ci: ship prebuilt libraries on release #34

Open
Segfaultd wants to merge 2 commits into master from ci/release-artifacts

Segfaultd (Member) commented Jun 18, 2026

What

Adds a new `Release Artifacts` GitHub Actions workflow that builds prebuilt MafiaNet libraries for all supported runtimes whenever a release is published, and attaches a single combined archive to that release.

How

Trigger: `release: [published]` — fires on publishing a `vX.Y.Z` release.

`build` job (matrix, native runners, `fail-fast: false`):

| key | runner | OpenSSL |
|---|---|---|
| `linux-x64` | `ubuntu-latest` | `libssl-dev` (apt) |
| `macos-x64` | `macos-13` | `brew install openssl@3` |
| `macos-arm64` | `macos-14` | `brew install openssl@3` |
| `windows-x64` | `windows-latest` | runner-provided (same as build.yml) |

Each runner configures Release, builds static + shared (CMake defaults), runs `cmake --install` into a staging prefix using the install rules already in `Source/CMakeLists.txt`, and uploads the staged tree.

`package` job (`needs: build`, `contents: write`): downloads all trees, assembles one layout (single shared `include/` + `lib/<runtime>/` with libs and CMake config; Windows `.dll`s folded in from `bin/`), adds a `README.txt` noting the OpenSSL runtime dependency, zips to `mafianet-<version>-all.zip`, and attaches it via `gh release upload --clobber`.

Notes

  • Two native macOS runners instead of a universal build: Homebrew's OpenSSL is thin/single-arch, so a universal binary's off-arch slice would fail to link.
  • Packaging-only — no tests; correctness stays gated by `build.yml` on push/PR.
  • `build.yml` / `docs.yml` untouched.

Summary by CodeRabbit

  • New Features
    • Precompiled MafiaNet libraries are now published automatically for every GitHub Release across Linux, macOS (Intel/ARM), and Windows.
    • Release packages include the consolidated headers and per-platform libraries, along with documentation describing the include/ and lib/<runtime>/ layout and how the libraries link to OpenSSL 3.

Builds prebuilt static + shared libraries for all supported runtimes
(linux-x64, macos-x64, macos-arm64, windows-x64) whenever a release is
published, then attaches a single combined archive (headers + libs per
runtime) to that release via gh release upload.

Uses the existing cmake --install rules; packaging-only (no tests).

coderabbitai Bot commented Jun 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c631f536-ca99-436c-9415-c9cf64c022c9

📥 Commits

Reviewing files that changed from the base of the PR and between bb2fa1e and a4df72a.

📒 Files selected for processing (1)
  • .github/workflows/release-artifacts.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/release-artifacts.yml

Walkthrough

A new GitHub Actions workflow release-artifacts.yml is added. It triggers on published releases, runs a matrix build job across four runtimes (linux-x64, macos-x64, macos-arm64, windows-x64) installing OpenSSL 3 and building via CMake into staged directories, then a packaging job assembles all artifacts into a single versioned zip and uploads it to the release.

Changes

Release Artifacts Workflow

| Layer / File(s) | Summary |
|---|---|
| Matrix build job: trigger, OS config, CMake build, and artifact upload (`.github/workflows/release-artifacts.yml`) | Defines the release: published trigger and a four-runtime matrix; installs OpenSSL 3 via apt/brew per platform; configures CMake with CMAKE_INSTALL_PREFIX pointing at a per-job stage directory (passing explicit OpenSSL root on macOS); builds and installs; uploads the staged tree as a named artifact per runtime. |
| Package job: assemble combined archive and upload to release (`.github/workflows/release-artifacts.yml`) | Downloads all four runtime artifacts into dist/; merges shared headers (from the linux artifact) and per-runtime lib/lib64 and bin contents into a mafianet-<version>/lib/<runtime>/ layout; writes a README.txt documenting the structure and OpenSSL 3 dynamic-linking dependency; zips the result into mafianet-<version>-all.zip; uploads it to the release via gh release upload --clobber. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hop hop, the workflow springs to life,
Four runtimes built without a strife,
OpenSSL installed, CMake configured right,
A single zip emerges — what a delight!
🗜️ Uploaded with --clobber, neat and bright!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'ci: ship prebuilt libraries on release' directly and accurately describes the main change: a new GitHub Actions workflow that automatically builds and distributes prebuilt MafiaNet libraries when releases are published. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-artifacts.yml:
- Around line 10-13: The workflow currently lacks explicit permission scoping
and relies on default token permissions for the build and package jobs. Add a
top-level `permissions` section after the `on` trigger with minimal read-only
permissions (typically `contents: read`). Then, in the `build` job, explicitly
set the same minimal permissions, and in the `package` job, elevate only the
necessary permissions (such as `contents: write` or `packages: write`) required
for that specific job's operations. This ensures each job operates with only the
minimum permissions it needs.
- Around line 10-13: Add a guard condition to enforce the vX.Y.Z tag format
before executing any packaging and upload steps in this workflow. The on.release
trigger currently accepts all published releases, so add a job-level or
step-level condition that validates the release tag matches the semantic
versioning pattern (e.g., using a regular expression check on
github.event.release.tag_name). If the tag does not match the vX.Y.Z format, the
job should fail fast or skip. This validation should be applied to all affected
sections mentioned in the workflow, including the main packaging logic and any
associated upload steps, so that only properly formatted version tags produce
artifacts.
- Around line 25-27: The os field for the macos-x64 matrix entry in the
release-artifacts.yml workflow currently uses the deprecated macos-13 runner
label, which was retired on December 4, 2025 and is no longer available as a
GitHub-hosted runner. Replace the macos-13 value with macos-15-intel to ensure
the macOS x64 build can run successfully.
- Line 33: The actions/checkout action on lines 33, 75, and 90 uses a floating
tag reference `@v4` which introduces supply-chain risk. Replace each occurrence of
uses: actions/checkout@v4 with the full 40-character commit SHA of that version,
optionally including a comment with the version tag for readability (e.g., uses:
actions/checkout@a1b2c3d4e5f6... # v4). This ensures the workflow is pinned to a
specific immutable commit rather than a tag that could be moved or compromised.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ed642412-ecc1-4b28-ac7f-ae5b77ed9c89

📥 Commits

Reviewing files that changed from the base of the PR and between c6653f0 and bb2fa1e.

📒 Files selected for processing (1)
  • .github/workflows/release-artifacts.yml
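
The tag-format guard, the floating `uses:` reference check and the top-level `permissions` check raised in the review above, written as POSIX shell helpers. This is an added example, not code from the PR or from CodeRabbit; the helper names, the sample workflow and the 40-character SHA in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR. Helper names are hypothetical.

# Succeed only for tags shaped vX.Y.Z (the format the PR description names).
is_release_tag() {
    case "$1" in
        *'
'*) return 1 ;;  # reject embedded newlines before the line-based grep
    esac
    printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Read a workflow on stdin and print each `uses:` target that is not pinned
# to a full 40-character commit SHA. Local (./) and docker:// targets are skipped.
unpinned_uses() {
    grep -E '^[[:space:]-]*uses:[[:space:]]' \
        | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]+$//' \
        | grep -Ev '^(\./|docker://)' \
        | grep -Ev '@[0-9a-f]{40}$' || true
}

# Succeed if the workflow on stdin has a top-level `permissions:` key.
has_top_level_permissions() {
    grep -Eq '^permissions:'
}

# Constructed sample workflow; the 40-character SHA is a placeholder.
sample_workflow() {
    cat <<'EOF'
name: Release Artifacts
on:
  release:
    types: [published]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  package:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
      - uses: ./.github/actions/local-step
EOF
}

echo "unpinned:"; sample_workflow | unpinned_uses
sample_workflow | has_top_level_permissions || echo "no top-level permissions"
```

In a workflow step, pass `github.event.release.tag_name` to the script through an environment variable (here assumed to be `TAG`) rather than interpolating it into the `run:` text, then call `is_release_tag "$TAG"` before any packaging or upload command.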

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>