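# On code/CI/keys changes to main: cross-compile (aarch64), sign-smoke
# (when PLUGIN_SIGNING_KEY_PEM is set and the OOP sample bundle exists),
# optional artefact upload. Publishing to evo-device-audio-artefacts is
# deferred until the artefact manifest pipeline is wired.
name: continuous-dev

# `on` is a YAML 1.1 boolean literal; quoted so generic parsers keep it as a key.
"on":
  push:
    branches: [main]
    paths:
      - "plugins/**"
      - "ci/**"
      - "keys/**"
      - "Cargo.toml"
      - "Cross.toml"
      - ".github/**"

# Least-privilege GITHUB_TOKEN for the whole workflow: checkout needs read,
# and artifact upload does not go through GITHUB_TOKEN, so nothing here
# needs a write scope.
permissions:
  contents: read

concurrency:
  group: continuous-dev-main
  cancel-in-progress: true

env:
  # NOTE(review): a git tag is mutable; installing evo-plugin-tool by commit
  # (`--rev`) instead would make the toolchain install reproducible.
  EVO_CORE_TAG: v0.1.12
  CROSS_AARCH64_TARGET: aarch64-unknown-linux-gnu

jobs:
  build-sign-upload:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions below are pinned to tags. Pinning the
      # third-party ones (dtolnay/rust-toolchain, docker/setup-buildx-action)
      # to a full commit SHA removes the mutable-tag supply-chain exposure.
      - name: Check out
        uses: actions/checkout@v5

      - name: Install Rust 1.85
        uses: dtolnay/rust-toolchain@1.85
        with:
          components: clippy, rustfmt

      - name: Set up Docker / Buildx
        uses: docker/setup-buildx-action@v4

      - name: Install cross
        # NOTE(review): unpinned; `--version <x.y.z>` would make this
        # reproducible instead of tracking whatever crates.io serves today.
        run: cargo install cross --locked

      - name: Install evo-plugin-tool
        run: cargo install --git https://github.com/foonerd/evo-core.git --tag ${EVO_CORE_TAG} --locked evo-plugin-tool

      - name: Fmt, clippy, test
        run: |
          cargo fmt --all -- --check
          cargo clippy --all-targets -- -D warnings
          cargo test --workspace

      - name: Cross build (aarch64, release) when workspace has members
        run: |
          # Only a .gitkeep under plugins/ means the scaffold has no crates yet.
          if [ -d plugins ] && [ -n "$(ls -A plugins 2>/dev/null | grep -v '^\.gitkeep$' || true)" ]; then
            cross build --release --target "$CROSS_AARCH64_TARGET" --workspace
          else
            echo "No plugin crates to cross-build; skipping (scaffold state)."
          fi

      - name: evo-plugin-tool sign + verify (OOP sign-smoke, when bundle exists)
        # `id` lets the upload step key off this step's recorded output.
        id: sign
        env:
          PLUGIN_SIGNING_KEY_PEM: ${{ secrets.PLUGIN_SIGNING_KEY_PEM }}
        run: |
          set -euo pipefail
          if [ -z "$PLUGIN_SIGNING_KEY_PEM" ]; then
            echo "PLUGIN_SIGNING_KEY_PEM not set; skipping sign-smoke."
            exit 0
          fi
          if [ ! -d ci/oob-sign-smoke ]; then
            echo "No OOP sign-smoke bundle present; skipping (lands with first plugin)."
            exit 0
          fi
          # Private key material is on disk only for this step: created
          # 0600 via umask, under the job-scoped RUNNER_TEMP, and removed
          # on every exit path (including a failing tool invocation).
          umask 077
          KEY_FILE="$RUNNER_TEMP/plugin-signing.key.pem"
          trap 'rm -f "$KEY_FILE"' EXIT
          printenv PLUGIN_SIGNING_KEY_PEM > "$KEY_FILE"
          P="$GITHUB_WORKSPACE"
          T="$RUNNER_TEMP/trust-opt"
          mkdir -p "$T" "$RUNNER_TEMP/trust-etc"
          # Trust store for verify is built from the committed public key only.
          cp "$P/keys/commons-plugin-signing-public.pem" "$P/keys/commons-plugin-signing-public.meta.toml" "$T/"
          evo-plugin-tool lint "$P/ci/oob-sign-smoke"
          evo-plugin-tool sign "$P/ci/oob-sign-smoke" --key "$KEY_FILE"
          # NOTE(review): the revocations path is deliberately absent (no
          # revocations in CI); confirm the tool treats a missing file as
          # "no revocations" rather than skipping the check silently.
          evo-plugin-tool verify "$P/ci/oob-sign-smoke" \
            --trust-dir-opt "$T" \
            --trust-dir-etc "$RUNNER_TEMP/trust-etc" \
            --revocations /tmp/evo-revocations-not-present.toml
          # Reached only after lint, sign and verify all succeeded.
          echo "signed=true" >> "$GITHUB_OUTPUT"

      - name: Upload OOP sign-smoke bundle
        # Keyed off the sign step's recorded output rather than the secret
        # directly: GitHub Actions does not allow the secrets context inside
        # step-level `if:` expressions. A step output is preferred over
        # hashFiles() on manifest.sig because a .sig already committed in the
        # bundle would otherwise trigger the upload even when signing was
        # skipped; the output is written only after sign + verify completed.
        if: ${{ success() && steps.sign.outputs.signed == 'true' }}
        uses: actions/upload-artifact@v7
        with:
          name: oob-sign-smoke
          path: |
            ci/oob-sign-smoke/manifest.toml
            ci/oob-sign-smoke/manifest.sig
            ci/oob-sign-smoke/plugin.bin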