Merge remote-tracking branch 'origin/main' into merge-main-into-release

Author: strombetta

.github/CODEOWNERS

@@ -0,0 +1,13 @@
+# Default owners
+* @strombetta
+
+# CI / release workflows
+/.github/workflows/ @strombetta
+
+# Build system and scripts
+/Makefile @strombetta
+/Makefile.check @strombetta
+/Makefile.help @strombetta
+/make/ @strombetta
+/scripts/ @strombetta
+/config/ @strombetta

.github/workflows/release.yml

@@ -4,6 +4,7 @@ on:
   push:
     tags:
       - "v*"
+  workflow_dispatch:
 
 jobs:
   build:
@@ -15,12 +16,10 @@ jobs:
         include:
           - arch: x86_64
             runs-on: ubuntu-latest
-            target: x86_64
             triple: x86_64-bugleos-linux-musl
             label: x86_64
           - arch: aarch64
             runs-on: ubuntu-24.04-arm
-            target: aarch64
             triple: aarch64-bugleos-linux-musl
             label: aarch64
     permissions:
@@ -31,6 +30,26 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Read package versions
+        shell: bash
+        run: |
+          set -euo pipefail
+          binutils_version="$(awk -F ' := ' '/^BINUTILS_VERSION/ {print $2; exit}' make/binutils-stage1.mk)"
+          gcc_version="$(awk -F ' := ' '/^GCC_VERSION/ {print $2; exit}' make/gcc-stage1.mk)"
+          musl_version="$(awk -F ' := ' '/^MUSL_VERSION/ {print $2; exit}' make/musl.mk)"
+          linux_version="$(awk -F ' := ' '/^LINUX_VERSION/ {print $2; exit}' make/linux-headers.mk)"
+
+          if [ -z "$binutils_version" ] || [ -z "$gcc_version" ] || [ -z "$musl_version" ] || [ -z "$linux_version" ]; then
+            echo "Failed to read one or more package versions." >&2
+            exit 1
+          fi
+
+          echo "BINUTILS_VERSION=${binutils_version}" >> "$GITHUB_ENV"
+          echo "GCC_VERSION=${gcc_version}" >> "$GITHUB_ENV"
+          echo "MUSL_VERSION=${musl_version}" >> "$GITHUB_ENV"
+          echo "LINUX_VERSION=${linux_version}" >> "$GITHUB_ENV"
+          echo "VERSIONS_KEY=binutils-${binutils_version}-gcc-${gcc_version}-musl-${musl_version}-linux-${linux_version}" >> "$GITHUB_ENV"
+
       - name: Validate tag format
         run: |
           set -euo pipefail
@@ -49,6 +68,24 @@ jobs:
             build-essential binutils bash coreutils tar gzip xz-utils bison flex texinfo gawk file curl wget gpg \
             libgmp-dev libmpfr-dev libmpc-dev python3
 
+      - name: Restore download cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            downloads/
+            sources/
+          key: downloads-${{ runner.os }}-${{ matrix.arch }}-${{ env.VERSIONS_KEY }}
+
+      - name: Restore build cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            builds/
+            out/progress/
+            out/toolchain/
+            out/toolchain-stage1/
+          key: build-${{ runner.os }}-${{ matrix.arch }}-${{ env.VERSIONS_KEY }}-${{ hashFiles('Makefile', 'make/*.mk', 'config/*.mk', 'scripts/*.sh') }}
+
       - name: Fetch sources
         run: |
           set -euo pipefail
@@ -59,10 +96,35 @@ jobs:
           set -euo pipefail
           ./scripts/verify-checksums.sh
 
-      - name: Build ${{ matrix.arch }} toolchain
+      - name: Build binutils stage1
+        run: |
+          set -euo pipefail
+          make TARGET=${{ matrix.triple }} binutils-stage1
+
+      - name: Build Linux headers
+        run: |
+          set -euo pipefail
+          make TARGET=${{ matrix.triple }} linux-headers
+
+      - name: Build GCC stage1
         run: |
           set -euo pipefail
-          make ${{ matrix.target }}
+          make TARGET=${{ matrix.triple }} gcc-stage1
+
+      - name: Build musl
+        run: |
+          set -euo pipefail
+          make TARGET=${{ matrix.triple }} musl
+
+      - name: Build binutils stage2
+        run: |
+          set -euo pipefail
+          make TARGET=${{ matrix.triple }} binutils-stage2
+
+      - name: Build GCC stage2
+        run: |
+          set -euo pipefail
+          make TARGET=${{ matrix.triple }} gcc-stage2
         
       - name: Upload build logs
         if: always()
@@ -92,6 +154,39 @@ jobs:
           path: dist/bugleos-toolchain-${{ env.VERSION }}-${{ matrix.label }}.tar.gz
           if-no-files-found: error
 
+  hash-artifacts:
+    name: Prepare SLSA subjects
+    runs-on: ubuntu-latest
+    needs: build
+    outputs:
+      base64_subjects: ${{ steps.hashes.outputs.base64_subjects }}
+    steps:
+      - name: Download toolchain tarballs
+        uses: actions/download-artifact@v4
+        with:
+          path: dist
+
+      - name: Compute base64 subjects
+        id: hashes
+        shell: bash
+        run: |
+          set -euo pipefail
+          mapfile -d '' files < <(find dist -name 'bugleos-toolchain-*.tar.gz' -print0 | sort -z)
+          if [ "${#files[@]}" -eq 0 ]; then
+            echo "No toolchain tarballs found under dist/." >&2
+            exit 1
+          fi
+
+          tmp="$(mktemp)"
+          for f in "${files[@]}"; do
+            hash="$(sha256sum "$f" | awk '{print $1}')"
+            name="$(basename "$f")"
+            printf '%s  %s\n' "$hash" "$name" >> "$tmp"
+          done
+
+          sort "$tmp" | base64 -w0 > "$tmp.b64"
+          echo "base64_subjects=$(cat "$tmp.b64")" >> "$GITHUB_OUTPUT"
+
   publish:
     name: Publish Release
     runs-on: ubuntu-latest
@@ -115,6 +210,71 @@ jobs:
             echo "PRERELEASE=false" >> "$GITHUB_ENV"
           fi
 
+      - name: Install signing tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y minisign gnupg
+
+      - name: Install SBOM tool (syft)
+        run: |
+          set -euo pipefail
+          curl -sSfL https://get.anchore.io/syft | sh -s -- -b /usr/local/bin
+          syft version
+
+      - name: Generate SBOMs (SPDX + CycloneDX)
+        run: |
+          set -euo pipefail
+          mapfile -d '' files < <(find dist -name 'bugleos-toolchain-*.tar.gz' -print0 | sort -z)
+          if [ "${#files[@]}" -eq 0 ]; then
+            echo "No toolchain tarballs found under dist/." >&2
+            exit 1
+          fi
+
+          for f in "${files[@]}"; do
+            base="$(basename "$f" .tar.gz)"
+            workdir="$(mktemp -d)"
+            tar -C "$workdir" -xzf "$f"
+            syft "dir:$workdir" -o spdx-json > "dist/${base}.spdx.json"
+            syft "dir:$workdir" -o cyclonedx-json > "dist/${base}.cdx.json"
+            rm -rf "$workdir"
+          done
+
+      - name: Generate SHA256SUMS and signatures
+        env:
+          MINISIGN_KEY: ${{ secrets.MINISIGN_KEY }}
+          MINISIGN_PUB: ${{ secrets.MINISIGN_PUB }}
+        run: |
+          set -euo pipefail
+
+          if [ -z "${MINISIGN_KEY:-}" ] || [ -z "${MINISIGN_PUB:-}" ]; then
+            echo "Missing minisign secrets (MINISIGN_KEY / MINISIGN_PUB)." >&2
+            exit 1
+          fi
+
+          mkdir -p out dist
+          printf '%s' "$MINISIGN_KEY" | base64 -d > out/minisign.key
+          printf '%s' "$MINISIGN_PUB" | base64 -d > out/minisign.pub
+          chmod 600 out/minisign.key
+          cp out/minisign.pub dist/minisign.pub
+
+          mapfile -d '' files < <(find dist -name 'bugleos-toolchain-*.tar.gz' -print0 | sort -z)
+          if [ "${#files[@]}" -eq 0 ]; then
+            echo "No toolchain tarballs found under dist/." >&2
+            exit 1
+          fi
+
+          mapfile -d '' sboms < <(find dist -maxdepth 1 \( -name 'bugleos-toolchain-*.spdx.json' -o -name 'bugleos-toolchain-*.cdx.json' \) -print0 | sort -z)
+          if [ "${#sboms[@]}" -eq 0 ]; then
+            echo "No SBOM files found under dist/." >&2
+            exit 1
+          fi
+
+          sha256sum "${files[@]}" "${sboms[@]}" > dist/SHA256SUMS
+          minisign -S -s out/minisign.key -m dist/SHA256SUMS
+          for f in "${files[@]}"; do
+            minisign -S -s out/minisign.key -m "$f"
+          done
+
       - name: Publish GitHub Release
         uses: softprops/action-gh-release@v2
         with:
@@ -123,11 +283,44 @@ jobs:
           draft: false
           prerelease: ${{ env.PRERELEASE }}
           body: |
-            Supported architectures:
-            Architecture | Download Link
-            ------------ | -------------
-            x86_64      | [bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz](dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz)
-            aarch64     | [bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz](dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz)
+              # Supported architectures
+
+              ## ![64-bit architecture (x86_64)](https://img.shields.io/badge/arch-x86__64-blue)
+              - Toolchain: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz
+              - Signature (minisign): https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz.minisig
+
+              ## ![ARM64 architecture (aarch64)](https://img.shields.io/badge/arch-aarch64-green)
+              - Toolchain: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz
+              - Signature (minisign): https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz.minisig
+
+              ## Verification
+              - Public key: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/minisign.pub
+              - Checksums: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/SHA256SUMS
+              - Checksums signature: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/SHA256SUMS.minisig
+            
           files: |
             dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz
+            dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz.minisig
             dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz
+            dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz.minisig
+            dist/bugleos-toolchain-${{ env.VERSION }}-x86_64.spdx.json
+            dist/bugleos-toolchain-${{ env.VERSION }}-aarch64.spdx.json
+            dist/bugleos-toolchain-${{ env.VERSION }}-x86_64.cdx.json
+            dist/bugleos-toolchain-${{ env.VERSION }}-aarch64.cdx.json
+            dist/SHA256SUMS
+            dist/SHA256SUMS.minisig
+            dist/minisign.pub
+
+  provenance:
+    name: Generate SLSA provenance
+    needs: [hash-artifacts, publish]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      base64-subjects: "${{ needs.hash-artifacts.outputs.base64_subjects }}"
+      upload-assets: true
+      upload-tag-name: ${{ github.ref_name }}
+      provenance-name: bugleos-toolchain-${{ github.ref_name }}.intoto.jsonl

CODE_OF_CONDUCT.md

@@ -0,0 +1,66 @@
+# Code of Conduct
+
+## Our Pledge
+
+We as contributors and maintainers pledge to make participation in this project
+a harassment-free experience for everyone, regardless of age, body size,
+visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment include:
+
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes
+- Focusing on what is best for the community
+
+Examples of unacceptable behavior include:
+
+- Sexualized language or imagery, and sexual attention or advances
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information without explicit permission
+- Other conduct which could reasonably be considered inappropriate
+
+## Enforcement Responsibilities
+
+Project maintainers are responsible for clarifying and enforcing standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior they deem inappropriate, threatening, offensive, or
+harmful.
+
+## Scope
+
+This Code of Conduct applies within all project spaces and also applies when an
+individual is officially representing the project in public spaces.
+
+## Reporting
+
+Report incidents to the maintainers by contacting the repository owner via the
+email listed on their GitHub profile. If you are unable to use email, open a
+private GitHub discussion (if enabled) or request a private contact channel
+through a maintainer.
+
+We will acknowledge receipt within 5 business days and will keep you informed
+about the process when possible.
+
+## Enforcement Guidelines
+
+Maintainers will follow these Community Impact Guidelines in determining the
+consequences for any action they deem in violation of this Code of Conduct:
+
+1. **Correction**: A private, written warning with clarification.
+2. **Warning**: A formal warning with consequences for continued behavior.
+3. **Temporary Ban**: A temporary ban from participation.
+4. **Permanent Ban**: Permanent removal from the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the Contributor Covenant, version 2.1.
+For details, see:
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html

MAINTAINERS.md

@@ -0,0 +1,21 @@
+# Maintainers
+
+This document lists the active maintainers for the BugleOS Cross Toolchain
+repository and their areas of responsibility.
+
+## Active Maintainers
+
+- Sebastiano Trombetta (@strombetta) — Lead Maintainer
+  - Toolchain build system (Makefiles, scripts)
+  - Release process and artifacts
+  - CI/CD workflows
+
+## Contact
+
+For questions or support, see SUPPORT.md.
+For security issues, follow SECURITY.md.
+
+## Changes to This File
+
+Updates to this file should be made via pull request and require approval from
+an existing maintainer.