0 +1,154 @@ +name: Release + +on: + push: + tags: ['v*'] + workflow_dispatch: + inputs: + tag_name: + description: 'Tag to release (e.g., v0.1.0)' + required: true + +permissions: + contents: write + +jobs: + check-version: + name: Check Version Consistency + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.inputs.tag_name || github.ref }} + + - name: Verify version consistency + run: | + PY_VER=$(python3 -c " + import re, pathlib + text = pathlib.Path('pyproject.toml').read_text() + m = re.search(r'^version\s*=\s*\"([^\"]+)\"', text, re.MULTILINE) + print(m.group(1) if m else '') + ") + INIT_VER=$(python3 -c " + import re, pathlib, sys + sys.path.insert(0, '.') + import importlib.util + spec = importlib.util.spec_from_file_location('chipcompiler', 'chipcompiler/__init__.py') + mod = importlib.util.module_from_spec(spec) + spec.loader.exec_module(mod) + print(mod.__version__) + ") + echo "pyproject.toml version: $PY_VER" + echo "chipcompiler/__version__: $INIT_VER" + [[ "$PY_VER" == "$INIT_VER" ]] || { + echo "ERROR: version mismatch. pyproject.toml='$PY_VER' chipcompiler/__version__='$INIT_VER'" + exit 1 + } + # Verify tag matches version + FULL_TAG="${{ github.event.inputs.tag_name || github.ref_name }}" + EXPECTED_TAG="v$PY_VER" + [[ "$FULL_TAG" == "$EXPECTED_TAG" ]] || { + echo "ERROR: tag mismatch. 
tag='$FULL_TAG' expected='$EXPECTED_TAG'" + exit 1 + } + echo "Version check passed: $PY_VER" + + build: + name: Build Wheel + needs: check-version + runs-on: ubuntu-latest + container: quay.io/pypa/manylinux_2_34_x86_64 + steps: + - name: Install git + run: dnf install -y git + + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.inputs.tag_name || github.ref }} + submodules: recursive + fetch-depth: 0 + + - name: Setup Bazel + shell: bash + run: | + curl -fsSL https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-amd64 \ + -o /usr/local/bin/bazel + chmod +x /usr/local/bin/bazel + + - name: Setup uv + uses: astral-sh/setup-uv@v5 + with: + version: latest + enable-cache: true + + - name: Build wheel + run: bazel run //:build_wheel + + - name: Upload wheel artifact + uses: actions/upload-artifact@v4 + with: + name: ecc-wheel + path: | + dist/wheel/repaired/*.whl + dist/wheel/SHA256SUMS + + release: + name: Create Release + needs: build + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.inputs.tag_name || github.ref }} + fetch-depth: 0 + + - name: Download wheel artifact + uses: actions/download-artifact@v4 + with: + name: ecc-wheel + path: dist/wheel + + - name: Determine tag version + id: version + run: | + if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then + FULL_TAG="${{ github.event.inputs.tag_name }}" + TAG_VERSION="${FULL_TAG#v}" + else + FULL_TAG="${GITHUB_REF_NAME}" + TAG_VERSION="${GITHUB_REF_NAME#v}" + fi + echo "version=$TAG_VERSION" >> "$GITHUB_OUTPUT" + echo "full_tag=$FULL_TAG" >> "$GITHUB_OUTPUT" + + - name: Generate release notes + id: notes + run: | + PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "") + { + if [[ -n "$PREV_TAG" ]]; then + echo "## Changes" + echo "" + git log --oneline --no-merges "${PREV_TAG}..HEAD" | sed 's/^/- /' + echo "" + fi + echo "## Checksums" + echo "" + echo '```' + cat 
dist/wheel/SHA256SUMS + echo '```' + } > release-notes.md + cat release-notes.md + + - name: Create GitHub Release + env: + GH_TOKEN: ${{ github.token }} + run: | + gh release create "${{ steps.version.outputs.full_tag }}" \ + --title "ecc ${{ steps.version.outputs.full_tag }}" \ + --notes-file release-notes.md \ + dist/wheel/repaired/*.whl \ + dist/wheel/SHA256SUMS From b25c95b9620a5188790421975b43744ecf96cafb Mon Sep 17 00:00:00 2001 From: Emin Date: Wed, 22 Apr 2026 10:05:30 +0800 Subject: [PATCH 2/9] feat(ci): add path filters to CI workflow Only trigger CI on PRs when code/build-related files change. Push to main always triggers (changes are already reviewed). Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b3c2736..8072dbb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,9 +3,16 @@ name: CI on: workflow_dispatch: push: - branches: - - main + branches: [main] pull_request: + paths: + - 'chipcompiler/**' + - 'test/**' + - 'pyproject.toml' + - 'BUILD.bazel' + - 'bazel/**' + - 'MODULE.bazel' + - '.github/workflows/ci.yml' concurrency: group: ci-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} From 076341565338bea5fea15ff952c5602e21bc762e Mon Sep 17 00:00:00 2001 From: Emin Date: Wed, 22 Apr 2026 10:08:41 +0800 Subject: [PATCH 3/9] feat(ci): add version consistency check to CI Check pyproject.toml version matches chipcompiler/__version__ before running the full CI build, catching version drift early. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8072dbb..1c8e185 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
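Review bot: release.yml sets `permissions:` / `contents: write` at workflow level, so the `check-version` and `build` jobs receive a write-capable token although only the `release` job calls `gh release create`. The `build` job runs `bazel run //:build_wheel` inside `quay.io/pypa/manylinux_2_34_x86_64`, referenced without a tag or digest, and installs uv with `version: latest`, which makes it the part of the pipeline least suited to holding write access. Set the workflow default to `permissions:` / `contents: read` and add `permissions:` / `contents: write` on the `release` job only. Pinning the container image by digest would further narrow what the build has to trust.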
@@ -27,8 +27,40 @@ env: ECC_TOOLS_WHEEL_URL: https://github.com/openecos-projects/ecc-tools/releases/download/v0.1.0-alpha.1/ecc_tools-0.1.0a1-py3-none-manylinux_2_34_x86_64.whl jobs: + check-version: + name: Check Version Consistency + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Verify pyproject.toml matches chipcompiler/__version__ + run: | + PY_VER=$(python3 -c " + import re, pathlib + text = pathlib.Path('pyproject.toml').read_text() + m = re.search(r'^version\s*=\s*\"([^\"]+)\"', text, re.MULTILINE) + print(m.group(1) if m else '') + ") + INIT_VER=$(python3 -c " + import sys, importlib.util + sys.path.insert(0, '.') + spec = importlib.util.spec_from_file_location('chipcompiler', 'chipcompiler/__init__.py') + mod = importlib.util.module_from_spec(spec) + spec.loader.exec_module(mod) + print(mod.__version__) + ") + echo "pyproject.toml version: $PY_VER" + echo "chipcompiler/__version__: $INIT_VER" + [[ "$PY_VER" == "$INIT_VER" ]] || { + echo "ERROR: version mismatch. pyproject.toml='$PY_VER' chipcompiler/__version__='$INIT_VER'" + exit 1 + } + echo "Version check passed: $PY_VER" + ci: name: Checks And Build + needs: check-version runs-on: ubuntu-latest steps: - name: Checkout From 7535b28774d2e0f5da62c76e1c7e80611efc0b34 Mon Sep 17 00:00:00 2001 From: Emin Date: Wed, 22 Apr 2026 10:13:49 +0800 Subject: [PATCH 4/9] refactor(ci): extract check-version into reusable action Move duplicated version consistency check into a composite action (.github/actions/check-version) used by both CI and release workflows. Supports optional tag validation via expected_tag input. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/actions/check-version/action.yml | 46 ++++++++++++++++++++++++ .github/workflows/ci.yml | 25 ++----------- .github/workflows/release.yml | 35 +++--------------- 3 files changed, 52 insertions(+), 54 deletions(-) create mode 100644 .github/actions/check-version/action.yml 
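Review bot: The `INIT_VER` step of the new `check-version` job loads `chipcompiler/__init__.py` with `spec.loader.exec_module(mod)`, which runs the package's top-level code just to read one string; it will break as soon as `__init__.py` imports something that is not installed on the runner, and it executes pull-request code in a job whose only purpose is a text comparison. Reading the file and matching it, as the `PY_VER` branch already does, avoids both: `m = re.search(r'^__version__\s*=\s*\"([^\"]+)\"', pathlib.Path('chipcompiler/__init__.py').read_text(), re.MULTILINE)`. The same loader code is in release.yml's check-version job, where the job token has `contents: write`, and it is carried over into .github/actions/check-version/action.yml.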
diff --git a/.github/actions/check-version/action.yml b/.github/actions/check-version/action.yml
new file mode 100644
index 0000000..4445a96
--- /dev/null
+++ b/.github/actions/check-version/action.yml
@@ -0,0 +1,46 @@
+name: Check ECC Version Consistency
+description: Verify pyproject.toml version matches chipcompiler/__version__. Optionally verify a tag matches the version.
+
+inputs:
+ expected_tag:
+ description: 'Expected tag (e.g., v0.1.0). If provided, also verify the tag matches the version.'
+ required: false
+ default: ''
+
+runs:
+ using: composite
+ steps:
+ - name: Verify version consistency
+ shell: bash
+ run: |
+ PY_VER=$(python3 -c "
+ import re, pathlib
+ text = pathlib.Path('pyproject.toml').read_text()
+ m = re.search(r'^version\s*=\s*\"([^\"]+)\"', text, re.MULTILINE)
+ print(m.group(1) if m else '')
+ ")
+ INIT_VER=$(python3 -c "
+ import sys, importlib.util
+ sys.path.insert(0, '.')
+ spec = importlib.util.spec_from_file_location('chipcompiler', 'chipcompiler/__init__.py')
+ mod = importlib.util.module_from_spec(spec)
+ spec.loader.exec_module(mod)
+ print(mod.__version__)
+ ")
+ echo "pyproject.toml version: $PY_VER"
+ echo "chipcompiler/__version__: $INIT_VER"
+ [[ "$PY_VER" == "$INIT_VER" ]] || {
+ echo "ERROR: version mismatch. pyproject.toml='$PY_VER' chipcompiler/__version__='$INIT_VER'"
+ exit 1
+ }
+
+ EXPECTED_TAG="${{ inputs.expected_tag }}"
+ if [[ -n "$EXPECTED_TAG" ]]; then
+ EXPECTED="v$PY_VER"
+ [[ "$EXPECTED_TAG" == "$EXPECTED" ]] || {
+ echo "ERROR: tag mismatch. tag='$EXPECTED_TAG' expected='$EXPECTED'"
+ exit 1
+ }
+ fi
+
+ echo "Version check passed: $PY_VER"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1c8e185..8d1cfb2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,29 +34,8 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Verify pyproject.toml matches chipcompiler/__version__ - run: | - PY_VER=$(python3 -c " - import re, pathlib - text = pathlib.Path('pyproject.toml').read_text() - m = re.search(r'^version\s*=\s*\"([^\"]+)\"', text, re.MULTILINE) - print(m.group(1) if m else '') - ") - INIT_VER=$(python3 -c " - import sys, importlib.util - sys.path.insert(0, '.') - spec = importlib.util.spec_from_file_location('chipcompiler', 'chipcompiler/__init__.py') - mod = importlib.util.module_from_spec(spec) - spec.loader.exec_module(mod) - print(mod.__version__) - ") - echo "pyproject.toml version: $PY_VER" - echo "chipcompiler/__version__: $INIT_VER" - [[ "$PY_VER" == "$INIT_VER" ]] || { - echo "ERROR: version mismatch. pyproject.toml='$PY_VER' chipcompiler/__version__='$INIT_VER'" - exit 1 - } - echo "Version check passed: $PY_VER" + - name: Check version + uses: ./.github/actions/check-version ci: name: Checks And Build diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 07ec153..25c9ca3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -22,37 +22,10 @@ jobs: with: ref: ${{ github.event.inputs.tag_name || github.ref }} - - name: Verify version consistency - run: | - PY_VER=$(python3 -c " - import re, pathlib - text = pathlib.Path('pyproject.toml').read_text() - m = re.search(r'^version\s*=\s*\"([^\"]+)\"', text, re.MULTILINE) - print(m.group(1) if m else '') - ") - INIT_VER=$(python3 -c " - import re, pathlib, sys - sys.path.insert(0, '.') - import importlib.util - spec = importlib.util.spec_from_file_location('chipcompiler', 'chipcompiler/__init__.py') - mod = importlib.util.module_from_spec(spec) - spec.loader.exec_module(mod) - print(mod.__version__) - ") - echo "pyproject.toml version: $PY_VER" - echo "chipcompiler/__version__: $INIT_VER" - [[ "$PY_VER" == "$INIT_VER" ]] || { - echo "ERROR: version mismatch. pyproject.toml='$PY_VER' chipcompiler/__version__='$INIT_VER'" - exit 1 - } - # Verify tag matches version - FULL_TAG="${{ github.event.inputs.tag_name || github.ref_name }}" - EXPECTED_TAG="v$PY_VER" - [[ "$FULL_TAG" == "$EXPECTED_TAG" ]] || { - echo "ERROR: tag mismatch. tag='$FULL_TAG' expected='$EXPECTED_TAG'" - exit 1 - } - echo "Version check passed: $PY_VER" + - name: Check version + uses: ./.github/actions/check-version + with: + expected_tag: ${{ github.event.inputs.tag_name || github.ref_name }} build: name: Build Wheel From a259baa91cdda767c45be9543f2bb37d50c1c2aa Mon Sep 17 00:00:00 2001 From: Emin Date: Wed, 22 Apr 2026 10:17:29 +0800 Subject: [PATCH 5/9] chore: bump version to 0.1.0-alpha Co-Authored-By: Claude Opus 4.6 (1M context) --- BUILD.bazel | 2 +- bazel/scripts/build-wheel.sh | 2 +- chipcompiler/__init__.py | 2 +- pyproject.toml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/BUILD.bazel b/BUILD.bazel index 2fcedd9..e4c7a0e 100644 --- a/BUILD.bazel +++ b/BUILD.bazel 
@@ -13,7 +13,7 @@ genrule( "//chipcompiler:chipcompiler_python_sources", "//chipcompiler:chipcompiler_runtime_data", ], - outs = ["raw_wheel/ecc-0.1.0-py3-none-any.whl"], + outs = ["raw_wheel/ecc-0.1.0a0-py3-none-any.whl"], tools = ["@multitool//tools/uv"], cmd = """ set -euo pipefail diff --git a/bazel/scripts/build-wheel.sh b/bazel/scripts/build-wheel.sh index f8c1ab7..5754934 100755 --- a/bazel/scripts/build-wheel.sh +++ b/bazel/scripts/build-wheel.sh @@ -72,7 +72,7 @@ venv_python="$smoke_dir/venv/bin/python" "$venv_python" -c " import chipcompiler from chipcompiler.tools.ecc.module import ECCToolsModule -assert chipcompiler.__version__ == '0.1.0', f'unexpected version: {chipcompiler.__version__}' +assert chipcompiler.__version__ == '0.1.0-alpha', f'unexpected version: {chipcompiler.__version__}' print('ecc wheel smoke test passed: chipcompiler package importable') " diff --git a/chipcompiler/__init__.py b/chipcompiler/__init__.py index bbca508..17db813 100644 --- a/chipcompiler/__init__.py +++ b/chipcompiler/__init__.py @@ -1,2 +1,2 @@ # chipcompiler package -__version__ = "0.1.0" +__version__ = "0.1.0-alpha" diff --git a/pyproject.toml b/pyproject.toml index e14379c..5439947 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ requires = [ "uv-build>=0.8.5" ] [project] name = "ecc" -version = "0.1.0" +version = "0.1.0-alpha" readme = "README.md" authors = [ { name = "Emin", email = "me@emin.chat" }, From a6bfe1934b5fcdba29d20449699efbe57326949a Mon Sep 17 00:00:00 2001 From: Emin Date: Wed, 22 Apr 2026 10:19:04 +0800 Subject: [PATCH 6/9] feat(ci): add MODULE.bazel to version consistency check Sync MODULE.bazel version with pyproject.toml (0.1.0-alpha). Check-version action now verifies all three sources match: pyproject.toml, MODULE.bazel, and chipcompiler/__version__. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/actions/check-version/action.yml | 14 +++++++++++++- MODULE.bazel | 2 +- 2 files changed, 14 insertions(+), 2 deletions(-) 
diff --git a/.github/actions/check-version/action.yml b/.github/actions/check-version/action.yml index 4445a96..6232031 100644 --- a/.github/actions/check-version/action.yml +++ b/.github/actions/check-version/action.yml @@ -1,5 +1,5 @@ name: Check ECC Version Consistency -description: Verify pyproject.toml version matches chipcompiler/__version__. Optionally verify a tag matches the version. +description: Verify pyproject.toml, MODULE.bazel, and chipcompiler/__version__ all match. Optionally verify a tag matches the version. inputs: expected_tag: @@ -19,6 +19,12 @@ runs: m = re.search(r'^version\s*=\s*\"([^\"]+)\"', text, re.MULTILINE) print(m.group(1) if m else '') ") + MODULE_VER=$(python3 -c " + import re, pathlib + text = pathlib.Path('MODULE.bazel').read_text() + m = re.search(r'version\s*=\s*\"([^\"]+)\"', text) + print(m.group(1) if m else '') + ") INIT_VER=$(python3 -c " import sys, importlib.util sys.path.insert(0, '.') @@ -28,7 +34,13 @@ runs: print(mod.__version__) ") echo "pyproject.toml version: $PY_VER" + echo "MODULE.bazel version: $MODULE_VER" echo "chipcompiler/__version__: $INIT_VER" + + [[ "$PY_VER" == "$MODULE_VER" ]] || { + echo "ERROR: version mismatch. pyproject.toml='$PY_VER' MODULE.bazel='$MODULE_VER'" + exit 1 + } [[ "$PY_VER" == "$INIT_VER" ]] || { echo "ERROR: version mismatch. pyproject.toml='$PY_VER' chipcompiler/__version__='$INIT_VER'" exit 1 diff --git a/MODULE.bazel b/MODULE.bazel index bc80c97..5653079 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -1,6 +1,6 @@ module( name = "ecc", - version = "0.0.0", + version = "0.1.0-alpha", ) bazel_dep(name = "rules_python", version = "1.7.0") From aa6e1399b8308a06508cdee093be676ba42d1d0b Mon Sep 17 00:00:00 2001 
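Review bot: The `MODULE_VER` pattern added to action.yml, `version\s*=\s*\"([^\"]+)\"`, is unanchored and takes the first `version = "..."` anywhere in MODULE.bazel, so it returns the module version only while `module(...)` precedes every `bazel_dep(..., version = ...)` line, as it does in the MODULE.bazel hunk that follows. A reordered file, or a `version =` in a leading comment, would make the check compare against a dependency version or pass for the wrong reason. Restrict the match to the `module(` call, for example `m = re.search(r'^module\([^)]*?\bversion\s*=\s*\"([^\"]+)\"', text, re.MULTILINE)`. The composite step's script starts and ends outside these hunks.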
From: Emin Date: Wed, 22 Apr 2026 10:45:02 +0800 Subject: [PATCH 7/9] refactor(build): derive smoke-test version from pyproject.toml Replace the hard-coded version assertion in build-wheel.sh with a dynamic extraction from pyproject.toml. This avoids manual script updates on every version bump and ensures the smoke test validates consistency between the build manifest and the installed package. Co-Authored-By: Claude Opus 4.6 (1M context) --- bazel/scripts/build-wheel.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bazel/scripts/build-wheel.sh b/bazel/scripts/build-wheel.sh index 5754934..d19fa5e 100755 --- a/bazel/scripts/build-wheel.sh +++ b/bazel/scripts/build-wheel.sh @@ -69,10 +69,11 @@ venv_python="$smoke_dir/venv/bin/python" "https://github.com/openecos-projects/ecc-dreamplace/releases/download/v0.1.0-alpha.1/ecc_dreamplace-0.1.0a1-py3-none-manylinux_2_34_x86_64.whl" \ "$final_whl" +expected_version=$(grep -E '^version\s*=' "$WS/pyproject.toml" | head -n1 | sed 's/.*"\([^"]*\)".*/\1/') "$venv_python" -c " import chipcompiler from chipcompiler.tools.ecc.module import ECCToolsModule -assert chipcompiler.__version__ == '0.1.0-alpha', f'unexpected version: {chipcompiler.__version__}' +assert chipcompiler.__version__ == '${expected_version}', f'unexpected version: {chipcompiler.__version__} (expected ${expected_version})' print('ecc wheel smoke test passed: chipcompiler package importable') " From 2b6677a5d8c17ee0313d724e3ee5f518d71eaa5e Mon Sep 17 00:00:00 2001 From: Emin Date: Wed, 22 Apr 2026 10:46:34 +0800 Subject: [PATCH 8/9] fix(ci): include workflow and action paths in PR trigger filter Add .github/workflows/release.yml, .github/workflows/auto-tag.yml, and .github/actions/** to the pull_request.paths filter. This ensures changes to release/tag workflows and composite actions trigger CI for validation before merge. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) 
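Review bot: In build-wheel.sh, `expected_version` is spliced into the Python source passed to `-c` (`== '${expected_version}'`), so a version string containing a quote or backslash changes the program instead of being compared as data. Hand it over as data: start the interpreter as `EXPECTED_VERSION="$expected_version" "$venv_python" -c "..."` and compare against `os.environ['EXPECTED_VERSION']` inside. The `grep -E '^version\s*=' ... | head -n1` extraction also takes the first `version =` line in pyproject.toml regardless of table, and `\s` in an ERE is a GNU extension, so `[[:space:]]` is the portable spelling. The script starts and ends outside this hunk, so whether an empty match aborts under `set -e`/`pipefail` cannot be seen here.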
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8d1cfb2..e514f0f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,9 @@ on: - 'bazel/**' - 'MODULE.bazel' - '.github/workflows/ci.yml' + - '.github/workflows/release.yml' + - '.github/workflows/auto-tag.yml' + - '.github/actions/**' concurrency: group: ci-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} From 010707df90cb8aebcee069be480be1e7abaab74f Mon Sep 17 00:00:00 2001 From: Emin Date: Wed, 22 Apr 2026 10:48:08 +0800 Subject: [PATCH 9/9] fix(ci): pin Bazel setup in release workflow to setup-bazel action Replace the unversioned curl download of bazelisk-latest with the pinned bazel-contrib/setup-bazel@0.14.0 action used in CI. This eliminates supply-chain risk from unverified latest binaries and adds bazelisk/disk/repository caching for reproducible, faster release builds. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 25c9ca3..f0bee9c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -44,11 +44,11 @@ jobs: fetch-depth: 0 - name: Setup Bazel - shell: bash - run: | - curl -fsSL https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-amd64 \ - -o /usr/local/bin/bazel - chmod +x /usr/local/bin/bazel + uses: bazel-contrib/setup-bazel@0.14.0 + with: + bazelisk-cache: true + disk-cache: ${{ github.workflow }} + repository-cache: true - name: Setup uv uses: astral-sh/setup-uv@v5
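Review bot: In release.yml's "Setup Bazel" step, `bazel-contrib/setup-bazel@0.14.0` is a tag reference, which the action's owner can move, so the pin is weaker than the commit message implies; the same holds for `astral-sh/setup-uv@v5` in the context line below and for the `actions/checkout@v4` steps elsewhere in the workflow. For a job that produces release artifacts, reference the full commit SHA and keep the version as a comment, `uses: bazel-contrib/setup-bazel@<full-commit-sha>  # 0.14.0`. It is also worth deciding whether `disk-cache` and `repository-cache` should be enabled for release builds at all, since restored cache contents become inputs to the published wheel. The `build` job continues outside this hunk.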