build: add missing changelog.md

.github/workflows/publish.yaml

@@ -0,0 +1,73 @@
+name: "publish"
+run-name: "Publish release of commit ${{ github.sha }}"
+
+# https://github.com/bazel-contrib/.github/blob/1d798ff015ed0696433e01e2c3ccbb2abefadad7/.github/workflows/release_ruleset.yaml
+permissions:
+  id-token: write        # Needed to attest provenance
+  attestations: write    # Needed to attest provenance
+  contents: write        # Needed to upload release files
+
+on:
+  push:
+    branches: ["main"]
+    # Simplified detection of a cog-release:
+    # CHANGELOG.md file has been modified.
+    paths:
+      - "CHANGELOG.md"
+
+jobs:
+  prepare:
+    name: "prepare"
+    runs-on: ["ubuntu-latest"]
+    outputs:
+      version: ${{ steps.gen_release_artifacts.outputs.version }}
+
+    steps:
+      - uses: cachix/install-nix-action@v31
+
+      - name: "Checkout 'main' branch"
+        uses: actions/checkout@v5
+        with:
+          clean: true
+          fetch-depth: 0
+          fetch-tags: true
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: "Generate release artifacts"
+        id: gen_release_artifacts
+        shell: bash
+        run: |2
+          outs="$(./scripts/gen-release-artifacts.bash)"
+          export outs
+          echo "outs=${outs}" >> "$GITHUB_OUTPUT"
+          version="$(cat "${outs}/version")"
+          export version
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
+
+      # This step is made to ensure the uploaded archive file does not contain ./release as top-level file
+      - shell: bash
+        run: |2
+          mkdir ./release
+          cp ${{ steps.gen_release_artifacts.outputs.outs}}/${{ steps.gen_release_artifacts.outputs.version }}.tar.gz ./release/${{ steps.gen_release_artifacts.outputs.version }}.tar.gz
+          cp ${{ steps.gen_release_artifacts.outputs.outs}}/release_notes.md ./release/release_notes.md
+
+      # Upload generated artifacts, so that bazel-contrib/.github workflow release_ruleset can use them
+      - uses: actions/upload-artifact@v4
+        with:
+          name: release
+          path: |2
+            ./release/${{ steps.gen_release_artifacts.outputs.version }}.tar.gz
+            ./release/release_notes.md
+          retention-days: 1
+
+  publish_github:
+    name: "Publish Github release"
+    needs: "prepare"
+    uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@v7.7.0
+    with:
+      draft: false
+      mount_bazel_caches: false
+      prerelease: false
+      release_files: |2
+        ./release/*
+      tag_name: ${{ needs.prepare.outputs.version }}

.github/workflows/release_prep.sh

@@ -0,0 +1,11 @@
+#! /usr/bin/env bash
+set -euo pipefail
+
+# The existance of this file is mandated by
+# the github action used for generation of
+# a github release (and its attestation.)
+# https://github.com/bazel-contrib/.github/blob/1d798ff015ed0696433e01e2c3ccbb2abefadad7/.github/workflows/release_ruleset.yaml
+#
+# It is supposed to output release notes to stdout
+
+cat ./release/release_notes.md

.gitignore

@@ -14,3 +14,4 @@
 /bazel.iml
 .bazelisk*
 bazel-*
+release

CHANGELOG.md

@@ -0,0 +1,4 @@
+# Changelog
+All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines.
+
+- - -

tools/gen_release_artifacts.bash

@@ -0,0 +1,77 @@
+#! /usr/bin/env nix-shell
+#! nix-shell --quiet ../default.nix
+#! nix-shell -i bash
+set -euo pipefail
+
+# On github action runners the $RUNNER_TEMP is
+# not cleaned betweeen job steps, however TMPDIR is.
+OUT_DIR=$(mktemp -d -p ${RUNNER_TEMP:-"/tmp"})
+pushd $(git rev-parse --show-toplevel) >/dev/null
+
+# Get current version
+echo "rules_variant-v$(cog get-version 2>/dev/null)" >${OUT_DIR}/version
+VERSION="$(cat ${OUT_DIR}/version)"
+
+# Generate release notes
+RELEASE_NOTES="${OUT_DIR}/release_notes.md"
+cog changelog --at "${VERSION}" >${RELEASE_NOTES} 2>/dev/null
+
+# Create the tar.gz archive
+# VERSION already contains rules_variant-v prefix!
+ARCHIVE_NAME="${VERSION}.tar.gz"
+
+# https://www.gnu.org/software/tar/manual/html_node/Reproducibility.html
+# ^ Describes why and how we are ensuring archive reproducibility
+function get_commit_time() {
+  TZ=UTC0 git log -1 \
+    --format=tformat:%cd \
+    --date=format:%Y-%m-%dT%H:%M:%SZ \
+    "$@"
+}
+# Each file gets the timestamp of latest commit in the repo
+git ls-files | while read -r file; do
+  commit_time=$(get_commit_time "$file")
+  commit_time=${commit_time:-$(TZ=UTC0 date -r $file "+%Y-%m-%dT%H:%M:%SZ")}
+  touch -md $commit_time "$file"
+done
+
+SOURCE_EPOCH=$(get_commit_time)
+TARFLAGS="
+  --sort=name --format=posix
+  --pax-option=exthdr.name=%d/PaxHeaders/%f
+  --pax-option=delete=atime,delete=ctime
+  --clamp-mtime --mtime=$SOURCE_EPOCH
+  --numeric-owner --owner=0 --group=0
+  --mode=go+u,go-w
+"
+GZIPFLAGS="--no-name --best"
+LC_ALL=C tar $TARFLAGS -c --to-stdout $(git ls-files) |
+  gzip $GZIPFLAGS > "${OUT_DIR}/${ARCHIVE_NAME}"
+
+ARCHIVE_SHA=$(sha256sum "${OUT_DIR}/${ARCHIVE_NAME}" | cut -f 1 -d' ')
+
+# Enrich the release_notes.md with usage example
+cat <<EOF >> ${RELEASE_NOTES}
+## Usage example
+
+### WORKSPACE
+
+Paste this snippet into your \`WORKSPACE.bazel\` file:
+
+\`\`\`starlark
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+http_archive(
+    name = "rules_variant",
+    sha256 = "${ARCHIVE_SHA}",
+    url = "https://github.com/ASML-Labs/rules_variant/releases/download/${VERSION}/${ARCHIVE_NAME}",
+)
+
+load("@rules_variant//variant/workspace:deps.bzl", "rules_variant_deps")
+rules_variant_deps()
+\`\`\`
+EOF
+
+popd >/dev/null
+
+# Inform where to find artifacts
+echo ${OUT_DIR}