feat: release candidate CI to allow for kokoro signing

.github/workflows/README.md

@@ -0,0 +1,75 @@
+# CLI Release Workflows
+
+This directory contains GitHub Actions workflows for building and releasing the Genkit CLI.
+
+## Current Workflows (Unsigned)
+
+### `build-cli-binaries.yml` - Build CLI Binaries (RC)
+- **Purpose**: Build and release unsigned CLI binaries
+- **Trigger**: Manual workflow dispatch
+- **Inputs**:
+  - `version`: Version tag to build (e.g., `v1.0.0`, `v1.0.0-rc.1`)
+  - `create_rc`: Create release candidate with unsigned binaries (optional, default: false)
+- **Outputs**: 
+  - Binary artifacts for all platforms (Linux x64/ARM64, macOS x64/ARM64, Windows x64)
+  - Optional: GitHub release with unsigned binaries for testing
+
+### `promote-cli-release.yml` - Promote CLI Release (Unsigned)
+- **Purpose**: Promote RC releases to final releases
+- **Trigger**: Manual workflow dispatch
+- **Inputs**:
+  - `rc_version`: RC version to promote (e.g., `v1.0.0-rc.1`)
+  - `final_version`: Final version tag (e.g., `v1.0.0`)
+- **Outputs**: Final GitHub release with unsigned binaries
+
+## Preserved Workflows (Signed - Disabled)
+
+### `build-cli-binaries-signed.yml` - Build CLI Binaries (SIGNED - DISABLED)
+- **Purpose**: Preserved for future code signing implementation
+- **Status**: Disabled - shows error message directing users to unsigned workflow
+- **Future**: Will be re-enabled when code signing is implemented
+
+### `promote-cli-release-signed.yml` - Promote CLI Release (SIGNED - DISABLED)
+- **Purpose**: Preserved for future code signing implementation
+- **Status**: Disabled - shows error message directing users to unsigned workflow
+- **Future**: Will be re-enabled when code signing is implemented
+
+## Usage
+
+### For RC Releases:
+1. Run "Build CLI Binaries (RC)" workflow
+2. Set version (e.g., `v1.0.0-rc.1`)
+3. Check "Create release" to publish RC with unsigned binaries
+
+### For Final Releases:
+1. Run "Promote CLI Release (Unsigned)" workflow
+2. Set RC version (e.g., `v1.0.0-rc.1`)
+3. Set final version (e.g., `v1.0.0`)
+
+## Binary Naming Convention
+
+The workflows generate binaries with the following naming convention:
+- `genkit-linux-x64` - Linux x64
+- `genkit-linux-arm64` - Linux ARM64
+- `genkit-darwin-x64` - macOS x64 (Intel)
+- `genkit-darwin-arm64` - macOS ARM64 (Apple Silicon)
+- `genkit-win32-x64.exe` - Windows x64
+
+## Future Code Signing
+
+When code signing is implemented:
+1. Rename workflows back to original names
+2. Re-enable signed workflows
+3. Update install script to use signed binaries
+4. Update binary naming to include `-signed` suffix
+
+## Installation Script
+
+The `bin/install_cli` script has been updated to work with unsigned releases. It downloads the latest non-prerelease binaries from GitHub releases.
+
+## Notes
+
+- All current releases use unsigned binaries
+- The install script (`genkit.tools`) works with unsigned binaries
+- When code signing is ready, the signed workflows will be re-enabled
+- The disabled workflows prevent accidental use of incomplete signing processes 

.github/workflows/build-cli-binaries-signed.yml

@@ -0,0 +1,46 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Build CLI Binaries (SIGNED - DISABLED)
+
+on:
+  workflow_dispatch:
+    inputs:
+      _disabled:
+        description: 'This workflow is disabled - use the unsigned workflow instead'
+        required: true
+        type: boolean
+        default: false
+
+permissions:
+  contents: write
+
+jobs:
+  disabled:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Workflow Disabled
+        run: |
+          echo "❌ This signed workflow is disabled!"
+          echo ""
+          echo "Please use the unsigned workflow instead:"
+          echo "  - Workflow: 'Build CLI Binaries (RC)'"
+          echo "  - File: .github/workflows/build-cli-binaries.yml"
+          echo ""
+          echo "This workflow is preserved for future code signing implementation."
+          echo "When code signing is ready, this workflow will be re-enabled."
+          exit 1
+

.github/workflows/build-cli-binaries.yml

@@ -14,10 +14,23 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-name: Build CLI Binaries
+name: Build CLI Binaries (RC)
 
 on:
   workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version tag to build (e.g., v1.0.0, v1.0.0-rc.1)'
+        required: true
+        type: string
+      create_rc:
+        description: 'Create release candidate with unsigned binaries'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: write
 
 jobs:
   build:
@@ -34,18 +47,23 @@ jobs:
             target: darwin-arm64
           - os: windows-latest
             target: win32-x64
-          # Note: Windows ARM64 currently runs x64 binaries through emulation
-          # Native ARM64 support is not yet available in Bun
-          # See: https://github.com/oven-sh/bun/pull/11430
-          # - os: windows-11-arm
-          #   target: win32-arm64
 
     runs-on: ${{ matrix.os }}
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Validate version format
+        shell: bash
+        run: |
+          VERSION="${{ inputs.version }}"
+          if ! echo "$VERSION" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$' > /dev/null; then
+            echo "Error: Version '$VERSION' does not follow semantic versioning format (e.g., v1.0.0, v1.0.0-rc.1)"
+            exit 1
+          fi
+          echo "✓ Version format is valid: $VERSION"
+
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
@@ -101,7 +119,7 @@ jobs:
         with:
           name: genkit-${{ matrix.target }}
           path: genkit-tools/cli/dist/bin/genkit-${{ matrix.target }}${{ steps.binary.outputs.ext }}
-          retention-days: 1  # TODO: Consider increasing to 7 days for better debugging capability
+          retention-days: 7
 
   test:
     needs: build
@@ -253,4 +271,112 @@ jobs:
           }
 
           # Clean up any remaining genkit processes
-          Get-Process | Where-Object { $_.ProcessName -match "genkit" } | Stop-Process -Force -ErrorAction SilentlyContinue
+          Get-Process | Where-Object { $_.ProcessName -match "genkit" } | Stop-Process -Force -ErrorAction SilentlyContinue
+
+  create-rc:
+    needs: [build, test]
+    runs-on: ubuntu-latest
+    if: inputs.create_rc
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Generate changelog
+        id: changelog
+        run: |
+          # Get the previous release tag by version ordering
+          PREVIOUS_TAG=$(git tag --sort=-version:refname | head -2 | tail -1 2>/dev/null || echo "")
+
+          if [[ -n "$PREVIOUS_TAG" ]]; then
+            # Generate changelog from previous tag to current
+            CHANGELOG=$(git log --pretty=format:"- %s" $PREVIOUS_TAG..HEAD | head -20)
+            echo "changelog<<EOF" >> $GITHUB_OUTPUT
+            echo "$CHANGELOG" >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+          else
+            # First release
+            echo "changelog<<EOF" >> $GITHUB_OUTPUT
+            echo "- Initial release" >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Download all binary artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: release-assets
+
+      - name: Create Release Candidate
+        id: create_rc
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ inputs.version }}
+          name: Genkit CLI ${{ inputs.version }} (Release Candidate)
+          body: |
+            # Genkit CLI ${{ inputs.version }} - Release Candidate
+
+            ⚠️ **This is a release candidate with unsigned binaries for testing purposes.**
+
+            ## Downloads (Unsigned - For Testing Only)
+
+            - [Linux x64](https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-linux-x64)
+            - [Linux ARM64](https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-linux-arm64)
+            - [macOS x64](https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-darwin-x64)
+            - [macOS ARM64](https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-darwin-arm64)
+            - [Windows x64](https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-win32-x64.exe)
+
+            ## Changes
+
+            ${{ steps.changelog.outputs.changelog }}
+
+            ## Next Steps
+
+            After testing, these binaries will be promoted to the final release.
+
+            ## Installation (Testing Only)
+
+            ```bash
+            # Download and test the RC binary
+            curl -Lo genkit https://github.com/${{ github.repository }}/releases/download/${{ inputs.version }}/genkit-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
+            chmod +x genkit
+            ./genkit --version
+            ```
+          draft: false
+          prerelease: true
+          files: |
+            release-assets/genkit-linux-x64/genkit-linux-x64
+            release-assets/genkit-linux-arm64/genkit-linux-arm64
+            release-assets/genkit-darwin-x64/genkit-darwin-x64
+            release-assets/genkit-darwin-arm64/genkit-darwin-arm64
+            release-assets/genkit-win32-x64/genkit-win32-x64.exe
+
+  create-rc-summary:
+    needs: [create-rc]
+    runs-on: ubuntu-latest
+    if: inputs.create_rc
+
+    steps:
+      - name: Create job summary
+        run: |
+          echo "# 🎉 Genkit CLI Release Candidate Created" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Version:** \`${{ inputs.version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "## ✅ Build Status" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "All binaries have been successfully built and uploaded!" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### 📦 Available Binaries:" >> $GITHUB_STEP_SUMMARY
+          echo "- ✓ Linux x64 (\`genkit-linux-x64\`)" >> $GITHUB_STEP_SUMMARY
+          echo "- ✓ Linux ARM64 (\`genkit-linux-arm64\`)" >> $GITHUB_STEP_SUMMARY
+          echo "- ✓ macOS x64 (\`genkit-darwin-x64\`)" >> $GITHUB_STEP_SUMMARY
+          echo "- ✓ macOS ARM64 (\`genkit-darwin-arm64\`)" >> $GITHUB_STEP_SUMMARY
+          echo "- ✓ Windows x64 (\`genkit-win32-x64.exe\`)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### 🔗 Release Links" >> $GITHUB_STEP_SUMMARY
+          echo "- [View Release](https://github.com/${{ github.repository }}/releases/tag/${{ inputs.version }})" >> $GITHUB_STEP_SUMMARY
+          echo "- [Download Binaries](https://github.com/${{ github.repository }}/releases/tag/${{ inputs.version }}#assets)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### 📝 Next Steps" >> $GITHUB_STEP_SUMMARY
+          echo "1. Test the RC binaries" >> $GITHUB_STEP_SUMMARY
+          echo "2. Promote to final release using the 'Promote CLI Release (Unsigned)' workflow" >> $GITHUB_STEP_SUMMARY 

.github/workflows/promote-cli-release-signed.yml

@@ -0,0 +1,45 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Promote CLI Release (SIGNED - DISABLED)
+
+on:
+  workflow_dispatch:
+    inputs:
+      _disabled:
+        description: 'This workflow is disabled - use the unsigned workflow instead'
+        required: true
+        type: boolean
+        default: false
+
+permissions:
+  contents: write
+
+jobs:
+  disabled:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Workflow Disabled
+        run: |
+          echo "❌ This signed workflow is disabled!"
+          echo ""
+          echo "Please use the unsigned workflow instead:"
+          echo "  - Workflow: 'Promote CLI Release (Unsigned)'"
+          echo "  - File: .github/workflows/promote-cli-release.yml"
+          echo ""
+          echo "This workflow is preserved for future code signing implementation."
+          echo "When code signing is ready, this workflow will be re-enabled."
+          exit 1