-
Notifications
You must be signed in to change notification settings - Fork 7
215 lines (194 loc) · 6.66 KB
/
Copy pathcli-binaries.yml
File metadata and controls
215 lines (194 loc) · 6.66 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
name: cli-binaries
on:
push:
tags:
- 'v*'
permissions:
contents: write
id-token: write
attestations: write
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- target: bun-darwin-arm64
asset: rb-darwin-arm64
ext: .tar.gz
- target: bun-darwin-x64
asset: rb-darwin-x64
ext: .tar.gz
- target: bun-linux-x64
asset: rb-linux-x64
ext: .tar.gz
- target: bun-linux-arm64
asset: rb-linux-arm64
ext: .tar.gz
- target: bun-windows-x64
asset: rb-windows-x64
ext: .zip
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with:
bun-version: 1.3.14
- uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 22
- name: Get pnpm store directory
shell: bash
run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-store-
- run: pnpm install --frozen-lockfile
- name: Generate version file
run: node scripts/generate-version.mjs
- name: Compile binary
run: |
OUTFILE=rb
if [[ "${{ matrix.target }}" == "bun-windows-x64" ]]; then
OUTFILE=rb.exe
fi
bun build --compile --minify \
--target=${{ matrix.target }} \
--define IS_STANDALONE="true" \
--define PLATFORM='"${{ matrix.asset }}"' \
src/main.ts \
--outfile $OUTFILE
- name: Archive
run: |
if [[ "${{ matrix.ext }}" == ".zip" ]]; then
zip ${{ matrix.asset }}.zip rb.exe
else
tar czf ${{ matrix.asset }}.tar.gz rb
fi
- name: Attest build provenance
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-path: ${{ matrix.asset }}${{ matrix.ext }}
- name: Generate SHA256
run: shasum -a 256 ${{ matrix.asset }}${{ matrix.ext }} > ${{ matrix.asset }}.sha256
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: ${{ matrix.asset }}
path: |
${{ matrix.asset }}${{ matrix.ext }}
${{ matrix.asset }}.sha256
release:
needs: build
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: dist
- name: Aggregate checksums
run: |
cat dist/*/*.sha256 > checksums.txt
cat checksums.txt
- uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
with:
tag_name: ${{ github.ref_name }}
name: Rendobar CLI ${{ github.ref_name }}
files: |
dist/*/*.tar.gz
dist/*/*.zip
checksums.txt
fail_on_unmatched_files: true
generate_release_notes: true
smoke-test:
needs: release
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
asset: rb-linux-x64
ext: .tar.gz
bin: rb
- os: macos-latest
asset: rb-darwin-arm64
ext: .tar.gz
bin: rb
- os: windows-latest
asset: rb-windows-x64
ext: .zip
bin: rb.exe
runs-on: ${{ matrix.os }}
steps:
- name: Compute version
id: ver
shell: bash
run: |
TAG="${{ github.ref_name }}"
VERSION="${TAG#v}"
echo "version=${VERSION}" >> $GITHUB_OUTPUT
- name: Download + verify + exec
shell: bash
run: |
TAG="${{ github.ref_name }}"
VERSION="${{ steps.ver.outputs.version }}"
ASSET="${{ matrix.asset }}${{ matrix.ext }}"
# Retry for CDN propagation
for i in 1 2 3 4 5; do
sleep $((i * 15))
if curl -fsSL -o "$ASSET" "https://github.com/rendobar/cli/releases/download/${TAG}/${ASSET}" && \
curl -fsSL -o checksums.txt "https://github.com/rendobar/cli/releases/download/${TAG}/checksums.txt"; then
echo "Download succeeded on attempt $i"
break
fi
echo "Download attempt $i failed, retrying..."
done
# Verify SHA256
if [[ "$RUNNER_OS" == "Windows" ]]; then
EXPECTED=$(grep "$ASSET" checksums.txt | awk '{print $1}')
ACTUAL=$(powershell -Command "(Get-FileHash -Algorithm SHA256 '$ASSET').Hash.ToLower()")
if [[ "$EXPECTED" != "$ACTUAL" ]]; then
echo "Checksum mismatch: expected $EXPECTED, got $ACTUAL"
exit 1
fi
powershell -Command "Expand-Archive -Path '$ASSET' -DestinationPath . -Force"
else
grep "$ASSET" checksums.txt | shasum -a 256 -c
tar xzf "$ASSET"
fi
# macOS: remove quarantine bit
if [[ "$RUNNER_OS" == "macOS" ]]; then
xattr -d com.apple.quarantine ./${{ matrix.bin }} || true
fi
# Execute and verify version
OUT=$(./${{ matrix.bin }} --version 2>&1)
echo "$OUT"
if ! echo "$OUT" | grep -q "$VERSION"; then
echo "Version mismatch: expected $VERSION, got $OUT"
exit 1
fi
rollback:
needs: smoke-test
if: failure()
runs-on: ubuntu-latest
permissions:
contents: write
issues: write
steps:
- name: Mark release prerelease
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release edit "${{ github.ref_name }}" --prerelease --repo ${{ github.repository }} || true
- name: Open rollback issue
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh issue create \
--repo ${{ github.repository }} \
--title "Binary release failure: ${{ github.ref_name }}" \
--body "Binary smoke test failed on one or more platforms. Release marked prerelease. Investigate before unmarking."