Skip to content

Create Draft Release #23

Create Draft Release

Create Draft Release #23

name: Create Draft Release
on:
workflow_dispatch:
inputs:
git_tag:
description: Git Tag To Release From. Last Git Tag Is Used If Omitted
required: false
release_branch:
description: Release Branch Where Recent Bump Occurred
required: true
permissions:
contents: read
defaults:
run:
shell: bash
jobs:
create_release:
permissions:
contents: write
name: Initiate Draft Release
runs-on: ubuntu-20.04
environment: release
outputs:
upload_url: ${{ steps.release_upload_url.outputs.upload_url }}
tag_name: ${{ steps.release_version.outputs.tag_name }}
steps:
- name: Checkout Ockam
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 0
ref: ${{ github.event.inputs.release_branch }}
- name: Import GPG key
uses: build-trust/.github/actions/import_gpg@a6377d3c2dac878b92a0da26cdf3da2856c64840
with:
gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}'
gpg_password: '${{ secrets.GPG_PASSPHRASE }}'
gpg_name: '${{ secrets.GPG_USER_NAME }}'
gpg_email: '${{ secrets.GPG_EMAIL }}'
- name: Get Release Text
id: release_version
env:
GIT_TAG: '${{ github.event.inputs.git_tag }}'
run: |
cargo install tomlq
set -x
source tools/scripts/release/crates-to-publish.sh
# Add Ockam as first crate
ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
name=$(eval "tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml")
text="Ockam $ockam_version"
text="$text
# Homebrew
To install this release using Homebrew:
\`\`\`bash
$ brew install build-trust/ockam/ockam
\`\`\`"
# Install Docker image
text="$text
# Docker
To use the Docker OCI package:
\`\`\`bash
docker pull ghcr.io/build-trust/ockam:$ockam_version
\`\`\`"
text="$text
# Precompiled Binaries
\`\`\`bash
# download sha256sums.txt
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt
# download sha256sums.txt.sig
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt.sig
# download our release public key
curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \\
https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub
# verify signatures
cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt
# download ockam command binary for your architecture
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/ockam.x86_64-unknown-linux-gnu
# verify that the sha256 hash of the downloaded binary is the same as
# the corresponding hash mentioned in sha256sums.txt
cat sha256sums.txt | grep ockam.x86_64-unknown-linux-gnu | sha256sum -c
# rename the download binary and give it permission to execute
mv ockam.x86_64-unknown-linux-gnu ockam
chmod u+x ockam
\`\`\`"
text="$text
# Rust Crates
To use Ockam as a Rust library, run the following command within your project directory:
\`\`\`bash
cargo add ockam@$ockam_version
\`\`\`
The following crates were published as part of this release:
- \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"
for crate in ${updated_crates[@]}; do
version=$(eval "tomlq package.version -f $crate/Cargo.toml")
name=$(eval "tomlq package.name -f $crate/Cargo.toml")
if [[ $name == "ockam" ]]; then
echo "Skipping ockam crate"
continue
fi
text="$text
- \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))";
done
echo "version=$ockam_version" >> $GITHUB_OUTPUT
echo "tag_name=ockam_v$ockam_version" >> $GITHUB_OUTPUT
echo "$text" > release_note.md
cat release_note.md
# Add tag
git tag -s ockam_v$ockam_version -m "Ockam Release"
git push --tags
- name: Create GitHub release
id: release_upload_url
uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_name: 'Ockam v${{ steps.release_version.outputs.version }}'
tag_name: '${{ steps.release_version.outputs.tag_name }}'
body_path: 'release_note.md'
draft: true
- name: Echo Link
run: echo "${{ steps.release_upload_url.outputs.html_url }}"
build_release:
name: Build Binaries
needs: create_release
environment: release
env:
DEVELOPMENT_TEAM: ${{ vars.DEVELOPMENT_TEAM }}
PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_SPECIFIER }}
CODE_SIGN_IDENTITY: ${{ vars.CODE_SIGN_IDENTITY }}
NOTARIZATION_EMAIL: ${{ vars.NOTARIZATION_EMAIL }}
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
permissions:
contents: write
strategy:
fail-fast: false
matrix:
build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86]
include:
- build: linux_arm64
os: ubuntu-20.04
toolchain: stable
target: aarch64-unknown-linux-musl
build_app: false
use-cross-build: true
- build: linux_armv7
os: ubuntu-20.04
toolchain: stable
target: armv7-unknown-linux-musleabihf
use-cross-build: true
build_app: false
- build: linux_86
os: ubuntu-20.04
toolchain: stable
target: x86_64-unknown-linux-musl
use-cross-build: true
build_app: false
- build: linux_86_gnu
os: ubuntu-22.04
toolchain: stable
target: x86_64-unknown-linux-gnu
use-cross-build: false
build_app: true
build_command: false
- build: macos_silicon
os: macos-13
toolchain: stable
target: aarch64-apple-darwin
use-cross-build: false
build_app: true
- build: macos_86
os: macos-13
toolchain: stable
target: x86_64-apple-darwin
use-cross-build: false
build_app: true
runs-on: ${{ matrix.os }}
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
ref: ${{ github.event.inputs.release_branch }}
- name: Echo Link
run: echo "${{ needs.create_release.outputs.upload_url }}"
- name: Apple Signing Initialization
if: ${{ matrix.os == 'macos-13' }}
shell: bash
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
set -ex
# Switch to xcode 15
sudo xcode-select --switch /Applications/Xcode_15.0.app/
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# apply provisioning profile
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
# Add keychain path to env
echo "KEYCHAIN_PATH=${KEYCHAIN_PATH}" >> "$GITHUB_ENV"
- uses: ./.github/actions/build_binaries
with:
use_cross_build: ${{ matrix.use-cross-build }}
toolchain: ${{ matrix.toolchain }}
target: ${{ matrix.target }}
platform_operating_system: ${{ matrix.os }}
build_app: ${{ matrix.build_app }}
- name: Copy Artifacts
run: |
set -x
cp target/${{ matrix.target }}/release/ockam_command ockam.${{ matrix.target }}
echo "ASSET_OCKAM_CLI=ockam.${{ matrix.target }}" >> $GITHUB_ENV
if [ -e "implementations/swift/build/Ockam.dmg" ]; then
cp "implementations/swift/build/Ockam.dmg" "ockam.app.${{ matrix.target }}.dmg"
echo "ASSET_OCKAM_APP_DMG=ockam.app.${{ matrix.target }}.dmg" >> $GITHUB_ENV
fi
ls $GITHUB_WORKSPACE
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.0.0'
- name: Sign Binaries
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: |
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_CLI }}" > "${{ env.ASSET_OCKAM_CLI }}.sig"
if [ -n "${{ env.ASSET_OCKAM_APP_DMG }}" ]; then
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_APP_DMG }}" > "${{ env.ASSET_OCKAM_APP_DMG }}.sig"
fi
- name: Upload CLI release archive
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}
asset_name: ${{ env.ASSET_OCKAM_CLI }}
asset_content_type: application/octet-stream
- name: Upload CLI Signature
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_name: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_content_type: application/octet-stream
- name: Upload MacOS App release
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
if: ${{ env.ASSET_OCKAM_APP_DMG }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}
asset_content_type: application/octet-stream
- name: Upload MacOS App release Signature
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
if: ${{ env.ASSET_OCKAM_APP_DMG }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
asset_content_type: application/octet-stream
build_elixir_nifs:
name: Build Elixir NIFs
needs: create_release
environment: release
permissions:
contents: write
strategy:
fail-fast: false
matrix:
job:
- { target: aarch64-unknown-linux-gnu , os: ubuntu-20.04 , use-cross: true }
- { target: x86_64-unknown-linux-gnu , os: ubuntu-20.04 }
- { target: aarch64-apple-darwin , os: macos-14 }
- { target: x86_64-apple-darwin , os: macos-14 }
runs-on: ${{ matrix.job.os }}
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
ref: ${{ github.event.inputs.release_branch }}
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@78c6b5541adb5849f5d72d15da722aedb26327ca # Stable branch
with:
toolchain: stable
target: ${{ matrix.job.target }}
- name: Install Cross
if: matrix.job.use-cross == true
run: cargo install --version 0.2.4 cross
- name: Build NIFs
run: |
set -ex
if [[ '${{ matrix.job.use-cross }}' == 'true' ]]; then
cross build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release
exit
fi
rustup target add ${{ matrix.job.target }}
cargo build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release
- name: List
run: |
ls target/${{ matrix.job.target }}/release/
- name: Rename Build
run: |
cargo install tomlq
ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
final_name="libockam_rust_elixir_nifs-v${ockam_version}-nif-2.15-${{ matrix.job.target }}.so"
if [[ "${{ matrix.job.target }}" == *"darwin"* ]]; then
cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.dylib "$final_name"
else
cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.so "$final_name"
fi
tar -zcvf "${final_name}.tar.gz" "$final_name"
echo "FILE_NAME=${final_name}.tar.gz" >> $GITHUB_ENV
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.0.0'
- name: Sign NIFs
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: |
cosign sign-blob --yes --key env://PRIVATE_KEY ${{ env.FILE_NAME }} > "${{ env.FILE_NAME }}.sig"
- name: Upload Library
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: "${{ env.FILE_NAME }}"
asset_name: "${{ env.FILE_NAME }}"
asset_content_type: application/octet-stream
- name: Upload Signature
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.FILE_NAME }}.sig
asset_name: ${{ env.FILE_NAME }}.sig
asset_content_type: application/octet-stream
sign_release:
name: Sign All Assets
needs: [build_release, create_release, build_elixir_nifs]
runs-on: ubuntu-20.04
environment: release
permissions:
contents: write
steps:
- name: Fetch All Assets
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release download ${{ needs.create_release.outputs.tag_name }} -R ${{ github.repository_owner }}/ockam
- name: Generate File SHASum
run: shasum -a 256 *ockam* > sha256sums.txt
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.0.0'
- name: Sign Files
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig
- name: Upload SHASum File
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt
asset_name: sha256sums.txt
asset_content_type: application/octet-stream
- name: Upload SHASum Signature File
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt.sig
asset_name: sha256sums.txt.sig
asset_content_type: application/octet-stream