Merge main and resolve review feedback #36
Workflow file for this run
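# Release workflow: runs when a tag matching 'v*' is pushed. It creates the
# GitHub release, builds and uploads per-platform binaries with SHA-256
# checksum files, and builds, signs (cosign keyless) and SBOMs the container
# image.
#
# NOTE(review): every third-party action below is referenced by a mutable tag
# or branch (@v4, @v2, @stable, @v0, ...). Pinning each one to a full commit
# SHA would stop an upstream retag from changing what runs with this
# workflow's write token and OIDC identity.
name: Release

on:
  push:
    tags:
      - 'v*'

env:
  CARGO_TERM_COLOR: always

# Default to a read-only token; each job below requests only what it uses.
permissions:
  contents: read

jobs:
  create-release:
    name: Create Release
    runs-on: ubuntu-latest
    permissions:
      contents: write  # create the GitHub release
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # No later step pushes with git; keep the token out of .git/config.
          persist-credentials: false

      - name: Extract version
        id: get_version
        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"

      # Fail the release early when the tag, Cargo.toml and the Helm chart
      # disagree about the version. The tag reaches the script through an
      # environment variable, not through ${{ }} expansion inside the script.
      - name: Verify release metadata matches tag
        env:
          TAG_NAME: ${{ steps.get_version.outputs.VERSION }}
        run: |
          set -euo pipefail
          expected_version="${TAG_NAME#v}"
          cargo_version="$(python - <<'PY'
          import tomllib
          from pathlib import Path
          print(tomllib.loads(Path("Cargo.toml").read_text())["package"]["version"])
          PY
          )"
          chart_app_version="$(python - <<'PY'
          import re
          from pathlib import Path
          content = Path("charts/diffscope/Chart.yaml").read_text()
          match = re.search(r'^appVersion:\s*"?(.*?)"?\s*$', content, re.MULTILINE)
          if not match:
              raise SystemExit("charts/diffscope/Chart.yaml is missing appVersion")
          print(match.group(1))
          PY
          )"
          test "$cargo_version" = "$expected_version" || {
            echo "Cargo.toml version ($cargo_version) does not match tag ($expected_version)"
            exit 1
          }
          test "$chart_app_version" = "$expected_version" || {
            echo "Chart appVersion ($chart_app_version) does not match tag ($expected_version)"
            exit 1
          }

      - name: Create Release
        id: create_release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref }}
          name: Release ${{ steps.get_version.outputs.VERSION }}
          # NOTE(review): the install commands in this body fetch install.sh
          # and install.ps1 from the main branch and pipe them straight into
          # a shell, so what users run is not tied to this tag or to the
          # checksums published with the release.
          body: |
            # DiffScope ${{ steps.get_version.outputs.VERSION }}
            See [CHANGELOG.md](https://github.com/evalops/diffscope/blob/main/CHANGELOG.md) for details.
            ## 🚀 Installation
            ### Quick install (Linux/macOS):
            ```bash
            curl -sSL https://raw.githubusercontent.com/evalops/diffscope/main/install.sh | sh
            ```
            ### Quick install (Windows):
            ```powershell
            iwr -useb https://raw.githubusercontent.com/evalops/diffscope/main/install.ps1 | iex
            ```
            ### Manual installation:
            Download the appropriate binary below for your platform and add it to your PATH.
            ## 📦 Checksums
            SHA256 checksums will be available once all builds complete.
          draft: false
          prerelease: false
          generate_release_notes: true

  build-release:
    name: Build Release
    needs: create-release
    permissions:
      contents: write  # gh release upload
    strategy:
      matrix:
        include:
          # Linux
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
            artifact_name: diffscope
            asset_name: diffscope-x86_64-unknown-linux-gnu
          - os: ubuntu-latest
            target: x86_64-unknown-linux-musl
            artifact_name: diffscope
            asset_name: diffscope-x86_64-unknown-linux-musl
          - os: ubuntu-latest
            target: aarch64-unknown-linux-gnu
            artifact_name: diffscope
            asset_name: diffscope-aarch64-unknown-linux-gnu
          # macOS
          - os: macos-latest
            target: x86_64-apple-darwin
            artifact_name: diffscope
            asset_name: diffscope-x86_64-apple-darwin
          - os: macos-latest
            target: aarch64-apple-darwin
            artifact_name: diffscope
            asset_name: diffscope-aarch64-apple-darwin
          # Windows
          - os: windows-latest
            target: x86_64-pc-windows-msvc
            artifact_name: diffscope.exe
            asset_name: diffscope-x86_64-pc-windows-msvc.exe
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # npm and cargo run third-party build code in this checkout; the
          # uploads below authenticate through GITHUB_TOKEN in env instead.
          persist-credentials: false

      - name: Install Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Build frontend
        run: cd web && npm ci && npm run build

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      - name: Install cross-compilation tools
        if: matrix.target == 'aarch64-unknown-linux-gnu'
        run: |
          sudo apt-get update
          sudo apt-get install -y gcc-aarch64-linux-gnu

      - name: Install musl tools
        if: matrix.target == 'x86_64-unknown-linux-musl'
        run: |
          sudo apt-get update
          sudo apt-get install -y musl-tools

      - name: Set up macOS cross-compilation
        if: matrix.os == 'macos-latest' && matrix.target == 'aarch64-apple-darwin'
        run: |
          echo "SDKROOT=$(xcrun -sdk macosx --show-sdk-path)" >> "$GITHUB_ENV"
          echo "MACOSX_DEPLOYMENT_TARGET=$(xcrun -sdk macosx --show-sdk-platform-version)" >> "$GITHUB_ENV"

      # NOTE(review): if Cargo.lock is committed (not visible here), adding
      # --locked would make the release build fail instead of silently
      # resolving different dependency versions.
      - name: Build
        run: cargo build --release --target ${{ matrix.target }}

      - name: Strip binary (Linux and macOS)
        if: matrix.os != 'windows-latest' && matrix.target != 'aarch64-apple-darwin' && matrix.target != 'aarch64-unknown-linux-gnu'
        run: |
          strip target/${{ matrix.target }}/release/${{ matrix.artifact_name }}

      - name: Strip binary (macOS ARM64)
        if: matrix.target == 'aarch64-apple-darwin'
        run: |
          # Skip stripping for cross-compiled ARM64 binary or use lipo if needed
          echo "Skipping strip for cross-compiled ARM64 binary"

      - name: Strip binary (Linux ARM64)
        if: matrix.target == 'aarch64-unknown-linux-gnu'
        run: |
          # Use aarch64 strip for cross-compiled binary
          aarch64-linux-gnu-strip target/${{ matrix.target }}/release/${{ matrix.artifact_name }}

      # NOTE(review): the checksum line records the file name artifact_name,
      # while the Unix upload step publishes the binary as asset_name, so
      # `sha256sum -c` run next to the downloaded asset looks for a file that
      # is not there. Confirm how consumers verify before changing the format.
      - name: Create checksum (Unix)
        if: matrix.os != 'windows-latest'
        run: |
          cd target/${{ matrix.target }}/release/
          if [ -f "${{ matrix.artifact_name }}" ]; then
            if [[ "$RUNNER_OS" == "macOS" ]]; then
              shasum -a 256 "${{ matrix.artifact_name }}" > "${{ matrix.asset_name }}.sha256"
            else
              sha256sum "${{ matrix.artifact_name }}" > "${{ matrix.asset_name }}.sha256"
            fi
          else
            echo "Binary not found, build may have failed"
            exit 1
          fi

      - name: Create checksum (Windows)
        if: matrix.os == 'windows-latest'
        shell: pwsh
        run: |
          cd target/${{ matrix.target }}/release/
          (Get-FileHash -Algorithm SHA256 ${{ matrix.artifact_name }}).Hash + " " + "${{ matrix.artifact_name }}" | Out-File -Encoding ASCII ${{ matrix.asset_name }}.sha256

      # The tag name is chosen by whoever pushes the tag, so it is handed to
      # the script as an environment variable and quoted there; expanding
      # ${{ github.ref_name }} inside the script would let shell
      # metacharacters in a tag name run as commands with the write token.
      - name: Upload Release Asset (Unix)
        if: matrix.os != 'windows-latest'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ github.ref_name }}
        run: |
          cd target/${{ matrix.target }}/release/
          # Copy/rename binary to platform-specific name
          if [ -f "${{ matrix.artifact_name }}" ]; then
            cp "${{ matrix.artifact_name }}" "${{ matrix.asset_name }}"
            echo "Uploading ${{ matrix.asset_name }}..."
            # Still best-effort, but a failed upload now shows up as a
            # warning annotation on the run.
            gh release upload "$RELEASE_TAG" "${{ matrix.asset_name }}" --clobber \
              || echo "::warning::upload of ${{ matrix.asset_name }} failed"
          fi
          # Upload checksum
          if [ -f "${{ matrix.asset_name }}.sha256" ]; then
            echo "Uploading ${{ matrix.asset_name }}.sha256..."
            gh release upload "$RELEASE_TAG" "${{ matrix.asset_name }}.sha256" --clobber \
              || echo "::warning::upload of ${{ matrix.asset_name }}.sha256 failed"
          fi

      # NOTE(review): unlike the Unix step, this uploads the binary under
      # artifact_name (diffscope.exe); the matrix's asset_name is used only
      # for the checksum file. Confirm which name install.ps1 expects.
      - name: Upload Release Asset (Windows)
        if: matrix.os == 'windows-latest'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ github.ref_name }}
        shell: pwsh
        run: |
          cd target/${{ matrix.target }}/release/
          # Upload binary
          if (Test-Path "${{ matrix.artifact_name }}") {
            Write-Host "Uploading ${{ matrix.artifact_name }}..."
            gh release upload "$env:RELEASE_TAG" "${{ matrix.artifact_name }}" --clobber
          }
          # Upload checksum
          if (Test-Path "${{ matrix.asset_name }}.sha256") {
            Write-Host "Uploading ${{ matrix.asset_name }}.sha256..."
            gh release upload "$env:RELEASE_TAG" "${{ matrix.asset_name }}.sha256" --clobber
          }

  # NOTE(review): this job has no `needs: create-release`, so it also runs
  # when the version check in create-release fails, and the SBOM upload at
  # the end can run before the release exists.
  build-docker:
    name: Build and Push Docker Image
    runs-on: ubuntu-latest
    permissions:
      contents: write  # gh release upload of the SBOM
      packages: write  # push to ghcr.io
      id-token: write  # OIDC token for cosign keyless signing
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # The checkout is the Docker build context; keep the token out of it.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract version from tag
        id: get_version
        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"

      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          push: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          tags: |
            ghcr.io/evalops/diffscope:latest
            ghcr.io/evalops/diffscope:${{ steps.get_version.outputs.VERSION }}

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      # Sign the digest returned by the push step rather than a tag, so the
      # signature refers to exactly the image that was built here.
      - name: Sign image (keyless)
        env:
          IMAGE_REF: ghcr.io/evalops/diffscope@${{ steps.build-and-push.outputs.digest }}
        run: cosign sign --yes "${IMAGE_REF}"

      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          image: ghcr.io/evalops/diffscope@${{ steps.build-and-push.outputs.digest }}
          format: spdx-json
          output-file: sbom-diffscope.spdx.json

      # Tag name passed through env and quoted, for the same reason as in the
      # binary upload steps; a failed upload is reported as a warning.
      - name: Upload SBOM to release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ github.ref_name }}
        run: |
          gh release upload "$RELEASE_TAG" sbom-diffscope.spdx.json --clobber \
            || echo "::warning::upload of sbom-diffscope.spdx.json failed"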