chore: Release #124
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| push: | |
| # Releases are tags named 'v<version>', and must have the "major.minor.micro", for example: "0.1.0". | |
| # Release candidates are tagged as `v<version>-rc<num>`, for example: "0.1.0-rc1". | |
| tags: | |
| - "v*" | |
| permissions: | |
| contents: write # for creating a release | |
| id-token: write # for attestations | |
| attestations: write # for attestations | |
| jobs: | |
| init: | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| version: ${{steps.version.outputs.version}} | |
| prerelease: ${{steps.state.outputs.prerelease}} | |
| steps: | |
| - name: Evaluate state | |
| id: state | |
| env: | |
| HEAD_REF: ${{github.head_ref}} | |
| run: | | |
| test -z "${HEAD_REF}" && (echo 'do-publish=true' >> $GITHUB_OUTPUT) | |
| if [[ "${{ github.event.ref }}" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo release=true >> $GITHUB_OUTPUT | |
| elif [[ "${{ github.event.ref }}" =~ ^refs/tags/v.*$ ]]; then | |
| echo prerelease=true >> $GITHUB_OUTPUT | |
| fi | |
| - name: Set version | |
| id: version | |
| run: | | |
| VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') | |
| [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') | |
| [ "$VERSION" == "main" ] && VERSION=latest | |
| echo "Version: $VERSION" | |
| echo "version=$VERSION" >> $GITHUB_OUTPUT | |
| # check that our CI would pass | |
| ci: | |
| uses: ./.github/workflows/ci.yaml | |
| # now do the actual (release) builds | |
| build: | |
| needs: | |
| - init | |
| - ci | |
| strategy: | |
| matrix: | |
| target: | |
| - aarch64-unknown-linux-gnu | |
| - x86_64-unknown-linux-gnu | |
| - aarch64-unknown-linux-musl | |
| - x86_64-unknown-linux-musl | |
| - x86_64-apple-darwin | |
| - aarch64-apple-darwin | |
| - x86_64-pc-windows-msvc | |
| include: | |
| - target: aarch64-unknown-linux-gnu | |
| os: ubuntu-22.04 | |
| cross: "true" | |
| args: --features vendored,crypto-openssl,walker-common/bzip2-rs,walker-common/liblzma,csaf --no-default-features | |
| - target: x86_64-unknown-linux-gnu | |
| os: ubuntu-22.04 | |
| install: sudo apt install clang llvm pkg-config nettle-dev | |
| args: --features crypto-openssl,walker-common/bzip2-rs,walker-common/liblzma,csaf --no-default-features | |
| - target: aarch64-unknown-linux-musl | |
| os: ubuntu-22.04 | |
| cross: "true" | |
| args: --features vendored,crypto-openssl,walker-common/bzip2-rs,walker-common/liblzma,csaf --no-default-features | |
| - target: x86_64-unknown-linux-musl | |
| os: ubuntu-22.04 | |
| install: sudo apt install clang llvm pkg-config libssl-dev nettle-dev musl-tools | |
| args: --features vendored,crypto-openssl,walker-common/bzip2-rs,walker-common/liblzma,csaf --no-default-features | |
| - target: x86_64-apple-darwin | |
| os: macos-12 | |
| args: --features vendored,crypto-openssl,walker-common/bzip2-rs,walker-common/liblzma,csaf --no-default-features | |
| - target: aarch64-apple-darwin | |
| os: macos-12 | |
| xcode: "true" | |
| args: --features vendored,crypto-openssl,walker-common/bzip2-rs,walker-common/liblzma,csaf --no-default-features | |
| - target: x86_64-pc-windows-msvc | |
| os: windows-2022 | |
| exe: ".exe" | |
| #args: --features crypto-openssl,walker-common/bzip2-rs,csaf --no-default-features | |
| args: --features crypto-cng,walker-common/bzip2-rs,walker-common/liblzma,csaf --no-default-features | |
| install: | | |
| echo "VCPKG_ROOT=$env:VCPKG_INSTALLATION_ROOT" | Out-File -FilePath $env:GITHUB_ENV -Append | |
| vcpkg install openssl:x64-windows-static-md | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/git/db/ | |
| target/ | |
| key: ${{ matrix.target }}-cargo-release-${{ hashFiles('**/Cargo.toml') }} | |
| - run: rustup target add ${{ matrix.target }} | |
| if: matrix.target != '' | |
| - name: Install dependencies | |
| run: ${{ matrix.install }} | |
| if: matrix.install != '' | |
| - name: Setup cargo-binstall (Linux) | |
| if: runner.os != 'Windows' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash | |
| - name: Setup cargo-binstall (Windows) | |
| if: runner.os == 'Windows' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| Set-ExecutionPolicy Unrestricted -Scope Process; iex (iwr "https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.ps1").Content | |
| - name: Prepare cross | |
| if: matrix.cross == 'true' | |
| shell: bash | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| cargo binstall cross -y | |
| - name: Install cargo-cyclonedx | |
| shell: bash | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| cargo binstall -y cargo-cyclonedx | |
| - name: Build | |
| shell: bash | |
| run: | | |
| if [[ "${{ matrix.xcode }}" == "true" ]]; then | |
| export SDKROOT=$(xcrun -sdk macosx --show-sdk-path) | |
| export MACOSX_DEPLOYMENT_TARGET=$(xcrun -sdk macosx --show-sdk-platform-version) | |
| fi | |
| OPTS="--release" | |
| if [[ -n "${{ matrix.target }}" ]]; then | |
| OPTS="$OPTS --target=${{ matrix.target }}" | |
| fi | |
| OPTS="$OPTS ${{ matrix.args }}" | |
| CMD="cargo" | |
| if [[ -n "${{ matrix.cross }}" ]]; then | |
| CMD="cross" | |
| fi | |
| env NETTLE_STATIC=yes ${CMD} build ${OPTS} | |
| - name: Create upload directory | |
| run: | | |
| mkdir -p upload | |
| - name: Create SBOM | |
| shell: bash | |
| run: | | |
| cargo cyclonedx -v --spec-version 1.5 --format json --describe binaries --target "${{ matrix.target }}" | |
| mv csaf/csaf-cli/csaf_bin.cdx.json "upload/csaf-${{ matrix.target }}.cdx.json" | |
| mv sbom/sbom-cli/sbom_bin.cdx.json "upload/sbom-${{ matrix.target }}.cdx.json" | |
| - name: List output | |
| shell: bash | |
| run: | | |
| ls -l target/ | |
| - name: Copy binary | |
| shell: bash | |
| run: | | |
| # if we have an alternate target, there is a sub-directory | |
| if [[ -f "target/release/csaf${{ matrix.exe }}" ]]; then | |
| SRC_CSAF="target/release/csaf${{ matrix.exe }}" | |
| SRC_SBOM="target/release/sbom${{ matrix.exe }}" | |
| elif [[ -f "target/${{ matrix.target }}/release/csaf${{ matrix.exe }}" ]]; then | |
| SRC_CSAF="target/${{ matrix.target }}/release/csaf${{ matrix.exe }}" | |
| SRC_SBOM="target/${{ matrix.target }}/release/sbom${{ matrix.exe }}" | |
| else | |
| echo "Unable to find output" | |
| false # stop build | |
| fi | |
| # for upload | |
| cp -pv "${SRC_CSAF}" upload/csaf-${{ matrix.target }}${{ matrix.exe }} | |
| cp -pv "${SRC_SBOM}" upload/sbom-${{ matrix.target }}${{ matrix.exe }} | |
| - name: Upload binary (csaf) | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: csaf-${{ matrix.target }} | |
| path: | | |
| upload/csaf-${{ matrix.target }}${{ matrix.exe }} | |
| upload/csaf-${{ matrix.target }}.cdx.json | |
| if-no-files-found: error | |
| - name: Upload binary (sbom) | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom-${{ matrix.target }} | |
| path: | | |
| upload/sbom-${{ matrix.target }}${{ matrix.exe }} | |
| upload/sbom-${{ matrix.target }}.cdx.json | |
| if-no-files-found: error | |
| containers: | |
| needs: [ init, build ] | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| packages: write # for publishing containers | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to ghcr.io | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ghcr.io/ctron/csaf-walker | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=sha | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: ~/download | |
| - name: Move files | |
| run: | | |
| mv ~/download . | |
| - name: Build and push | |
| uses: docker/build-push-action@v5 | |
| with: | |
| push: true | |
| file: Containerfile | |
| context: . | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| publish: | |
| needs: [ init, containers ] | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install convco | |
| run: | | |
| curl -sLO https://github.com/convco/convco/releases/download/v0.5.1/convco-ubuntu.zip | |
| unzip convco-ubuntu.zip | |
| chmod a+x convco | |
| sudo mv convco /usr/local/bin | |
| - name: Generate changelog | |
| run: | | |
| convco changelog -s --max-majors=1 --max-minors=1 --max-patches=1 -n > /tmp/changelog.md | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: ~/download | |
| - name: Display downloaded content | |
| run: ls -R ~/download | |
| - name: Stage release | |
| run: | | |
| mkdir -p staging | |
| cp -pv ~/download/*/csaf-* staging/ | |
| cp -pv ~/download/*/sbom-* staging/ | |
| - uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: 'staging/*' | |
| - name: Display staging area | |
| run: ls -R staging | |
| - name: Create Release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TAG: v${{ needs.init.outputs.version }} | |
| run: | | |
| OPTS="" | |
| if [[ "${{ needs.init.outputs.prerelease }}" == "true" ]]; then | |
| OPTS="${OPTS} -p" | |
| fi | |
| gh release create ${OPTS} --title "${{ needs.init.outputs.version }}" -F /tmp/changelog.md ${TAG} \ | |
| $(find staging -type f) |