build: update CI and release for native bundles and latest jreleaser

[maxandersen]

Current Flow (main)

PR Build

graph TD
    PR[PR opened/updated] --> CI[ci-build.yml]
    CI --> SCB[step-ci-build.yml]
    SCB --> FC[format-check]
    SCB --> BS[build-shared]
    BS --> NI[build-test-native-image<br/>3 OS]
    BS --> UT[unit-test-jvm<br/>3 OS × Java 11]
    BS --> IT[integration-test-jvm<br/>matrix]
    BS --> SM[smoke-test]
    NI --> |uploads| A1[jbang.bin per OS]
    UT --> MR[merge-test-reports]
    IT --> MR
    NI --> MR

Loading

Main Build

graph TD
    PUSH[push to main] --> MB[main-build.yml]
    MB --> SCB["step-ci-build.yml<br/>(skip_tests: true ⚠️)"]
    SCB --> JR["jreleaser job<br/>(just tree -a build ⚠️)"]

Loading

Release

graph TD
    TAG[push v* tag] --> BUILD["single ubuntu job<br/>⚠️ standalone, not reusing CI"]
    BUILD --> B1[gradle build + publish]
    B1 --> B2[integration-test Java 11 only]
    B2 --> B3["version extract<br/>⚠️ deprecated set-output"]
    B3 --> JR["JReleaser 1.19.0"]

Loading

Problems

Issue	Impact
Release is standalone single-runner build	Different from PR CI — different steps, coverage
No native bundles	Only jbang.zip/jbang.tar, no platform-specific binaries
Ubuntu-only release testing	PR CI tests 3 OS; release only ubuntu
No jreleaser validation on PRs	Config errors discovered during release
Main build has tests disabled	skip_tests: true — never actually validates main
No earlyaccess release	main-build.yml incomplete (just tree -a build)
Deprecated ::set-output	Will stop working
JReleaser 1.19.0	Behind latest

---

Proposed Flow (this PR)

PR Build — enhanced

graph TD
    PR["PR (version: 0.138.0.10-SNAPSHOT)"] --> CI[ci-build.yml]
    CI --> SCB[step-ci-build.yml]
    SCB --> FC[format-check]
    SCB --> BS[build-shared]
    BS --> NI[build-test-native-image<br/>3 OS]
    BS --> UT[unit-test-jvm<br/>3 OS]
    BS --> IT[integration-test-jvm<br/>matrix]
    BS --> SM[smoke-test]
    NI --> |uploads| A1[jbang.bin per OS]
    NI --> |NEW| A2["native bundles<br/>jbang-{os}-{arch}.tar/.zip"]
    BS --> DRY["NEW: jreleaser dry-run<br/>JReleaser 1.24.0"]
    NI -.-> |runs even if NI fails| DRY
    UT --> MR[merge-test-reports]
    IT --> MR
    NI --> MR

    style DRY fill:#9f9,stroke:#333
    style A2 fill:#9f9,stroke:#333

Loading

Main Build — full CI + earlyaccess

graph TD
    PUSH["push to main<br/>(version: 0.138.0.10-SNAPSHOT)"] --> MB[main-build.yml]
    MB --> SCB["step-ci-build.yml<br/>(full CI with tests)"]
    SCB --> |all jobs complete| EA[earlyaccess job]
    EA --> |downloads| A1[shared-build]
    EA --> |downloads| A2[native bundles]
    EA --> JR["JReleaser full-release<br/>SNAPSHOT → auto pre-release<br/>skips brew, sdkman, etc."]

    style EA fill:#9f9,stroke:#333

Loading

Release — lean, validated

graph TD
    TAG["push v* tag<br/>(version: 0.139.0)"] --> CD[check-debug]
    TAG --> VAL[validate-release]
    VAL --> |verify on main| V1[git merge-base]
    VAL --> |verify CI passed| V2[gh api commit status]
    VAL --> BS[build-shared<br/>gradle build + publish]
    BS --> NI[build-native-image<br/>3 OS]
    BS --> SM[smoke-test]
    NI --> REL[release]
    SM --> REL
    CD --> REL
    REL --> JR["JReleaser 1.24.0<br/>non-SNAPSHOT → full release"]

    style VAL fill:#ff9,stroke:#333
    style REL fill:#9f9,stroke:#333

Loading

Version Strategy

Nisse plugin with appendSnapshot = true:

Context	Version	JReleaser behavior
PR build	0.138.0.10-SNAPSHOT	Dry-run only
Main build	0.138.0.10-SNAPSHOT	Earlyaccess pre-release, skips active: RELEASE distributors
Tagged release	0.139.0	Full release with brew, sdkman, chocolatey, etc.

Release Artifacts

File	Purpose
jbang.zip / jbang.tar	Generic bundle (no native binary)
jbang-0.139.0-linux-x64.tar	Versioned platform bundle
jbang-linux-x64.tar	Unversioned, for latest/download/ URLs

Platform bundles contain jbang-<os>-<arch>.bin (e.g. jbang-linux-x64.bin).
Scripts look for jbang-<os>-<arch>.bin first, then jbang.bin as fallback.

Strictness

Scenario	PR dry-run	Main earlyaccess	Release
Native images built ✅	With bundles	With bundles	With bundles
Native images failed ❌	Still runs	Still runs	Fails hard
CI not passed for commit	N/A	N/A	Fails hard
Commit not on main	N/A	N/A	Fails hard

Improvements

What	Detail
Release doesn't re-run full tests	Code tested on PR + main; release just builds & ships
Release validates CI passed	Checks commit status via GitHub API before proceeding
Earlyaccess on every main push	SNAPSHOT version triggers pre-release automatically
JReleaser dry-run on PRs	Config errors caught before merge
Native bundles with platform naming	jbang-linux-x64.bin — deterministic, no conflicts
No duplicated build logic	PR and main share step-ci-build.yml; release is lean
Deprecations fixed	GITHUB_OUTPUT, JReleaser 1.24.0

Split from #2467.

Summary by CodeRabbit

• New Features

  • Platform-specific native distribution bundles now available for Linux, macOS, and Windows across different CPU architectures.
  • Enhanced automatic architecture detection in installation scripts with improved fallback handling.

• Chores

  • Improved release validation and dry-run checks in CI/CD pipeline.
  • Updated early-access release publishing workflow.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Adds Gradle tasks and naming helpers to produce platform-specific native ZIP/TAR bundles, updates CI workflows to build/upload those bundles and run an optional JReleaser dry-run, integrates downloads into release/early-access jobs, updates JReleaser artifact globs, and adapts launcher scripts and tests for platform-named binaries.

Changes

Native Bundle Distribution Pipeline

Layer / File(s)	Summary
Native bundle naming and Gradle tasks build.gradle	Adds OS/arch helper functions, makes native executable included unconditionally (renamed to platform-specific name), declares String getNativeExecutableName(), and adds nativeDistZip/nativeDistTar and latest* packaging tasks.
CI build, dry-run and release orchestration .github/workflows/step-ci-build.yml, .github/workflows/tag-and-release.yml, .github/workflows/main-build.yml, .github/workflows/publish-packages.yml	Adds skip_jreleaser_dry_run input; build job runs native bundle packaging and uploads per-OS artifacts; introduces conditional jreleaser-dry-run that downloads artifacts, reads build/tmp/version.txt, and runs JReleaser in --dry-run; reorganizes tag-and-release into build-shared/build-native-image/smoke-test and uses early-access JReleaser version; main-build adds earlyaccess job.
Release artifact manifest configuration jreleaser.yml	Extends files.artifacts.globs to include build/distributions/jbang-*-*.zip and build/distributions/jbang-*-*.tar so versioned platform archives are captured without explicit filenames.
Runtime native binary detection and integration src/main/java/dev/jbang/cli/App.java, src/main/java/dev/jbang/cli/Wrapper.java, src/main/java/dev/jbang/spi/IntegrationManager.java, src/main/scripts/jbang*	Launcher and wrapper accept generic .bin/.bin.exe suffixes, compute OS-dependent bin suffix, map arm64→aarch64, prefer jbang-${os}-${arch}.bin(.exe) when JBANG_USE_NATIVE=true, and when running inside a native image derive jbang.jar from the native binary directory for Java invocations.
Tests: version output regex src/it/java/dev/jbang/it/VersionIT.java	Adjusts shouldVersion and shouldVerboseVersion assertions to allow an optional -SNAPSHOT suffix on the version output.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• jbangdev/jbang#2464: Overlaps with changes to nisseConfig.jgit and versioning-related build configuration.

Suggested reviewers

• quintesse

Poem

🐰 I zip and tar each platform's shoe,
I hop through CI to check what's new,
Dry-run hums, then artifacts fly,
Native bins named for OS and CPU,
Release bells ring — a carrot for you!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: updating CI and release workflows to support native bundles and upgrading JReleaser to the latest version (1.24.0).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci-release-jreleaser-update

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/tag-and-release.yml:
- Around line 72-78: The "Download native bundles" step currently uses
actions/download-artifact@v4 with a pattern but no run-id/workflow, so it tries
to fetch artifacts from the current workflow that never uploaded the native
bundles and will fail due to if-no-files-found: error; fix by either (a) adding
the native bundle build/upload earlier in this workflow so the artifact exists
before the "Download native bundles" step (ensure artifact name matches the
pattern from step shared-build.outputs.github-short-sha), or (b) change the
download step to target the producing run by supplying run-id and/or workflow
(and token) so it downloads artifacts from the step-ci-build.yml run for the
same short SHA, or (c) if missing bundles are acceptable, change
if-no-files-found from error to warn; update the step named "Download native
bundles" accordingly and keep pattern, path and merge-multiple as needed.

In `@build.gradle`:
- Around line 332-343: commonSpec currently checks file.exists() at
configuration time, so on clean runs the native binary isn't included; change
the copy spec to use a lazy/evaluated-at-execution provider (e.g., use from {
project.layout.buildDirectory.file("native-image/${nativeExecName}") } or
from(provider { project.file("build/native-image/${nativeExecName}") }) instead
of checking exists()), leaving the dependsOn('nativeImage') in
nativeDistZip/nativeDistTar so the native image is produced before packaging;
update the logic around commonSpec's inclusion of
build/native-image/<nativeExecName> to use that closure/provider so the file is
picked up when it actually exists.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2da9224f-4f30-4d83-b929-879e3f5d6cee

📥 Commits

Reviewing files that changed from the base of the PR and between 1a6383b and 76a2262.

📒 Files selected for processing (4)

• .github/workflows/step-ci-build.yml
• .github/workflows/tag-and-release.yml
• build.gradle
• jreleaser.yml

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/step-ci-build.yml:
- Around line 305-307: The checkout step uses actions/checkout (the step with
"uses: actions/checkout@...") and currently leaves credential persistence
enabled; update that checkout step in the artifact-handling job to add the input
persist-credentials: false so git credentials are not stored for subsequent
steps, keeping the rest of the checkout inputs (like fetch-depth) as-is.
- Around line 298-303: The new job jreleaser-dry-run currently inherits broad
workflow token permissions; add an explicit least-privilege permissions block
under the jreleaser-dry-run job to restrict the GITHUB_TOKEN (for example set
"permissions: contents: read" and only add other specific permissions if this
job actually requires them) so the job no longer gets overly-broad default
rights; update the jreleaser-dry-run job definition to include that permissions
mapping and remove any unused scopes.

In @.github/workflows/tag-and-release.yml:
- Around line 25-31: The workflow currently relies on default token permissions
for the ci-build job that reuses ./.github/workflows/step-ci-build.yml; add an
explicit least-privilege permissions block (at the workflow root or the ci-build
job) that restricts scopes to only what the reusable workflow needs (for
example: contents: read and id-token: write if OIDC is required) and avoid broad
write permissions; if the reusable workflow requires any additional specific
scopes, enumerate them explicitly rather than using defaults or broad write
access.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 16060fc6-3360-4039-ad12-7d9a6f947b11

📥 Commits

Reviewing files that changed from the base of the PR and between 76a2262 and 3a4d872.

📒 Files selected for processing (4)

• .github/workflows/step-ci-build.yml
• .github/workflows/tag-and-release.yml
• build.gradle
• jreleaser.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Scope token permissions for the new jreleaser-dry-run job.

Line 298 introduces a new job but no explicit permissions, so it inherits broad defaults. Please set least-privilege permissions at workflow/job scope.

🔧 Proposed hardening

  jreleaser-dry-run:
+   permissions:
+     contents: read
    needs: [build-shared, build-test-native-image]
    if: needs.build-shared.result == 'success' && needs.build-test-native-image.result == 'success'

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	jreleaser-dry-run:
	needs: [build-shared, build-test-native-image]
	if: needs.build-shared.result == 'success' && needs.build-test-native-image.result == 'success'
	runs-on: ubuntu-latest
	env:
	JRELEASER_VERSION: 1.24.0
	jreleaser-dry-run:
	permissions:
	contents: read
	needs: [build-shared, build-test-native-image]
	if: needs.build-shared.result == 'success' && needs.build-test-native-image.result == 'success'
	runs-on: ubuntu-latest
	env:
	JRELEASER_VERSION: 1.24.0

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 298-347: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/step-ci-build.yml around lines 298 - 303, The new job
jreleaser-dry-run currently inherits broad workflow token permissions; add an
explicit least-privilege permissions block under the jreleaser-dry-run job to
restrict the GITHUB_TOKEN (for example set "permissions: contents: read" and
only add other specific permissions if this job actually requires them) so the
job no longer gets overly-broad default rights; update the jreleaser-dry-run job
definition to include that permissions mapping and remove any unused scopes.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Disable persisted checkout credentials in artifact-handling job.

Line 305 checks out code with default credential persistence. For this job, set persist-credentials: false to reduce token exposure risk.

🔧 Proposed hardening

      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          fetch-depth: 0
+         persist-credentials: false

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 305-307: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/step-ci-build.yml around lines 305 - 307, The checkout
step uses actions/checkout (the step with "uses: actions/checkout@...") and
currently leaves credential persistence enabled; update that checkout step in
the artifact-handling job to add the input persist-credentials: false so git
credentials are not stored for subsequent steps, keeping the rest of the
checkout inputs (like fetch-depth) as-is.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit least-privilege permissions for this workflow.

Line 25 adds the new reusable CI entrypoint, but the workflow still relies on default token permissions. Please declare explicit permissions to avoid unnecessary write scope.

🔧 Proposed hardening

 on:
   push:
     tags:
       - 'v*'

 name: tag-and-release
+permissions:
+  contents: read
 jobs:
   check-debug:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ci-build:
	needs: check-debug
	uses: ./.github/workflows/step-ci-build.yml
	with:
	debug_enabled: ${{ needs.check-debug.outputs.debug_enabled == 'true' }}
	debug_detached: true
	skip_tests: false
	on:
	push:
	tags:
	- 'v*'
	name: tag-and-release
	permissions:
	contents: read
	jobs:
	ci-build:
	needs: check-debug
	uses: ./.github/workflows/step-ci-build.yml
	with:
	debug_enabled: ${{ needs.check-debug.outputs.debug_enabled == 'true' }}
	debug_detached: true
	skip_tests: false

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 25-31: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tag-and-release.yml around lines 25 - 31, The workflow
currently relies on default token permissions for the ci-build job that reuses
./.github/workflows/step-ci-build.yml; add an explicit least-privilege
permissions block (at the workflow root or the ci-build job) that restricts
scopes to only what the reusable workflow needs (for example: contents: read and
id-token: write if OIDC is required) and avoid broad write permissions; if the
reusable workflow requires any additional specific scopes, enumerate them
explicitly rather than using defaults or broad write access.

[quintesse]

LGTM

[maxandersen]

rebased and merged