From 3d25e0b34f40f7ed38cbd66e1b0be20d28694e02 Mon Sep 17 00:00:00 2001
From: Kailas Mahavarkar <66670953+KailasMahavarkar@users.noreply.github.com>
Date: Fri, 10 Apr 2026 17:02:20 +0530
Subject: [PATCH 1/5] chore: auto-release on package.json version bump + bump to v1.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a release job to the CI workflow. On every push to main, after verify passes, it reads the version from package.json and checks if the tag already exists. If not, gh release create runs with --generate-notes, which triggers the existing Docker build job and produces versioned tags (:v1.1.0, :latest). No manual release steps needed — bump the version in a PR, merge, done. Also bumps package.json to 1.1.0 to exercise the new path.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish.yml | 32 ++++++++++++++++++++++++++++++++
 package.json | 2 +-
 tests/workflow-behaviour.test.ts | 1 +
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 94a85ae..b25b43e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -39,6 +39,38 @@ jobs:
 - name: Type-check
 run: bun run build
+ release:
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ needs: verify
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Check if version tag exists
+ id: check
+ run: |
+ VERSION=$(jq -r .version package.json)
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+ if git ls-remote --tags origin | grep -q "refs/tags/v${VERSION}$"; then
+ echo "exists=true" >> $GITHUB_OUTPUT
+ else
+ echo "exists=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Create release
+ if: steps.check.outputs.exists == 'false'
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh release create "v${{ steps.check.outputs.version }}" \
+ --title "v${{ steps.check.outputs.version }}" \
+ --generate-notes
+
 build-and-push-image:
 if: github.event_name != 'pull_request'
 needs: verify
diff --git a/package.json b/package.json
index dd1e010..1b41b90 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@orkait-ai/hyperstack",
- "version": "1.0.0",
+ "version": "1.1.0",
 "description": "Disciplined MCP server + skill system. 11 plugins, 79 tools, 21 skills with adversarial enforcement. Designer/DESIGN.md pipeline, shadcn/ui, React Flow, Motion, Lenis, React 19, Echo, Go, Rust, design tokens, UI/UX.",
 "bin": {
 "hyperstack": "bin/hyperstack.mjs"
diff --git a/tests/workflow-behaviour.test.ts b/tests/workflow-behaviour.test.ts
index b64a210..d335a47 100644
--- a/tests/workflow-behaviour.test.ts
+++ b/tests/workflow-behaviour.test.ts
@@ -20,4 +20,5 @@ test("publish workflow verifies the package across the supported OS and Bun matr
 /if:\s*github\.event_name\s*!=\s*'pull_request'/,
 "publish job should not push images from pull request runs",
 );
+ assert.match(workflow, /gh release create/, "workflow should auto-create a release on version bump");
 });
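Review bot: The `Create release` step of the new `release` job in `.github/workflows/publish.yml` pastes `${{ steps.check.outputs.version }}` straight into the `run:` script, so whatever string sits in the `version` field of package.json is expanded into shell text before bash parses it, in a job that holds `contents: write`. Pass the value through the environment instead: add `VERSION: ${{ steps.check.outputs.version }}` under that step's `env:` and call `gh release create "v$VERSION" --title "v$VERSION" --generate-notes`. The `check` step should also reject anything that is not a plain version before writing it to `$GITHUB_OUTPUT`, for example `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1` (loosen the pattern if pre-release versions are published). Separately, `actions/checkout@v4` is referenced by a mutable tag; pinning it to a full commit SHA is the usual hardening for a job with write access.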
From afd57b55fb9b7c59ee22787a4beab75c24d87784 Mon Sep 17 00:00:00 2001
From: Kailas Mahavarkar <66670953+KailasMahavarkar@users.noreply.github.com>
Date: Fri, 10 Apr 2026 17:03:07 +0530
Subject: [PATCH 2/5] =?UTF-8?q?fix(docker):=20bun.lockb=20=E2=86=92=20bun.?= =?UTF-8?q?lock=20(bun=201.3+=20uses=20text=20lockfile)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Sonnet 4.6
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 1262e54..12dc5af 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM oven/bun:alpine
 WORKDIR /app
-COPY package.json bun.lockb ./
+COPY package.json bun.lock ./
 RUN bun install --frozen-lockfile
 COPY src/ src/
 USER bun
From c9280514d7e72ebdb930f162ad375c2f78cce90e Mon Sep 17 00:00:00 2001
From: Kailas Mahavarkar <66670953+KailasMahavarkar@users.noreply.github.com>
Date: Fri, 10 Apr 2026 17:06:29 +0530
Subject: [PATCH 3/5] fix: revert to ghcr.io and make package public after each push

- Restore ghcr.io as registry (Docker Hub changes reverted)
- Add 'Make package public' step that patches /orgs/orkait/packages/container/hyperstack with visibility=public after every image push

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b25b43e..7f3ed39 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -83,7 +83,7 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Log in to the Container registry
+ - name: Log in to GitHub Container Registry
 uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
@@ -103,3 +103,11 @@ jobs:
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Make package public on ghcr.io
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh api --method PATCH \
+ /orgs/orkait/packages/container/hyperstack \
+ -f visibility=public
From dd00f2598d2174d56b543901a367aac01b0842fd Mon Sep 17 00:00:00 2001
From: Kailas Mahavarkar <66670953+KailasMahavarkar@users.noreply.github.com>
Date: Fri, 10 Apr 2026 17:09:46 +0530
Subject: [PATCH 4/5] fix(ci): build-and-push-image only on release events
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously ran on every push to main. Now that the release job auto-creates a GitHub release on version bump, Docker should only build when a release is published — not on every commit. Flow: push to main → verify → release (if version bumped) release published → verify → build-and-push-image

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish.yml | 2 +-
 tests/workflow-behaviour.test.ts | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7f3ed39..e404572 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -72,7 +72,7 @@ jobs:
 --generate-notes
 build-and-push-image:
- if: github.event_name != 'pull_request'
+ if: github.event_name == 'release'
 needs: verify
 runs-on: ubuntu-latest
 permissions:
diff --git a/tests/workflow-behaviour.test.ts b/tests/workflow-behaviour.test.ts
index d335a47..dabaa9e 100644
--- a/tests/workflow-behaviour.test.ts
+++ b/tests/workflow-behaviour.test.ts
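Review bot: Gating `build-and-push-image` on `if: github.event_name == 'release'` (the `@@ -72,7 +72,7 @@` hunk of PATCH 4/5) appears to leave no path from the auto-release to the image build. The `release` job creates the release with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, and events produced with that token do not start new workflow runs (only `workflow_dispatch` and `repository_dispatch` are exempt), so only a release published by a person or by another credential would reach this job. The workflow's `on:` block is outside the hunk, so confirm which release types it listens for. Rather than handing the release step a broader personal access token, consider keeping the default token and chaining the jobs in one run: have `release` expose an output such as `created`, then use `needs: [verify, release]` with `if: needs.release.outputs.created == 'true'` here; the image tags from `steps.meta` would then presumably need the version passed in explicitly. The `build-and-push-image` job body continues past the hunk.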
@@ -17,8 +17,8 @@ test("publish workflow verifies the package across the supported OS and Bun matr
 assert.match(workflow, /needs:\s*verify/, "publish job should wait for the verification matrix");
 assert.match(
 workflow,
- /if:\s*github\.event_name\s*!=\s*'pull_request'/,
- "publish job should not push images from pull request runs",
+ /if:\s*github\.event_name\s*==\s*'release'/,
+ "publish job should only run on release events",
 );
 assert.match(workflow, /gh release create/, "workflow should auto-create a release on version bump");
 });
From 58f61f7ab390883fdff6e2ec894edb0948f70dd3 Mon Sep 17 00:00:00 2001
From: Kailas Mahavarkar <66670953+KailasMahavarkar@users.noreply.github.com>
Date: Fri, 10 Apr 2026 17:13:57 +0530
Subject: [PATCH 5/5] fix(ci): remove make-package-public step
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GITHUB_TOKEN with packages:write can push images but cannot change package visibility — that requires admin:packages scope which Actions tokens don't receive. Removing the step; set the package public once manually in GitHub UI (Packages → Package settings → Change visibility).

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish.yml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e404572..046932e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -104,10 +104,3 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
- - name: Make package public on ghcr.io
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- gh api --method PATCH \
- /orgs/orkait/packages/container/hyperstack \
- -f visibility=public