chore: bump version to 1.3.16 #96
Workflow file for this run
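# Release pipeline: runs on every pushed tag matching 'v*'.
#   1. integration-test – builds the Linux binary and runs the Docker test image.
#   2. build            – builds each target, smoke-tests it, uploads release assets.
#   3. update-formula   – rewrites the Homebrew formula in the tap repository.
#
# NOTE(review): every `uses:` below references a mutable tag or branch
# (`@v4`, `@stable`, `@v2`). The build job holds `contents: write` and the
# update-formula job holds FORMULA_PAT, so a moved tag in any of these actions
# would run with release-publishing rights. Consider pinning each action to a
# full commit SHA and letting a dependency bot propose the bumps.
name: Release

on:
  push:
    tags:
      - 'v*'

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

# Least privilege: the workflow default is read-only. Only the `build` job,
# which publishes release assets, is granted `contents: write` (see below).
permissions:
  contents: read

jobs:
  integration-test:
    name: Integration tests (Docker)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step in this job pushes; keep the token out of .git/config
          # so build scripts and the Docker build context cannot read it.
          persist-credentials: false

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: x86_64-unknown-linux-gnu

      # The binary produced from this cache is only used for the test image;
      # the `build` job compiles the released binaries without this cache step.
      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: ${{ runner.os }}-cargo-

      - name: Build Linux binary (native, cached)
        run: cargo build --release --target x86_64-unknown-linux-gnu -p panda

      # Build a thin test image with the pre-compiled binary (~10s, no cargo inside)
      - name: Build test image
        run: |
          docker build \
            --build-arg PANDA_BINARY=target/x86_64-unknown-linux-gnu/release/panda \
            -f docker/Dockerfile.ci \
            -t panda-test:latest \
            .

      - name: Run integration tests
        run: docker run --rm -e PANDA_NO_BERT=1 panda-test:latest

  build:
    name: Build ${{ matrix.target }}
    needs: integration-test
    runs-on: ${{ matrix.os }}
    # Needed by softprops/action-gh-release to create the release and attach
    # assets. Scoped to this job instead of the whole workflow.
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: aarch64-apple-darwin
            os: macos-latest
            asset_name: panda-macos-arm64
            ort_arch: arm64
          - target: x86_64-apple-darwin
            os: macos-latest
            asset_name: panda-macos-x86_64
            ort_arch: x86_64
          # An empty ort_arch marks the non-macOS leg: the ORT download and
          # bundling steps are skipped and the bare binary is uploaded.
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-latest
            asset_name: panda-linux-x86_64
            ort_arch: ""
    steps:
      - uses: actions/checkout@v4
        with:
          # The upload steps authenticate through the action's own token input,
          # not through git, so the write-scoped token need not sit in
          # .git/config while cargo build scripts and the smoke test run.
          persist-credentials: false

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      # ort-sys 2.x doesn't ship prebuilt binaries for x86_64-apple-darwin.
      # Download ORT ourselves and point the build script at it.
      - name: Download ONNX Runtime (macOS)
        if: matrix.ort_arch != ''
        run: |
          ORT_VERSION="1.20.1"
          ORT_URL="https://github.com/microsoft/onnxruntime/releases/download/v${ORT_VERSION}/onnxruntime-osx-${{ matrix.ort_arch }}-${ORT_VERSION}.tgz"
          curl -fsSL "$ORT_URL" -o ort.tgz
          # NOTE(review): the archive is linked into the build and its dylib is
          # shipped inside the release tarball, but it is not checked against a
          # known digest. Log the digest so every release leaves an audit
          # trail; to enforce it, replace this line with a pinned check, e.g.
          #   echo "<EXPECTED_SHA256_PLACEHOLDER>  ort.tgz" | shasum -a 256 -c -
          shasum -a 256 ort.tgz
          mkdir -p ort-extracted
          tar -xzf ort.tgz -C ort-extracted
          ORT_DIR=$(find ort-extracted -type d -name "onnxruntime-*" | head -1)
          # Fail here rather than exporting ORT_LIB_LOCATION=/lib when the
          # archive layout is not what we expect.
          if [ -z "$ORT_DIR" ]; then
            echo "ERROR: no onnxruntime-* directory found in ort.tgz"
            exit 1
          fi
          echo "ORT_LIB_LOCATION=${ORT_DIR}/lib" >> "$GITHUB_ENV"
          echo "ORT_PREFER_DYNAMIC_LINK=1" >> "$GITHUB_ENV"

      - name: Build
        run: cargo build --release --target ${{ matrix.target }} -p panda

      - name: Rename binary
        run: cp target/${{ matrix.target }}/release/panda ${{ matrix.asset_name }}

      - name: Smoke test binary
        env:
          PANDA_NO_BERT: "1"
        run: |
          # Dynamic-linked ORT needs the dylib visible at runtime.
          if [ -n "${ORT_LIB_LOCATION:-}" ]; then
            export DYLD_LIBRARY_PATH="${ORT_LIB_LOCATION}:${DYLD_LIBRARY_PATH:-}"
            export LD_LIBRARY_PATH="${ORT_LIB_LOCATION}:${LD_LIBRARY_PATH:-}"
          fi
          BIN="./${{ matrix.asset_name }}"
          # x86_64-apple-darwin is cross-compiled on the ARM64 runner.
          # Verify it's a valid Mach-O but skip execution (no Rosetta guarantee in CI).
          if [[ "${{ matrix.target }}" == "x86_64-apple-darwin" ]]; then
            file "$BIN" | grep -q "x86_64" && echo "✓ Valid x86_64 Mach-O" || exit 1
            exit 0
          fi
          # ── Runs natively on aarch64-apple-darwin and x86_64-unknown-linux-gnu ──
          # 1. Binary executes and reports correct version
          $BIN --version | grep -qE "^panda [0-9]+\.[0-9]+\.[0-9]+"
          # 2. Simulate a Claude Code user: create settings.json, run panda init
          mkdir -p ~/.claude/hooks
          echo '{}' > ~/.claude/settings.json
          $BIN init
          # 3. Hook script exists and is executable
          test -x ~/.claude/hooks/panda-rewrite.sh
          # 4. panda verify reports installed (exit 0)
          $BIN verify
          # 5. PreToolUse hook script rewrites a supported command
          REWRITE_IN='{"tool_name":"Bash","tool_input":{"command":"git status"}}'
          REWRITE_OUT=$(echo "$REWRITE_IN" | bash ~/.claude/hooks/panda-rewrite.sh)
          echo "$REWRITE_OUT" | grep -q "panda" \
            || { echo "rewrite script did not inject panda: $REWRITE_OUT"; exit 1; }
          # 6. Filter stdin works
          printf ' Refreshing state...\n Refreshing state...\n Refreshing state...\nPlan: 1 to add.\n' \
            | $BIN filter --command terraform \
            | grep -q "collapsed"
          # 7. Run a real git command end-to-end
          git init /tmp/smoke-repo -q
          git -C /tmp/smoke-repo config user.email "ci@panda.test"
          git -C /tmp/smoke-repo config user.name "PandaFilter CI"
          git -C /tmp/smoke-repo commit --allow-empty -q -m "init"
          $BIN run git -C /tmp/smoke-repo status
          # 8. panda gain exits 0 (analytics written by step 7)
          $BIN gain
          echo "✓ Smoke test passed (${{ matrix.asset_name }})"

      # macOS only: bundle binary + ORT dylib into a tarball so brew install
      # needs no build dependencies and completes in seconds.
      # Reuses ORT downloaded in the earlier step.
      - name: Bundle binary + ORT dylib (macOS)
        if: matrix.ort_arch != ''
        run: |
          # Pick the versioned dylib only (skip dSYM debug bundles)
          DYLIB=$(find ort-extracted -name "libonnxruntime.*.dylib" ! -path "*.dSYM*" | head -1)
          mkdir bundle
          cp "${{ matrix.asset_name }}" bundle/panda
          cp "$DYLIB" bundle/
          tar -czf "${{ matrix.asset_name }}.tar.gz" -C bundle .
          echo "Bundle contents:"
          tar -tzf "${{ matrix.asset_name }}.tar.gz"

      - name: Upload macOS bundle
        if: matrix.ort_arch != ''
        uses: softprops/action-gh-release@v2
        with:
          files: ${{ matrix.asset_name }}.tar.gz
          generate_release_notes: true

      - name: Upload Linux binary
        if: matrix.ort_arch == ''
        uses: softprops/action-gh-release@v2
        with:
          files: ${{ matrix.asset_name }}
          generate_release_notes: true

  update-formula:
    name: Update Homebrew formula
    needs: build
    runs-on: ubuntu-latest
    steps:
      # Checks out the tap repository, not this one. The PAT is deliberately
      # left in the checkout's git config because the last step pushes with it.
      # NOTE(review): FORMULA_PAT can write to another repository; confirm it
      # is a fine-grained token limited to contents access on the tap only.
      - uses: actions/checkout@v4
        with:
          repository: AssafWoo/homebrew-pandafilter
          token: ${{ secrets.FORMULA_PAT }}
          ref: main

      - name: Compute SHA256s and update formula
        run: |
          TAG="${GITHUB_REF_NAME}"
          # The tag is spliced into sed expressions and a URL below. The 'v*'
          # trigger accepts any suffix, so refuse names containing characters
          # sed would treat as delimiters or back-references ('|', '&', '\').
          if ! [[ "$TAG" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
            echo "ERROR: unexpected tag name: ${TAG}"
            exit 1
          fi
          BASE="https://github.com/AssafWoo/PandaFilter/releases/download/${TAG}"
          # Download both macOS tarballs (release assets may take a moment to appear)
          for ARCH in arm64 x86_64; do
            FILE="/tmp/panda-macos-${ARCH}.tar.gz"
            for i in $(seq 1 10); do
              curl -fsSL "${BASE}/panda-macos-${ARCH}.tar.gz" -o "$FILE" && break
              echo "Waiting for panda-macos-${ARCH}.tar.gz (attempt $i)..."
              sleep 10
            done
            # A missing or truncated download (< 100 KiB) must not be hashed
            # into the formula.
            SIZE=$(stat -c%s "$FILE" 2>/dev/null || echo 0)
            if [ "$SIZE" -lt 102400 ]; then
              echo "ERROR: panda-macos-${ARCH}.tar.gz is only ${SIZE} bytes"
              exit 1
            fi
          done
          # These digests are what brew verifies at install time; they are
          # computed from the published assets, so they pin whatever the build
          # job uploaded.
          ARM64_SHA=$(sha256sum /tmp/panda-macos-arm64.tar.gz | awk '{print $1}')
          X86_SHA=$(sha256sum /tmp/panda-macos-x86_64.tar.gz | awk '{print $1}')
          echo "arm64 SHA256: $ARM64_SHA"
          echo "x86_64 SHA256: $X86_SHA"
          # Update explicit version field
          sed -i "s|version \"[0-9.]*\"|version \"${TAG#v}\"|g" Formula/pandafilter.rb
          # Update download URLs (replace old version tag)
          sed -i "s|releases/download/v[^/]*/panda-macos-arm64\.tar\.gz|releases/download/${TAG}/panda-macos-arm64.tar.gz|g" Formula/pandafilter.rb
          sed -i "s|releases/download/v[^/]*/panda-macos-x86_64\.tar\.gz|releases/download/${TAG}/panda-macos-x86_64.tar.gz|g" Formula/pandafilter.rb
          # Update SHA256s — match the sha256 line immediately after each URL line
          sed -i "/panda-macos-arm64\.tar\.gz/{n; s/sha256 \"[a-f0-9]*/sha256 \"${ARM64_SHA}/}" Formula/pandafilter.rb
          sed -i "/panda-macos-x86_64\.tar\.gz/{n; s/sha256 \"[a-f0-9]*/sha256 \"${X86_SHA}/}" Formula/pandafilter.rb
          echo "--- Formula after update ---"
          head -18 Formula/pandafilter.rb

      - name: Commit and push formula
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add Formula/pandafilter.rb
          # Nothing staged means the formula already matches this release.
          git diff --cached --quiet && echo "No formula changes" && exit 0
          git commit -m "chore: update formula for ${GITHUB_REF_NAME}"
          git pull --rebase origin main
          git push origin HEAD:main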