Merge pull request #1126 from atsign-foundation/dependabot/docker/pac… #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release_Automation | |
| on: | |
| push: | |
| tags: | |
| - 'c*.*.*' | |
| workflow_dispatch: | |
| inputs: | |
| main_build_only: | |
| description: "Run non-dockerx builds only" | |
| required: true | |
| default: false | |
| type: boolean | |
| permissions: # added using https://github.com/step-security/secure-repo | |
| contents: read | |
| jobs: | |
| main_build: | |
| runs-on: ${{ matrix.os }} | |
| defaults: | |
| run: | |
| working-directory: ./packages/c/sshnpd | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macOS-latest] | |
| # os: [ubuntu-latest, macOS-latest, windows-latest] | |
| include: | |
| - os: ubuntu-latest | |
| output-name: sshnp-linux-x64 | |
| ext: '' | |
| bundle: 'shell' | |
| - os: macOS-latest | |
| output-name: sshnp-macos-x64 | |
| ext: '' | |
| bundle: 'shell' | |
| # - os: macos-14 | |
| # output-name: sshnp-macos-arm64 | |
| # ext: '' | |
| # bundle: 'shell' | |
| # - os: windows-latest | |
| # output-name: sshnp-windows-x64 | |
| # ext: '.exe' | |
| # bundle: 'windows' | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| # compile binaries | |
| - run: | | |
| cmake -B build -S . -DBUILD_SHARED_LIBS=off -DCMAKE_C_COMPILER=clang | |
| cmake --build build | |
| mkdir tarball | |
| mv build/sshnpd . | |
| # zip the build | |
| - if: ${{ matrix.os == 'macOS-latest' || matrix.os == 'macos-14'}} | |
| run: ditto -c -k --keepParent sshnpd tarball/${{ matrix.output-name }}.zip | |
| - if: ${{ matrix.os == 'ubuntu-latest' }} | |
| run: tar -cvzf tarball/${{ matrix.output-name }}.tgz sshnpd | |
| - if: ${{ matrix.os == 'windows-latest' }} | |
| run: Compress-Archive -Path sshnpd -Destination tarball/${{ matrix.output-name }}.zip | |
| # upload the build | |
| - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
| with: | |
| name: ${{ matrix.output-name }}_${{ matrix.compiler }}-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} | |
| path: ./packages/c/sshnpd/tarball | |
| if-no-files-found: error | |
| other_build: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./packages/c | |
| strategy: | |
| matrix: | |
| platform: [linux/arm/v7, linux/arm64] | |
| # platform: [linux/arm/v7, linux/arm64, linux/riscv64] | |
| include: | |
| - platform: linux/arm/v7 | |
| output-name: sshnpd-linux-arm | |
| - platform: linux/arm64 | |
| output-name: sshnpd-linux-arm64 | |
| # - platform: linux/riscv64 | |
| # output-name: sshnpd-linux-riscv64 | |
| steps: | |
| - if: ${{ ! inputs.main_build_only }} | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - if: ${{ ! inputs.main_build_only }} | |
| uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
| - if: ${{ ! inputs.main_build_only }} | |
| uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 | |
| - if: ${{ ! inputs.main_build_only }} | |
| run: | | |
| docker buildx build -t cpswan/sshnpdc -f sshnpd/tools/Dockerfile.package \ | |
| --platform ${{ matrix.platform }} -o type=tar,dest=bins.tar . | |
| mkdir tarballs | |
| tar -xvf bins.tar -C tarballs | |
| - if: ${{ ! inputs.main_build_only }} | |
| uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
| with: | |
| name: ${{ matrix.output-name }}-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} | |
| path: ./packages/c/tarballs/${{ matrix.output-name }}.tgz | |
| github-release: | |
| name: >- | |
| Upload artifacts and generate checksums for provenance | |
| needs: [main_build, other_build] | |
| runs-on: ubuntu-latest | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| permissions: | |
| contents: write # IMPORTANT: mandatory for making GitHub Releases | |
| id-token: write # IMPORTANT: mandatory for sigstore | |
| attestations: write | |
| steps: | |
| - name: Download all the tarballs | |
| uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
| with: | |
| path: tarballs/ | |
| # - name: Generate SBOMs | |
| # run: | | |
| # syft scan file:./packages/dart/sshnoports/pubspec.lock \ | |
| # -o 'spdx-json=tarballs/dart_sshnoports_sbom.spdx.json' \ | |
| # -o 'cyclonedx-json=tarballs/dart_sshnoports_sbom.cyclonedx.json' | |
| - name: Move packages for signing | |
| run: | | |
| cd tarballs | |
| echo "Before:" | |
| ls -latrR * | |
| mv */*.tgz . | |
| mv */*.zip . | |
| rm -Rf -- */ | |
| echo "After:" | |
| ls -latrR * | |
| - name: Generate SHA256 checksums | |
| working-directory: tarballs | |
| run: sha256sum * > checksums.txt | |
| - name: Upload artifacts to GitHub Release | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| # Upload to GitHub Release using the `gh` CLI. | |
| # `dist/` contains the built packages, and the | |
| # sigstore-produced signatures and certificates. | |
| run: >- | |
| gh release upload | |
| '${{ github.ref_name }}' tarballs/** | |
| --repo '${{ github.repository }}' | |
| - id: hash | |
| name: Pass artifact hashes for SLSA provenance | |
| working-directory: tarballs | |
| run: | | |
| echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT" | |
| - uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a # v1.3.1 | |
| with: | |
| subject-path: 'tarballs/**' | |
| provenance: | |
| needs: [github-release] | |
| permissions: | |
| actions: read # Needed for detection of GitHub Actions environment. | |
| id-token: write # Needed for provenance signing and ID | |
| contents: write # Needed for release uploads | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # 5a775b367a56d5bd118a224a811bba288150a563 | |
| with: | |
| base64-subjects: "${{ needs.github-release.outputs.hashes }}" | |
| upload-assets: true |