feat: add buf schema registry for proto publishing

dukedorje · dukedorje · commit 15d881521bdc · 2026-01-23T17:04:09.000-07:00
- Add buf.yaml with lint rules and breaking change detection
- Add buf.gen.yaml for multi-language client generation (Go, Python, TS, Java)
- Update CI to lint protos and detect breaking changes on PRs
- Update release workflow to auto-publish schema to buf.build/identikey/recrypt
- Bundle proto definitions in release artifacts
- Ignore gen/ directory for local code generation
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,6 +11,25 @@ env:
   RUSTFLAGS: "-D warnings"
 
 jobs:
+  proto:
+    name: Proto Lint & Breaking
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Buf Setup
+        uses: bufbuild/buf-setup-action@v1
+
+      - name: Buf Lint
+        run: buf lint
+
+      - name: Buf Breaking Change Detection
+        uses: bufbuild/buf-breaking-action@v1
+        with:
+          against: "https://github.com/${{ github.repository }}.git#branch=main"
+        # Only check breaking changes on PRs, not on main pushes
+        if: github.event_name == 'pull_request'
+
   fmt:
     name: Format
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -197,6 +197,10 @@ jobs:
           cp target/${{ matrix.target }}/release/recrypt-server dist/
           cp target/${{ matrix.target }}/release/recrypt dist/
           chmod +x dist/recrypt-server dist/recrypt
+          
+          # Include proto definitions for client generation
+          mkdir -p dist/proto
+          cp crates/recrypt-proto/proto/recrypt.proto dist/proto/
 
           cd dist
           tar -czvf ../recrypt-${{ steps.version.outputs.version }}-${{ matrix.target }}.tar.gz *
@@ -208,6 +212,10 @@ jobs:
           New-Item -ItemType Directory -Path dist -Force | Out-Null
           Copy-Item target/${{ matrix.target }}/release/recrypt-server.exe dist/
           Copy-Item target/${{ matrix.target }}/release/recrypt.exe dist/
+          
+          # Include proto definitions for client generation
+          New-Item -ItemType Directory -Path dist/proto -Force | Out-Null
+          Copy-Item crates/recrypt-proto/proto/recrypt.proto dist/proto/
 
           Compress-Archive -Path dist/* -DestinationPath recrypt-${{ steps.version.outputs.version }}-${{ matrix.target }}.zip
 
@@ -234,10 +242,27 @@ jobs:
             recrypt-${{ steps.version.outputs.version }}-${{ matrix.target }}.${{ matrix.archive_ext }}.sha256
           if-no-files-found: error
 
+  publish-proto:
+    name: Publish Proto to Buf Registry
+    runs-on: ubuntu-latest
+    # Only publish on actual releases, not test builds
+    if: github.event_name != 'workflow_dispatch'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Buf Setup
+        uses: bufbuild/buf-setup-action@v1
+
+      - name: Buf Push
+        uses: bufbuild/buf-push-action@v1
+        with:
+          buf_token: ${{ secrets.BUF_TOKEN }}
+
   release:
     name: Create Release
-    needs: build
-    if: always() && !cancelled()
+    needs: [build]
+    # publish-proto runs in parallel but shouldn't block release
+    if: always() && !cancelled() && needs.build.result != 'failure'
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.gitignore b/.gitignore
@@ -37,3 +37,6 @@ vendor/openfhe-install/
 vendor/liboqs-install/
 # HumanLayer thoughts (local only)
 thoughts/
+
+# Buf generated code (use buf.build registry instead)
+gen/
diff --git a/buf.gen.yaml b/buf.gen.yaml
@@ -0,0 +1,31 @@
+# Buf code generation configuration
+# See: https://buf.build/docs/configuration/v2/buf-gen-yaml
+#
+# Usage: buf generate
+# This generates client code for multiple languages from the proto definitions.
+version: v2
+
+managed:
+  enabled: true
+  override:
+    - file_option: go_package_prefix
+      value: github.com/identikey/recrypt/gen/go
+
+plugins:
+  # Go
+  - remote: buf.build/protocolbuffers/go
+    out: gen/go
+    opt: paths=source_relative
+
+  # Python
+  - remote: buf.build/protocolbuffers/python
+    out: gen/python
+
+  # TypeScript (connect-es for modern TS/JS)
+  - remote: buf.build/connectrpc/es
+    out: gen/ts
+    opt: target=ts
+
+  # Java
+  - remote: buf.build/protocolbuffers/java
+    out: gen/java
diff --git a/buf.yaml b/buf.yaml
@@ -0,0 +1,18 @@
+# Buf configuration for protobuf schema management
+# See: https://buf.build/docs/configuration/v2/buf-yaml
+version: v2
+
+modules:
+  - path: crates/recrypt-proto/proto
+    name: buf.build/identikey/recrypt
+
+lint:
+  use:
+    - STANDARD
+  except:
+    # We use BACKEND_UNKNOWN = 0 intentionally as the unspecified value
+    - ENUM_ZERO_VALUE_SUFFIX
+
+breaking:
+  use:
+    - FILE
