release.yml
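name: Release

# Tag-driven release workflow.
# On push of a v*.*.* tag, build a release tarball, sign it with
# SLSA build provenance via Sigstore, and attach both to a new
# GitHub release. Homebrew formulae and other downstream consumers
# can verify provenance with `gh attestation verify`.
#
# Trust notes for maintainers:
# - Anyone who can push a matching tag can trigger this workflow with
#   the write permissions below, so tag creation should be restricted
#   (for example with a tag protection rule or ruleset).
# - NOTE(review): `uses:` refs such as @v4 / @v1 are mutable tags;
#   pinning each action to a full commit SHA is the usual hardening
#   for a job that holds `id-token: write` and `contents: write`.

on:
  push:
    tags:
      # Glob, not a strict version pattern: `*` also matches letters and
      # punctuation, which is why the version is validated below.
      - 'v*.*.*'

permissions:
  contents: write  # create the GitHub release
  attestations: write  # write the provenance attestation
  id-token: write  # required by Sigstore for OIDC

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No later step uses git over the network (the release is
          # created through `gh` with GH_TOKEN), so do not leave the
          # token in the checked-out repository's git config.
          persist-credentials: false

      - name: Resolve version
        id: version
        run: |
          version="${GITHUB_REF#refs/tags/v}"
          # The tag name is chosen by whoever pushed it. Accept only a
          # conservative character set before the value is used in file
          # names and command arguments by the later steps.
          if ! [[ "${version}" =~ ^[0-9A-Za-z._+-]+$ ]]; then
            echo "::error::unexpected characters in release tag: ${GITHUB_REF}"
            exit 1
          fi
          echo "version=${version}" >> "$GITHUB_OUTPUT"

      - name: Build release tarball
        env:
          # Passed through the environment rather than expanded with
          # ${{ }} inside the script: an expression in `run:` is pasted
          # into the shell source before bash parses it, whereas an
          # environment variable is only ever treated as data.
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          STAGE="mxkey-${VERSION}"
          mkdir -p "${STAGE}"
          # Copy the user-facing surface only — exclude dev/CI noise.
          cp -R \
            mxkey \
            install.sh \
            SKILL.md \
            LICENSE \
            README.md \
            references \
            assets \
            "${STAGE}/"
          tar -czf "${STAGE}.tar.gz" "${STAGE}"
          # The checksum file is published next to the tarball and is not
          # itself a subject of the attestation below, so it only helps
          # detect a corrupted download; authenticity comes from the
          # provenance attestation.
          shasum -a 256 "${STAGE}.tar.gz" > "${STAGE}.tar.gz.sha256"
          cat "${STAGE}.tar.gz.sha256"

      - name: Generate SLSA provenance attestation
        uses: actions/attest-build-provenance@v1
        with:
          # `with:` inputs are not shell source, so the expression is
          # safe to expand here.
          subject-path: 'mxkey-${{ steps.version.outputs.version }}.tar.gz'

      - name: Create GitHub release
        env:
          GH_TOKEN: ${{ github.token }}
          # Same reasoning as in the build step: keep the tag-derived
          # value out of the script text.
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          gh release create "v${VERSION}" \
            --title "v${VERSION}" \
            --generate-notes \
            "mxkey-${VERSION}.tar.gz" \
            "mxkey-${VERSION}.tar.gz.sha256"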