pushci 1.3.0 → 1.4.0

package/README.md

@@ -61,8 +61,9 @@ PushCI includes an MCP server for AI coding agents like **Claude Code**, **Curso
 
 ## Supported
 
-**19 Languages**: Go, Node/TS, Python, Rust, Java, C#,
-Ruby, PHP, Swift, Dart, Elixir, Zig, Docker +more
+**33 Languages**: Go, Node/TS, Python, Rust, Java, C#,
+Ruby, PHP, Swift, Dart, Elixir, Zig, Scala, Haskell,
+Kotlin, Lua, Perl, R, Julia, OCaml, Nim, Crystal +more
 
 **40+ Frameworks**: Next.js, Nuxt, SvelteKit, Django, FastAPI,
 Flask, Spring Boot, Rails, Laravel, Phoenix, Flutter +more
@@ -103,44 +104,235 @@ Supported platforms:
 ## Commands
 
 ```
-pushci init        Scan repo, generate config, install hooks
-pushci run         Run full CI pipeline locally
-pushci deploy      Deploy to configured target
-pushci diagnose    AI-diagnose failed runs
-pushci status      Show last run results
-pushci secret      Manage encrypted secrets
-pushci heal        AI-powered pipeline auto-fix
-pushci ask         Natural language CI commands
-pushci generate    AI-generate pushci.yml
-pushci migrate     Convert GitHub Actions workflow
-pushci mcp         Start MCP server for AI agents
-pushci agent       Start webhook server (GitHub/GitLab/BB)
-pushci login       Authenticate with PushCI (Pro)
-pushci logout      Remove saved credentials
-pushci doctor      Check environment health
+pushci init         Detect stack and generate pushci.yml
+pushci run          Execute pipeline checks
+pushci deploy       Deploy to target environment
+pushci diagnose     AI-diagnose failed runs
+pushci status       Show last run results
+pushci secret       Manage encrypted secrets
+pushci heal         AI self-heal broken pipeline
+pushci ask          Natural language CI commands
+pushci generate     AI-generate pushci.yml
+pushci migrate      Convert GitHub Actions workflow
+pushci mcp          Start MCP server for AI agents
+pushci agent        Start webhook agent server
+pushci index        Build dependency graph for blast radius
+pushci skill        Install/list/remove marketplace skills
+pushci login        Authenticate with PushCI (Pro)
+pushci logout       Remove saved credentials
+pushci doctor       Check environment health
 pushci troubleshoot Diagnose issues with actionable fixes
-pushci version     Print version
+pushci trace        View Perfetto performance traces
+pushci release      Build & publish release locally ($0)
+pushci promote      Register with AI registries
+pushci uninstall    Remove hooks, config, and .pushci
+pushci version      Print version
 ```
 
 See [docs/CLI.md](docs/CLI.md) for the full CLI reference with flags, examples, and plan requirements.
 
 ## Configuration
 
-Optional `pushci.yml`:
+`pushci.yml` is optional — `pushci init` generates one that works, and
+zero-config mode auto-detects your stack. When you want more control,
+PushCI supports three authoring styles. Full reference is at
+[pushci.dev/docs/pushci-yaml](https://pushci.dev/docs/pushci-yaml).
+
+### Simple example
+
+Zero-config Node.js app with linear stages, single-target deploy on
+`main`, and Slack notifications. Drop this into your repo as
+`pushci.yml` and run `pushci run`.
 
 ```yaml
 on: [push, pull_request]
-checks:
-  - build
-  - test
-  - lint
-  - line-limit: 100
+
+stages:
+  - name: install
+    checks:
+      - name: deps
+        run: pnpm install --frozen-lockfile
+
+  - name: lint
+    depends_on: [install]
+    checks:
+      - name: eslint
+        run: pnpm lint
+
+  - name: test
+    depends_on: [install]
+    checks:
+      - name: vitest
+        run: pnpm test
+
+  - name: build
+    depends_on: [install, lint, test]
+    checks:
+      - name: next-build
+        run: pnpm build
+
+deploy:
+  trigger: push
+  only_on: [main]
+  run: npx wrangler pages deploy dist --project-name=my-app
+
+notify:
+  slack: "${{ secrets.SLACK_WEBHOOK }}"
+```
+
+### Complex example — every feature
+
+Parallel stages, cross-stage DAG, conditional checks, retries,
+timeouts, Docker-isolated steps, multi-environment staged deploy with
+an approval gate on production, and stage-scoped secrets.
+
+```yaml
+on: [push, pull_request, workflow_dispatch]
+
+stages:
+  - name: install
+    checks:
+      - name: pnpm-install
+        run: pnpm install --frozen-lockfile
+        retry: 2
+        timeout: 3m
+
+  - name: quality
+    depends_on: [install]
+    parallel: true            # every check runs concurrently
+    env:
+      NODE_ENV: test
+    checks:
+      - name: typecheck
+        run: pnpm tsc --noEmit
+      - name: lint
+        run: pnpm lint
+      - name: format
+        run: pnpm prettier --check .
+      - name: audit
+        run: pnpm audit --audit-level=high
+        on_fail: warn         # log but don't fail the stage
+
+  - name: test
+    depends_on: [install]
+    parallel: true
+    env:
+      DATABASE_URL: postgres://test:test@localhost:5432/test
+    checks:
+      - name: unit
+        run: pnpm test:unit --coverage
+      - name: integration
+        run: pnpm test:integration
+        retry: 1
+        timeout: 5m
+      - name: e2e
+        if: branch == 'main' || branch =~ '^release/'
+        run: pnpm test:e2e
+        docker: mcr.microsoft.com/playwright:v1.49.0-focal
+        timeout: 10m
+
+  - name: security
+    depends_on: [install]
+    checks:
+      - name: secret-scan
+        run: npx gitleaks detect --no-git
+      - name: sast
+        run: pushci scan --engine claude --fail-on high
+
+  - name: build
+    depends_on: [quality, test, security]
+    checks:
+      - name: next-build
+        run: pnpm build
+      - name: bundle-size
+        run: npx size-limit
+        line-limit: 10
+
 deploy:
-  target: cloudflare-pages
-  trigger: merge to main
+  trigger: push
+  environments:
+    - name: staging
+      only_on: [develop]
+      run: npx wrangler pages deploy dist --project-name=app-staging
+      env:
+        CF_API_TOKEN: "${{ secrets.CF_API_TOKEN_STAGING }}"
+    - name: production
+      only_on: [main]
+      approve: true           # requires interactive approval
+      run: npx wrangler pages deploy dist --project-name=app-prod
+      env:
+        CF_API_TOKEN: "${{ secrets.CF_API_TOKEN_PROD }}"
+
+notify:
+  slack: "${{ secrets.SLACK_WEBHOOK }}"
+  discord: "${{ secrets.DISCORD_WEBHOOK }}"
+  email: oncall@example.com
+```
+
+### GitHub Actions parity — no rewrite needed
+
+PushCI v1.3.1+ runs your existing `.github/workflows/*.yml` files
+end-to-end via the embedded [nektos/act](https://github.com/nektos/act)
+runtime. `actions/checkout@v4`, matrix builds, service containers,
+composite actions, secret masking, `needs.*.outputs.*` — all work.
+Just drop in a workflow and run:
+
+```bash
+pushci actions run                 # runs all .github/workflows/*.yml
+pushci actions run --job test      # run one job
+pushci actions run --dry-run       # validate without containers
+pushci actions doctor              # check act + docker + workflow status
+```
+
+A real complex workflow that runs unchanged:
+
+```yaml
+name: CI
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node: [20, 22]
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_PASSWORD: test
+        ports: ['5432:5432']
+        options: >-
+          --health-cmd pg_isready --health-interval 10s
+          --health-timeout 5s --health-retries 5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node }}
+      - run: npm ci
+      - run: npm test
+        env:
+          DATABASE_URL: postgres://postgres:test@localhost:5432/postgres
+      - id: coverage
+        run: echo "pct=$(npm test --silent)" >> $GITHUB_OUTPUT
+    outputs:
+      coverage: ${{ steps.coverage.outputs.pct }}
+
+  deploy:
+    needs: test
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v4
+      - name: Deploy
+        run: echo "coverage was ${{ needs.test.outputs.coverage }}"
+        env:
+          CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
 ```
 
-Or just run `pushci init` — AI figures everything out.
+Or just run `pushci init` — PushCI figures everything out automatically.
 
 ## Git Hook
 

package/bin/pushci.js

@@ -1,30 +1,53 @@
 #!/usr/bin/env node
+// pushci npm shim. Resolution order: local dev build → bundled
+// bin/pushci-<os>-<arch> → pushci on PATH → download from GitHub
+// Releases → go build → install help. VERSION reads from package.json
+// so the shim and npm package never drift. See CLAUDE.md
+// "Release & Distribution" for the full pipeline.
+
 const { execSync, spawn } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
 
-const VERSION = '1.1.0';
+const pkg = require('../package.json');
+const VERSION = pkg.version;
+const REPO = 'finsavvyai/push-ci.dev';
+
 const BINARY_NAME = os.platform() === 'win32' ? 'pushci.exe' : 'pushci';
-const CDN = 'https://pushci-releases.broad-dew-49ad.workers.dev';
 
-const PLATFORM_MAP = {
-  darwin: 'darwin', linux: 'linux', win32: 'windows',
-};
-const ARCH_MAP = {
-  x64: 'amd64', arm64: 'arm64',
-};
+const PLATFORM_MAP = { darwin: 'darwin', linux: 'linux', win32: 'windows' };
+const ARCH_MAP = { x64: 'amd64', arm64: 'arm64' };
 
 function getBinaryPath() {
+  // 1. Local dev build at the package root (set by `go build` during
+  //    development or by goreleaser-like bundling).
   const local = path.join(__dirname, '..', BINARY_NAME);
-  if (fs.existsSync(local)) return local;
+  if (fs.existsSync(local) && isValidBinary(local)) return local;
+
+  // 2. Bundled platform-specific binary shipped inside the npm
+  //    tarball at bin/pushci-<os>-<arch>[.exe]. This is the
+  //    fastest path — zero network, works offline, deterministic.
+  //    It's also the only reliable path for users who don't have
+  //    GitHub Releases access (corporate proxies, air-gapped CI).
+  const plat = PLATFORM_MAP[os.platform()];
+  const arch = ARCH_MAP[os.arch()];
+  if (plat && arch) {
+    const winExt = os.platform() === 'win32' ? '.exe' : '';
+    const bundled = path.join(__dirname, `pushci-${plat}-${arch}${winExt}`);
+    if (fs.existsSync(bundled) && isValidBinary(bundled)) return bundled;
+  }
 
+  // 3. Existing install on PATH (Homebrew, go install, curl
+  //    installer). The `which` result may be this same shim, so
+  //    validate it's a real binary before trusting it.
   try {
     const cmd = os.platform() === 'win32' ? 'where' : 'which';
     const found = execSync(`${cmd} pushci`, { encoding: 'utf8' }).trim();
-    if (found) return found;
+    if (found && found !== __filename && isValidBinary(found)) return found;
   } catch (_) {}
 
+  // 4-6. Download, build, or give up.
   return downloadOrBuild();
 }
 
@@ -37,31 +60,16 @@ function downloadOrBuild() {
   if (fs.existsSync(target) && isValidBinary(target)) return target;
 
   if (plat && arch) {
-    const url = `${CDN}/v${VERSION}/pushci-${plat}-${arch}${ext}`;
-    console.log(`Downloading pushci v${VERSION}...`);
-    try {
-      execSync(`curl -sfL --retry 2 -o "${target}" "${url}"`, { timeout: 30000 });
-      if (isValidBinary(target)) {
-        fs.chmodSync(target, 0o755);
-        return target;
-      }
-      try { fs.unlinkSync(target); } catch (_) {}
-    } catch (_) {}
+    if (downloadFromReleases(plat, arch, target)) {
+      return target;
+    }
   }
 
-  try {
-    execSync('go version', { stdio: 'ignore' });
-    console.log('Building pushci from source...');
-    const out = path.join(os.tmpdir(), BINARY_NAME);
-    execSync(`go build -o "${out}" ./cmd/pushci`, {
-      cwd: path.join(__dirname, '..'),
-      stdio: 'inherit',
-      timeout: 120000,
-    });
-    if (fs.existsSync(out)) return out;
-  } catch (_) {}
+  if (buildFromSource(target)) {
+    return target;
+  }
 
-  // If invoked from a git hook, don't block the push
+  // If invoked from a git hook, don't block the push.
   if (process.env.GIT_DIR) {
     console.error('pushci: binary unavailable, skipping checks.');
     process.exit(0);
@@ -70,6 +78,81 @@ function downloadOrBuild() {
   process.exit(1);
 }
 
+// downloadFromReleases pulls the goreleaser archive for the current
+// platform from GitHub Releases, extracts the binary, and moves it
+// into place. Returns true on success, false on any failure so the
+// caller can fall through to buildFromSource.
+function downloadFromReleases(plat, arch, target) {
+  const isWin = os.platform() === 'win32';
+  const archiveExt = isWin ? 'zip' : 'tar.gz';
+  const archiveName = `pushci_${VERSION}_${plat}_${arch}.${archiveExt}`;
+  const url = `https://github.com/${REPO}/releases/download/v${VERSION}/${archiveName}`;
+
+  const scratchDir = fs.mkdtempSync(path.join(os.tmpdir(), 'pushci-install-'));
+  const archivePath = path.join(scratchDir, archiveName);
+
+  console.log(`Downloading pushci v${VERSION} from GitHub Releases...`);
+  try {
+    execSync(
+      `curl -sfL --retry 2 --retry-delay 1 -o "${archivePath}" "${url}"`,
+      { timeout: 60000 },
+    );
+  } catch (_) {
+    fs.rmSync(scratchDir, { recursive: true, force: true });
+    return false;
+  }
+
+  try {
+    if (isWin) {
+      // tar has shipped with Windows 10 (1803+) — `tar -xf` handles
+      // .zip the same as .tar.gz so we avoid a PowerShell branch.
+      execSync(`tar -xf "${archivePath}" -C "${scratchDir}"`, {
+        timeout: 30000,
+      });
+    } else {
+      execSync(`tar -xzf "${archivePath}" -C "${scratchDir}"`, {
+        timeout: 30000,
+      });
+    }
+    const extracted = path.join(scratchDir, BINARY_NAME);
+    if (!fs.existsSync(extracted) || !isValidBinary(extracted)) {
+      fs.rmSync(scratchDir, { recursive: true, force: true });
+      return false;
+    }
+    fs.copyFileSync(extracted, target);
+    if (!isWin) fs.chmodSync(target, 0o755);
+    fs.rmSync(scratchDir, { recursive: true, force: true });
+    return true;
+  } catch (_) {
+    fs.rmSync(scratchDir, { recursive: true, force: true });
+    return false;
+  }
+}
+
+// buildFromSource is the Go-install fallback. Only runs when download
+// fails AND the user has Go on PATH. Useful for air-gapped dev setups.
+function buildFromSource(target) {
+  try {
+    execSync('go version', { stdio: 'ignore' });
+  } catch (_) {
+    return false;
+  }
+  console.log('Downloading failed, building pushci from source...');
+  try {
+    execSync(`go build -o "${target}" ./cmd/pushci`, {
+      cwd: path.join(__dirname, '..'),
+      stdio: 'inherit',
+      timeout: 180000,
+    });
+    return fs.existsSync(target) && isValidBinary(target);
+  } catch (_) {
+    return false;
+  }
+}
+
+// isValidBinary sanity-checks the magic bytes so a half-downloaded
+// archive doesn't pass for a real binary. ELF (Linux), Mach-O
+// (darwin little- and big-endian), PE (Windows).
 function isValidBinary(filepath) {
   try {
     const stat = fs.statSync(filepath);
@@ -78,12 +161,14 @@ function isValidBinary(filepath) {
     const fd = fs.openSync(filepath, 'r');
     fs.readSync(fd, buf, 0, 4, 0);
     fs.closeSync(fd);
-    if (buf[0] === 0x7f && buf[1] === 0x45) return true;
-    if (buf[0] === 0xcf && buf[1] === 0xfa) return true;
-    if (buf[0] === 0xfe && buf[1] === 0xed) return true;
-    if (buf[0] === 0x4d && buf[1] === 0x5a) return true;
+    if (buf[0] === 0x7f && buf[1] === 0x45) return true; // ELF
+    if (buf[0] === 0xcf && buf[1] === 0xfa) return true; // Mach-O (64-bit LE)
+    if (buf[0] === 0xfe && buf[1] === 0xed) return true; // Mach-O (32-bit BE)
+    if (buf[0] === 0x4d && buf[1] === 0x5a) return true; // PE (MZ)
     return false;
-  } catch (_) { return false; }
+  } catch (_) {
+    return false;
+  }
 }
 
 function printInstallHelp() {
@@ -95,12 +180,13 @@ function printInstallHelp() {
   console.error('  brew install finsavvyai/tap/pushci');
   console.error('  go install github.com/finsavvyai/pushci/cmd/pushci@latest');
   console.error('');
-  console.error("Don't have npm/npx? Install Node.js first:");
+  console.error("Don't have Node installed?");
   console.error('  macOS:   brew install node');
-  console.error('  Linux:   curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash - && sudo apt-get install -y nodejs');
+  console.error('  Linux:   see https://nodejs.org/en/download/package-manager');
   console.error('  Windows: https://nodejs.org');
   console.error('');
-  console.error('Or install Go: https://go.dev/dl');
+  console.error('Offline? Install Go and the shim will build from source:');
+  console.error('  https://go.dev/dl');
 }
 
 const binary = getBinaryPath();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "pushci",
-  "version": "1.3.0",
-  "description": "AI-native CI/CD that runs on your machine. Zero config, zero cost. 19 languages, 69 skills, Tailscale mesh, blast radius analysis.",
+  "version": "1.4.0",
+  "description": "AI-native CI/CD that runs on your machine. Zero config, zero cost. 33 languages, 69 skills, Tailscale mesh, blast radius analysis.",
   "bin": {
     "pushci": "bin/pushci.js"
   },