ci: Add GitHub Actions workflow for lni_nodejs multi-platform builds (#28)

clawd21 · Clawd · web-flow · commit 95c2a210d64f · 2026-01-27T22:52:32.000-06:00
* ci: Add GitHub Actions workflow for lni_nodejs multi-platform builds Builds native Node.js bindings for: - Linux x64 (gnu) - Linux ARM64 (gnu) - macOS x64 - macOS ARM64 - macOS Universal (lipo) - Windows x64 (msvc) Features: - Runs on push to master/main and tags - Creates GitHub Release on version tags (v*) - Uploads platform-specific .node binaries as release assets - Optional npm publish (requires NPM_TOKEN secret) - Test step to verify bindings load correctly * fix(ci): Add protobuf-compiler and fix napi build command - Install protobuf-compiler on all platforms (needed for prost-build) - Use 'yarn napi build' with --target flag directly - Add brew/choco install steps for macOS/Windows * security(ci): Pin all GitHub Actions to commit SHAs Replace mutable tag references with reproducible commit SHA pins: - actions/checkout@v4 → @34e114876b0b11c390a56381ad16ebd13914f8d5 - actions/setup-node@v4 → @49933ea5288caeca8642d1e84afbd3f7d6820020 - dtolnay/rust-toolchain@stable → @4be9e76fd7c4901c61fb841f559994984270fce7 - actions/upload-artifact@v4 → @ea165f8d65b6e75b540449e92b4886f43607fa02 - actions/download-artifact@v4 → @d3f86a106a0bac45b974a628896c90dbdf5c8093 - softprops/action-gh-release@v1 → @de2c0eb89ae2a093876385947365aca7b0e5f844 Original tags preserved in comments above each uses: line for clarity. * fix(ci): Use architecture-specific macOS runners - darwin-x64: Use macos-13 (Intel runner) for native x86_64 build - darwin-arm64: Use macos-14 (Apple Silicon runner) for native aarch64 build - Update test and universal-macos jobs to use macos-14 macos-latest now defaults to arm64, causing cross-compilation issues. * security(ci): Check NODE_AUTH_TOKEN env var instead of interpolating secret Avoid interpolating ${{ secrets.NPM_TOKEN }} directly into shell script. Instead, check the NODE_AUTH_TOKEN environment variable which is already set via the env block. This prevents potential secret exposure in logs. * chore(ci): Update softprops/action-gh-release to v2 - v1 → v2 (SHA: a06a81a03ee405af7f2048a818ed3f03bbf83c7b) - v2 uses node20 runtime (vs node16 in v1) - All existing inputs (files, generate_release_notes, draft, prerelease) are compatible * fix(nodejs): add macOS linker flags for N-API undefined symbols The darwin builds were failing because the linker couldn't find N-API symbols (_napi_create_error, _napi_create_function, etc.). These symbols are provided by Node.js at runtime, so we need -undefined dynamic_lookup to tell the linker to defer resolution. * ci: update macOS runners to non-deprecated versions - macos-13 (Intel) → macos-15-intel - macos-14 (ARM64) → macos-latest Per GitHub deprecation notice: actions/runner-images#13046 --------- Co-authored-by: Clawd <clawd@clawd.bot>
diff --git a/.github/workflows/build-nodejs.yml b/.github/workflows/build-nodejs.yml
@@ -0,0 +1,268 @@
+name: Build lni_nodejs
+
+on:
+  push:
+    branches: [master, main]
+    tags:
+      - 'v*'
+  pull_request:
+    branches: [master, main]
+  workflow_dispatch:
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Linux
+          - os: ubuntu-latest
+            target: x86_64-unknown-linux-gnu
+            name: linux-x64-gnu
+          - os: ubuntu-latest
+            target: aarch64-unknown-linux-gnu
+            name: linux-arm64-gnu
+          # macOS (use specific runners for native builds)
+          - os: macos-15-intel  # Intel runner for x64 (macos-13 deprecated)
+            target: x86_64-apple-darwin
+            name: darwin-x64
+          - os: macos-latest  # Apple Silicon runner for arm64 (macos-15)
+            target: aarch64-apple-darwin
+            name: darwin-arm64
+          # Windows
+          - os: windows-latest
+            target: x86_64-pc-windows-msvc
+            name: win32-x64-msvc
+
+    runs-on: ${{ matrix.os }}
+    name: Build - ${{ matrix.name }}
+
+    steps:
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - name: Setup Node.js
+        # actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: '20'
+
+      - name: Install Rust
+        # dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7
+        with:
+          toolchain: stable
+          targets: ${{ matrix.target }}
+
+      - name: Install build dependencies (Linux)
+        if: runner.os == 'Linux'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y protobuf-compiler
+
+      - name: Install cross-compilation tools (Linux ARM64)
+        if: matrix.target == 'aarch64-unknown-linux-gnu'
+        run: |
+          sudo apt-get install -y gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
+
+      - name: Install build dependencies (macOS)
+        if: runner.os == 'macOS'
+        run: |
+          brew install protobuf
+
+      - name: Install build dependencies (Windows)
+        if: runner.os == 'Windows'
+        run: |
+          choco install protoc -y
+
+      - name: Install dependencies
+        working-directory: bindings/lni_nodejs
+        run: yarn install
+
+      - name: Build native module
+        working-directory: bindings/lni_nodejs
+        env:
+          CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
+        run: |
+          yarn napi build --platform --release --target ${{ matrix.target }}
+
+      - name: Upload artifact
+        # actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: bindings-${{ matrix.name }}
+          path: bindings/lni_nodejs/*.node
+          if-no-files-found: error
+
+  # Universal macOS binary
+  universal-macos:
+    needs: build
+    runs-on: macos-latest  # Apple Silicon (lipo works on any arch)
+    name: Universal macOS Binary
+
+    steps:
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - name: Download x64 artifact
+        # actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+        with:
+          name: bindings-darwin-x64
+          path: artifacts/x64
+
+      - name: Download arm64 artifact
+        # actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+        with:
+          name: bindings-darwin-arm64
+          path: artifacts/arm64
+
+      - name: Create universal binary
+        run: |
+          lipo -create \
+            artifacts/x64/*.node \
+            artifacts/arm64/*.node \
+            -output lni_js.darwin-universal.node
+
+      - name: Upload universal artifact
+        # actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: bindings-darwin-universal
+          path: lni_js.darwin-universal.node
+
+  # Test the builds
+  test:
+    needs: build
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            artifact: bindings-linux-x64-gnu
+          - os: macos-latest  # Apple Silicon runner
+            artifact: bindings-darwin-arm64
+          - os: windows-latest
+            artifact: bindings-win32-x64-msvc
+
+    runs-on: ${{ matrix.os }}
+    name: Test - ${{ matrix.os }}
+
+    steps:
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - name: Setup Node.js
+        # actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: '20'
+
+      - name: Download artifact
+        # actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+        with:
+          name: ${{ matrix.artifact }}
+          path: bindings/lni_nodejs
+
+      - name: Install dependencies
+        working-directory: bindings/lni_nodejs
+        run: yarn install --ignore-scripts
+
+      - name: Test import
+        working-directory: bindings/lni_nodejs
+        run: |
+          node -e "const lni = require('./'); console.log('✅ LNI loaded:', Object.keys(lni).slice(0,5).join(', '))"
+
+  # Create release on tag
+  release:
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs: [build, universal-macos, test]
+    runs-on: ubuntu-latest
+    name: Create Release
+    permissions:
+      contents: write
+
+    steps:
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - name: Download all artifacts
+        # actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+        with:
+          path: artifacts
+
+      - name: Prepare release assets
+        run: |
+          mkdir -p release
+          for dir in artifacts/bindings-*; do
+            name=$(basename "$dir")
+            platform="${name#bindings-}"
+            for file in "$dir"/*.node; do
+              if [ -f "$file" ]; then
+                cp "$file" "release/lni_js.${platform}.node"
+              fi
+            done
+          done
+          ls -la release/
+
+      - name: Create Release
+        # softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
+        with:
+          files: release/*
+          generate_release_notes: true
+          draft: false
+          prerelease: ${{ contains(github.ref, '-') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # Optional: Publish to npm
+  publish:
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs: [release]
+    runs-on: ubuntu-latest
+    name: Publish to npm
+    
+    steps:
+      # actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - name: Setup Node.js
+        # actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Download all artifacts
+        # actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+        with:
+          path: artifacts
+
+      - name: Prepare npm package
+        working-directory: bindings/lni_nodejs
+        run: |
+          # Copy platform-specific binaries
+          for dir in ../../artifacts/bindings-*; do
+            cp "$dir"/*.node . 2>/dev/null || true
+          done
+          ls -la *.node
+
+      - name: Publish to npm
+        working-directory: bindings/lni_nodejs
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          # Only publish if NODE_AUTH_TOKEN is set (via secrets.NPM_TOKEN)
+          if [ -n "${NODE_AUTH_TOKEN}" ]; then
+            npm publish --access public
+          else
+            echo "NPM_TOKEN not configured, skipping publish"
+          fi
diff --git a/bindings/lni_nodejs/.cargo/config.toml b/bindings/lni_nodejs/.cargo/config.toml
@@ -1,5 +1,12 @@
 [target.aarch64-unknown-linux-musl]
 linker = "aarch64-linux-musl-gcc"
 rustflags = ["-C", "target-feature=-crt-static"]
+
 [target.x86_64-pc-windows-msvc]
-rustflags = ["-C", "target-feature=+crt-static"]
+rustflags = ["-C", "target-feature=+crt-static"]
+
+[target.aarch64-apple-darwin]
+rustflags = ["-C", "link-arg=-undefined", "-C", "link-arg=dynamic_lookup"]
+
+[target.x86_64-apple-darwin]
+rustflags = ["-C", "link-arg=-undefined", "-C", "link-arg=dynamic_lookup"]
