@kungfu-tech/buildchain 2.0.16-alpha.0 → 2.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,202 @@
1
+ # promote-buildchain-ref
2
+
3
+ Internal buildchain action for promoting verified buildchain release-line and
4
+ compatibility refs from buildchain release channels:
5
+
6
+ - `alpha/v2/v2.0` creates or reuses the next exact prerelease tag such as
7
+ `v2.0.1-alpha.0`, writes that version into package version state, points the
8
+ alpha and dev channel branches at the version commit, then promotes
9
+ `v2.0-alpha`;
10
+ - `release/v2/v2.0` creates or reuses the next exact release tag such as
11
+ `v2.0.0`, writes that version into package version state, points the release
12
+ channel branch and release tags at the release commit, then prepares a second
13
+ source commit for the next exact prerelease tag such as `v2.0.1-alpha.0` and
14
+ points the alpha/dev channel branches plus `v2.0-alpha` at that prerelease
15
+ commit;
16
+ - `publish-gate/major` accepts a reviewed PR from a production release line such
17
+ as `release/v2/v2.0`, writes the next major production version such as
18
+ `v3.0.0`, points `publish-gate/major`, `release/v3/v3.0`, `v3.0`, and `v3`
19
+ at that release commit, then prepares `v3.0.1-alpha.0` for
20
+ `alpha/v3/v3.0`, `dev/v3/v3.0`, and `v3.0-alpha`. The older `major-gate`
21
+ branch name is a compatibility alias only.
22
+
23
+ The release branch name defines the minor line. For example,
24
+ `release/v2/v2.1` creates `v2.1.N`, promotes `v2.1`, and promotes `v2` only
25
+ when the next minor tag such as `v2.2` does not already exist.
26
+
27
+ The action updates version state in `lerna.json`, root `package.json`, and
28
+ workspace package manifests discovered from package manager metadata
29
+ (`package.json` workspaces, `lerna.json` packages, or `pnpm-workspace.yaml`).
30
+ Package manager detection is adaptive (`pnpm`, `npm`, or `yarn`) and is recorded
31
+ in logs.
32
+
33
+ Repositories can also provide `buildchain.toml` to declare version-state files
34
+ and `lifecycle.verify`. TOML-configured version files take precedence over
35
+ package-manager discovery and can target JSON, TOML, or regex-based files. The
36
+ version commit itself is written through the GitHub Git Data API so the ref
37
+ graph is the durable source of truth. Repositories without any supported version
38
+ state degrade to ref-only promotion only when strict version state is disabled.
39
+
40
+ ## Dry Run
41
+
42
+ Use `dry-run: "true"` or the CLI `buildchain release --dry-run` before merging a
43
+ channel PR when you need to understand what Buildchain would do. This dry-run is
44
+ at the Buildchain release-line level. It explains:
45
+
46
+ - the legal source branch for the target channel;
47
+ - exact release or alpha tags that would be created or reused;
48
+ - floating tags and channel branches that would move;
49
+ - version-state files and verification lifecycle that would apply;
50
+ - branch protection, PR lineage, and release-from-alpha checks;
51
+ - publish transaction behavior when `lifecycle.publish` or
52
+ `publish-transaction` is enabled.
53
+
54
+ It does not move refs, move tags, write package files, run publish commands, or
55
+ publish npm packages. The GitHub action dry-run still calls GitHub APIs to
56
+ resolve the current target SHA and concrete pending ref updates, but every
57
+ write is reported as a dry-run update.
58
+
59
+ Repositories whose package version is anchored to an explicitly selected
60
+ upstream release can opt into manual next-anchor behavior:
61
+
62
+ ```toml
63
+ [version]
64
+ required = true
65
+ strategy = "anchored"
66
+ next = "manual"
67
+ manifest = "libnode.release.json"
68
+ ```
69
+
70
+ In this mode, the action validates the configured version files and anchor
71
+ manifest through the repository's verify lifecycle, but it does not rewrite the
72
+ package version to match the Buildchain release tag. After a production
73
+ release, it sets `next-anchor-required=true` and does not auto-create the next
74
+ alpha branch or tag. The repository must create the next upstream anchor line
75
+ explicitly, then run the normal channel promotion flow for that line.
76
+
77
+ When branch protection requires pull requests, generated version-state commits
78
+ are also routed through pull requests. The action creates an internal
79
+ `buildchain/version-state/...` branch and PR, then stops before moving tags. Once
80
+ that PR is reviewed, checked, and merged, the next promotion run verifies that
81
+ the merge only changed declared version-state files from the legal source
82
+ parent, then moves exact and floating refs.
83
+
84
+ ## Publish Transactions
85
+
86
+ Promotion can also own external publish side effects. Enable this only from a
87
+ trusted channel workflow:
88
+
89
+ ```yaml
90
+ - uses: kungfu-systems/buildchain/actions/promote-buildchain-ref@v2
91
+ with:
92
+ token: ${{ secrets.BUILDCHAIN_PROMOTION_TOKEN }}
93
+ sha: ${{ github.sha }}
94
+ target-ref: release/v2/v2.0
95
+ publish-transaction: "true"
96
+ publish-mode: publish-final-version
97
+ publish-auth: trusted-publishing
98
+ publish-required-artifacts-json: >-
99
+ [
100
+ {"kind":"npm","name":"@kungfu-tech/buildchain","ref":"2.0.0","digest":"sha256:..."}
101
+ ]
102
+ ```
103
+
104
+ When enabled, the action creates or resumes a release transaction keyed by
105
+ repository, version, source SHA, and target ref. It persists that transaction to
106
+ a machine-managed branch under `buildchain/release-state/<version>`, with
107
+ `state.json` and, once available, `evidence.json`. Fresh GitHub runners read
108
+ that durable ref before running publish, so reruns do not depend on a previous
109
+ runner's local `.buildchain` directory.
110
+
111
+ The action runs `lifecycle.publish` from `buildchain.toml` or the explicit
112
+ `publish-command` input, then validates publish evidence before exact tags and
113
+ floating refs move. If durable state persistence fails, the action fails closed
114
+ before publish or public ref finalization.
115
+
116
+ `publish-mode` defaults to `publish-final-version`, the token-free path for
117
+ normal npm Trusted Publishing. Same-version alpha-to-latest recovery must be
118
+ declared as `publish-mode: promote-existing-version` and
119
+ `publish-auth: npm-token`; Buildchain runs `npm whoami` before it creates
120
+ release-state or moves any `npm dist-tag`. The Trusted Publishing mode is not
121
+ allowed to perform `npm dist-tag add`.
122
+
123
+ Buildchain itself uses this path for npm. Its `lifecycle.publish` runs
124
+ `node scripts/npm-publish-transaction.mjs`, which publishes
125
+ `@kungfu-tech/buildchain` through npm Trusted Publishing and writes npm
126
+ artifact evidence into the transaction before release refs move. The separate
127
+ `.github/workflows/npm-publish.yml` workflow is dry-run only.
128
+
129
+ Publish lifecycle environment:
130
+
131
+ ```text
132
+ BUILDCHAIN_VERSION
133
+ BUILDCHAIN_CHANNEL
134
+ BUILDCHAIN_SOURCE_SHA
135
+ BUILDCHAIN_TARGET_REF
136
+ BUILDCHAIN_RELEASE_STATE
137
+ BUILDCHAIN_EVIDENCE_DIR
138
+ BUILDCHAIN_RELEASE_SHA
139
+ BUILDCHAIN_RELEASE_MATERIAL_SHA
140
+ BUILDCHAIN_PUBLISH_TOOLING_SHA
141
+ BUILDCHAIN_PUBLISH_EVIDENCE
142
+ ```
143
+
144
+ The action outputs `transaction-id`, `transaction-state`,
145
+ `transaction-exact-tag`, `transaction-release-sha`, `transaction-state-ref`,
146
+ `transaction-state-sha`, `transaction-state-path`, `publish-evidence-path`, and
147
+ `finalization-needed`. `transaction-state-ref` is the durable recovery location.
148
+ `finalization-needed=true` means publish evidence is valid, but protected branch
149
+ or ref finalization needs a later promotion run.
150
+
151
+ Finalization recovery is anchored to the durable transaction, not to a single
152
+ workflow run SHA. After a generated version-state PR is merged, the current
153
+ channel head can be a merge commit that contains or corresponds to the recorded
154
+ `release_material_sha`; it does not have to equal the original `source_sha` or
155
+ the transaction `release_sha`. Reruns accept exact tags that already point at
156
+ the transaction release/material SHA or the finalized channel head, and continue
157
+ moving any missing floating tags or dev/alpha refs before marking the
158
+ transaction `complete`.
159
+
160
+ Normal reruns accept already-published artifacts only when evidence matches.
161
+ Missing required artifacts can be published on the next run. Conflicting
162
+ artifacts put the transaction into `repair_required`; `abandoned` and
163
+ `failed_permanently` also fail closed unless `publish-transaction-override` is
164
+ set for a controlled repair.
165
+
166
+ In strict buildchain promotion, ref movement is also gated by the old ABV
167
+ governance semantics:
168
+
169
+ - the target channel branch protection details must be readable, must enforce
170
+ protection for administrators, and must require approving PR review plus the
171
+ strict `check` job from the `Verify` workflow;
172
+ - alpha promotion must come from a merged same-repository PR
173
+ `dev/vN/vN.M -> alpha/vN/vN.M`;
174
+ - release promotion must come from a merged same-repository PR
175
+ `alpha/vN/vN.M -> release/vN/vN.M`;
176
+ - major promotion must come from a merged same-repository PR
177
+ `release/vN/vN.M -> publish-gate/major`;
178
+ - release promotion must have an exact alpha tag for the same patch line, and
179
+ the release source tree must match that alpha tag tree, so release does not
180
+ introduce new code after alpha;
181
+ - generated release and next-alpha version-state trees can be verified locally
182
+ with either the `verification-command` input or `buildchain.toml`
183
+ `lifecycle.verify` before any tags or channel refs move.
184
+
185
+ The promotion workflow should use `BUILDCHAIN_PROMOTION_TOKEN` for non-dry-run
186
+ promotion. The token is the buildchain equivalent of the old ABV runner release
187
+ authority: protected branch review and check rules guard human channel merges,
188
+ while this action independently rechecks PR lineage, alpha/release tree
189
+ equivalence, and generated version-state verification before moving channel
190
+ refs and tags.
191
+
192
+ The tag names intentionally follow the old ABV release semantics:
193
+ exact release tags are `vX.Y.Z`, exact alpha tags are `vX.Y.Z-alpha.N`, floating
194
+ release tags are minor/major tags such as `v2.0` and `v2`, and floating alpha
195
+ tags are minor-line tags such as `v2.0-alpha`. Bare tags such as `1.0.0` are not
196
+ maintained as buildchain release entrypoints.
197
+
198
+ Repository rulesets should protect exact tags, not every `v*` tag. A ruleset
199
+ such as `refs/tags/v*` also protects floating channel tags like `v2.0-alpha`,
200
+ which Buildchain must update after exact tags and publish evidence are durable.
201
+ Use an exact-tag rule such as `refs/tags/v*.*.*` for immutable evidence tags and
202
+ leave floating channel tags mutable for the promotion token.
@@ -0,0 +1,41 @@
1
+ # run-lifecycle
2
+
3
+ Run a Buildchain lifecycle stage or an explicit command and write a deterministic
4
+ artifact manifest.
5
+
6
+ ```yaml
7
+ - uses: kungfu-systems/buildchain/actions/run-lifecycle@v2
8
+ with:
9
+ stage: build
10
+ required: "true"
11
+ artifact-name: my-product-linux-x64-${{ github.sha }}
12
+ artifact-paths: |
13
+ dist
14
+ build/stage
15
+ ```
16
+
17
+ When `command` is provided, it overrides `buildchain.toml` for that invocation.
18
+ When `command` is empty, the action loads `buildchain.toml` and runs the named
19
+ stage.
20
+
21
+ The action writes both a full manifest and a compact summary. It also exposes
22
+ the summary as outputs for reusable workflow callers:
23
+
24
+ | Output | Meaning |
25
+ | --- | --- |
26
+ | `manifest-path` | Full manifest path |
27
+ | `summary-path` | Compact summary path |
28
+ | `artifact-name` | Resolved artifact name |
29
+ | `artifact-file-count` | Number of manifest files |
30
+ | `artifact-total-bytes` | Total manifest bytes |
31
+ | `artifact-summary-json` | One-line JSON summary |
32
+ | `expected-artifacts-ok` | `true` when expectations passed |
33
+
34
+ `expected-artifacts-json` can require exact paths, file count bounds, and a
35
+ minimum byte total:
36
+
37
+ ```yaml
38
+ with:
39
+ expected-artifacts-json: >-
40
+ {"minFiles":2,"requiredPaths":["dist/app.tar.gz","dist/checksums.txt"]}
41
+ ```
@@ -0,0 +1,34 @@
1
+ # validate-config
2
+
3
+ Buildchain v2 action for validating `buildchain.toml` without running lifecycle
4
+ commands.
5
+
6
+ Use this action during repository migration when a heavyweight project needs to
7
+ prove that its Buildchain version state and lifecycle declaration are ready, but
8
+ the actual build should not run yet.
9
+
10
+ ## Usage
11
+
12
+ ```yaml
13
+ - uses: kungfu-systems/buildchain/actions/validate-config@v2
14
+ with:
15
+ require-version-state: "true"
16
+ require-lifecycle-stages: "install,build,verify"
17
+ ```
18
+
19
+ The action checks:
20
+
21
+ - `buildchain.toml` exists and uses schema `1`;
22
+ - configured version-state files exist and expose a string version;
23
+ - anchored/manual version strategy declarations and JSON/TOML anchor manifests
24
+ are structurally valid when configured;
25
+ - web-surface project, channel, deploy adapter, retention, and staging security
26
+ declarations are structurally valid when configured;
27
+ - required lifecycle stages are declared and structurally valid.
28
+
29
+ It does not execute `lifecycle.install`, `lifecycle.build`, `lifecycle.verify`,
30
+ or any other lifecycle command.
31
+
32
+ Outputs include `project-type`, `project-name`, `project-site`, `channels`, and
33
+ `deploy-adapters-json`, so callers can route site workflows without reparsing
34
+ TOML in every repository.
package/docs/MAP.md ADDED
@@ -0,0 +1,64 @@
1
+ # Documentation Map
2
+
3
+ Start here. Find the question you have; follow it to the document that answers
4
+ it. This map is meant to be readable by both a person skimming for the right doc
5
+ and an agent grounding a specific claim.
6
+
7
+ Each row carries a **plane** - *why* (intent / rationale), *verify* (trust the
8
+ running artifact), *use* (consume / extend) - and a **status**:
9
+
10
+ - `stable` - current and holds.
11
+ - `draft` - exists, rough or incomplete.
12
+ - `to write` - planned; the material exists but is not yet a single doc.
13
+ - `retired` - intentionally not part of the active Buildchain v2 surface.
14
+
15
+ ## Map
16
+
17
+ | Your question | Document | Plane | Status |
18
+ | --- | --- | --- | --- |
19
+ | What is Buildchain, in one idea? | [`../README.md`](../README.md) | - | stable |
20
+ | How do agents and contributors enter this repo? | [`../AGENTS.md`](../AGENTS.md) + [`../CONTRIBUTING.md`](../CONTRIBUTING.md) | use | stable |
21
+ | How do I install or run the `buildchain` CLI? | [`cli.md`](cli.md) | use | stable |
22
+ | How do I initialize a new repository? | [`cli.md`](cli.md) + [`lifecycle-protocol.md`](lifecycle-protocol.md) | use | stable |
23
+ | Why does Buildchain use branch-driven release governance? | [`release-governance.md`](release-governance.md) | why | stable |
24
+ | What exact branch/tag state machine runs on alpha, release, and major gate? | [`release-flow.md`](release-flow.md) | verify | stable |
25
+ | What did Buildchain migrate or retire from old action repositories? | [`migration-inventory.md`](migration-inventory.md) | verify | stable |
26
+ | What is the active action and workflow source of truth? | [`ownership.md`](ownership.md) | verify | stable |
27
+ | How do I declare version files and custom lifecycle commands? | [`lifecycle-protocol.md`](lifecycle-protocol.md) | use | stable |
28
+ | How does publish evidence, recovery, and finalization work? | [`publish-transaction.md`](publish-transaction.md) | verify | stable |
29
+ | How do I call the reusable build workflow? | [`reusable-build-surface.md`](reusable-build-surface.md) | use | stable |
30
+ | How do I deploy a site/app preview, staging, or production surface? | [`web-surface-deployments.md`](web-surface-deployments.md) | use | stable |
31
+ | How do I use the active actions directly? | [`../actions/validate-config/README.md`](../actions/validate-config/README.md), [`../actions/run-lifecycle/README.md`](../actions/run-lifecycle/README.md), [`../actions/promote-buildchain-ref/README.md`](../actions/promote-buildchain-ref/README.md) | use | stable |
32
+ | What do the fixture repositories demonstrate? | [`../fixtures/libnode-shaped/README.md`](../fixtures/libnode-shaped/README.md), [`../fixtures/publish-transaction-shaped/README.md`](../fixtures/publish-transaction-shaped/README.md), [`../fixtures/web-surface-shaped/README.md`](../fixtures/web-surface-shaped/README.md) | verify | stable |
33
+ | What license and contribution terms apply? | [`../LICENSE`](../LICENSE) + [`../LICENSE-POLICY.md`](../LICENSE-POLICY.md) | use | stable |
34
+ | How do I report a vulnerability? | [`../SECURITY.md`](../SECURITY.md) | use | stable |
35
+
36
+ ## Also asking about
37
+
38
+ - **ABV / old workflows / old action repositories** -> [`release-governance.md`](release-governance.md)
39
+ and [`migration-inventory.md`](migration-inventory.md).
40
+ - **v2 / v2.0 / v2.0-alpha / exact tags / floating tags** ->
41
+ [`release-governance.md`](release-governance.md) and
42
+ [`release-flow.md`](release-flow.md).
43
+ - **dry-run / what would happen if this channel PR merges** -> [`cli.md`](cli.md)
44
+ and [`release-flow.md`](release-flow.md).
45
+ - **pnpm / npm / yarn / package-manager adapters** ->
46
+ [`lifecycle-protocol.md`](lifecycle-protocol.md).
47
+ - **pip / Conan / CMake / custom commands** -> [`lifecycle-protocol.md`](lifecycle-protocol.md)
48
+ and [`reusable-build-surface.md`](reusable-build-surface.md).
49
+ - **libnode / native artifacts / self-hosted runner matrix** ->
50
+ [`reusable-build-surface.md`](reusable-build-surface.md) and
51
+ [`../fixtures/libnode-shaped/README.md`](../fixtures/libnode-shaped/README.md).
52
+ - **Trusted Publishing / npm / publish evidence / recovery** ->
53
+ [`cli.md`](cli.md) and [`publish-transaction.md`](publish-transaction.md).
54
+ - **sites / web previews / staging / production gates** ->
55
+ [`web-surface-deployments.md`](web-surface-deployments.md).
56
+
57
+ ## How this map is maintained
58
+
59
+ - A document becomes a row here when it is a stable entrypoint for a user,
60
+ contributor, or workflow consumer.
61
+ - A row's status must never claim more than the artifact delivers.
62
+ - `why` documents explain intent and design pressure; `verify` and `use`
63
+ documents should state what is guaranteed, where to verify it, and the current
64
+ maturity of that guarantee.
@@ -189,7 +189,8 @@ node scripts/write-publish-evidence.mjs
189
189
  ```
190
190
 
191
191
  When `actions/promote-buildchain-ref` runs with `publish-transaction: "true"`,
192
- the publish stage receives:
192
+ the publish stage receives the transaction identity plus the resolved publish
193
+ contract:
193
194
 
194
195
  ```text
195
196
  BUILDCHAIN_VERSION
@@ -202,6 +203,11 @@ BUILDCHAIN_RELEASE_SHA
202
203
  BUILDCHAIN_RELEASE_MATERIAL_SHA
203
204
  BUILDCHAIN_PUBLISH_TOOLING_SHA
204
205
  BUILDCHAIN_PUBLISH_EVIDENCE
206
+ BUILDCHAIN_PUBLISH_MODE
207
+ BUILDCHAIN_PUBLISH_AUTH
208
+ BUILDCHAIN_NPM_DIST_TAG
209
+ BUILDCHAIN_PACKAGE_SET_ORDER
210
+ BUILDCHAIN_PACKAGE_SET_MAIN_PACKAGE
205
211
  ```
206
212
 
207
213
  The stage must write publish evidence JSON. Buildchain validates that evidence
@@ -212,6 +218,20 @@ without local workspace residue. See
212
218
  [`docs/publish-transaction.md`](publish-transaction.md) for the state machine,
213
219
  evidence schema, and recovery commands.
214
220
 
221
+ For npm packages, prefer:
222
+
223
+ ```toml
224
+ [publish]
225
+ mode = "publish-final-version"
226
+ auth = "trusted-publishing"
227
+ dist_tag = "latest"
228
+ ```
229
+
230
+ Use `mode = "promote-existing-version"` only for explicit same-version
231
+ dist-tag recovery, and pair it with `auth = "npm-token"`. Trusted Publishing
232
+ does not authorize `npm dist-tag add`; Buildchain fails that combination before
233
+ any publish transaction side effect.
234
+
215
235
  ## Promotion Semantics
216
236
 
217
237
  `actions/promote-buildchain-ref` consumes `version.files`, `lifecycle.verify`,
@@ -0,0 +1,88 @@
1
+ # Buildchain v2 Migration Inventory
2
+
3
+ This inventory records the buildchain v2 action surface. Buildchain v2 is the
4
+ monorepo source of truth for active Kungfu repository workflows, the active
5
+ reusable build workflow, and the three GitHub Actions that are still part of
6
+ Buildchain's reusable contract.
7
+ Standalone `workflows` and `action-*` repositories are historical rollback
8
+ anchors, not active Buildchain migration targets.
9
+
10
+ ## Workflow Sources
11
+
12
+ | Source repository | Previous branch | Buildchain v2 disposition |
13
+ | --- | --- | --- |
14
+ | `workflows` | `dev/v2/v2.0` | root `.github/workflows` sources migrated; reusable workflows linted by actionlint |
15
+
16
+ ## Reusable Workflow Boundaries
17
+
18
+ The active Buildchain-native reusable surface is:
19
+
20
+ | Workflow | Disposition |
21
+ | --- | --- |
22
+ | `.github/workflows/.build.yml` | active reusable build contract: runner presets, trusted event gate, publish source lock, lifecycle commands, deterministic artifacts, aggregate summary, and release manifest outputs |
23
+
24
+ Other hidden reusable workflow files from the old `workflows` repository may
25
+ still exist in `.github/workflows`. They are retained so the repository can lint
26
+ them, document migration boundaries, and make retired paths fail closed. They
27
+ are not new Buildchain v2 integration targets unless a dedicated document says
28
+ otherwise. In particular, the legacy `.release-new-version.yml` path is not the
29
+ modern publish surface; new publish integrations should use `.build.yml`,
30
+ `buildchain.toml`, `lifecycle.publish`, and publish transaction evidence.
31
+
32
+ ## Migrated Actions
33
+
34
+ No standalone `action-*` repository is shipped as a Buildchain action anymore.
35
+ Old product, operations, PR-helper, page-generation, dependency-sync, and
36
+ version-bump actions have either been retired or absorbed into Buildchain's
37
+ native lifecycle, reusable workflow, and promotion scripts.
38
+
39
+ ## Retired Actions Excluded From v2
40
+
41
+ These legacy action repositories are intentionally not shipped as buildchain v2
42
+ actions because the corresponding workflows now reject the retired mechanism or
43
+ because the action is part of that retired path.
44
+
45
+ | Previous repository | Reason |
46
+ | --- | --- |
47
+ | `action-approve` | retired GitHub issue/PR helper; use repository-native GitHub automation |
48
+ | `action-batch-pull-request` | retired PR orchestration helper; not part of the Buildchain reusable contract |
49
+ | `action-bump-version` | replaced by Buildchain release-line scripts and `actions/promote-buildchain-ref` |
50
+ | `action-check-format` | replaced by project-owned `lifecycle.verify` commands |
51
+ | `action-find-dependencies` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
52
+ | `action-generate-download-page` | retired product page generator; model as project-owned lifecycle/deploy work if needed |
53
+ | `action-generate-release-page` | retired product page generator; model as project-owned lifecycle/deploy work if needed |
54
+ | `action-merge-close-issue` | retired GitHub issue/PR helper; use repository-native GitHub automation |
55
+ | `action-package-dependency` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
56
+ | `action-publish-prebuilt` | retired S3 prebuilt publisher; use lifecycle publish plus publish transaction evidence |
57
+ | `action-purge-artifacts` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
58
+ | `action-qa-automated` | retired external QA trigger; model as project-owned lifecycle or workflow logic |
59
+ | `action-release-note` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
60
+ | `action-rollback-release` | replaced by Buildchain publish transaction recover/finalize/repair semantics |
61
+ | `action-set-collaborators` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
62
+ | `action-sync-airtable` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
63
+ | `action-sync-extensions-version` | retired in workflows v2 or backed by retired Airtable/dependency/collaborator/purge mechanism |
64
+ | `action-sync-pr` | retired PR synchronization helper; not part of the Buildchain reusable contract |
65
+ | `action-update-dependencies-version` | retired dependency-version helper; use package-manager adapters and lifecycle commands |
66
+
67
+ ## Buildchain-Native Actions
68
+
69
+ These actions are new Buildchain v2 surfaces rather than migrations from an
70
+ older standalone action repository.
71
+
72
+ | Buildchain path | Purpose |
73
+ | --- | --- |
74
+ | `actions/promote-buildchain-ref` | governance-closed Buildchain release ref promotion |
75
+ | `actions/run-lifecycle` | lifecycle command execution and deterministic artifact manifest generation |
76
+ | `actions/validate-config` | `buildchain.toml` version-state and lifecycle preflight without executing lifecycle commands |
77
+
78
+ ## Stable v2 Refs
79
+
80
+ - Actions: `kungfu-systems/buildchain/actions/<name>@v2`
81
+ - Reusable workflows: `kungfu-systems/buildchain/.github/workflows/<workflow>.yml@v2`
82
+
83
+ ## Verification Gates
84
+
85
+ - `pnpm install --frozen-lockfile`
86
+ - `pnpm run check`
87
+ - GitHub-hosted `Verify` workflow
88
+ - Manual `Self-hosted Runner Smoke` workflow for trusted self-hosted runner validation
@@ -0,0 +1,52 @@
1
+ # Ownership And Migration Rules
2
+
3
+ ## Source Of Truth
4
+
5
+ Buildchain v2 workflow and action design lands in this repository. Standalone
6
+ `workflows` and `action-*` repositories are historical rollback anchors.
7
+ Buildchain only ships the native action surface required for config validation,
8
+ lifecycle execution, and release ref promotion.
9
+
10
+ ## Compatibility Rule
11
+
12
+ Do not break existing stable reusable workflow refs during migration:
13
+
14
+ - `kungfu-systems/workflows@v2`
15
+
16
+ Any consumer migration must record:
17
+
18
+ - old `uses:` refs;
19
+ - new `uses:` refs;
20
+ - workflow run ids;
21
+ - rollback command or revert path.
22
+
23
+ New stable references should use:
24
+
25
+ - `kungfu-systems/buildchain/actions/validate-config@v2`
26
+ - `kungfu-systems/buildchain/actions/run-lifecycle@v2`
27
+ - `kungfu-systems/buildchain/actions/promote-buildchain-ref@v2`
28
+ - `kungfu-systems/buildchain/.github/workflows/<workflow>.yml@v2`
29
+
30
+ ## Publishing Rule
31
+
32
+ Publishing paths stay disabled in buildchain's own verification workflows unless
33
+ explicitly enabled by a production release workflow. Any consumer cutover that
34
+ publishes packages, S3 artifacts, release pages, or preview links must include
35
+ rollback notes. Reusable workflow consumers should gate publish jobs with
36
+ `needs.<build-job>.outputs.publish-allowed == 'true'` and record the requested
37
+ `publish-channel`, rather than duplicating channel branch logic in every
38
+ consumer workflow.
39
+
40
+ ## Candidate Ref Rule
41
+
42
+ Candidate refs are expected to resolve under `kungfu-systems/*`. Broader
43
+ sources require an explicit trust decision before they can reach self-hosted
44
+ runners or secrets.
45
+
46
+ ## Source-Locked Publish Rule
47
+
48
+ When a consumer uses `publish-gate/*` branches, publish jobs must use the
49
+ resolved `publish-source-sha` and `release-manifest-json` emitted by the reusable
50
+ build workflow. Before touching a package registry, S3 bucket, release page, or
51
+ floating alias, the publish job must verify that the gate branch still points at
52
+ the recorded SHA. A moved gate branch is a stale release decision, not a retry.
@@ -70,6 +70,13 @@ of reusing or overwriting that failed transaction slot.
70
70
  Repositories declare publish work in `buildchain.toml`:
71
71
 
72
72
  ```toml
73
+ [publish]
74
+ mode = "publish-final-version"
75
+ auth = "trusted-publishing"
76
+ dist_tag = "latest"
77
+ package_set_order = "platforms-first-main-last"
78
+ main_package = "@kungfu-tech/libnode"
79
+
73
80
  [lifecycle.publish]
74
81
  commands = [
75
82
  "python scripts/publish_wheels.py",
@@ -93,6 +100,11 @@ BUILDCHAIN_RELEASE_SHA
93
100
  BUILDCHAIN_RELEASE_MATERIAL_SHA
94
101
  BUILDCHAIN_PUBLISH_TOOLING_SHA
95
102
  BUILDCHAIN_PUBLISH_EVIDENCE
103
+ BUILDCHAIN_PUBLISH_MODE
104
+ BUILDCHAIN_PUBLISH_AUTH
105
+ BUILDCHAIN_NPM_DIST_TAG
106
+ BUILDCHAIN_PACKAGE_SET_ORDER
107
+ BUILDCHAIN_PACKAGE_SET_MAIN_PACKAGE
96
108
  ```
97
109
 
98
110
  Buildchain itself uses this contract for npm publishing:
@@ -103,7 +115,7 @@ command = "node scripts/npm-publish-transaction.mjs"
103
115
  ```
104
116
 
105
117
  That script validates that `package.json` matches `BUILDCHAIN_VERSION`, runs
106
- `npm publish --access public --tag <alpha|latest>` through npm Trusted
118
+ `npm publish --access public --tag <BUILDCHAIN_NPM_DIST_TAG>` through npm Trusted
107
119
  Publishing, and writes npm artifact evidence before the promotion action moves
108
120
  public refs.
109
121
 
@@ -111,6 +123,33 @@ public refs.
111
123
  match. `BUILDCHAIN_PUBLISH_TOOLING_SHA` identifies the publishing code. A repair
112
124
  run may change tooling, but material drift fails closed.
113
125
 
126
+ ## Release Modes And Auth
127
+
128
+ Buildchain distinguishes two npm release modes:
129
+
130
+ | Mode | Use | Auth | npm operation |
131
+ | --- | --- | --- | --- |
132
+ | `publish-final-version` | normal alpha or stable publication | `trusted-publishing` | `npm publish --tag <alpha|latest>` |
133
+ | `promote-existing-version` | same-version alpha-to-latest recovery | `npm-token` | `npm dist-tag add <pkg>@<version> latest` |
134
+
135
+ The normal libnode path is `publish-final-version`: publish an alpha package set
136
+ such as `22.22.3-kf.3-alpha.0` with the `alpha` dist-tag, then publish a
137
+ distinct final package set such as `22.22.3-kf.3` with the `latest` dist-tag.
138
+ GitHub-hosted npm Trusted Publishing can authorize those `npm publish` calls
139
+ when the workflow grants `id-token: write`.
140
+
141
+ `promote-existing-version` is deliberately separate. npm Trusted Publishing does
142
+ not authorize arbitrary registry-management operations such as `npm dist-tag
143
+ add`; it authorizes publish-time package provenance. Therefore same-version
144
+ promotion must declare `auth = "npm-token"`. Buildchain runs an npm token
145
+ preflight with `npm whoami` before it writes any release transaction state or
146
+ moves a dist-tag. Missing token auth fails early with a contract error instead
147
+ of a late `E401` after publish evidence has started to move.
148
+
149
+ For package sets, `package_set_order = "platforms-first-main-last"` makes the
150
+ main package the visibility gate. Platform package side effects are planned or
151
+ retried first, and the main package or main dist-tag move happens last.
152
+
114
153
  ## Evidence
115
154
 
116
155
  The publish lifecycle must write JSON evidence. Buildchain validates common