New `.github/workflows/cog-ha-matter-release.yml`:
* Triggers on `cog-ha-matter-v*` tag-push + manual dispatch
* Three jobs: build-x86_64, build-arm, publish-gcs
* x86_64: native ubuntu-latest cargo build
* arm: aarch64-unknown-linux-gnu via apt-installed gcc-aarch64-linux-gnu
linker (no `cross` dep needed — keeps workflow self-contained)
* Each build job runs make build-{arch} + make sign-{arch} +
gated Ed25519 sign step (skipped when COGNITUM_OWNER_SIGNING_KEY
secret is unset — workflow still produces unsigned artifacts so
we get build coverage now and signing later without re-merging)
* publish-gcs job gated on `vars.HAS_GCP_CREDENTIALS == 'true'`
so the workflow is safe to merge before credentials land —
no-op until the org admin sets the variable
* Uploads binary + sha256 + (optional) sig to
`gs://cognitum-apps/cogs/{arch}/cog-ha-matter-{arch}`
* Prints the app-registry.json snippet for the cognitum-one PR
(so the publish step's output is the exact JSON the user pastes)
Fixed a bug inherited from cog-pose-estimation's Makefile: the
precedent produces `dist/cog-cog-pose-estimation-arm` (double
`cog-` prefix because CRATE name already starts with `cog-`) but
the manifest URL has single prefix `cog-pose-estimation-arm`. The
upload path doesn't match the binary_url — a latent bug in the
pose cog's pipeline.
My copy now produces `dist/cog-ha-matter-arm` matching the
manifest URL `cog-ha-matter-{{ARCH}}`. Changed: Makefile (build /
sign / upload / verify / clean targets), workflow (artifact names
+ gsutil paths), README (local dry-run instructions). The
cog-pose-estimation precedent is unchanged — separate fix if/when
the user wants to align it.
What this iter does NOT do (P8 remaining):
* provision GCP_CREDENTIALS / COGNITUM_OWNER_SIGNING_KEY secrets
(user action — needs org admin access)
* actually run the workflow (needs a `cog-ha-matter-v0.1.0` tag
push, or workflow_dispatch from the Actions tab)
* append to app-registry.json in cognitum-one (separate repo PR)
Next iter: tag a v0.0.1-dev (so the workflow runs once + we see
any build-time errors on real CI runners) OR scaffold the
app-registry.json patch payload as a check-in doc.
Co-Authored-By: claude-flow <ruv@ruv.net>
|
||
|---|---|---|
| .. | ||
| Makefile | ||
| README.md | ||
| manifest.template.json | ||
README.md
HA-Matter Cog Packaging
Build / sign / upload pipeline for cog-ha-matter, mirroring the
cog-pose-estimation precedent so the
Seed runtime treats both cogs identically.
See ADR-100 — Cog Packaging Specification and ADR-116 — HA-Matter Seed Cog.
What this cog does
Wraps the ADR-115 HA-DISCO + HA-MIND MQTT publisher as a Seed-installable artifact with:
- mDNS auto-discovery (
_ruview-ha._tcp) - Ed25519-signed witness chain for tamper-evident audit logs
- Privacy-mode flag (only semantic primitives, no biometrics)
- One-flag deferral to v0.7 for the embedded broker / v0.8 for the Matter Bridge
Layout
| File | Purpose |
|---|---|
manifest.template.json |
Build-time manifest with {{VERSION}} / {{ARCH}} slots; make manifest substitutes them |
Makefile |
build / sign / upload / release / verify / clean targets |
dist/ |
Created by make build; gitignored, holds release binaries + sha256 + sig |
Local build (dry-run)
cd v2/crates/cog-ha-matter/cog
make build # builds aarch64 + x86_64 release binaries
make sign # writes .sha256 + (TODO) .sig sidecars
make manifest # prints the manifest the Seed would record
make sign is currently a no-op for the signature itself — the
COGNITUM_OWNER_SIGNING_KEY provisioning is the same TODO that
blocks cog-pose-estimation.
Until then, dev cogs ship unsigned and app-registry.json lists
them with "binary_signature": "".
Upload (requires gcloud auth)
gcloud auth login
make upload # gsutil cp dist/* gs://cognitum-apps/cogs/{arch}/
The GCS bucket is shared with cog-pose-estimation and is part of
the cognitum-apps project. Write access requires membership in the
cog-publishers IAM group.
app-registry.json
Lives in the cognitum-one
repo, not here. After make upload succeeds, file a PR there
that appends:
{
"id": "ha-matter",
"version": "<the version make manifest printed>",
"binary_url": "https://storage.googleapis.com/cognitum-apps/cogs/{arch}/cog-ha-matter-{arch}",
"binary_sha256": "<from dist/cog-ha-matter-{arch}.sha256>",
"binary_signature": "<from dist/cog-ha-matter-{arch}.sig — empty until signing is wired>",
"description": "Home Assistant + Matter Cognitum Seed cog (mDNS + witness chain)",
"min_seed_version": "0.6.0",
"installable_on": ["arm", "x86_64"]
}