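---
# Release pipeline: run the test suite, cross-compile static musl binaries,
# build/sign multi-arch container images, then publish the crate.
#
# Triggered by a `v*` tag push (full release) or manually via workflow_dispatch,
# which defaults to a dry run that builds and verifies but neither pushes images
# nor publishes. Third-party actions below are referenced by major-version tag;
# pinning them to a commit SHA would narrow the supply-chain exposure.
name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      dry-run:
        description: "Dry run — build and verify without pushing images or publishing"
        type: boolean
        default: true

# Least privilege by default: only the job that pushes and signs images needs
# `packages: write` and `id-token: write`, so those are granted at job level
# instead of to every job (including the ones that run third-party installers).
permissions:
  contents: read

env:
  # Evaluates to the string 'true' or 'false'; `env` values are always strings,
  # so step-level `if:` conditions below compare against the quoted literal.
  DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && inputs.dry-run == true }}

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - run: cargo test --all

  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - target: x86_64-unknown-linux-musl
            arch: amd64
          - target: aarch64-unknown-linux-musl
            arch: arm64
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}
      # NOTE(review): this installs cargo-binstall by piping an unpinned script
      # from the upstream repository's main branch into bash, and ziglang without
      # a version pin. Pinning both to a release (and checking the installer's
      # checksum) would close the supply-chain gap; no pinned version is recorded
      # here, so the command is left unchanged.
      - name: Install zig and cargo-zigbuild
        run: pip install ziglang && curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash && cargo binstall -y cargo-zigbuild
      - uses: mozilla-actions/sccache-action@v0.0.9
      - name: Cross-compile for ${{ matrix.arch }}
        run: cargo zigbuild --release --target ${{ matrix.target }}
        env:
          SCCACHE_GHA_ENABLED: "true"
          RUSTC_WRAPPER: sccache
      - uses: actions/upload-artifact@v7
        with:
          name: initium-${{ matrix.arch }}
          path: target/${{ matrix.target }}/release/initium

  docker:
    runs-on: ubuntu-latest
    needs: [test, build]
    # The only job that pushes to GHCR and requests an OIDC token for keyless
    # cosign signing.
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - uses: actions/download-artifact@v8
        with:
          name: initium-amd64
          path: bin/
      # Each artifact is downloaded as bin/initium, so rename it before the next
      # download overwrites it.
      - run: mv bin/initium bin/initium-amd64 && chmod +x bin/initium-amd64
      - uses: actions/download-artifact@v8
        with:
          name: initium-arm64
          path: bin/
      - run: mv bin/initium bin/initium-arm64 && chmod +x bin/initium-arm64
      # Fail fast if an artifact was built for the wrong architecture, instead of
      # only printing the `file` output and carrying on.
      - name: Verify binaries
        run: |
          file bin/initium-amd64 bin/initium-arm64
          file bin/initium-amd64 | grep -q 'x86-64' || { echo "::error::initium-amd64 is not an x86-64 binary"; exit 1; }
          file bin/initium-arm64 | grep -q 'aarch64' || { echo "::error::initium-arm64 is not an aarch64 binary"; exit 1; }
          echo "amd64 size: $(du -h bin/initium-amd64 | cut -f1)"
          echo "arm64 size: $(du -h bin/initium-arm64 | cut -f1)"
      - uses: sigstore/cosign-installer@v3
        if: env.DRY_RUN == 'false'
      - uses: docker/setup-buildx-action@v4
      - uses: docker/login-action@v4
        if: env.DRY_RUN == 'false'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # The tag name is read from the $GITHUB_REF environment variable rather than
      # interpolated into the script, so an unusual tag name cannot alter the shell.
      - name: Extract version
        id: version
        run: |
          if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
            echo "VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
          else
            echo "VERSION=dry-run-$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
          fi
      # NOTE: `latest` is moved on every v* tag, including any pre-release tag
      # that matches the trigger pattern.
      - name: Build initium image
        uses: docker/build-push-action@v7
        id: build-main
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: ${{ env.DRY_RUN == 'false' }}
          tags: |
            ghcr.io/kitstream/initium:${{ steps.version.outputs.VERSION }}
            ghcr.io/kitstream/initium:latest
          sbom: true
          provenance: true
      # Keyless signing is bound to the immutable digest, never to a mutable tag.
      - name: Sign initium image
        if: env.DRY_RUN == 'false'
        run: cosign sign --yes ghcr.io/kitstream/initium@${{ steps.build-main.outputs.digest }}
      # Only the linux/amd64 SBOM is attested here; the arm64 SBOM gets no cosign
      # attestation.
      - name: SBOM attestation for initium image
        if: env.DRY_RUN == 'false'
        run: |
          cosign attest --yes --type spdx \
            --predicate <(docker buildx imagetools inspect ghcr.io/kitstream/initium@${{ steps.build-main.outputs.digest }} --format '{{json (index .SBOM "linux/amd64").SPDX}}') \
            ghcr.io/kitstream/initium@${{ steps.build-main.outputs.digest }}
      - name: Build initium-jyq image
        uses: docker/build-push-action@v7
        id: build-jyq
        with:
          context: .
          file: Dockerfile.jyq
          platforms: linux/amd64,linux/arm64
          push: ${{ env.DRY_RUN == 'false' }}
          tags: |
            ghcr.io/kitstream/initium-jyq:${{ steps.version.outputs.VERSION }}
            ghcr.io/kitstream/initium-jyq:latest
          sbom: true
          provenance: true
      - name: Sign initium-jyq image
        if: env.DRY_RUN == 'false'
        run: cosign sign --yes ghcr.io/kitstream/initium-jyq@${{ steps.build-jyq.outputs.digest }}
      # Same limitation as above: only the linux/amd64 SBOM is attested.
      - name: SBOM attestation for initium-jyq image
        if: env.DRY_RUN == 'false'
        run: |
          cosign attest --yes --type spdx \
            --predicate <(docker buildx imagetools inspect ghcr.io/kitstream/initium-jyq@${{ steps.build-jyq.outputs.digest }} --format '{{json (index .SBOM "linux/amd64").SPDX}}') \
            ghcr.io/kitstream/initium-jyq@${{ steps.build-jyq.outputs.digest }}

  publish:
    runs-on: ubuntu-latest
    needs: [docker]
    # The `env` context is not available in a job-level `if`, so the dry-run
    # condition is spelled out again here.
    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs.dry-run == true) }}
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
      - name: Ensure Cargo.lock is up to date
        run: cargo update --workspace
      # `--allow-dirty` is required because the previous step may modify Cargo.lock.
      # A failed publish is tolerated only when this exact version is already on
      # crates.io (a re-run of a release); any other failure fails the job, and an
      # unreadable version no longer turns into an empty, match-anything grep.
      - name: Publish to crates.io
        run: |
          cargo publish --allow-dirty 2>&1 || {
            ver="$(grep '^version' Cargo.toml | head -1 | sed 's/.*"\(.*\)"/\1/')"
            if [[ -z "$ver" ]]; then
              echo "::error::cargo publish failed and the crate version could not be read from Cargo.toml"
              exit 1
            fi
            # Fixed-string match on the quoted version: dots are literal and a bare
            # substring elsewhere in the search output does not count.
            if cargo search initium --limit 1 | grep -qF "\"$ver\""; then
              echo "::warning::Version already published to crates.io — skipping"
            else
              echo "::error::cargo publish failed"
              exit 1
            fi
          }
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}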