
samuelpkg/samuel-plugin-release


samuel-plugin-release

Reusable GitHub Actions workflow that every Samuel v2 plugin repo calls from its own .github/workflows/release.yml. The one workflow produces one of three outputs, selected by the kind field in samuel-plugin.toml:

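| Kind  | Output                                                                     |
|-------|----------------------------------------------------------------------------|
| skill | tar.gz blob + cosign keyless signature, attached to a GitHub release       |
| wasm  | TinyGo build (-target=wasi) + cosign signature                             |
| oci   | Multi-arch buildx push to GHCR + cosign image signature                    |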

How a plugin repo opts in

# .github/workflows/release.yml in any samuel-* plugin repo
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: write
  packages: write
  id-token: write
jobs:
  release:
    uses: ar4mirez/samuel-plugin-release/.github/workflows/release.yml@v1
    with:
      manifest: samuel-plugin.toml
    secrets: inherit

Versioning

Tag this repo v1, v1.0.0, etc. Callers should pin to @v1 for major stability. Breaking workflow changes get a new major.

Signing

All artifacts are signed via cosign keyless OIDC. No long-lived keys live in this repo or any caller repo. Consumers verify with:

cosign verify-blob --certificate-identity-regexp \
  'https://github.com/ar4mirez/samuel-.*/\.github/workflows/release\.yml@.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --signature plugin.tar.gz.sig --certificate plugin.tar.gz.pem \
  plugin.tar.gz
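
An added example, not part of this repo, that audits which certificate identities the pattern in the verify command admits, next to a tighter pattern pinned to this reusable workflow at a v1 tag. It assumes cosign applies the pattern as an unanchored Go regexp search; the pinned pattern and every sample identity are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern copied from the verify command in this README.
const readmePattern = `https://github.com/ar4mirez/samuel-.*/\.github/workflows/release\.yml@.*`

// Assumption: a stricter consumer policy that accepts only the reusable
// workflow itself, at a v1 or v1.x.y tag, with both ends anchored.
const pinnedPattern = `^https://github\.com/ar4mirez/samuel-plugin-release/\.github/workflows/release\.yml@refs/tags/v1(\.\d+\.\d+)?$`

// Constructed certificate identities (SAN URIs); none come from a real certificate.
var sampleIdentities = []string{
	"https://github.com/ar4mirez/samuel-plugin-release/.github/workflows/release.yml@refs/tags/v1",
	"https://github.com/ar4mirez/samuel-plugin-release/.github/workflows/release.yml@refs/tags/v1.0.0",
	"https://github.com/ar4mirez/samuel-plugin-release/.github/workflows/release.yml@refs/heads/main",
	"https://github.com/ar4mirez/samuel-example/.github/workflows/release.yml@refs/heads/feature",
	"https://github.com/ar4mirez/samuel-example/.github/workflows/selftest.yml@refs/tags/v1",
}

// accepted returns the identities that pattern admits under an unanchored search.
func accepted(pattern string, identities []string) []string {
	re := regexp.MustCompile(pattern)
	var out []string
	for _, id := range identities {
		if re.MatchString(id) {
			out = append(out, id)
		}
	}
	return out
}

func main() {
	for _, p := range []string{readmePattern, pinnedPattern} {
		fmt.Printf("pattern %s\n", p)
		for _, id := range accepted(p, sampleIdentities) {
			fmt.Printf("  accepts %s\n", id)
		}
	}
}
```

The README pattern admits a signature from any branch or tag of any samuel-* repo's release.yml, while the pinned pattern admits only tagged v1 releases of the reusable workflow.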

Testing the workflow

samuel-plugin-release ships with one fixture plugin at testdata/fixture/. The repo's own CI (.github/workflows/selftest.yml) calls the reusable workflow against the fixture on every push to main, so we catch regressions before plugin authors do.

About

Reusable GitHub Actions workflow for Samuel v2 plugin releases (skill/wasm/oci builds + cosign keyless signing).
