Merge pull request #278 from knockout/bmh/sc-automate-github-release

release: automate GitHub releases

Author: brianmhunt

.changeset/config.json

@@ -2,7 +2,37 @@
   "$schema": "https://unpkg.com/@changesets/config@3.1.3/schema.json",
   "changelog": "@changesets/cli/changelog",
   "commit": false,
-  "fixed": [],
+  "fixed": [
+    [
+      "@tko/bind",
+      "@tko/binding.component",
+      "@tko/binding.core",
+      "@tko/binding.foreach",
+      "@tko/binding.if",
+      "@tko/binding.template",
+      "@tko/build.knockout",
+      "@tko/build.reference",
+      "@tko/builder",
+      "@tko/computed",
+      "@tko/filter.punches",
+      "@tko/lifecycle",
+      "@tko/observable",
+      "@tko/provider",
+      "@tko/provider.attr",
+      "@tko/provider.bindingstring",
+      "@tko/provider.component",
+      "@tko/provider.databind",
+      "@tko/provider.multi",
+      "@tko/provider.mustache",
+      "@tko/provider.native",
+      "@tko/provider.virtual",
+      "@tko/utils",
+      "@tko/utils.component",
+      "@tko/utils.functionrewrite",
+      "@tko/utils.jsx",
+      "@tko/utils.parser"
+    ]
+  ],
   "linked": [],
   "access": "public",
   "baseBranch": "main",

.github/workflows/github-release.yml

@@ -0,0 +1,87 @@
+name: Backfill GitHub Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      target_sha:
+        description: Published main commit SHA to tag and release
+        required: true
+        type: string
+
+jobs:
+  backfill-github-release:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout published commit
+        # actions/checkout v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          ref: ${{ inputs.target_sha }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Validate target commit and determine release version
+        id: version
+        env:
+          TARGET_SHA: ${{ inputs.target_sha }}
+        run: |
+          git fetch origin main --depth=1
+
+          if ! git merge-base --is-ancestor "$TARGET_SHA" "origin/main"; then
+            echo "Target SHA $TARGET_SHA is not reachable from origin/main." >&2
+            exit 1
+          fi
+
+          version="$(node tools/release-version.cjs)"
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+
+      - name: Verify published npm version exists
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          npm view "@tko/build.reference@$VERSION" version --registry=https://registry.npmjs.org >/dev/null
+
+      - name: Backfill GitHub release if missing
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ steps.version.outputs.version }}
+          TARGET_SHA: ${{ inputs.target_sha }}
+        run: |
+          tag="v${VERSION}"
+
+          if gh release view "$tag" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
+            object_type="$(gh api "repos/$GITHUB_REPOSITORY/git/ref/tags/$tag" --jq '.object.type')"
+            object_sha="$(gh api "repos/$GITHUB_REPOSITORY/git/ref/tags/$tag" --jq '.object.sha')"
+
+            if [ "$object_type" = "tag" ]; then
+              existing_target="$(gh api "repos/$GITHUB_REPOSITORY/git/tags/$object_sha" --jq '.object.sha')"
+            else
+              existing_target="$object_sha"
+            fi
+
+            if [ "$existing_target" = "$TARGET_SHA" ]; then
+              echo "GitHub release $tag already exists on $TARGET_SHA; nothing to do."
+              exit 0
+            fi
+
+            echo "GitHub release $tag already exists on $existing_target, expected $TARGET_SHA." >&2
+            exit 1
+          fi
+
+          prerelease_flag=""
+          case "$VERSION" in
+            *-alpha*|*-beta*|*-rc*)
+              prerelease_flag="--prerelease"
+              ;;
+          esac
+
+          gh release create "$tag" \
+            --repo "$GITHUB_REPOSITORY" \
+            --target "$TARGET_SHA" \
+            --title "TKO ${VERSION}" \
+            --generate-notes \
+            $prerelease_flag

.github/workflows/release.yml

@@ -32,6 +32,8 @@ jobs:
       - name: Checkout code
         # actions/checkout v6.0.2
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         # actions/setup-node v6.3.0
@@ -66,6 +68,9 @@ jobs:
     if: needs.prepare-release.outputs.has_changesets == 'false'
     runs-on: ubuntu-latest
 
+    outputs:
+      release_version: ${{ steps.version.outputs.version }}
+
     permissions:
       contents: read
       id-token: write
@@ -74,6 +79,8 @@ jobs:
       - name: Checkout code
         # actions/checkout v6.0.2
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         # actions/setup-node v6.3.0
@@ -88,6 +95,12 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Determine release version
+        id: version
+        run: |
+          version="$(node tools/release-version.cjs)"
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+
       - name: Build all packages
         run: make
 
@@ -98,3 +111,54 @@ jobs:
         # npm generates provenance attestations automatically during trusted
         # publishing from GitHub Actions.
         run: npx changeset publish
+
+  github-release:
+    name: Create GitHub Release
+    needs: [prepare-release, publish]
+    if: needs.prepare-release.outputs.has_changesets == 'false' && needs.publish.result == 'success'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Create GitHub release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ needs.publish.outputs.release_version }}
+          TARGET_SHA: ${{ github.sha }}
+        run: |
+          tag="v${VERSION}"
+
+          if gh release view "$tag" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
+            object_type="$(gh api "repos/$GITHUB_REPOSITORY/git/ref/tags/$tag" --jq '.object.type')"
+            object_sha="$(gh api "repos/$GITHUB_REPOSITORY/git/ref/tags/$tag" --jq '.object.sha')"
+
+            if [ "$object_type" = "tag" ]; then
+              existing_target="$(gh api "repos/$GITHUB_REPOSITORY/git/tags/$object_sha" --jq '.object.sha')"
+            else
+              existing_target="$object_sha"
+            fi
+
+            if [ "$existing_target" = "$TARGET_SHA" ]; then
+              echo "GitHub release $tag already exists on $TARGET_SHA; skipping."
+              exit 0
+            fi
+
+            echo "GitHub release $tag already exists on $existing_target, expected $TARGET_SHA." >&2
+            exit 1
+          fi
+
+          prerelease_flag=""
+          case "$VERSION" in
+            *-alpha*|*-beta*|*-rc*)
+              prerelease_flag="--prerelease"
+              ;;
+          esac
+
+          gh release create "$tag" \
+            --repo "$GITHUB_REPOSITORY" \
+            --target "$TARGET_SHA" \
+            --title "TKO ${VERSION}" \
+            --generate-notes \
+            $prerelease_flag

AGENTS.md

@@ -106,7 +106,8 @@ GitHub Actions workflows (`.github/workflows/`):
 | `test-headless.yml` | PRs | Matrix test (Chrome, Firefox, jQuery) |
 | `lint-and-typecheck.yml` | PRs | Prettier + ESLint + tsc (combined) |
 | `publish-check.yml` | PRs | Verify packages are publishable |
-| `release.yml` | Push to main | Changeset version PRs + npm publish |
+| `release.yml` | Push to main | Changeset version PRs + npm publish + GitHub release creation |
+| `github-release.yml` | Manual fallback | Backfill a GitHub release/tag for a published `main` commit if automatic release creation needs a retry |
 | `deploy-docs.yml` | Push to main | Deploy tko.io to GitHub Pages |
 | `codeql-analysis.yml` | Weekly + main push | Security scanning |
 
@@ -116,6 +117,10 @@ All PR checks must pass before merge.
 
 Releases are managed with [Changesets](https://github.com/changesets/changesets).
 
+TKO uses a repo-wide fixed release line for all public `@tko/*` packages. A
+release that bumps any public package bumps the full public package set to the
+same version.
+
 **For contributors** — when your PR changes package behavior:
 ```bash
 npx changeset add    # Select affected packages, bump type, describe change
@@ -127,6 +132,8 @@ This creates a changeset file in `.changeset/` that gets committed with your PR.
 2. If unreleased changesets exist, the action opens a "Version Packages" PR
 3. Review the PR (it bumps versions and updates changelogs)
 4. Merge it to publish to npm via GitHub Actions OIDC trusted publishing
+5. The same release workflow creates the matching GitHub Release and tag after a successful publish
+6. If GitHub release creation ever needs a retry after publish, run `github-release.yml` manually with the merged commit SHA
 
 Avoid manual workstation publishes. If release CI is unavailable, fix the
 workflow or npm trusted publisher configuration rather than bypassing it with a

README.md

@@ -55,7 +55,8 @@ It's available as `@tko/build.knockout`, and over CDN:
 | $ `make test` | Run all tests with electron. See below. |
 | $ `make test-headless` | Run all tests with chromium. See below. |
 | $ `npx changeset add` | Add a changeset for package behavior changes in your PR |
-| Release workflow | On merge to `main`, CI opens or updates a version PR; when that version PR is merged and there are no remaining changesets, CI publishes from GitHub Actions via npm trusted publishing |
+| Release workflow | On merge to `main`, CI opens or updates a version PR; when that version PR is merged and there are no remaining changesets, the same workflow publishes from GitHub Actions via npm trusted publishing and creates the matching GitHub release/tag |
+| GitHub release workflow | Manual fallback to backfill the GitHub release/tag for a published `main` commit if automatic release creation needs a retry |
 | $ `make test-coverage` | Run all tests and create a code coverage report |
 
 Checkout the `Makefile` for more commands that can be executed with `make {command}`.

plans/build-and-release-certainty.md

@@ -62,17 +62,20 @@ New workflow `.github/workflows/publish-check.yml` that runs on PRs:
 Installed `@changesets/cli`. Configuration in `.changeset/config.json`.
 Contributors add a changeset file with their PR: `npx changeset add`.
 On merge to main, the release workflow opens a "Version Packages" PR
-that bumps versions and updates changelogs. Merging that PR publishes
-to npm.
+that bumps versions and updates changelogs. TKO now uses a repo-wide
+fixed version group for all public `@tko/*` packages, so public releases
+move together on one version line. Merging that PR publishes to npm.
 
 ### 2.2 Add a release workflow ✅ DONE
 
 `.github/workflows/release.yml` — triggered on push to main:
 - Builds all packages and runs tests
 - If unreleased changesets exist, opens/updates a version PR
 - If version PR is merged, publishes to npm
+- After a successful publish, creates the matching GitHub Release and tag in the same workflow
 - Uses npm trusted publishing via GitHub Actions OIDC
 - Requires trusted publisher configuration for the public `@tko/*` packages on npm
+- Includes a manual `github-release.yml` workflow to backfill a missing release/tag for a published `main` commit if GitHub release creation ever needs a retry after publish
 
 ---
 

tools/release-version.cjs

@@ -0,0 +1,24 @@
+const fs = require('fs')
+const path = require('path')
+
+const roots = ['builds', 'packages']
+const versions = new Set()
+
+for (const root of roots) {
+  for (const name of fs.readdirSync(root)) {
+    const packageJson = path.join(root, name, 'package.json')
+    if (!fs.existsSync(packageJson)) continue
+
+    const pkg = JSON.parse(fs.readFileSync(packageJson, 'utf8'))
+    if (pkg.private) continue
+
+    versions.add(pkg.version)
+  }
+}
+
+if (versions.size !== 1) {
+  console.error(`Expected one public package version, found: ${[...versions].sort().join(', ')}`)
+  process.exit(1)
+}
+
+process.stdout.write([...versions][0])