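# Release workflow: builds the macOS artifacts on both supported
# architectures, records a SHA-256 checksum for each, has the
# slsa-github-generator reusable workflow produce provenance for those
# checksums, verifies that provenance with slsa-verifier, and finally
# attaches the artifacts and checksum files to the GitHub release.
name: Release

on:
  release:
    types: [published]
  workflow_dispatch:

# Every job starts with a read-only token; the jobs that must write
# (provenance upload, release asset upload) widen their scope explicitly.
permissions: read-all

jobs:
  build:
    strategy:
      matrix:
        # One runner per architecture; each matrix leg sets only the
        # outputs for the architecture it detects in the "arch" step.
        os: [macos-13, macos-14]
    runs-on: ${{ matrix.os }}
    # NOTE(review): these outputs are merged across both matrix legs, so the
    # release job relies on a leg's empty value for the *other* architecture
    # not overwriting what that other leg wrote — confirm this still holds if
    # the matrix is extended.
    outputs:
      artifact-filename-darwin-arm64: ${{ steps.artifact.outputs.artifact-filename-darwin-arm64 }}
      artifact-filename-darwin-x86_64: ${{ steps.artifact.outputs.artifact-filename-darwin-x86_64 }}
      sha256-checksum-darwin-arm64: ${{ steps.checksum.outputs.sha256-checksum-darwin-arm64 }}
      sha256-checksum-darwin-x86_64: ${{ steps.checksum.outputs.sha256-checksum-darwin-x86_64 }}
      sha256-filename-darwin-arm64: ${{ steps.checksum.outputs.sha256-filename-darwin-arm64 }}
      sha256-filename-darwin-x86_64: ${{ steps.checksum.outputs.sha256-filename-darwin-x86_64 }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
        with:
          # No later step in this job pushes, so do not leave the job token
          # in .git/config where the brew/just/pandoc tool chain could read it.
          persist-credentials: false
      - name: Install runtime dependencies
        run: brew install popt
      - name: Install test dependencies
        run: brew install cmocka
      - name: Install build tools
        run: brew install just pandoc
      - id: arch
        name: Get machine hardware name
        # Publishes the runner architecture as steps.arch.outputs.name and
        # refuses any value the artifact naming scheme below does not know.
        run: |
          set -euo pipefail
          arch=$(uname -m)
          if [[ "${arch}" != "x86_64" && "${arch}" != "arm64" ]]; then
            echo "Unexpected machine hardware name: ${arch}"
            exit 1
          fi
          echo "name=${arch}" >> "${GITHUB_OUTPUT}"
      - id: artifact
        name: Generate build artifact
        env:
          ARCHITECTURE: ${{ steps.arch.outputs.name }}
        # Step values reach the script only through environment variables;
        # nothing is interpolated with ${{ }} inside the script body.
        run: |
          set -euo pipefail
          just package "${GITHUB_REF_NAME}"
          artifact="flog-${GITHUB_REF_NAME}-darwin-${ARCHITECTURE}.tar.xz"
          # A missing artifact must fail the step here, not only later in
          # upload-artifact, so the cause is visible in this step's log.
          if [[ ! -f "${artifact}" ]]; then
            echo "Failed to generate expected build artifact: ${artifact}"
            exit 1
          fi
          echo "name=${artifact}" >> "${GITHUB_OUTPUT}"
          echo "artifact-filename-darwin-${ARCHITECTURE}=${artifact}" >> "${GITHUB_OUTPUT}"
      - id: checksum
        name: Generate build artifact SHA-256 checksum file
        env:
          ARCHITECTURE: ${{ steps.arch.outputs.name }}
          ARTIFACT_NAME: ${{ steps.artifact.outputs.name }}
        # Writes "<sha256>  <filename>" to <artifact>.sha256 and exposes that
        # line base64-encoded so it survives transport through job outputs.
        run: |
          set -euo pipefail
          shasum -a 256 "${ARTIFACT_NAME}" > "${ARTIFACT_NAME}.sha256"
          echo "sha256-checksum-darwin-${ARCHITECTURE}=$(base64 < "${ARTIFACT_NAME}.sha256")" >> "${GITHUB_OUTPUT}"
          echo "sha256-filename-darwin-${ARCHITECTURE}=${ARTIFACT_NAME}.sha256" >> "${GITHUB_OUTPUT}"
      - name: Upload build artifact
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: ${{ steps.artifact.outputs.name }}
          path: ${{ steps.artifact.outputs.name }}
          if-no-files-found: error
          retention-days: 7
      - name: Upload SHA-256 checksum file
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: ${{ steps.artifact.outputs.name }}.sha256
          path: ${{ steps.artifact.outputs.name }}.sha256
          if-no-files-found: error
          retention-days: 7

  # Collects the per-architecture checksum lines from the build outputs into
  # one base64-encoded "subjects" blob in the format the SLSA generator expects.
  combine-checksums:
    needs: [build]
    runs-on: ubuntu-latest
    outputs:
      checksums: ${{ steps.checksums.outputs.combined }}
    env:
      CHECKSUMS: ${{ toJSON(needs.build.outputs) }}
    steps:
      - id: checksums
        # Only the sha256-checksum-* keys are subjects; each value is decoded
        # and empty lines (unset matrix outputs) are dropped.
        run: |
          set -euo pipefail
          echo "${CHECKSUMS}" | jq -r 'with_entries(select(.key | match("sha256-checksum-.*-.*")))[] | @base64d' | sed "/^$/d" > checksums.txt
          echo "combined=$(base64 -w0 < checksums.txt)" >> "${GITHUB_OUTPUT}"

  # Generates SLSA provenance for the combined subjects. id-token is needed
  # for the generator's keyless signing; contents: write lets it attach the
  # provenance file to the release when upload-assets is true.
  provenance:
    needs: [build, combine-checksums]
    permissions:
      actions: read
      id-token: write
      contents: write
    # NOTE(review): the reusable-workflow reference on the next line reads
    # "[email protected]" in this copy, which is not a valid "<path>@<tag>"
    # reference; restore the pinned workflow path and version tag from the
    # repository before relying on this file.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # Must specify version tag; see https://github.com/slsa-framework/slsa-verifier/issues/12
    with:
      base64-subjects: ${{ needs.combine-checksums.outputs.checksums }}
      provenance-name: flog-${{ github.ref_name }}.intoto.jsonl
      upload-assets: ${{ startsWith(github.ref, 'refs/tags/v') }}

  # Re-downloads every artifact, verifies each one against the provenance
  # before anything is published, then uploads them as release assets.
  release:
    needs: [build, combine-checksums, provenance]
    permissions:
      contents: write
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - name: Download x86_64 build artifact
        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
        with:
          name: ${{ needs.build.outputs.artifact-filename-darwin-x86_64 }}
      - name: Download x86_64 SHA-256 checksum file
        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
        with:
          name: ${{ needs.build.outputs.sha256-filename-darwin-x86_64 }}
      - name: Download arm64 build artifact
        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
        with:
          name: ${{ needs.build.outputs.artifact-filename-darwin-arm64 }}
      - name: Download arm64 SHA-256 checksum file
        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
        with:
          name: ${{ needs.build.outputs.sha256-filename-darwin-arm64 }}
      - name: Install SLSA verifier
        uses: slsa-framework/slsa-verifier/actions/installer@7e1e47d7d793930ab0082c15c2b971fdb53a3c95 # v2.4.1
      - name: Verify SLSA provenance
        env:
          CHECKSUMS: ${{ needs.combine-checksums.outputs.checksums }}
          PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
        # Any verification failure aborts the job (set -e), so no asset is
        # uploaded unless every downloaded artifact matches the provenance.
        run: |
          set -euo pipefail
          checksums=$(echo "${CHECKSUMS}" | base64 -d)
          # Each line is "<sha256>  <filename>" as written by shasum; read
          # splits on that whitespace, so the filename needs no echo/cut.
          while read -r _ filename; do
            echo "Verifying ${filename}.."
            slsa-verifier verify-artifact \
              --provenance-path "${PROVENANCE}" \
              --source-uri "github.com/${GITHUB_REPOSITORY}" \
              --source-tag "${GITHUB_REF_NAME}" \
              "${filename}"
            echo
          done <<< "${checksums}"
      - name: Upload release assets
        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
        with:
          files: |
            ${{ needs.build.outputs.artifact-filename-darwin-x86_64 }}
            ${{ needs.build.outputs.sha256-filename-darwin-x86_64 }}
            ${{ needs.build.outputs.artifact-filename-darwin-arm64 }}
            ${{ needs.build.outputs.sha256-filename-darwin-arm64 }}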