From c37bdae9f75db9e8c91c30a8ee753b9119da9a39 Mon Sep 17 00:00:00 2001
From: Aleksander Gondek
Date: Sun, 14 Jun 2026 15:03:30 +0000
Subject: [PATCH 1/2] build: add missing changelog.md

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 CHANGELOG.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..cb6fe69
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,4 @@
+# Changelog
+All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines.
+
+- - -

From 1a88e13362ce8247647054b1529d4719bf1f6586 Mon Sep 17 00:00:00 2001
From: Aleksander Gondek
Date: Sun, 14 Jun 2026 15:13:34 +0000
Subject: [PATCH 2/2] build: automation to publish releases on Github

This changeset introduces automation steps, that will publish and attest the releases in the Github.
---
 .github/workflows/publish.yaml | 73 +++++++++++++++++++++++++++++
 .github/workflows/release_prep.sh | 11 +++++
 .gitignore | 1 +
 tools/gen_release_artifacts.bash | 77 +++++++++++++++++++++++++++++++
 4 files changed, 162 insertions(+)
 create mode 100644 .github/workflows/publish.yaml
 create mode 100755 .github/workflows/release_prep.sh
 create mode 100755 tools/gen_release_artifacts.bash

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 0000000..4f56207
--- /dev/null
+++ b/.github/workflows/publish.yaml
@@ -0,0 +1,73 @@
+name: "publish"
+run-name: "Publish release of commit ${{ github.sha }}"
+
+# https://github.com/bazel-contrib/.github/blob/1d798ff015ed0696433e01e2c3ccbb2abefadad7/.github/workflows/release_ruleset.yaml
+permissions:
+ id-token: write # Needed to attest provenance
+ attestations: write # Needed to attest provenance
+ contents: write # Needed to upload release files
+
+on:
+ push:
+ branches: ["main"]
+ # Simplified detection of a cog-release:
+ # CHANGELOG.md file has been modified.
+ paths:
+ - "CHANGELOG.md"
+
+jobs:
+ prepare:
+ name: "prepare"
+ runs-on: ["ubuntu-latest"]
+ outputs:
+ version: ${{ steps.gen_release_artifacts.outputs.version }}
+
+ steps:
+ - uses: cachix/install-nix-action@v31
+
+ - name: "Checkout 'main' branch"
+ uses: actions/checkout@v5
+ with:
+ clean: true
+ fetch-depth: 0
+ fetch-tags: true
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: "Generate release artifacts"
+ id: gen_release_artifacts
+ shell: bash
+ run: |2
+ outs="$(./scripts/gen-release-artifacts.bash)"
+ export outs
+ echo "outs=${outs}" >> "$GITHUB_OUTPUT"
+ version="$(cat "${outs}/version")"
+ export version
+ echo "version=${version}" >> "$GITHUB_OUTPUT"
+
+ # This step is made to ensure the uploaded archive file does not contain ./release as top-level file
+ - shell: bash
+ run: |2
+ mkdir ./release
+ cp ${{ steps.gen_release_artifacts.outputs.outs}}/${{ steps.gen_release_artifacts.outputs.version }}.tar.gz ./release/${{ steps.gen_release_artifacts.outputs.version }}.tar.gz
+ cp ${{ steps.gen_release_artifacts.outputs.outs}}/release_notes.md ./release/release_notes.md
+
+ # Upload generated artifacts, so that bazel-contrib/.github workflow release_ruleset can use them
+ - uses: actions/upload-artifact@v4
+ with:
+ name: release
+ path: |2
+ ./release/${{ steps.gen_release_artifacts.outputs.version }}.tar.gz
+ ./release/release_notes.md
+ retention-days: 1
+
+ publish_github:
+ name: "Publish Github release"
+ needs: "prepare"
+ uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@v7.7.0
+ with:
+ draft: false
+ mount_bazel_caches: false
+ prerelease: false
+ release_files: |2
+ ./release/*
+ tag_name: ${{ needs.prepare.outputs.version }}
diff --git a/.github/workflows/release_prep.sh b/.github/workflows/release_prep.sh
new file mode 100755
index 0000000..12d845d
--- /dev/null
+++ b/.github/workflows/release_prep.sh
@@ -0,0 +1,11 @@
+#! /usr/bin/env bash
+set -euo pipefail
+
+# The existance of this file is mandated by
+# the github action used for generation of
+# a github release (and its attestation.)
+# https://github.com/bazel-contrib/.github/blob/1d798ff015ed0696433e01e2c3ccbb2abefadad7/.github/workflows/release_ruleset.yaml
+#
+# It is supposed to output release notes to stdout
+
+cat ./release/release_notes.md
diff --git a/.gitignore b/.gitignore
index c914bdf..eb47b86 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@
 /bazel.iml
 .bazelisk*
 bazel-*
+release
diff --git a/tools/gen_release_artifacts.bash b/tools/gen_release_artifacts.bash
new file mode 100755
index 0000000..3d2ce09
--- /dev/null
+++ b/tools/gen_release_artifacts.bash
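Review bot: The `Generate release artifacts` step runs `./scripts/gen-release-artifacts.bash`, but the script this commit adds lives at `tools/gen_release_artifacts.bash`, so the `prepare` job will fail at that line on the first CHANGELOG.md push; change it to `outs="$(./tools/gen_release_artifacts.bash)"`. The checkout's `ref: ${{ github.event.pull_request.head.sha }}` is always empty under the `push` trigger declared here and silently falls back to the pushed commit; write `ref: ${{ github.sha }}` so the intent is explicit and a later `pull_request_target` trigger cannot check out a fork's code while this workflow holds `id-token: write` and `contents: write`. Those write permissions are declared at workflow level, so `prepare` — which only reads the repository and uploads a workflow artifact — receives them too; move the `permissions:` block onto `publish_github` and give `prepare` `permissions: { contents: read }` instead. Because the same token can sign provenance and publish releases, pin `cachix/install-nix-action`, `actions/checkout`, `actions/upload-artifact` and the reusable `release_ruleset.yaml` to full commit SHAs (with the tag in a trailing comment) rather than mutable tags.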
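Review bot: `cat ./release/release_notes.md` only works if `./release/release_notes.md` has been materialised in the working tree of the job that runs this script, yet `release` is git-ignored by this same commit and the caller merely uploads a workflow artifact named `release`; confirm that `release_ruleset.yaml@v7.7.0` downloads that artifact into `./release` before invoking `release_prep.sh`, otherwise the release is created without notes or the job dies on a missing file. A guard such as `[[ -f ./release/release_notes.md ]] || { echo "release_prep.sh: ./release/release_notes.md missing" >&2; exit 1; }` before the `cat` turns that into an explicit, greppable failure rather than a bare `cat` error. The header comment also has a typo: `existance` → `existence`.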
@@ -0,0 +1,77 @@
+#! /usr/bin/env nix-shell
+#! nix-shell --quiet ../default.nix
+#! nix-shell -i bash
+set -euo pipefail
+
+# On github action runners the $RUNNER_TEMP is
+# not cleaned betweeen job steps, however TMPDIR is.
+OUT_DIR=$(mktemp -d -p ${RUNNER_TEMP:-"/tmp"})
+pushd $(git rev-parse --show-toplevel) >/dev/null
+
+# Get current version
+echo "rules_variant-v$(cog get-version 2>/dev/null)" >${OUT_DIR}/version
+VERSION="$(cat ${OUT_DIR}/version)"
+
+# Generate release notes
+RELEASE_NOTES="${OUT_DIR}/release_notes.md"
+cog changelog --at "${VERSION}" >${RELEASE_NOTES} 2>/dev/null
+
+# Create the tar.gz archive
+# VERSION already contains rules_variant-v prefix!
+ARCHIVE_NAME="${VERSION}.tar.gz"
+
+# https://www.gnu.org/software/tar/manual/html_node/Reproducibility.html
+# ^ Describes why and how we are ensuring archive reproducibility
+function get_commit_time() {
+ TZ=UTC0 git log -1 \
+ --format=tformat:%cd \
+ --date=format:%Y-%m-%dT%H:%M:%SZ \
+ "$@"
+}
+# Each file gets the timestamp of latest commit in the repo
+git ls-files | while read -r file; do
+ commit_time=$(get_commit_time "$file")
+ commit_time=${commit_time:-$(TZ=UTC0 date -r $file "+%Y-%m-%dT%H:%M:%SZ")}
+ touch -md $commit_time "$file"
+done
+
+SOURCE_EPOCH=$(get_commit_time)
+TARFLAGS="
+ --sort=name --format=posix
+ --pax-option=exthdr.name=%d/PaxHeaders/%f
+ --pax-option=delete=atime,delete=ctime
+ --clamp-mtime --mtime=$SOURCE_EPOCH
+ --numeric-owner --owner=0 --group=0
+ --mode=go+u,go-w
+"
+GZIPFLAGS="--no-name --best"
+LC_ALL=C tar $TARFLAGS -c --to-stdout $(git ls-files) |
+ gzip $GZIPFLAGS > "${OUT_DIR}/${ARCHIVE_NAME}"
+
+ARCHIVE_SHA=$(sha256sum "${OUT_DIR}/${ARCHIVE_NAME}" | cut -f 1 -d' ')
+
+# Enrich the release_notes.md with usage example
+cat <> ${RELEASE_NOTES}
+## Usage example
+
+### WORKSPACE
+
+Paste this snippet into your \`WORKSPACE.bazel\` file:
+
+\`\`\`starlark
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+http_archive(
+ name = "rules_variant",
+ sha256 = "${ARCHIVE_SHA}",
+ url = "https://github.com/ASML-Labs/rules_variant/releases/download/${VERSION}/${ARCHIVE_NAME}",
+)
+
+load("@rules_variant//variant/workspace:deps.bzl", "rules_variant_deps")
+rules_variant_deps()
+\`\`\`
+EOF
+
+popd >/dev/null
+
+# Inform where to find artifacts
+echo ${OUT_DIR}