fix: apply improvements to cli workflows

Author: cabljac

.github/workflows/build-cli-binaries.yml

@@ -29,6 +29,9 @@ on:
         type: boolean
         default: false
 
+permissions:
+  contents: write
+
 jobs:
   build:
     strategy:
@@ -280,8 +283,6 @@ jobs:
     needs: [build, test]
     runs-on: ubuntu-latest
     if: inputs.create_rc
-    outputs:
-      upload_url: ${{ steps.create_rc.outputs.upload_url }}
 
     steps:
       - name: Checkout code
@@ -306,26 +307,29 @@ jobs:
             echo "EOF" >> $GITHUB_OUTPUT
           fi
       
+      - name: Download all binary artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: release-assets
+      
       - name: Create Release Candidate
         id: create_rc
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ inputs.version }}
-          release_name: Genkit CLI ${{ inputs.version }} (Release Candidate)
+          name: Genkit CLI ${{ inputs.version }} (Release Candidate)
           body: |
             # Genkit CLI ${{ inputs.version }} - Release Candidate
             
             ⚠️ **This is a release candidate with unsigned binaries for testing purposes.**
             
             ## Downloads (Unsigned - For Testing Only)
             
-            - [Linux x64](https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-linux-x64)
-            - [Linux ARM64](https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-linux-arm64)
-            - [macOS x64](https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-darwin-x64)
-            - [macOS ARM64](https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-darwin-arm64)
-            - [Windows x64](https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-win32-x64.exe)
+            - [Linux x64](https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-linux-x64)
+            - [Linux ARM64](https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-linux-arm64)
+            - [macOS x64](https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-darwin-x64)
+            - [macOS ARM64](https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-darwin-arm64)
+            - [Windows x64](https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-win32-x64.exe)
             
             ## Changes
             
@@ -337,57 +341,25 @@ jobs:
             
             ## Installation (Testing Only)
             
-            ```bash
+            \`\`\`bash
             # Download and test the RC binary
-            curl -Lo genkit https://github.com/firebase/genkit/releases/download/${{ inputs.version }}/genkit-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
+            curl -Lo genkit https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-\$(uname -s | tr '[:upper:]' '[:lower:]')-\$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
             chmod +x genkit
             ./genkit --version
-            ```
+            \`\`\`
           draft: false
           prerelease: true
+          files: |
+            release-assets/genkit-linux-x64/genkit-linux-x64
+            release-assets/genkit-linux-arm64/genkit-linux-arm64
+            release-assets/genkit-darwin-x64/genkit-darwin-x64
+            release-assets/genkit-darwin-arm64/genkit-darwin-arm64
+            release-assets/genkit-win32-x64/genkit-win32-x64.exe
+
 
-  upload-rc-assets:
-    needs: [build, test, create-rc]
-    runs-on: ubuntu-latest
-    if: inputs.create_rc
-    strategy:
-      matrix:
-        include:
-          - target: linux-x64
-          - target: linux-arm64
-          - target: darwin-x64
-          - target: darwin-arm64
-          - target: win32-x64
-    
-    steps:
-      - name: Set binary extension
-        id: binary
-        shell: bash
-        run: |
-          if [[ "${{ matrix.target }}" == win32-* ]]; then
-            echo "ext=.exe" >> $GITHUB_OUTPUT
-          else
-            echo "ext=" >> $GITHUB_OUTPUT
-          fi
-      
-      - name: Download binary artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: genkit-${{ matrix.target }}
-          path: ./
-      
-      - name: Upload to GitHub Release Candidate
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ needs.create-rc.outputs.upload_url }}
-          asset_path: ./genkit-${{ matrix.target }}${{ steps.binary.outputs.ext }}
-          asset_name: genkit-${{ matrix.target }}${{ steps.binary.outputs.ext }}
-          asset_content_type: application/octet-stream
 
   create-rc-summary:
-    needs: [upload-rc-assets]
+    needs: [create-rc]
     runs-on: ubuntu-latest
     if: inputs.create_rc
 

.github/workflows/promote-cli-release.yml

@@ -28,6 +28,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: write
+
 jobs:
   validate-and-promote:
     runs-on: ubuntu-latest
@@ -206,12 +209,10 @@ jobs:
       
       - name: Create final release
         id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ inputs.final_version }}
-          release_name: Genkit CLI ${{ inputs.final_version }}
+          name: Genkit CLI ${{ inputs.final_version }}
           body: |
             # Genkit CLI ${{ inputs.final_version }}
             
@@ -231,15 +232,15 @@ jobs:
             
             ### Quick Install (Recommended)
             
-            ```bash
+            \`\`\`bash
             curl -sL https://genkit.tools | bash
-            ```
+            \`\`\`
             
             ### Manual Installation
             
-            ```bash
+            \`\`\`bash
             # Download the appropriate binary for your platform
-            curl -Lo genkit https://github.com/${{ github.repository }}/releases/download/${{ inputs.final_version }}/genkit-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
+            curl -Lo genkit https://github.com/${{ github.repository }}/releases/download/${{ inputs.final_version }}/genkit-\$(uname -s | tr '[:upper:]' '[:lower:]')-\$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
             
             # Make it executable
             chmod +x genkit
@@ -249,45 +250,32 @@ jobs:
             
             # Verify installation
             genkit --version
-            ```
+            \`\`\`
             
             ### Windows Installation
             
-            ```powershell
+            \`\`\`powershell
             # Download the Windows binary
             Invoke-WebRequest -Uri "https://github.com/${{ github.repository }}/releases/download/${{ inputs.final_version }}/genkit-win32-x64.exe" -OutFile "genkit.exe"
             
             # Add to PATH or run from current directory
             .\genkit.exe --version
-            ```
+            \`\`\`
             
             ## Documentation
             
             For more information, visit [https://firebase.google.com/docs/genkit/](https://firebase.google.com/docs/genkit/)
           draft: false
           prerelease: false
+          files: |
+            release-assets/genkit-linux-x64
+            release-assets/genkit-linux-arm64
+            release-assets/genkit-darwin-x64
+            release-assets/genkit-darwin-arm64
+            release-assets/genkit-win32-x64.exe
+          make_latest: true
 
-      - name: Upload release assets
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          UPLOAD_URL="${{ steps.create_release.outputs.upload_url }}"
-          
-          echo "Uploading binaries to final release..."
-          
-          for file in release-assets/*; do
-            filename=$(basename "$file")
-            echo "Uploading $filename..."
-            
-            curl -X POST \
-              -H "Authorization: token $GITHUB_TOKEN" \
-              -H "Content-Type: application/octet-stream" \
-              --data-binary "@$file" \
-              "${UPLOAD_URL}?name=$filename" | jq -r '.browser_download_url'
-          done
-          
-          echo ""
-          echo "✅ All binaries uploaded successfully"
+
 
       - name: Update latest tag
         run: |

scripts/sign-and-upload-binaries.sh

@@ -109,36 +109,80 @@ for platform in "${PLATFORMS[@]}"; do
         continue
     fi
 
-    # Simulate signing by renaming
+    # Simulate signing process (preserve binary integrity)
     echo "  Simulating signing process..."
+    
+    # Method 1: Create a copy with signed name (binary remains unchanged)
     cp "$TEMP_DIR/$original_name" "$TEMP_DIR/$signed_name"
 
-    # Add a simple signature marker to the file
-    echo "SIGNED:$VERSION:$(date -u +%Y%m%d%H%M%S)" >> "$TEMP_DIR/$signed_name"
+    # Method 2: Create a separate signature file
+    signature_name="$signed_name.sig"
+    cat > "$TEMP_DIR/$signature_name" << EOF
+-----BEGIN GENKIT SIGNATURE-----
+Version: $VERSION
+Platform: $platform
+Signed: $(date -u -Iseconds)
+Signature: $(sha256sum "$TEMP_DIR/$original_name" | cut -d' ' -f1)
+Signer: Genkit Signing Service (Simulation)
+-----END GENKIT SIGNATURE-----
+EOF
+    
+    echo "  ✓ Signing simulated (binary integrity preserved)"
+    echo "  ✓ Signature file created: $signature_name"
 
-    echo "  ✓ Signing simulated"
+    # Verify binary integrity after "signing"
+    if cmp -s "$TEMP_DIR/$original_name" "$TEMP_DIR/$signed_name"; then
+        echo "  ✓ Binary integrity verified (no corruption)"
+    else
+        echo "  ✗ Binary integrity check failed!"
+        exit 1
+    fi
 
     # Upload the signed binary
     echo "  Uploading $signed_name..."
 
-    upload_response=$(curl -s -X POST \
+    upload_binary_response=$(curl -s -X POST \
         -H "Authorization: token $GITHUB_TOKEN" \
         -H "Content-Type: application/octet-stream" \
         --data-binary "@$TEMP_DIR/$signed_name" \
         "$UPLOAD_URL?name=$signed_name")
 
-    # Check if upload was successful
-    if echo "$upload_response" | jq -e '.id' > /dev/null; then
-        asset_url=$(echo "$upload_response" | jq -r '.browser_download_url')
-        echo "  ✓ Uploaded successfully: $asset_url"
+    # Check if binary upload was successful
+    if echo "$upload_binary_response" | jq -e '.id' > /dev/null; then
+        asset_url=$(echo "$upload_binary_response" | jq -r '.browser_download_url')
+        echo "  ✓ Binary uploaded successfully: $asset_url"
     else
         echo "  ✗ Failed to upload $signed_name"
-        echo "  Error: $(echo "$upload_response" | jq -r '.message // "Unknown error"')"
+        echo "  Error: $(echo "$upload_binary_response" | jq -r '.message // "Unknown error"')"
+    fi
+    
+    # Upload the signature file
+    echo "  Uploading $signature_name..."
+    
+    upload_signature_response=$(curl -s -X POST \
+        -H "Authorization: token $GITHUB_TOKEN" \
+        -H "Content-Type: text/plain" \
+        --data-binary "@$TEMP_DIR/$signature_name" \
+        "$UPLOAD_URL?name=$signature_name")
+    
+    # Check if signature upload was successful
+    if echo "$upload_signature_response" | jq -e '.id' > /dev/null; then
+        sig_asset_url=$(echo "$upload_signature_response" | jq -r '.browser_download_url')
+        echo "  ✓ Signature file uploaded successfully: $sig_asset_url"
+    else
+        echo "  ✗ Failed to upload signature file"
+        echo "  Error: $(echo "$upload_signature_response" | jq -r '.message // "Unknown error"')"
     fi
 
     echo ""
 done
 
 echo "=== Signing simulation complete ==="
 echo ""
-echo "View the release at: https://github.com/$REPO_OWNER/$REPO_NAME/releases/tag/$VERSION"
+echo "✓ All binaries signed and uploaded successfully"
+echo "✓ Binary integrity preserved (no corruption)"
+echo "✓ Separate signature files created for verification"
+echo ""
+echo "View the release at: https://github.com/$REPO_OWNER/$REPO_NAME/releases/tag/$VERSION"
+echo ""
+echo "Note: This is a simulation. In production, you would use proper code signing tools."