chore: add security policy #923
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
workflow_dispatch: | |
push: | |
tags: [v*] | |
branches: [main] | |
paths-ignore: | |
- '**.md' | |
pull_request: | |
branches: [main] | |
release: | |
types: [published] | |
jobs: | |
build-chisel: | |
name: Build Chisel | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- arch: 'amd64' | |
machine_arch: 'X86-64' | |
- arch: 'arm' | |
machine_arch: 'ARM' | |
- arch: 'arm64' | |
machine_arch: 'AArch64' | |
- arch: 'ppc64le' | |
machine_arch: 'PowerPC64' | |
- arch: 'riscv64' | |
machine_arch: 'RISC-V' | |
- arch: 's390x' | |
machine_arch: 'S/390' | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
# The checkout action in previous step overwrites annonated tag | |
# with lightweight tags breaking ``git describe`` | |
# See https://github.com/actions/checkout/issues/882 | |
# and https://github.com/actions/checkout/issues/290 | |
# The following step is a workaround to restore the latest tag | |
# to it's original state. | |
- name: Restore (annonated) tag | |
run: git fetch --force origin ${GITHUB_REF}:${GITHUB_REF} | |
if: ${{ github.ref_type == 'tag' }} | |
- uses: actions/setup-go@v3 | |
with: | |
go-version-file: 'go.mod' | |
- name: Build Chisel for linux/${{ matrix.arch }} | |
id: build | |
env: | |
GOOS: "linux" | |
GOARCH: ${{ matrix.arch }} | |
CGO_ENABLED: "0" | |
run: | | |
echo "Generating version file" | |
go generate ./cmd/ | |
echo "Building for $GOOS $GOARCH" | |
go build -trimpath -ldflags='-s -w' ./cmd/chisel | |
# Get version via "chisel version" to ensure it matches that exactly | |
CHISEL_VERSION=$(GOOS=linux GOARCH=amd64 go run ./cmd/chisel version) | |
echo "Version: $CHISEL_VERSION" | |
# Version should not be "unknown" | |
[ "$CHISEL_VERSION" != "unknown" ] || exit 1 | |
# Share variables with subsequent steps | |
echo "CHISEL_VERSION=${CHISEL_VERSION}" >>$GITHUB_OUTPUT | |
- name: Test if is executable | |
run: test -x ./chisel | |
- name: Test if binary has the right machine architecture | |
run: | | |
[ "$(readelf -h chisel | grep 'Machine:' | awk -F' ' '{print $NF}')" == "${{ matrix.machine_arch }}" ] | |
- name: Create archive | |
id: archive | |
env: | |
GOOS: "linux" | |
GOARCH: ${{ matrix.arch }} | |
CHISEL_VERSION: ${{ steps.build.outputs.CHISEL_VERSION }} | |
run: | | |
ARCHIVE_FILE=chisel_${CHISEL_VERSION}_${GOOS}_${GOARCH}.tar.gz | |
ARCHIVE_FILE_SHA384="${ARCHIVE_FILE}.sha384" | |
echo "Creating archive $ARCHIVE_FILE" | |
mkdir -p dist/ | |
cp chisel LICENSE README.md dist/ | |
find dist -printf "%P\n" | tar -czf $ARCHIVE_FILE --no-recursion -C dist -T - | |
sha384sum "${ARCHIVE_FILE}" > "${ARCHIVE_FILE_SHA384}" | |
# Share variables with subsequent steps | |
echo "ARCHIVE_FILE=${ARCHIVE_FILE}" >>$GITHUB_OUTPUT | |
echo "ARCHIVE_FILE_SHA384=${ARCHIVE_FILE_SHA384}" >>$GITHUB_OUTPUT | |
- name: Upload archive as Actions artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ steps.archive.outputs.ARCHIVE_FILE }} | |
path: | | |
${{ steps.archive.outputs.ARCHIVE_FILE }} | |
${{ steps.archive.outputs.ARCHIVE_FILE_SHA384 }} | |
- name: Upload archive to release | |
env: | |
CHISEL_VERSION: ${{ steps.build.outputs.CHISEL_VERSION }} | |
ARCHIVE_FILE: ${{ steps.archive.outputs.ARCHIVE_FILE }} | |
ARCHIVE_FILE_SHA384: ${{ steps.archive.outputs.ARCHIVE_FILE_SHA384 }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
if: ${{ github.event_name == 'release' }} | |
run: | | |
echo "Uploading $ARCHIVE_FILE to release $CHISEL_VERSION" | |
gh release upload $CHISEL_VERSION $ARCHIVE_FILE | |
gh release upload $CHISEL_VERSION $ARCHIVE_FILE_SHA384 |