wifi-densepose/v2/crates/cog-ha-matter/cog
ruv 3833929dcb cog-ha-matter (ADR-116 P8): CI release workflow + fix inherited filename bug
New `.github/workflows/cog-ha-matter-release.yml`:

  * Triggers on `cog-ha-matter-v*` tag-push + manual dispatch
  * Three jobs: build-x86_64, build-arm, publish-gcs
  * x86_64: native ubuntu-latest cargo build
  * arm: aarch64-unknown-linux-gnu via apt-installed gcc-aarch64-linux-gnu
    linker (no `cross` dep needed — keeps workflow self-contained)
  * Each build job runs make build-{arch} + make sign-{arch} +
    gated Ed25519 sign step (skipped when COGNITUM_OWNER_SIGNING_KEY
    secret is unset — workflow still produces unsigned artifacts so
    we get build coverage now and signing later without re-merging)
  * publish-gcs job gated on `vars.HAS_GCP_CREDENTIALS == 'true'`
    so the workflow is safe to merge before credentials land —
    no-op until the org admin sets the variable
  * Uploads binary + sha256 + (optional) sig to
    `gs://cognitum-apps/cogs/{arch}/cog-ha-matter-{arch}`
  * Prints the app-registry.json snippet for the cognitum-one PR
    (so the publish step's output is the exact JSON the user pastes)

Fixed a bug inherited from cog-pose-estimation's Makefile: the
precedent produces `dist/cog-cog-pose-estimation-arm` (double
`cog-` prefix because CRATE name already starts with `cog-`) but
the manifest URL has single prefix `cog-pose-estimation-arm`. The
upload path doesn't match the binary_url — a latent bug in the
pose cog's pipeline.

My copy now produces `dist/cog-ha-matter-arm` matching the
manifest URL `cog-ha-matter-{{ARCH}}`. Changed: Makefile (build /
sign / upload / verify / clean targets), workflow (artifact names
+ gsutil paths), README (local dry-run instructions). The
cog-pose-estimation precedent is unchanged — separate fix if/when
the user wants to align it.

What this iter does NOT do (P8 remaining):
  * provision GCP_CREDENTIALS / COGNITUM_OWNER_SIGNING_KEY secrets
    (user action — needs org admin access)
  * actually run the workflow (needs a `cog-ha-matter-v0.1.0` tag
    push, or workflow_dispatch from the Actions tab)
  * append to app-registry.json in cognitum-one (separate repo PR)

Next iter: tag a v0.0.1-dev (so the workflow runs once + we see
any build-time errors on real CI runners) OR scaffold the
app-registry.json patch payload as a check-in doc.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-05-23 23:05:54 -04:00
..
Makefile cog-ha-matter (ADR-116 P8): CI release workflow + fix inherited filename bug 2026-05-23 23:05:54 -04:00
README.md cog-ha-matter (ADR-116 P8): CI release workflow + fix inherited filename bug 2026-05-23 23:05:54 -04:00
manifest.template.json cog-ha-matter (ADR-116 P8): scaffold cog/ publishing layout 2026-05-23 22:55:44 -04:00

README.md

HA-Matter Cog Packaging

Build / sign / upload pipeline for cog-ha-matter, mirroring the cog-pose-estimation precedent so the Seed runtime treats both cogs identically.

See ADR-100 — Cog Packaging Specification and ADR-116 — HA-Matter Seed Cog.

What this cog does

Wraps the ADR-115 HA-DISCO + HA-MIND MQTT publisher as a Seed-installable artifact with:

  • mDNS auto-discovery (_ruview-ha._tcp)
  • Ed25519-signed witness chain for tamper-evident audit logs
  • Privacy-mode flag (only semantic primitives, no biometrics)
  • One-flag deferral to v0.7 for the embedded broker / v0.8 for the Matter Bridge

Layout

File Purpose
manifest.template.json Build-time manifest with {{VERSION}} / {{ARCH}} slots; make manifest substitutes them
Makefile build / sign / upload / release / verify / clean targets
dist/ Created by make build; gitignored, holds release binaries + sha256 + sig

Local build (dry-run)

cd v2/crates/cog-ha-matter/cog
make build          # builds aarch64 + x86_64 release binaries
make sign           # writes .sha256 + (TODO) .sig sidecars
make manifest       # prints the manifest the Seed would record

make sign is currently a no-op for the signature itself — the COGNITUM_OWNER_SIGNING_KEY provisioning is the same TODO that blocks cog-pose-estimation. Until then, dev cogs ship unsigned and app-registry.json lists them with "binary_signature": "".

Upload (requires gcloud auth)

gcloud auth login
make upload         # gsutil cp dist/* gs://cognitum-apps/cogs/{arch}/

The GCS bucket is shared with cog-pose-estimation and is part of the cognitum-apps project. Write access requires membership in the cog-publishers IAM group.

app-registry.json

Lives in the cognitum-one repo, not here. After make upload succeeds, file a PR there that appends:

{
  "id": "ha-matter",
  "version": "<the version make manifest printed>",
  "binary_url": "https://storage.googleapis.com/cognitum-apps/cogs/{arch}/cog-ha-matter-{arch}",
  "binary_sha256": "<from dist/cog-ha-matter-{arch}.sha256>",
  "binary_signature": "<from dist/cog-ha-matter-{arch}.sig — empty until signing is wired>",
  "description": "Home Assistant + Matter Cognitum Seed cog (mDNS + witness chain)",
  "min_seed_version": "0.6.0",
  "installable_on": ["arm", "x86_64"]
}