Draft Release #59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Draft Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: 'Release tag (e.g. v1.2.3)' | |
| required: true | |
| type: string | |
| permissions: | |
| contents: read | |
| packages: read | |
| id-token: none | |
| actions: read | |
| attestations: read | |
| checks: read | |
| deployments: read | |
| issues: read | |
| discussions: read | |
| pull-requests: read | |
| repository-projects: read | |
| security-events: read | |
| statuses: read | |
| models: read | |
| # Job-level permissions grant write scopes only where required. | |
| concurrency: | |
| group: release-${{ inputs.tag }} | |
| cancel-in-progress: false | |
| jobs: | |
| resolve-tag: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| outputs: | |
| commit: ${{ steps.resolve.outputs.commit }} | |
| steps: | |
| - name: Checkout main | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: main | |
| fetch-depth: 0 | |
| - name: Resolve tag to commit | |
| id: resolve | |
| run: | | |
| git cat-file -e "refs/tags/${{ inputs.tag }}" 2>/dev/null || { | |
| echo "❌ Tag ${{ inputs.tag }} does not exist" | |
| exit 1 | |
| } | |
| COMMIT=$(git rev-parse "refs/tags/${{ inputs.tag }}^{}") | |
| echo "commit=$COMMIT" >> $GITHUB_OUTPUT | |
| echo "Resolved tag ${{ inputs.tag }} to commit $COMMIT" | |
| # Determines whether this tag should update :latest on GHCR. | |
| # Runs once; the Docker job consumes its output via matrix. | |
| determine-latest: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 2 | |
| outputs: | |
| value: ${{ steps.is_latest.outputs.value }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Check is-latest | |
| id: is_latest | |
| run: | | |
| VALUE=$(python .github/workflows/release/release.py is-latest "${{ inputs.tag }}") | |
| echo "value=$VALUE" >> $GITHUB_OUTPUT | |
| # Builds the x64 and arm64 binaries for Linux via the Docker builder | |
| build-binaries-linux: | |
| needs: [resolve-tag] | |
| timeout-minutes: 60 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| target: | |
| - amd64 | |
| - arm64 | |
| name: | |
| - commit-boost | |
| include: | |
| - target: amd64 | |
| package-suffix: x86-64 | |
| - target: arm64 | |
| package-suffix: arm64 | |
| - name: commit-boost | |
| target-crate: commit-boost | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ needs.resolve-tag.outputs.commit }} | |
| fetch-depth: 0 | |
| submodules: true | |
| - name: Log commit hash | |
| run: | | |
| echo "Releasing commit: $(git rev-parse HEAD)" | |
| - name: Set lowercase owner | |
| run: echo "OWNER=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build binary (Linux) | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: false | |
| platforms: linux/${{ matrix.target }} | |
| file: provisioning/build.Dockerfile | |
| outputs: type=local,dest=build/linux_${{ matrix.target }} | |
| build-args: | | |
| TARGET_CRATE=${{ matrix.name }} | |
| - name: Package binary (Linux) | |
| run: | | |
| cd build/linux_${{ matrix.target }} | |
| tar -czvf ${{ matrix.name }}-${{ inputs.tag }}-linux_${{ matrix.package-suffix }}.tar.gz ${{ matrix.name }} | |
| mv ${{ matrix.name }}-${{ inputs.tag }}-linux_${{ matrix.package-suffix }}.tar.gz ../../ | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.name }}-${{ inputs.tag }}-linux_${{ matrix.package-suffix }} | |
| path: | | |
| ${{ matrix.name }}-${{ inputs.tag }}-linux_${{ matrix.package-suffix }}.tar.gz | |
| # Builds the arm64 binary for Darwin natively | |
| build-binaries-darwin: | |
| needs: [resolve-tag] | |
| timeout-minutes: 60 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| target: | |
| # x64 requires macos-latest-large which is not available in the free tier | |
| # - x86_64-apple-darwin | |
| - aarch64-apple-darwin | |
| name: | |
| - commit-boost | |
| include: | |
| # - target: x86_64-apple-darwin | |
| # os: macos-latest-large | |
| # package-suffix: x86-64 | |
| - target: aarch64-apple-darwin | |
| os: macos-latest | |
| package-suffix: arm64 | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ needs.resolve-tag.outputs.commit }} | |
| fetch-depth: 0 | |
| submodules: true | |
| - name: Log commit hash | |
| run: | | |
| echo "Releasing commit: $(git rev-parse HEAD)" | |
| - name: Install Protoc | |
| run: | |
| # Brew's version is much more up to date than the Linux ones, and installing the latest via script runs into curl issues so for now, brew's easier to use | |
| # provisioning/protoc.sh | |
| brew install protobuf | |
| - name: Cache Cargo registry | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.cargo/registry | |
| key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} | |
| - name: Cache Cargo index | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.cargo/git | |
| key: ${{ runner.os }}-cargo-git-${{ hashFiles('**/Cargo.lock') }} | |
| - name: Cache Cargo build | |
| uses: actions/cache@v4 | |
| with: | |
| path: target | |
| key: ${{ runner.os }}-cargo-build-${{ matrix.target }}-${{ matrix.name }}-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-build-${{ matrix.target }}-${{ matrix.name }}- | |
| ${{ runner.os }}-cargo-build-${{ matrix.target }}- | |
| ${{ runner.os }}-cargo-build- | |
| - name: Build binary (Darwin) | |
| run: cargo build --release --target ${{ matrix.target }} --bin ${{ matrix.name }} | |
| - name: Package binary (Darwin) | |
| run: | | |
| cd target/${{ matrix.target }}/release | |
| tar -czvf ${{ matrix.name }}-${{ inputs.tag }}-darwin_${{ matrix.package-suffix }}.tar.gz ${{ matrix.name }} | |
| mv ${{ matrix.name }}-${{ inputs.tag }}-darwin_${{ matrix.package-suffix }}.tar.gz ../../../ | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.name }}-${{ inputs.tag }}-darwin_${{ matrix.package-suffix }} | |
| path: | | |
| ${{ matrix.name }}-${{ inputs.tag }}-darwin_${{ matrix.package-suffix }}.tar.gz | |
| # Builds and pushes Docker images for both PBS and Signer | |
| build-and-push-docker: | |
| needs: [resolve-tag, build-binaries-linux, determine-latest] | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| matrix: | |
| crate: [pbs, signer, commit-boost] | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 45 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ needs.resolve-tag.outputs.commit }} | |
| fetch-depth: 0 | |
| submodules: true | |
| - name: Download binary archives | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: ./artifacts | |
| pattern: "commit-boost*" | |
| - name: Extract binaries | |
| run: | | |
| mkdir -p ./artifacts/bin/linux_amd64 | |
| mkdir -p ./artifacts/bin/linux_arm64 | |
| tar -xzf ./artifacts/commit-boost-${{ inputs.tag }}-linux_x86-64/commit-boost-${{ inputs.tag }}-linux_x86-64.tar.gz -C ./artifacts/bin | |
| mv ./artifacts/bin/commit-boost ./artifacts/bin/linux_amd64/commit-boost | |
| tar -xzf ./artifacts/commit-boost-${{ inputs.tag }}-linux_arm64/commit-boost-${{ inputs.tag }}-linux_arm64.tar.gz -C ./artifacts/bin | |
| mv ./artifacts/bin/commit-boost ./artifacts/bin/linux_arm64/commit-boost | |
| - name: Set lowercase owner | |
| run: echo "OWNER=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| build-args: | | |
| BINARIES_PATH=./artifacts/bin | |
| tags: | | |
| ghcr.io/${{ env.OWNER }}/${{ matrix.crate }}:${{ inputs.tag }} | |
| ${{ needs.determine-latest.outputs.value == 'true' && format('ghcr.io/{0}/{1}:latest', env.OWNER, matrix.crate) || '' }} | |
| file: provisioning/${{ matrix.crate }}.Dockerfile | |
| # Signs all binaries with Sigstore for provenance | |
| sign-binaries: | |
| needs: [build-binaries-linux, build-binaries-darwin] | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Download binary artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: ./artifacts | |
| pattern: "commit-boost-*" | |
| - name: Sign all binaries with Sigstore | |
| uses: sigstore/gh-action-sigstore-python@v3.0.0 | |
| with: | |
| inputs: ./artifacts/**/*.tar.gz | |
| - name: Upload signed artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: signed-${{ inputs.tag }} | |
| path: ./artifacts/**/*.sigstore* | |
| # Creates a draft release on GitHub with the binaries | |
| finalize-release: | |
| needs: | |
| - build-binaries-linux | |
| - build-binaries-darwin | |
| - build-and-push-docker | |
| - sign-binaries | |
| permissions: | |
| contents: write | |
| packages: read | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| steps: | |
| - name: Download binary artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: ./artifacts | |
| pattern: "commit-boost-*" | |
| - name: Download signed artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: ./artifacts | |
| pattern: "signed-*" | |
| - name: Finalize Release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| files: ./artifacts/**/* | |
| draft: true | |
| prerelease: false | |
| tag_name: ${{ inputs.tag }} | |
| name: ${{ inputs.tag }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |