fix: adopt caido/action-release for immutable releases #7
…ix tags
- Switch from tag-push trigger to workflow_dispatch
- Use caido/action-release@v1 with immutableCreate
- Extract version from manifest.json for tag name (no v prefix)
- Add branch guard and signing validation
- Update README releasing instructions

Co-authored-by: Cursor <cursoragent@cursor.com>
Pull request overview
Updates the release process to follow the Caido community “immutable releases” pattern by switching to a manually-triggered workflow and using caido/action-release with immutable creation enabled, while aligning tag naming with the plugin version.
Changes:
- Change release workflow trigger from tag-push (`v*`) to `workflow_dispatch`, with a main-branch guard.
- Replace `softprops/action-gh-release` with `caido/action-release@v1` and enable `immutableCreate: true`.
- Extract the release tag version from `manifest.json` inside the built plugin zip, and update README release instructions accordingly.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| README.md | Updates release instructions to use the manual “Run workflow” flow and immutable releases. |
| .github/workflows/release.yml | Implements workflow_dispatch release flow, adds branch guard + signing check, uses caido/action-release with immutable release creation and version-derived tag. |
| @@ -25,14 +35,28 @@ jobs: | |||
| run: npm run build | |||
The workflow uses `npm install`/`npm run build` even though the repo is bun-first (`bun.lock` + README/`.agents` docs). This means the release build can ignore the lockfile and produce non-reproducible artifacts. Consider setting up bun in this workflow and using `bun install --frozen-lockfile` + `bun run build` (or `bun run package` if that's the intended release artifact).
| openssl pkeyutl -sign -inkey private_key.pem -out plugin_package.zip.sig -rawin -in plugin_package.zip | ||
| rm private_key.pem |
The private key file is removed only on the happy path. If `openssl pkeyutl` fails, the `rm private_key.pem` line won't run and the key can remain in the workspace for subsequent steps. Consider using a `trap` (as the previous version did) to ensure cleanup on failure, and/or running the signing step in a subshell that always deletes the file.
| openssl pkeyutl -sign -inkey private_key.pem -out plugin_package.zip.sig -rawin -in plugin_package.zip | |
| rm private_key.pem | |
| trap 'rm -f private_key.pem' EXIT | |
| openssl pkeyutl -sign -inkey private_key.pem -out plugin_package.zip.sig -rawin -in plugin_package.zip |
| echo "${{ secrets.PRIVATE_KEY }}" > private.pem | ||
| openssl pkeyutl -sign -inkey private.pem -out plugin_package.zip.sig -rawin -in dist/plugin_package.zip | ||
| VERSION=$(unzip -p plugin_package.zip manifest.json | jq -r .version) | ||
| echo "version=${VERSION}" >> $GITHUB_OUTPUT |
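Review bot: the first line of this hunk expands `${{ secrets.PRIVATE_KEY }}` directly into the shell script text; pass the secret through an `env:` entry on the step and reference it as `"$PRIVATE_KEY"` so the key material never becomes part of the generated script, and write the file under a restrictive umask. Also, the signing line reads `dist/plugin_package.zip` while the version extraction unzips `plugin_package.zip`; if both run in the same step, one of the two paths is wrong, and the signature must be computed over the exact artifact that gets uploaded. Quote `$GITHUB_OUTPUT` on the last line as `"$GITHUB_OUTPUT"`.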
`jq -r .version` will output the literal string `null` (exit code 0) if the manifest is missing a `version` field, which would then be used as the Git tag. Add validation that `VERSION` is non-empty and not `null` (and optionally matches the expected semver format) before writing it to `$GITHUB_OUTPUT`.
| echo "version=${VERSION}" >> $GITHUB_OUTPUT | |
| if [ -z "$VERSION" ] || [ "$VERSION" = "null" ]; then | |
| echo "Error: manifest.json is missing a valid 'version' field." | |
| exit 1 | |
| fi | |
| echo "version=${VERSION}" >> "$GITHUB_OUTPUT" |
Summary
- `workflow_dispatch`
- `caido/action-release@v1` with `immutableCreate: true` (matches official Caido community pattern)
- `manifest.json` (no `v` prefix), matching the store checklist requirement

Context
Required for caido/store#74 PR checklist:
- `caido.config.json`

Made with Cursor