mainis protected — direct pushes are rejected. All releases must go through a PR (gh pr create … && gh pr merge --squash --delete-branch) before the tag push step below.
This repo now produces two artifacts from a single Rust codebase rooted at the repo root:
- Standalone native binaries for Homebrew + GitHub Release direct download
(
pcr-macos-arm64,pcr-macos-x64,pcr-linux-x64,pcr-linux-arm64,pcr-linux-x64-musl,pcr-windows-x64.exe,pcr-windows-arm64.exe). - napi-rs
.nodeaddons packaged as thepcr-devnpm meta package plus seven@pcr-dev/<triple>per-platform optional subpackages.
The repo is pure Rust as of v0.2.x — the Go tree was removed in the rust-port
merge. The last Go release lives behind the v0.1.17 tag if you ever need it.
-
Bump the workspace version.
# Cargo.toml — workspace.package.version # crates/pcr-napi/package.json — "version" # crates/pcr-napi/npm/*/package.json — "version" (all seven) # crates/pcr-napi/package.json — optionalDependencies entries
-
Land the bump via a PR, then tag the merge commit.
mainis protected; direct pushes are rejected. Open a PR with the version-bump commit, get the PR-CI workflow green, squash-merge, and then tag the resulting merge commit:# On a release branch: git checkout -b release/v0.2.0 git add -A git commit -m "release v0.2.0" git push -u origin HEAD # Open + merge the PR (squash to keep a single release commit on main): gh pr create --fill --base main gh pr merge --squash --delete-branch # Once the squash-merge lands, tag the merge commit on main and push: git checkout main git pull --ff-only git tag -a v0.2.0 -m "v0.2.0" git push origin v0.2.0
The tag push triggers
.github/workflows/release.yml, which runs:lint—cargo fmt --check,cargo clippy -- -D warnings,cargo testbinaries— 7-target matrix producing standalone binariesnapi— 7-target matrix producing per-triple.nodefilesnpm-publish— publishes the 7 subpackages + the metapcr-devrelease— creates the GitHub Release with binaries +.sha256shomebrew— dispatches to thepcr-developers/homebrew-pcrrepo so it re-rendersFormula/pcr.rbfrom the template.
Publish a new Rust build as pcr-dev@next on npm and as a brew --HEAD so
interested users can opt in before the default tag flips:
cd crates/pcr-napi
npm version 0.2.0-beta.1 --no-git-tag-version
for d in npm/*/; do (cd "$d" && npm version 0.2.0-beta.1 --no-git-tag-version); done
# Publish each subpackage, then the meta:
for d in npm/*/; do (cd "$d" && npm publish --tag next --access public); done
npm publish --tag next --access publicFor Homebrew, add a temporary head URL to the formula pointing at
pcr-developers/cli on the Rust branch:
head "https://github.com/pcr-developers/cli.git", branch: "main"Users install with brew install --HEAD pcr-developers/pcr/pcr for beta.
The stable tag on npm (latest) and the stable formula (no head) keep
pointing at the previous Go release until the cutover step below.
Before cutting the first Rust release, tag the final Go build as the permanent rollback:
# One-time, using the last green Go build (v0.1.14 or whatever shipped):
npm dist-tag add pcr-dev@0.1.14 legacy
# Pin the homebrew tap's old formula in a `Formula/pcr@legacy.rb` alias
cp homebrew-pcr/Formula/pcr.rb homebrew-pcr/Formula/pcr@legacy.rb
# Commit to the homebrew repo.After that, npm install -g pcr-dev@legacy and brew install pcr@legacy
give any user the Go build in one command if the Rust build ever breaks
for them.
After the beta window (usually two release cycles):
# npm — retag the tested Rust release as `latest`
npm dist-tag add pcr-dev@0.2.0 latest
# homebrew — the tap's automation PR from the release workflow already
# swapped pcr.rb to the v0.2.0 Rust URLs/sha256s, so nothing extra here.
The Go sources were removed as part of the rust-port merge commit. If
you ever need the old code, check out the v0.1.17 tag (the last Go
release) or any commit before the rust-port merge.
| Secret | Purpose |
|---|---|
NPM_TOKEN |
Publish the pcr-dev meta + 7 subpackages |
HOMEBREW_TAP_TOKEN |
Dispatch event to pcr-developers/homebrew-pcr |
AZURE_*, TRUSTED_SIGNING_* |
(Optional) Windows Authenticode signing via Azure Trusted Signing |
APPLE_DEVELOPER_ID, APPLE_TEAM_ID, APPLE_API_KEY |
(Optional) macOS codesign + notarization |
The signing secrets are not required for the Rust build to function on an
AppLocker-locked machine — AppLocker evaluates CreateProcess and not
LoadLibrary, and the new distribution never invokes CreateProcess on a
PCR-shipped binary on that machine. Signing is purely for SmartScreen
reputation (Windows) and Gatekeeper (macOS) on unmanaged home installs.