Add moq-relay release workflow and Nix cache configuration #1178
Add a GitHub Actions workflow that builds moq-relay binaries for 4 targets (x86_64/aarch64 Linux, x86_64/aarch64 macOS) on release tags and uploads them as GitHub Release assets. Also add a Nix package definition (nix/moq-relay-bin.nix) that fetches pre-built binaries from GitHub Releases instead of compiling from source.
https://claude.ai/code/session_01EvMqKAenxxuNN8MnoYDLas
- Add nixConfig to flake.nix with the kixelated Cachix substituter so consumers automatically get pre-built binaries without compiling
- Expose moq-relay-bin package in flake that reads from nix/hashes.json
- Update moq-relay-bin.nix to read version/hashes from hashes.json by default, with optional manual overrides
- Add update-hashes job to the release workflow that computes SRI hashes and commits nix/hashes.json to main after each release
- Add nix/hashes.json placeholder (populated by CI on first release)
https://claude.ai/code/session_01EvMqKAenxxuNN8MnoYDLas
…kage
- Reduce moq-relay workflow to x86_64 and aarch64 Linux targets only
- Remove nix/moq-relay-bin.nix and nix/hashes.json (not needed with Cachix)
- Remove moq-relay-bin from flake packages
- Keep nixConfig with Cachix substituter for instant Nix installs
https://claude.ai/code/session_01EvMqKAenxxuNN8MnoYDLas
Actionable comments posted: 3
🧹 Nitpick comments (1)
.github/workflows/moq-relay.yml (1)
42-43: Tag parser is stricter than SemVer intent.
([0-9.]+) rejects valid SemVer prerelease/build tags (e.g. 1.2.3-rc.1). If semantic versioning is intended, use a SemVer-compatible pattern.
Also applies to: 85-86
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/moq-relay.yml around lines 42 - 43, The tag regex in the if-statement using "$ref" currently captures only digits/dots via ([0-9.]+) and will reject valid SemVer prerelease/build identifiers (e.g. 1.2.3-rc.1); update the pattern used in the conditional that matches "moq-relay-v(...)" (and the identical one later around lines 85-86) to a SemVer-compatible pattern that allows numeric segments plus optional prerelease and build metadata (or at minimum permit hyphens and alphanumerics after the numeric version), then write the captured group to $GITHUB_OUTPUT as before (keep the variable name/version extraction logic intact).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/moq-relay.yml:
- Around line 8-10: The workflow currently grants workflow-wide write access via
the top-level "permissions: contents: write"; change the default scope to the
least-privileged level needed by most jobs (e.g., "permissions: contents: read"
or remove write) and grant "contents: write" only to the "release" job by adding
a job-level permissions block for the release job; update the "build" job to use
read-only access (or inherit the default) so only the "release" job has write
rights.
- Around line 92-99: The current prev_tag selection uses git tag --list ...
--sort=-v:refname with grep -v which picks the highest other tag rather than the
immediate predecessor; update the logic in the step that sets
prev_tag/current_tag so you sort tags by version ascending and choose the tag
just before current_tag (e.g., use git tag --list 'moq-relay-v*'
--sort=v:refname, iterate/find the line equal to current_tag and take the
previous line), ensuring the script that sets prev_tag uses that previous-tag
value (symbols: current_tag and prev_tag) so changelog ranges compare against
the true immediate prior release.
- Around line 106-122: The release step currently calls gh release create (using
github.ref_name, steps.parse.outputs.version, prev_tag, artifacts/*) which fails
if the release already exists; change the step to first check for the release
existence with gh release view "${{ github.ref_name }}" and if it exists use gh
release upload (or gh release edit to update notes/notes-start-tag) to update
assets and metadata instead of running gh release create, otherwise run gh
release create as before; ensure the logic preserves the
prev_tag/--notes-start-tag behavior when creating and replaces or re-uploads
artifacts/* on reruns to make the job idempotent.
📒 Files selected for processing (2)
.github/workflows/moq-relay.yml
flake.nix
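An added example, not code from this PR: one way to implement the SemVer-compatible tag check (review lines 42-43) and the immediate-predecessor lookup (review lines 92-99). The names parse_version, prev_tag, SEMVER_TAG_RE and SAMPLE_TAGS, and the refs/tags/ prefix on the ref, are assumptions.

```sh
#!/bin/sh
# Added example, not the PR's workflow code. Function names, the refs/tags/
# prefix and SAMPLE_TAGS are constructed for illustration.

# MAJOR.MINOR.PATCH with optional -prerelease and +build, fully anchored so
# only a well-formed version string can be written to $GITHUB_OUTPUT.
SEMVER_TAG_RE='^refs/tags/moq-relay-v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'

# parse_version REF: print the version for a matching ref, else return 1.
parse_version() {
  ref=$1
  # grep matches line by line, so reject embedded newlines up front.
  case $ref in *'
'*) return 1 ;; esac
  printf '%s\n' "$ref" | grep -Eq "$SEMVER_TAG_RE" || return 1
  printf '%s\n' "${ref#refs/tags/moq-relay-v}"
}

# prev_tag CURRENT: read tags in ascending version order on stdin and print
# the one immediately before CURRENT. Prints an empty line when CURRENT is
# the first release; returns 1 when CURRENT is not in the list.
prev_tag() {
  current=$1
  prev=''
  while IFS= read -r tag; do
    if [ "$tag" = "$current" ]; then
      printf '%s\n' "$prev"
      return 0
    fi
    prev=$tag
  done
  return 1
}

# Constructed input, in the order that
# `git tag --list 'moq-relay-v*' --sort=v:refname` emits.
SAMPLE_TAGS='moq-relay-v0.9.0
moq-relay-v0.10.0
moq-relay-v0.10.1
moq-relay-v1.0.0'

# Releasing 0.10.1 after 1.0.0 exists: the predecessor is 0.10.0, not 1.0.0.
printf '%s\n' "$SAMPLE_TAGS" | prev_tag moq-relay-v0.10.1
```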
… correct prev_tag, idempotent release
- Scope top-level permissions to read, grant write only to the release job
- Accept SemVer prerelease/build metadata in tag regex
- Find the immediate predecessor tag instead of the highest other tag
- Check for existing release before creating to make reruns idempotent
- Remove nixConfig from flake.nix to avoid untrusted substituter prompts
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ate bun.lock
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
This PR adds automated release infrastructure for the moq-relay binary and configures Nix to use a binary cache for faster builds.
Key Changes
- New GitHub Actions workflow (moq-relay.yml): Automated build and release pipeline triggered on version tags
- Nix configuration (flake.nix): Added cachix binary cache configuration
Implementation Details
moq-relay-v*
https://claude.ai/code/session_01EvMqKAenxxuNN8MnoYDLas