Publishing from CI
Once a package is real, you'll want releases to be automatic: tag a version and let CI publish it. It's the same flock publish you ran by hand — the token just comes from a CI secret instead of ~/.kestrel/credentials.
1. Add the token as a secret
Mint a token on the account page. A dedicated CI token is good practice — you can revoke it independently of the one on your laptop. Add it to your repository as an encrypted secret named FLOCK_TOKEN (on GitHub: Settings → Secrets and variables → Actions).
2. Keep your org in the manifest
CI has no FLOCK_ORG unless you set one, so the package's org should live in flock.toml — where it belongs anyway:
[package]
name = "palette"
version = "0.2.0"
org = "your-name"
3. The workflow
A GitHub Actions workflow that publishes whenever you push a v* tag:
name: Publish
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Kestrel
        run: |
          curl -fsSL https://kestrel-lang.com/install | sh
          echo "$HOME/.jessup/bin" >> "$GITHUB_PATH"
      - name: Publish
        env:
          FLOCK_TOKEN: ${{ secrets.FLOCK_TOKEN }}
        run: flock publish
The install step drops jessup (and flock) into ~/.jessup/bin and adds it to the job's PATH. flock publish then reads FLOCK_TOKEN from the environment and the org/version from flock.toml.
4. Cut a release
Bump version in flock.toml, commit, then tag and push:
git tag v0.2.0
git push origin v0.2.0
The workflow runs and publishes 0.2.0. Since versions are immutable, keep your tag and your manifest version in sync — each release is one new version, and the registry rejects any attempt to re-publish one that already exists.
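The tag/manifest sync described above can be enforced in the job itself, in a step that runs before flock publish. This is an added example, not part of the original page or the flock project: the function names and the line-based reading of flock.toml are assumptions, and GITHUB_REF_NAME is the tag name GitHub Actions sets for the run.

```shell
#!/bin/sh
# Added example: stop the job before `flock publish` if tag and manifest disagree.

# Print the `version` value from the [package] table of a flock.toml file.
# Assumption: a minimal line-based reader; `version = "x.y.z"` sits on one line.
manifest_version() {
    awk '
        /^[ \t]*\[/ { in_pkg = ($0 ~ /^[ \t]*\[package\][ \t]*(#.*)?$/); next }
        in_pkg && /^[ \t]*version[ \t]*=/ {
            if (match($0, /"[^"]*"/)) { print substr($0, RSTART + 1, RLENGTH - 2); exit }
        }
    ' "$1"
}

# Return 0 only if tag $1 (e.g. v0.2.0) equals "v" + the version in manifest $2.
# Returns 1 on a mismatch, 2 if the tag or the manifest cannot be interpreted.
check_release_tag() {
    tag=$1
    manifest=${2:-flock.toml}
    version=$(manifest_version "$manifest")
    if [ -z "$version" ]; then
        echo "error: no [package] version found in $manifest" >&2
        return 2
    fi
    case $tag in
        v*) ;;
        *) echo "error: '$tag' is not a v* tag" >&2; return 2 ;;
    esac
    if [ "${tag#v}" != "$version" ]; then
        echo "error: tag $tag does not match manifest version $version" >&2
        return 1
    fi
    echo "ok: tag $tag matches $manifest version $version"
}

# Constructed demo input: the manifest from step 2 plus an unrelated table.
demo=$(mktemp -d)
printf '[package]\nname = "palette"\nversion = "0.2.0"\norg = "your-name"\n\n[dependencies]\nversion = "9.9.9"\n' > "$demo/flock.toml"
check_release_tag v0.2.0 "$demo/flock.toml"
check_release_tag v0.3.0 "$demo/flock.toml" || echo "publish would be blocked (exit $?)"
rm -rf "$demo"

# In the workflow, as a step before Publish:
#   check_release_tag "$GITHUB_REF_NAME" flock.toml
```

Because the guard exits non-zero on a mismatch, the job stops before FLOCK_TOKEN is ever exposed to a publish that the registry would reject or that would ship under the wrong version.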