breaking(release): add OIDC npm release workflow. include all builds in package. add Alpine/MUSL support.

mceachen · mceachen · commit f7ae5c0dd523 · 2026-01-04T07:00:31.000-08:00
diff --git a/.github/workflows/npm-release.yaml b/.github/workflows/npm-release.yaml
@@ -0,0 +1,242 @@
+name: "npm Release"
+
+# Fork-specific workflow for publishing to npm with OIDC
+
+# Separate from release.yaml to make merging upstream changes easier
+
+#
+# APPROACH: We bundle all platform binaries in a single npm package (like
+# prebuildify) rather than using platform-specific optionalDependencies (like
+# esbuild/swc). Rationale:
+#   - Simpler: one package to publish, not 5+ platform packages
+#   - More secure: avoids post-install scripts and dependency on npm registry
+#   - Reliable: works offline, with disabled scripts, and custom registries
+#   - Small overhead: sqlite-vec binaries are ~200KB each, so bundling all is
+#     fine
+
+#
+# FIRST-TIME SETUP (required before this workflow will work):
+#
+# 1. Build and publish the package locally to create it on npm:
+#    ./scripts/vendor.sh make loadable mkdir -p dist/$(node -p "process.platform
+#    + '-' + process.arch") cp dist/vec0.* dist/$(node -p "process.platform +
+#    '-' + process.arch")/ npm login npm publish --access public
+#
+# 2. Configure OIDC trusted publishing on npmjs.com:
+#    - Go to https://www.npmjs.com/package/@USER/sqlite-vec/access
+#    - Under "Publishing access" click "Add a trusted publisher"
+#    - Repository: USER/sqlite-vec
+#    - Workflow: npm-release.yaml
+#    - Environment: (leave blank)
+#
+# 3. Now this workflow can publish subsequent versions automatically
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version bump type"
+        required: false
+        type: choice
+        default: "patch"
+        options:
+          - patch
+          - minor
+          - major
+
+permissions:
+  contents: read
+
+jobs:
+  build-linux-x64:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - run: ./scripts/vendor.sh
+      - run: make loadable
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: linux-x64
+          path: dist/vec0.so
+
+  build-linux-arm64:
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - run: ./scripts/vendor.sh
+      - run: make sqlite-vec.h
+      - run: make loadable
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: linux-arm64
+          path: dist/vec0.so
+
+  build-linux-x64-musl:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - run: |
+          docker run --rm -v $(pwd):/tmp/project --entrypoint /bin/sh --platform linux/amd64 node:20-alpine -c "\
+          apk add build-base --update-cache && \
+          cd /tmp/project && \
+          ./scripts/vendor.sh && \
+          make loadable"
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: linux-x64-musl
+          path: dist/vec0.so
+
+  build-linux-arm64-musl:
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - run: |
+          docker run --rm -v $(pwd):/tmp/project --entrypoint /bin/sh --platform linux/arm64 node:20-alpine -c "\
+          apk add build-base --update-cache && \
+          cd /tmp/project && \
+          ./scripts/vendor.sh && \
+          make loadable"
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: linux-arm64-musl
+          path: dist/vec0.so
+
+  build-darwin-x64:
+    runs-on: macos-15-intel
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - run: ./scripts/vendor.sh
+      - run: make loadable
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: darwin-x64
+          path: dist/vec0.dylib
+
+  build-darwin-arm64:
+    runs-on: macos-14
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - run: ./scripts/vendor.sh
+      - run: make loadable
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: darwin-arm64
+          path: dist/vec0.dylib
+
+  build-win32-x64:
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
+      - run: ./scripts/vendor.sh
+        shell: bash
+      - run: make sqlite-vec.h
+      - run: mkdir dist
+      - run: cl.exe /fPIC -shared /W4 /Ivendor/ /O2 /LD sqlite-vec.c -o dist/vec0.dll
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: win32-x64
+          path: dist/vec0.dll
+
+  build-win32-arm64:
+    runs-on: windows-11-arm
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
+        with:
+          arch: arm64
+      - run: ./scripts/vendor.sh
+        shell: bash
+      - run: make sqlite-vec.h
+      - run: mkdir dist
+      - run: cl.exe /fPIC -shared /W4 /Ivendor/ /O2 /LD sqlite-vec.c -o dist/vec0.dll
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: win32-arm64
+          path: dist/vec0.dll
+
+  publish-npm:
+    runs-on: ubuntu-24.04
+    needs:
+      [
+        build-linux-x64,
+        build-linux-arm64,
+        build-linux-x64-musl,
+        build-linux-arm64-musl,
+        build-darwin-x64,
+        build-darwin-arm64,
+        build-win32-x64,
+        build-win32-arm64,
+      ]
+    permissions:
+      contents: write # Required to push version commits and tags
+      id-token: write # Required for npm OIDC trusted publishing
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0 # Full history for version tags
+
+      # Download all artifacts into platform-specific subdirectories
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: linux-x64
+          path: dist/linux-x64
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: linux-arm64
+          path: dist/linux-arm64
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: linux-x64-musl
+          path: dist/linux-x64-musl
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: linux-arm64-musl
+          path: dist/linux-arm64-musl
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: darwin-x64
+          path: dist/darwin-x64
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: darwin-arm64
+          path: dist/darwin-arm64
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: win32-x64
+          path: dist/win32-x64
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: win32-arm64
+          path: dist/win32-arm64
+
+      - run: ls -laR dist/
+
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        with:
+          node-version: "20"
+          registry-url: "https://registry.npmjs.org"
+
+      - uses: photostructure/git-ssh-signing-action@fdd4b062a9ba41473f013258cc9c7eea1640f826 # v1.2.0
+        with:
+          ssh-signing-key: ${{ secrets.SSH_SIGNING_KEY }}
+          git-user-name: ${{ secrets.GIT_USER_NAME }}
+          git-user-email: ${{ secrets.GIT_USER_EMAIL }}
+
+      - run: npm install -g npm@latest
+
+      - name: Bump version and create signed tag
+        run: |
+          npm version ${{ github.event.inputs.version }} --sign-git-tag -m "release: %s"
+          echo "NEW_VERSION=$(npm pkg get version | tr -d '\"')" >> $GITHUB_ENV
+
+      - name: Push version commit and tag
+        run: git push origin main --follow-tags
+
+      - name: Create GitHub Release
+        run: gh release create "v${{ env.NEW_VERSION }}" --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish to npm with OIDC
+        run: npm publish --provenance --access public
diff --git a/index.cjs b/index.cjs
@@ -1,6 +1,6 @@
 const { join } = require("node:path");
 const { arch, platform } = require("node:process");
-const { statSync } = require("node:fs");
+const { readdirSync, statSync } = require("node:fs");
 
 const ENTRYPOINT_BASE_NAME = "vec0";
 
@@ -10,15 +10,48 @@ function extensionSuffix(platform) {
   return "so";
 }
 
+/**
+ * Detect if running on musl libc (Alpine Linux, etc.)
+ * Uses detect-libc's primary heuristic: check for musl dynamic linker
+ */
+function isMusl() {
+  if (platform !== "linux") return false;
+  try {
+    const files = readdirSync("/lib");
+    return files.some((f) => f.startsWith("ld-musl-"));
+  } catch {
+    return false;
+  }
+}
+
 function getLoadablePath() {
+  // Platform-specific subdirectory (e.g., darwin-arm64, linux-x64, linux-x64-musl)
+  const platformDir =
+    platform === "linux" && isMusl()
+      ? `${platform}-${arch}-musl`
+      : `${platform}-${arch}`;
   const loadablePath = join(
     __dirname,
     "dist",
+    platformDir,
     `${ENTRYPOINT_BASE_NAME}.${extensionSuffix(platform)}`
   );
 
   if (!statSync(loadablePath, { throwIfNoEntry: false })) {
-    throw new Error(`Loadable extension for sqlite-vec not found at ${loadablePath}. Was the extension built? Run: make loadable`);
+    const supported = [
+      "darwin-x64",
+      "darwin-arm64",
+      "linux-x64",
+      "linux-x64-musl",
+      "linux-arm64",
+      "linux-arm64-musl",
+      "win32-x64",
+      "win32-arm64",
+    ];
+    throw new Error(
+      `Loadable extension for sqlite-vec not found for ${platformDir} at ${loadablePath}. ` +
+        `Supported platforms: ${supported.join(", ")}.`
+    );
   }
 
   return loadablePath;
diff --git a/index.mjs b/index.mjs
@@ -1,7 +1,7 @@
 import { join } from "node:path";
 import { fileURLToPath } from "node:url";
 import { arch, platform } from "node:process";
-import { statSync } from "node:fs";
+import { readdirSync, statSync } from "node:fs";
 
 const ENTRYPOINT_BASE_NAME = "vec0";
 
@@ -11,15 +11,48 @@ function extensionSuffix(platform) {
   return "so";
 }
 
+/**
+ * Detect if running on musl libc (Alpine Linux, etc.)
+ * Uses detect-libc's primary heuristic: check for musl dynamic linker
+ */
+function isMusl() {
+  if (platform !== "linux") return false;
+  try {
+    const files = readdirSync("/lib");
+    return files.some((f) => f.startsWith("ld-musl-"));
+  } catch {
+    return false;
+  }
+}
+
 function getLoadablePath() {
+  // Platform-specific subdirectory (e.g., darwin-arm64, linux-x64, linux-x64-musl)
+  const platformDir =
+    platform === "linux" && isMusl()
+      ? `${platform}-${arch}-musl`
+      : `${platform}-${arch}`;
   const loadablePath = join(
     fileURLToPath(new URL(".", import.meta.url)),
     "dist",
+    platformDir,
     `${ENTRYPOINT_BASE_NAME}.${extensionSuffix(platform)}`
   );
 
   if (!statSync(loadablePath, { throwIfNoEntry: false })) {
-    throw new Error(`Loadable extension for sqlite-vec not found at ${loadablePath}. Was the extension built? Run: make loadable`);
+    const supported = [
+      "darwin-x64",
+      "darwin-arm64",
+      "linux-x64",
+      "linux-x64-musl",
+      "linux-arm64",
+      "linux-arm64-musl",
+      "win32-x64",
+      "win32-arm64",
+    ];
+    throw new Error(
+      `Loadable extension for sqlite-vec not found for ${platformDir} at ${loadablePath}. ` +
+        `Supported platforms: ${supported.join(", ")}.`
+    );
   }
 
   return loadablePath;
diff --git a/package.json b/package.json
@@ -13,7 +13,6 @@
     }
   },
   "scripts": {
-    "install": "bash -c './scripts/vendor.sh && make loadable'",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "repository": {
@@ -52,15 +51,6 @@
     "index.cjs",
     "index.mjs",
     "index.d.ts",
-    "dist/vec0.so",
-    "dist/vec0.dylib",
-    "dist/vec0.dll",
-    "sqlite-vec.c",
-    "sqlite-vec.h",
-    "sqlite-vec.h.tmpl",
-    "VERSION",
-    "vendor/",
-    "scripts/vendor.sh",
-    "Makefile"
+    "dist/"
   ]
 }
