Create Draft Release #23
---
# Manually dispatched release pipeline: tags the release branch, opens a draft
# GitHub release, builds and cosign-signs the CLI / macOS app / Elixir NIF
# assets, and finally attaches a signed sha256sums.txt over everything uploaded.
name: Create Draft Release

on:
  workflow_dispatch:
    inputs:
      # NOTE(review): this input only reaches the jobs as the GIT_TAG environment
      # variable and no step in this file reads it; the release version is taken
      # from implementations/rust/ockam/ockam/Cargo.toml instead.
      git_tag:
        description: Git Tag To Release From. Last Git Tag Is Used If Omitted
        required: false
      # Branch every job checks out; the release tag is created on its HEAD.
      release_branch:
        description: Release Branch Where Recent Bump Occurred
        required: true

# Read-only by default; jobs that push the tag or upload assets request
# contents: write individually.
permissions:
  contents: read

defaults:
  run:
    shell: bash
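jobs:
  # Creates the signed release tag, renders the release note and opens the
  # draft release. Its upload_url / tag_name outputs feed every other job.
  create_release:
    name: Initiate Draft Release
    runs-on: ubuntu-20.04
    environment: release
    permissions:
      contents: write
    outputs:
      upload_url: ${{ steps.release_upload_url.outputs.upload_url }}
      tag_name: ${{ steps.release_version.outputs.tag_name }}
    steps:
      - name: Checkout Ockam
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
        with:
          # Full history and tags, so the new tag is created on a complete clone.
          fetch-depth: 0
          ref: ${{ github.event.inputs.release_branch }}

      - name: Import GPG key
        uses: build-trust/.github/actions/import_gpg@a6377d3c2dac878b92a0da26cdf3da2856c64840
        with:
          gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}'
          gpg_password: '${{ secrets.GPG_PASSPHRASE }}'
          gpg_name: '${{ secrets.GPG_USER_NAME }}'
          gpg_email: '${{ secrets.GPG_EMAIL }}'

      - name: Get Release Text
        id: release_version
        env:
          # NOTE(review): exported but never read by the script below; the version
          # is taken from implementations/rust/ockam/ockam/Cargo.toml.
          GIT_TAG: '${{ github.event.inputs.git_tag }}'
        run: |
          # tomlq is installed unpinned from crates.io; pinning a version here
          # would make release-note generation reproducible.
          cargo install tomlq
          set -x
          # Expected to define the updated_crates list iterated further down.
          source tools/scripts/release/crates-to-publish.sh
          # Add Ockam as first crate
          ockam_version=$(tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml)
          name=$(tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml)
          text="Ockam $ockam_version"
          text="$text
          # Homebrew
          To install this release using Homebrew:
          \`\`\`bash
          $ brew install build-trust/ockam/ockam
          \`\`\`"
          # Install Docker image
          text="$text
          # Docker
          To use the Docker OCI package:
          \`\`\`bash
          docker pull ghcr.io/build-trust/ockam:$ockam_version
          \`\`\`"
          text="$text
          # Precompiled Binaries
          \`\`\`bash
          # download sha256sums.txt
          curl --proto '=https' --tlsv1.2 -sSfL -O \\
          https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt
          # download sha256sums.txt.sig
          curl --proto '=https' --tlsv1.2 -sSfL -O \\
          https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt.sig
          # download our release public key
          curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \\
          https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub
          # verify signatures
          cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt
          # download ockam command binary for your architecture
          curl --proto '=https' --tlsv1.2 -sSfL -O \\
          https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/ockam.x86_64-unknown-linux-gnu
          # verify that the sha256 hash of the downloaded binary is the same as
          # the corresponding hash mentioned in sha256sums.txt (the pattern is
          # anchored so the entry for the .sig file, which was not downloaded,
          # is not checked as well)
          grep 'ockam.x86_64-unknown-linux-gnu$' sha256sums.txt | sha256sum -c
          # rename the download binary and give it permission to execute
          mv ockam.x86_64-unknown-linux-gnu ockam
          chmod u+x ockam
          \`\`\`"
          text="$text
          # Rust Crates
          To use Ockam as a Rust library, run the following command within your project directory:
          \`\`\`bash
          cargo add ockam@$ockam_version
          \`\`\`
          The following crates were published as part of this release:
          - \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \
          [CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"
          # updated_crates is left unquoted on purpose: the sourced script may
          # provide it as a space-separated string rather than an array.
          for crate in ${updated_crates[@]}; do
            version=$(tomlq package.version -f "$crate/Cargo.toml")
            name=$(tomlq package.name -f "$crate/Cargo.toml")
            if [[ $name == "ockam" ]]; then
              echo "Skipping ockam crate"
              continue
            fi
            text="$text
          - \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \
          [CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"
          done
          echo "version=$ockam_version" >> "$GITHUB_OUTPUT"
          echo "tag_name=ockam_v$ockam_version" >> "$GITHUB_OUTPUT"
          echo "$text" > release_note.md
          cat release_note.md
          # Create the signed release tag and push only that tag; `git push
          # --tags` would also publish any other tag present in the clone.
          git tag -s "ockam_v$ockam_version" -m "Ockam Release"
          git push origin "ockam_v$ockam_version"

      # NOTE(review): actions/create-release is archived upstream; `gh release
      # create --draft` is the maintained equivalent.
      - name: Create GitHub release
        id: release_upload_url
        uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          release_name: 'Ockam v${{ steps.release_version.outputs.version }}'
          tag_name: '${{ steps.release_version.outputs.tag_name }}'
          body_path: 'release_note.md'
          draft: true

      - name: Echo Link
        run: echo "${{ steps.release_upload_url.outputs.html_url }}"

  # Builds the CLI (and, on macOS, the app bundle) per target, signs each asset
  # with cosign and attaches asset + signature to the draft release.
  build_release:
    name: Build Binaries
    needs: create_release
    environment: release
    permissions:
      contents: write
    env:
      # Apple signing / notarization identity; only meaningful on macOS runners.
      DEVELOPMENT_TEAM: ${{ vars.DEVELOPMENT_TEAM }}
      PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_SPECIFIER }}
      CODE_SIGN_IDENTITY: ${{ vars.CODE_SIGN_IDENTITY }}
      NOTARIZATION_EMAIL: ${{ vars.NOTARIZATION_EMAIL }}
      NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
    strategy:
      fail-fast: false
      matrix:
        build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86]
        include:
          - build: linux_arm64
            os: ubuntu-20.04
            toolchain: stable
            target: aarch64-unknown-linux-musl
            use-cross-build: true
            build_app: false
          - build: linux_armv7
            os: ubuntu-20.04
            toolchain: stable
            target: armv7-unknown-linux-musleabihf
            use-cross-build: true
            build_app: false
          - build: linux_86
            os: ubuntu-20.04
            toolchain: stable
            target: x86_64-unknown-linux-musl
            use-cross-build: true
            build_app: false
          # NOTE(review): linux_86_gnu is absent from the build list above, so
          # this entry presumably adds a sixth combination rather than extending
          # an existing one; build_command is not read by any step in this file.
          - build: linux_86_gnu
            os: ubuntu-22.04
            toolchain: stable
            target: x86_64-unknown-linux-gnu
            use-cross-build: false
            build_app: true
            build_command: false
          - build: macos_silicon
            os: macos-13
            toolchain: stable
            target: aarch64-apple-darwin
            use-cross-build: false
            build_app: true
          - build: macos_86
            os: macos-13
            toolchain: stable
            target: x86_64-apple-darwin
            use-cross-build: false
            build_app: true
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
        with:
          ref: ${{ github.event.inputs.release_branch }}

      - name: Echo Link
        run: echo "${{ needs.create_release.outputs.upload_url }}"

      - name: Apple Signing Initialization
        if: ${{ matrix.os == 'macos-13' }}
        shell: bash
        env:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
          BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # Deliberately no `set -x`: the keychain and P12 passwords are passed on
          # the security(1) command lines below, and a trace would print those
          # lines, leaving secret redaction to the log masker alone.
          set -e
          # Switch to xcode 15
          sudo xcode-select --switch /Applications/Xcode_15.0.app/
          # create variables
          CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
          PP_PATH="$RUNNER_TEMP/build_pp.provisionprofile"
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          # import certificate and provisioning profile from secrets
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o "$CERTIFICATE_PATH"
          echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o "$PP_PATH"
          # create temporary keychain (auto-locks after 21600 s)
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # import certificate to keychain; -A lets any application use the
          # imported key without an interactive prompt
          security import "$CERTIFICATE_PATH" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security list-keychain -d user -s "$KEYCHAIN_PATH"
          # apply provisioning profile
          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
          cp "$PP_PATH" ~/Library/MobileDevice/Provisioning\ Profiles
          # Add keychain path to env
          echo "KEYCHAIN_PATH=${KEYCHAIN_PATH}" >> "$GITHUB_ENV"

      - uses: ./.github/actions/build_binaries
        with:
          use_cross_build: ${{ matrix.use-cross-build }}
          toolchain: ${{ matrix.toolchain }}
          target: ${{ matrix.target }}
          platform_operating_system: ${{ matrix.os }}
          build_app: ${{ matrix.build_app }}

      - name: Copy Artifacts
        env:
          # Passed through the environment rather than interpolated into the
          # script, so the shell never sees an expanded expression.
          TARGET: ${{ matrix.target }}
        run: |
          set -x
          cp "target/${TARGET}/release/ockam_command" "ockam.${TARGET}"
          echo "ASSET_OCKAM_CLI=ockam.${TARGET}" >> "$GITHUB_ENV"
          # The dmg is presumably only produced when build_app was true.
          if [ -e "implementations/swift/build/Ockam.dmg" ]; then
            cp "implementations/swift/build/Ockam.dmg" "ockam.app.${TARGET}.dmg"
            echo "ASSET_OCKAM_APP_DMG=ockam.app.${TARGET}.dmg" >> "$GITHUB_ENV"
          fi
          ls "$GITHUB_WORKSPACE"

      - name: Install Cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
        with:
          cosign-release: 'v2.0.0'

      - name: Sign Binaries
        env:
          PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
          COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
        run: |
          cosign sign-blob --yes --key env://PRIVATE_KEY "$ASSET_OCKAM_CLI" > "${ASSET_OCKAM_CLI}.sig"
          if [ -n "$ASSET_OCKAM_APP_DMG" ]; then
            cosign sign-blob --yes --key env://PRIVATE_KEY "$ASSET_OCKAM_APP_DMG" > "${ASSET_OCKAM_APP_DMG}.sig"
          fi

      # NOTE(review): actions/upload-release-asset is archived upstream; `gh
      # release upload` is the maintained equivalent (applies to every upload
      # step in this workflow).
      - name: Upload CLI release archive
        uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.upload_url }}
          asset_path: ${{ env.ASSET_OCKAM_CLI }}
          asset_name: ${{ env.ASSET_OCKAM_CLI }}
          asset_content_type: application/octet-stream

      - name: Upload CLI Signature
        uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.upload_url }}
          asset_path: ${{ env.ASSET_OCKAM_CLI }}.sig
          asset_name: ${{ env.ASSET_OCKAM_CLI }}.sig
          asset_content_type: application/octet-stream

      - name: Upload MacOS App release
        uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
        if: ${{ env.ASSET_OCKAM_APP_DMG }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.upload_url }}
          asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}
          asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}
          asset_content_type: application/octet-stream

      - name: Upload MacOS App release Signature
        uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
        if: ${{ env.ASSET_OCKAM_APP_DMG }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.upload_url }}
          asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
          asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
          asset_content_type: application/octet-stream

  # Builds the Rust NIF shared library for Elixir per target, signs the tarball
  # and attaches tarball + signature to the draft release.
  build_elixir_nifs:
    name: Build Elixir NIFs
    needs: create_release
    environment: release
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        job:
          - target: aarch64-unknown-linux-gnu
            os: ubuntu-20.04
            use-cross: true
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-20.04
          - target: aarch64-apple-darwin
            os: macos-14
          - target: x86_64-apple-darwin
            os: macos-14
    runs-on: ${{ matrix.job.os }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
        with:
          ref: ${{ github.event.inputs.release_branch }}

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@78c6b5541adb5849f5d72d15da722aedb26327ca # Stable branch
        with:
          toolchain: stable
          target: ${{ matrix.job.target }}

      - name: Install Cross
        # Entries without a use-cross key evaluate to null here and skip the step.
        if: matrix.job.use-cross == true
        run: cargo install --version 0.2.4 cross

      - name: Build NIFs
        env:
          TARGET: ${{ matrix.job.target }}
          # Empty for matrix entries that do not set use-cross.
          USE_CROSS: ${{ matrix.job.use-cross }}
        run: |
          set -ex
          if [[ "$USE_CROSS" == "true" ]]; then
            cross build --target "$TARGET" -p ockam_rust_elixir_nifs --release
            exit
          fi
          rustup target add "$TARGET"
          cargo build --target "$TARGET" -p ockam_rust_elixir_nifs --release

      - name: List
        env:
          TARGET: ${{ matrix.job.target }}
        run: |
          ls "target/${TARGET}/release/"

      - name: Rename Build
        env:
          TARGET: ${{ matrix.job.target }}
        run: |
          cargo install tomlq
          ockam_version=$(tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml)
          final_name="libockam_rust_elixir_nifs-v${ockam_version}-nif-2.15-${TARGET}.so"
          # The Darwin build yields a .dylib but is published under the same
          # .so file name as the Linux builds.
          if [[ "$TARGET" == *"darwin"* ]]; then
            cp "target/${TARGET}/release/libockam_rust_elixir_nifs.dylib" "$final_name"
          else
            cp "target/${TARGET}/release/libockam_rust_elixir_nifs.so" "$final_name"
          fi
          tar -zcvf "${final_name}.tar.gz" "$final_name"
          echo "FILE_NAME=${final_name}.tar.gz" >> "$GITHUB_ENV"

      - name: Install Cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
        with:
          cosign-release: 'v2.0.0'

      - name: Sign NIFs
        env:
          PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
          COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
        run: |
          cosign sign-blob --yes --key env://PRIVATE_KEY "$FILE_NAME" > "${FILE_NAME}.sig"

      - name: Upload Library
        uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.upload_url }}
          asset_path: "${{ env.FILE_NAME }}"
          asset_name: "${{ env.FILE_NAME }}"
          asset_content_type: application/octet-stream

      - name: Upload Signature
        uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.upload_url }}
          asset_path: ${{ env.FILE_NAME }}.sig
          asset_name: ${{ env.FILE_NAME }}.sig
          asset_content_type: application/octet-stream

  # Downloads every asset attached so far, writes one checksum file over all of
  # them (including the per-asset .sig files) and signs that file.
  sign_release:
    name: Sign All Assets
    needs: [build_release, create_release, build_elixir_nifs]
    runs-on: ubuntu-20.04
    environment: release
    permissions:
      contents: write
    steps:
      - name: Fetch All Assets
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed via the environment so no expression is expanded inside the
          # shell command line.
          TAG_NAME: ${{ needs.create_release.outputs.tag_name }}
          REPO_OWNER: ${{ github.repository_owner }}
        run: gh release download "$TAG_NAME" -R "${REPO_OWNER}/ockam"

      - name: Generate File SHASum
        # Every asset name produced above contains "ockam", so this also covers
        # the NIF tarballs and the per-asset signatures.
        run: shasum -a 256 *ockam* > sha256sums.txt

      - name: Install Cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
        with:
          cosign-release: 'v2.0.0'

      - name: Sign Files
        env:
          PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
          COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
        run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig

      - name: Upload SHASum File
        uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.upload_url }}
          asset_path: sha256sums.txt
          asset_name: sha256sums.txt
          asset_content_type: application/octet-stream

      - name: Upload SHASum Signature File
        uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create_release.outputs.upload_url }}
          asset_path: sha256sums.txt.sig
          asset_name: sha256sums.txt.sig
          asset_content_type: application/octet-stream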