Publish when tag is pushed

.github/workflows/CreateRelease.yml

@@ -6,9 +6,11 @@ on:
   workflow_dispatch:
   push:
     branches: [main]
+    tags:
+      - "v*"
 
 permissions:
-  id-token: write
+  id-token: write # needed for trusted publishing (OIDC) to npm and crates.io
   contents: write # needed to create a release
 
 jobs:
@@ -30,6 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.set-version.outputs.version }}
+      dry_run: ${{ steps.set-version.outputs.dry_run }}
 
     steps:
       - uses: actions/checkout@v6
@@ -42,67 +45,50 @@ jobs:
         shell: bash
         run: |
           git fetch --tags || true
-          # Extract the version number from the branch name, which is expected to be in the format 'release/vX.Y.Z'
+          # Extract the version number from the tag name, which is expected to be in the format 'vX.Y.Z'
           # if not, default to '0.0.0' to avoid errors in subsequent steps
-          if [[ "${GITHUB_REF}" =~ refs/heads/release/v([0-9]+\.[0-9]+\.[0-9]+) ]]; then
+          if [[ "${GITHUB_REF}" =~ refs/tags/v([0-9]+\.[0-9]+\.[0-9]+) ]]; then
             version="${BASH_REMATCH[1]}"
+            dry_run=false
           else
             version="0.0.0"
+            dry_run=true
           fi
           echo "Setting version to 'v$version'"
           echo "version=$version" >> $GITHUB_OUTPUT
+          echo "dry_run=$dry_run" >> $GITHUB_OUTPUT
 
-  create-gh-release:
+  create-release-branch:
     needs: [build, benchmarks, set-version]
-    environment: release
     runs-on: ubuntu-latest
-    if: ${{ contains(github.ref, 'refs/heads/release/') }}
+    if: ${{ needs.set-version.outputs.dry_run == 'false' }}
 
     steps:
-      - name: Download benchmarks (Windows)
-        uses: actions/download-artifact@v8
-        with:
-          name: benchmarks_Windows_whp
-          path: benchmarks_Windows_whp
-
-      - name: Download benchmarks (Linux kvm)
-        uses: actions/download-artifact@v8
-        with:
-          name: benchmarks_Linux_kvm
-          path: benchmarks_Linux_kvm
+      - uses: actions/checkout@v6
 
-      - name: Download benchmarks (Linux hyperv3)
-        uses: actions/download-artifact@v8
-        with:
-          name: benchmarks_Linux_hyperv3
-          path: benchmarks_Linux_hyperv3
-
-      - name: Archive benchmarks
+      - name: Create Release Branch
+        shell: bash
         run: |
-          tar -zcvf benchmarks_Windows_whp.tar.gz benchmarks_Windows_whp
-          tar -zcvf benchmarks_Linux_kvm.tar.gz benchmarks_Linux_kvm
-          tar -zcvf benchmarks_Linux_hyperv3.tar.gz benchmarks_Linux_hyperv3
+          git checkout -b release/v${{ needs.set-version.outputs.version }}
+          git push --set-upstream origin release/v${{ needs.set-version.outputs.version }}
 
-      - name: Create GH Release
-        run: |
-            gh release create ${{ needs.set-version.outputs.version }} \
-              --generate-notes \
-              benchmarks_Windows_whp.tar.gz \
-              benchmarks_Linux_kvm.tar.gz \
-              benchmarks_Linux_hyperv3.tar.gz
-        env:
-            GH_TOKEN: ${{ github.token }}
+  publish-gh-release:
+    needs: [build, benchmarks, set-version]
+    uses: ./.github/workflows/gh-publish.yml
+    with:
+      version: ${{ needs.set-version.outputs.version }}
+      dry_run: ${{ needs.set-version.outputs.dry_run != 'false' }}
 
   publish-npm-packages:
     needs: [build, benchmarks, set-version]
     uses: ./.github/workflows/npm-publish.yml
     with:
       version: ${{ needs.set-version.outputs.version }}
-      dry-run: ${{ !contains(github.ref, 'refs/heads/release/') }}
+      dry_run: ${{ needs.set-version.outputs.dry_run != 'false' }}
 
   publish-cargo-crates:
     needs: [build, benchmarks, set-version]
     uses: ./.github/workflows/cargo-publish.yml
     with:
       version: ${{ needs.set-version.outputs.version }}
-      dry-run: ${{ !contains(github.ref, 'refs/heads/release/') }}
+      dry_run: ${{ needs.set-version.outputs.dry_run != 'false' }}

.github/workflows/cargo-publish.yml

@@ -9,23 +9,23 @@ on:
         description: 'Version to publish (e.g., 0.2.0)'
         required: true
         type: string
-      dry-run:
+      dry_run:
         description: 'Dry run (skip actual publish)'
         required: false
         type: boolean
         default: false
-  # IMPORTANT: Trusted publishing (OIDC) is configured on npmjs.com with
-  # workflow filename 'CreateRelease.yml'. npm checks the *calling* workflow
-  # for workflow_call, not the reusable workflow that runs npm publish.
+  # IMPORTANT: Trusted publishing (OIDC) is configured on crates.io with
+  # workflow filename 'CreateRelease.yml'. crates.io checks the *calling* workflow
+  # for workflow_call, not the reusable workflow that runs cargo publish.
   # Calling this workflow from a different parent workflow will fail OIDC auth.
-  # See: https://docs.npmjs.com/trusted-publishers#troubleshooting
+  # See: https://crates.io/docs/trusted-publishing
   workflow_call:
     inputs:
       version:
         description: 'Version to publish'
         required: true
         type: string
-      dry-run:
+      dry_run:
         description: 'Dry run (skip actual publish)'
         required: false
         type: boolean
@@ -70,7 +70,7 @@ jobs:
               return
             fi
 
-            if curl -s "https://crates.io/api/v1/crates/$crate/$VERSION" | jq -e .version > /dev/null; then
+            if cargo info --locked -q "$crate"@"$VERSION" > /dev/null; then
               echo "PUBLISH_${crate_env_var}=false" >> "$GITHUB_ENV"
               echo "✅ $crate@$VERSION already exists."
             else
@@ -102,10 +102,10 @@ jobs:
         run: cargo publish -p hyperlight-js-runtime
         env:
           CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token }}
-        if: ${{ env.PUBLISH_HYPERLIGHT_JS_RUNTIME != 'false' && !inputs['dry-run'] }}
+        if: ${{ env.PUBLISH_HYPERLIGHT_JS_RUNTIME != 'false' && !inputs.dry_run }}
 
       - name: Publish hyperlight-js
         run: cargo publish -p hyperlight-js
         env:
           CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token }}
-        if: ${{ env.PUBLISH_HYPERLIGHT_JS != 'false' && !inputs['dry-run'] }}
+        if: ${{ env.PUBLISH_HYPERLIGHT_JS != 'false' && !inputs.dry_run }}

.github/workflows/gh-publish.yml

@@ -0,0 +1,71 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Publish npm packages
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version to publish (e.g., 0.2.0)'
+        required: true
+        type: string
+      dry_run:
+        description: 'Dry run (skip actual publish)'
+        required: false
+        type: boolean
+        default: false
+  workflow_call:
+    inputs:
+      version:
+        description: 'Version to publish'
+        required: true
+        type: string
+      dry_run:
+        description: 'Dry run (skip actual publish)'
+        required: false
+        type: boolean
+        default: true
+
+permissions:
+  contents: write
+
+jobs:
+  create-gh-release:
+    environment: release
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Download benchmarks (Windows)
+        uses: actions/download-artifact@v8
+        with:
+          name: benchmarks_Windows_whp
+          path: benchmarks_Windows_whp
+
+      - name: Download benchmarks (Linux kvm)
+        uses: actions/download-artifact@v8
+        with:
+          name: benchmarks_Linux_kvm
+          path: benchmarks_Linux_kvm
+
+      - name: Download benchmarks (Linux hyperv3)
+        uses: actions/download-artifact@v8
+        with:
+          name: benchmarks_Linux_hyperv3
+          path: benchmarks_Linux_hyperv3
+
+      - name: Archive benchmarks
+        run: |
+          tar -zcvf benchmarks_Windows_whp.tar.gz benchmarks_Windows_whp
+          tar -zcvf benchmarks_Linux_kvm.tar.gz benchmarks_Linux_kvm
+          tar -zcvf benchmarks_Linux_hyperv3.tar.gz benchmarks_Linux_hyperv3
+
+      - name: Create GH Release
+        if: ${{ inputs.dry_run == 'false' }}
+        run: |
+            gh release create ${{ inputs.version }} \
+              --generate-notes \
+              benchmarks_Windows_whp.tar.gz \
+              benchmarks_Linux_kvm.tar.gz \
+              benchmarks_Linux_hyperv3.tar.gz
+        env:
+            GH_TOKEN: ${{ github.token }}

.github/workflows/npm-publish.yml

@@ -9,7 +9,7 @@ on:
         description: 'Version to publish (e.g., 0.2.0)'
         required: true
         type: string
-      dry-run:
+      dry_run:
         description: 'Dry run (skip actual publish)'
         required: false
         type: boolean
@@ -25,7 +25,7 @@ on:
         description: 'Version to publish'
         required: true
         type: string
-      dry-run:
+      dry_run:
         description: 'Dry run (skip actual publish)'
         required: false
         type: boolean
@@ -251,7 +251,7 @@ jobs:
       # You should almost never need to publish manually — if you do,
       # see docs/release.md for the full (deliberately painful) steps.
       - name: Validate NPM_TOKEN for manual dispatch
-        if: ${{ github.event_name == 'workflow_dispatch' && !inputs['dry-run'] }}
+        if: ${{ github.event_name == 'workflow_dispatch' && !inputs.dry_run }}
         run: |
           if [ -z "$NPM_TOKEN" ]; then
             echo "::error::NPM_TOKEN repo secret is required for manual workflow_dispatch publishing."
@@ -273,35 +273,35 @@ jobs:
           fi
 
       - name: Publish Linux GNU package
-        if: ${{ !inputs['dry-run'] }}
+        if: ${{ !inputs.dry_run }}
         working-directory: ${{ env.WORKING_DIR }}/npm/linux-x64-gnu
         run: npm publish --access public --ignore-scripts ${{ steps.publish-flags.outputs.provenance }}
         env:
           NODE_AUTH_TOKEN: ${{ github.event_name == 'workflow_dispatch' && secrets.NPM_TOKEN || '' }}
 
       - name: Publish Linux musl package
-        if: ${{ !inputs['dry-run'] }}
+        if: ${{ !inputs.dry_run }}
         working-directory: ${{ env.WORKING_DIR }}/npm/linux-x64-musl
         run: npm publish --access public --ignore-scripts ${{ steps.publish-flags.outputs.provenance }}
         env:
           NODE_AUTH_TOKEN: ${{ github.event_name == 'workflow_dispatch' && secrets.NPM_TOKEN || '' }}
 
       - name: Publish Windows package
-        if: ${{ !inputs['dry-run'] }}
+        if: ${{ !inputs.dry_run }}
         working-directory: ${{ env.WORKING_DIR }}/npm/win32-x64-msvc
         run: npm publish --access public --ignore-scripts ${{ steps.publish-flags.outputs.provenance }}
         env:
           NODE_AUTH_TOKEN: ${{ github.event_name == 'workflow_dispatch' && secrets.NPM_TOKEN || '' }}
 
       - name: Publish main package
-        if: ${{ !inputs['dry-run'] }}
+        if: ${{ !inputs.dry_run }}
         working-directory: ${{ env.WORKING_DIR }}
         run: npm publish --access public --ignore-scripts ${{ steps.publish-flags.outputs.provenance }}
         env:
           NODE_AUTH_TOKEN: ${{ github.event_name == 'workflow_dispatch' && secrets.NPM_TOKEN || '' }}
 
       - name: Verify all packages published
-        if: ${{ !inputs['dry-run'] }}
+        if: ${{ !inputs.dry_run }}
         run: |
           echo "Waiting for registry propagation..."
           sleep 15
@@ -325,7 +325,7 @@ jobs:
           VERSION: ${{ inputs.version }}
 
       - name: Dry run - show what would be published
-        if: ${{ inputs['dry-run'] }}
+        if: ${{ inputs.dry_run }}
         working-directory: ${{ env.WORKING_DIR }}
         run: |
           echo "=== DRY RUN - Would publish the following packages ==="

docs/release.md

@@ -110,7 +110,7 @@ If you need to publish npm packages manually via `workflow_dispatch`, you'll nee
    - Go to Actions → "Publish npm packages" → Run workflow
    - Select the correct branch
    - Enter the version (e.g. `0.2.1`)
-   - Set `dry-run` to `false`
+   - Set `dry_run` to `false`
 
 5. **Clean up immediately after publishing**
    - Delete the `NPM_TOKEN` repo secret on GitHub → Settings → Secrets and variables → Actions