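name: Release

# Runs on a published release or on demand; the release-asset steps below are
# additionally gated on a `v*` tag so a manual run on a branch only builds.
on:  # yamllint disable-line rule:truthy
  release:
    types: [published]
  workflow_dispatch:

# Least privilege at the workflow level; jobs that need more opt in below.
permissions: read-all

jobs:
  build:
    strategy:
      matrix:
        # macos-13 builds x86_64, macos-14 builds arm64.
        os: [macos-13, macos-14]
    runs-on: ${{ matrix.os }}
    outputs:
      artifact-filename-darwin-arm64: ${{ steps.artifact.outputs.artifact-filename-darwin-arm64 }}
      artifact-filename-darwin-x86_64: ${{ steps.artifact.outputs.artifact-filename-darwin-x86_64 }}
      sha256-checksum-darwin-arm64: ${{ steps.checksum.outputs.sha256-checksum-darwin-arm64 }}
      sha256-checksum-darwin-x86_64: ${{ steps.checksum.outputs.sha256-checksum-darwin-x86_64 }}
      sha256-filename-darwin-arm64: ${{ steps.checksum.outputs.sha256-filename-darwin-arm64 }}
      sha256-filename-darwin-x86_64: ${{ steps.checksum.outputs.sha256-filename-darwin-x86_64 }}
    steps:
      # Third-party actions are pinned to a full commit SHA (tag in the comment)
      # so a moved tag cannot change what runs in the release pipeline.
      - name: Checkout repository
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      - name: Install runtime dependencies
        run: brew install popt
      - name: Install test dependencies
        run: brew install cmocka
      - name: Install build tools
        run: brew install just pandoc
      - id: arch
        name: Get machine hardware name
        run: |
          set -euo pipefail
          arch=$(uname -m)
          # Only the two names used in the artifact file names are accepted.
          if [[ "${arch}" != "x86_64" && "${arch}" != "arm64" ]]; then
            echo "Unexpected machine hardware name: ${arch}"
            exit 1
          fi
          echo "name=${arch}" >> "${GITHUB_OUTPUT}"
      - id: artifact
        name: Generate build artifact
        env:
          # Step outputs are passed through env rather than interpolated into
          # the script so their value is never parsed as shell syntax.
          ARCHITECTURE: ${{ steps.arch.outputs.name }}
        run: |
          set -euo pipefail
          just package "${GITHUB_REF_NAME}"
          artifact="flog-${GITHUB_REF_NAME}-darwin-${ARCHITECTURE}.tar.xz"
          # Fail the job here; otherwise a missing artifact is only noticed
          # later by upload-artifact's if-no-files-found check.
          if [[ ! -f "${artifact}" ]]; then
            echo "Failed to generate expected build artifact: ${artifact}"
            exit 1
          fi
          echo "name=${artifact}" >> "${GITHUB_OUTPUT}"
          echo "artifact-filename-darwin-${ARCHITECTURE}=${artifact}" >> "${GITHUB_OUTPUT}"
      - id: checksum
        name: Generate build artifact SHA-256 checksum file
        env:
          ARCHITECTURE: ${{ steps.arch.outputs.name }}
          ARTIFACT_NAME: ${{ steps.artifact.outputs.name }}
        run: |
          set -euo pipefail
          shasum -a 256 "${ARTIFACT_NAME}" > "${ARTIFACT_NAME}.sha256"
          # The checksum line is base64-encoded so it survives as a job output
          # and can be combined into the SLSA subjects list downstream.
          echo "sha256-checksum-darwin-${ARCHITECTURE}=$(base64 < "${ARTIFACT_NAME}.sha256")" >> "${GITHUB_OUTPUT}"
          echo "sha256-filename-darwin-${ARCHITECTURE}=${ARTIFACT_NAME}.sha256" >> "${GITHUB_OUTPUT}"
      - name: Upload build artifact
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: ${{ steps.artifact.outputs.name }}
          path: ${{ steps.artifact.outputs.name }}
          if-no-files-found: error
          retention-days: 7
      - name: Upload SHA-256 checksum file
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: ${{ steps.artifact.outputs.name }}.sha256
          path: ${{ steps.artifact.outputs.name }}.sha256
          if-no-files-found: error
          retention-days: 7

  # Merges the per-architecture checksum lines into the base64 "subjects"
  # document the SLSA generator expects.
  combine-checksums:
    needs: [build]
    runs-on: ubuntu-latest
    outputs:
      checksums: ${{ steps.checksums.outputs.combined }}
    env:
      CHECKSUMS: ${{ toJSON(needs.build.outputs) }}
    steps:
      - id: checksums
        run: |
          set -euo pipefail
          # Keep only the sha256-checksum-* outputs, decode each, drop blanks.
          echo "${CHECKSUMS}" | jq -r 'with_entries(select(.key | match("sha256-checksum-.*-.*")))[] | @base64d' | sed "/^$/d" > checksums.txt
          echo "combined=$(base64 -w0 < checksums.txt)" >> "${GITHUB_OUTPUT}"

  provenance:
    needs: [build, combine-checksums]
    permissions:
      actions: read
      id-token: write
      contents: write
    # NOTE(review): the reusable-workflow reference below is garbled in the
    # source page ("[email protected]"); the workflow file name and a pinned
    # release tag must be restored before this file is used.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # Must specify version tag; see https://github.com/slsa-framework/slsa-verifier/issues/12
    with:
      base64-subjects: ${{ needs.combine-checksums.outputs.checksums }}
      provenance-name: flog-${{ github.ref_name }}.intoto.jsonl
      upload-assets: ${{ startsWith(github.ref, 'refs/tags/v') }}

  release:
    needs: [build, combine-checksums, provenance]
    permissions:
      contents: write
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - name: Download x86_64 build artifact
        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
        with:
          name: ${{ needs.build.outputs.artifact-filename-darwin-x86_64 }}
      - name: Download x86_64 SHA-256 checksum file
        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
        with:
          name: ${{ needs.build.outputs.sha256-filename-darwin-x86_64 }}
      - name: Download arm64 build artifact
        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
        with:
          name: ${{ needs.build.outputs.artifact-filename-darwin-arm64 }}
      - name: Download arm64 SHA-256 checksum file
        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
        with:
          name: ${{ needs.build.outputs.sha256-filename-darwin-arm64 }}
      - name: Install SLSA verifier
        # NOTE(review): action reference garbled in the source page
        # ("[email protected]"); restore the action path and a pinned tag.
        uses: slsa-framework/slsa-verifier/actions/[email protected] # Must specify version tag; see https://github.com/slsa-framework/slsa-verifier/issues/12
      - name: Verify SLSA provenance
        env:
          CHECKSUMS: ${{ needs.combine-checksums.outputs.checksums }}
          PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
        run: |
          set -euo pipefail
          checksums=$(echo "${CHECKSUMS}" | base64 -d)
          # Each line is shasum output: "<digest>  <filename>". Let `read`
          # split on whitespace instead of echo/cut, which relied on unquoted
          # word-splitting to collapse the double space.
          while read -r _ filename; do
            echo "Verifying ${filename}.."
            slsa-verifier verify-artifact \
              --provenance-path "${PROVENANCE}" \
              --source-uri "github.com/${GITHUB_REPOSITORY}" \
              --source-tag "${GITHUB_REF_NAME}" \
              "${filename}"
            echo
          done <<< "${checksums}"
      - name: Upload release assets
        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
        with:
          files: |
            ${{ needs.build.outputs.artifact-filename-darwin-x86_64 }}
            ${{ needs.build.outputs.sha256-filename-darwin-x86_64 }}
            ${{ needs.build.outputs.artifact-filename-darwin-arm64 }}
            ${{ needs.build.outputs.sha256-filename-darwin-arm64 }}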