-
Notifications
You must be signed in to change notification settings - Fork 0
236 lines (213 loc) · 8.22 KB
/
release.yml
File metadata and controls
236 lines (213 loc) · 8.22 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
# Release pipeline for deslicer-cli.
# Triggered by semver tags (v*.*.*). Builds five platform targets, signs
# artifacts with cosign keyless (Sigstore OIDC), attaches SLSA provenance,
# publishes a GitHub Release, and moves the floating v1 tag.
name: Release
on:
push:
tags: ['v*.*.*']
permissions:
contents: read
env:
CARGO_TERM_COLOR: always
BINARY_NAME: deslicer
# Opt JS actions into the Node 24 runtime (silences Node 20 deprecation annotations
# for third-party actions we cannot pin ourselves, e.g. slsa-github-generator).
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
build:
name: Build (${{ matrix.target }})
runs-on: ${{ matrix.os }}
env:
DESLICER_GIT_SHA: ${{ github.sha }}
strategy:
fail-fast: false
matrix:
include:
- target: x86_64-unknown-linux-musl
os: ubuntu-latest
archive: tar.gz
cross: false
- target: aarch64-unknown-linux-musl
os: ubuntu-latest
archive: tar.gz
cross: true
- target: x86_64-apple-darwin
os: macos-latest
archive: tar.gz
cross: false
- target: aarch64-apple-darwin
os: macos-latest
archive: tar.gz
cross: false
- target: x86_64-pc-windows-msvc
os: windows-latest
archive: zip
cross: false
steps:
- name: Checkout
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v6
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
- name: Cache cargo
uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
key: release-${{ matrix.target }}
- name: Install Linux musl dependencies
if: matrix.os == 'ubuntu-latest' && !matrix.cross
run: |
sudo apt-get update
sudo apt-get install -y musl-tools
- name: Install cross (aarch64 Linux musl)
if: matrix.cross
run: cargo install cross --locked --version 0.2.5
- name: Add Rust target
run: rustup target add ${{ matrix.target }}
- name: Build release binary
shell: bash
run: |
set -euo pipefail
if [ "${{ matrix.cross }}" = "true" ]; then
cross build --release --target "${{ matrix.target }}"
else
cargo build --release --target "${{ matrix.target }}"
fi
- name: Package archive (Unix)
if: matrix.archive == 'tar.gz'
shell: bash
run: |
set -euo pipefail
TARGET="${{ matrix.target }}"
ARTIFACT="deslicer-${TARGET}.tar.gz"
BIN="target/${TARGET}/release/${{ env.BINARY_NAME }}"
install -d "dist/${TARGET}"
cp "${BIN}" "dist/${TARGET}/${{ env.BINARY_NAME }}"
tar -C "dist/${TARGET}" -czf "${ARTIFACT}" "${{ env.BINARY_NAME }}"
sha256sum "${ARTIFACT}" > "${ARTIFACT}.sha256"
echo "artifact=${ARTIFACT}" >> "$GITHUB_ENV"
- name: Package archive (Windows)
if: matrix.archive == 'zip'
shell: pwsh
run: |
$target = "${{ matrix.target }}"
$artifact = "deslicer-$target.zip"
$bin = "target/$target/release/${{ env.BINARY_NAME }}.exe"
New-Item -ItemType Directory -Force -Path "dist/$target" | Out-Null
Copy-Item $bin "dist/$target/${{ env.BINARY_NAME }}.exe"
Compress-Archive -Path "dist/$target/${{ env.BINARY_NAME }}.exe" -DestinationPath $artifact -Force
$hash = (Get-FileHash $artifact -Algorithm SHA256).Hash.ToLower()
Set-Content -NoNewline -Path "$artifact.sha256" -Value "$hash $artifact"
"artifact=$artifact" | Out-File -FilePath $env:GITHUB_ENV -Append
- name: Upload build artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: deslicer-${{ matrix.target }}
path: |
deslicer-${{ matrix.target }}.*
if-no-files-found: error
hashes:
name: Compute artifact hashes for provenance
needs: build
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- name: Download all build artifacts
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
path: release-assets
merge-multiple: true
- name: Compute base64 subjects
id: hash
shell: bash
run: |
set -euo pipefail
cd release-assets
# Provenance subjects are the distributable archives only
# (exclude .sha256 / .sig / .cert sidecars).
sha256sum deslicer-*.tar.gz deslicer-*.zip > SHA256SUMS
echo "hashes=$(base64 -w0 SHA256SUMS)" >> "$GITHUB_OUTPUT"
publish:
name: Sign, provenance, and release
needs: build
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
actions: read
steps:
- name: Checkout
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v6
with:
fetch-depth: 0
- name: Download all build artifacts
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
path: release-assets
merge-multiple: true
- name: Install cosign
uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
with:
cosign-release: v2.6.3
- name: Sign release artifacts (keyless)
shell: bash
run: |
set -euo pipefail
cd release-assets
shopt -s nullglob
for file in deslicer-*.{tar.gz,zip}; do
echo "Signing ${file}"
cosign sign-blob --yes "${file}" \
--output-signature "${file}.sig" \
--output-certificate "${file}.cert"
done
- name: Create GitHub Release
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
with:
tag_name: ${{ github.ref_name }}
name: ${{ github.ref_name }}
generate_release_notes: true
# Hyphenated semver tags (e.g. v0.1.0-rc.1) are prereleases: this
# keeps them out of "latest" and lets crates/homebrew skip them.
prerelease: ${{ contains(github.ref_name, '-') }}
fail_on_unmatched_files: false
files: |
release-assets/deslicer-*.tar.gz
release-assets/deslicer-*.zip
release-assets/deslicer-*.sha256
release-assets/deslicer-*.sig
release-assets/deslicer-*.cert
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Move floating v1 tag
# Never point the floating v1 tag at a prerelease (rc/beta) build.
if: ${{ !contains(github.ref_name, '-') }}
shell: bash
run: |
set -euo pipefail
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git tag -f v1 "${GITHUB_SHA}"
git push origin refs/tags/v1 --force
provenance:
name: SLSA provenance
# Depends on hashes for the subjects and publish so the release exists
# before the .intoto.jsonl attestation is attached to it.
needs: [hashes, publish]
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
permissions:
actions: read
id-token: write
contents: write
# SECURITY EXCEPTION to the "pin every third-party action to a full commit
# SHA" rule: the slsa-github-generator reusable workflow MUST be referenced
# by a semver tag. At runtime it downloads its builder binary from the
# release that matches its own ref; a 40-char SHA cannot be mapped to a
# release, so the download is skipped and the binary is missing (exit 127).
# The generator self-verifies the downloaded builder against the release,
# which is the project's sanctioned integrity mechanism for this pin.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
with:
base64-subjects: ${{ needs.hashes.outputs.hashes }}
upload-assets: true