From 76fd3b068e2bdbf6c99f04bc2cfd786fc305a8ae Mon Sep 17 00:00:00 2001 From: Ryan Butler Date: Tue, 27 Jan 2026 20:51:38 -0500 Subject: [PATCH] feat(ci): auto-bump orb-os on successful release --- .github/workflows/release.yaml | 52 ++++++++++++++++++++++++++++++++-- .github/workflows/ta.yaml | 2 +- 2 files changed, 50 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 597e345..90c954c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -2,7 +2,8 @@ name: Release on: push: branches: - - 'main' + - 'ryanbutler-orbs-1278-auto-bump-orb-os-on-orb-rustzone-merge' + # - 'main' permissions: {} @@ -49,8 +50,6 @@ jobs: ls -aRsh popd - - - name: Upload Release and Create Tag uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # pin@v1 if: ${{ github.ref_name == github.event.repository.default_branch }} 
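Review bot: The `branches:` filter in the first release.yaml hunk now lists only `ryanbutler-orbs-1278-auto-bump-orb-os-on-orb-rustzone-merge`, with `- 'main'` commented out, so as written the Release workflow no longer runs on main and instead runs on every push to that feature branch. The upload step is gated by `if: ${{ github.ref_name == github.event.repository.default_branch }}`, but the orb-os checkout, update and PR steps added later in this file carry no such condition, so on this branch they would run without any release having been published. Before merge I would restore `- 'main'`, drop the feature-branch entry, and give the three new steps the same `if:` as the upload step.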
@@ -59,3 +58,50 @@ jobs: fail_on_unmatched_files: true overwrite_files: false files: artifacts/* + + - name: Checkout orb-os + uses: actions/checkout@v4 + with: + repository: worldcoin/orb-os + # token: ${{ secrets.ORB_OS_PR_TOKEN }} + path: orb-os + + - name: Update ORB_RUSTZONE in target files + working-directory: orb-os + shell: bash + run: | + set -Eeuxo pipefail + release_name='git-${{ steps.compute_version.outputs.short_sha }}' + + # Build bash array "files" either from workflow_dispatch input (newline-separated) + # or from DEFAULT_BUMP_FILES (space-separated). + declare -a files=("diamond/common.sh") + + # Update each file + for commonsh in "${files[@]}"; do + if [[ ! -f "$commonsh" ]]; then + echo "ERROR: file does not exist: $commonsh" >&2 + exit 1 + fi + + # Replace only the value inside ORB_RUSTZONE="...". + regex='^(declare -rx[[:space:]]+ORB_RUSTZONE=")[^"]*(".*)$' + sed -i -E "s/${regex}/\1${release_name}\2/" "${commonsh}" + + echo "Updated ${commonsh}:" + grep -n -E "${regex}" "$file" + done + git diff + + - name: Create PR in orb-os + uses: peter-evans/create-pull-request@v6 + with: + # token: ${{ secrets.ORB_OS_PR_TOKEN }} + path: orb-os + branch: bump-bot/orb-rustzone-${{ steps.compute_version.outputs.short_sha }} + commit-message: "chore: bump ORB_RUSTZONE to ${{ steps.compute_version.outputs.short_sha }}" + title: "chore: bump ORB_RUSTZONE to ${{ steps.compute_version.outputs.short_sha }}" + body: | + see title + base: main + diff --git a/.github/workflows/ta.yaml b/.github/workflows/ta.yaml index 6170349..b778ecf 100644 --- a/.github/workflows/ta.yaml +++ b/.github/workflows/ta.yaml 
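Review bot: The two new `uses:` lines, `actions/checkout@v4` and `peter-evans/create-pull-request@v6`, reference mutable tags, while every other action visible in this patch is pinned to a full commit SHA with a `# pin@` comment. These are the steps that will hold a credential able to write to worldcoin/orb-os once the commented-out `token:` lines are enabled, so they should be pinned the same way. Separately, the update step ends with `grep -n -E "${regex}" "$file"`, and `file` is never assigned, so under `set -u` the step aborts right after the sed; it should read `"${commonsh}"`. The step also splices `${{ steps.compute_version.outputs.short_sha }}` directly into the script text, and passing it through `env:` keeps the value out of the shell source. When `ORB_OS_PR_TOKEN` is switched on, it would be best scoped to contents and pull-request write on orb-os only, given that the workflow otherwise declares `permissions: {}`.

```yaml
      - name: Checkout orb-os
        uses: actions/checkout@<full-commit-sha> # pin@v4
        # … unchanged: with: repository / path …

      - name: Update ORB_RUSTZONE in target files
        working-directory: orb-os
        shell: bash
        env:
          SHORT_SHA: ${{ steps.compute_version.outputs.short_sha }}
        run: |
          set -Eeuxo pipefail
          release_name="git-${SHORT_SHA}"
          # … unchanged: files array, existence check, sed …
            grep -n -E "${regex}" "${commonsh}"
          # … unchanged: done, git diff …

      - name: Create PR in orb-os
        uses: peter-evans/create-pull-request@<full-commit-sha> # pin@v6
        # … unchanged: with: block …
```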
@@ -145,7 +145,7 @@ jobs: - uses: cachix/install-nix-action@0b0e072294b088b73964f1d72dfdac0951439dbd # pin@v31.8.4 - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15 # not on prod to eliminate privilege escalation via cachix cache injection - if: ${{ matrix.environment }} == 'stage' + if: ${{ matrix.environment == 'stage' }} continue-on-error: true with: name: worldcoin
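Review bot: The comment above the corrected `if:` explains why cachix is kept off prod but not why the form of the expression matters, and the previous form is easy to reintroduce: with `== 'stage'` outside `${{ }}` the condition is a non-empty string, so the step runs for every matrix entry. I would extend the comment with `# keep the whole comparison inside ${{ }}; outside it the condition is always true`. Since the cachix step presumably also ran for prod builds until now, it may be worth checking whether any prod artifacts were built with the cache enabled. The commit message currently describes only the orb-os bump and could mention this fix. The job this step belongs to starts and ends outside the hunk.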