Skip to content

fix(intel): gate BufWriter import to unix — Windows all-features clippy #6

fix(intel): gate BufWriter import to unix — Windows all-features clippy

fix(intel): gate BufWriter import to unix — Windows all-features clippy #6

Workflow file for this run

name: release
on:
push:
tags: ["v*"]
# Least privilege per job; the container job adds packages + id-token.
permissions:
contents: read
jobs:
binaries:
permissions:
contents: write
strategy:
fail-fast: false
matrix:
include:
- target: x86_64-unknown-linux-gnu
os: ubuntu-latest
- target: x86_64-unknown-linux-musl
os: ubuntu-latest
- target: aarch64-apple-darwin
os: macos-latest
- target: x86_64-pc-windows-msvc
os: windows-latest
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}
- if: contains(matrix.target, 'musl')
run: sudo apt-get update && sudo apt-get install -y musl-tools
- uses: Swatinem/rust-cache@v2
- run: cargo build --release -p agentd --target ${{ matrix.target }}
- name: Package
shell: bash
run: |
bin=agentd
[[ "${{ matrix.target }}" == *windows* ]] && bin=agentd.exe
mkdir -p dist
cp "target/${{ matrix.target }}/release/$bin" dist/
cd dist
if [[ "${{ matrix.target }}" == *windows* ]]; then
7z a "agentd-${{ github.ref_name }}-${{ matrix.target }}.zip" "$bin"
else
tar czf "agentd-${{ github.ref_name }}-${{ matrix.target }}.tar.gz" "$bin"
fi
rm "$bin"
- uses: softprops/action-gh-release@v2
with:
files: dist/*
linux-packages:
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- run: cargo install cargo-deb cargo-generate-rpm
- run: cargo build --release -p agentd
- run: cargo deb -p agentd --no-build
- run: cargo generate-rpm -p crates/agentd
- uses: softprops/action-gh-release@v2
with:
files: |
target/debian/*.deb
target/generate-rpm/*.rpm
# Aggregate SHA256 checksums over every release artifact, after the
# binaries + packages are uploaded. One SHA256SUMS file to verify them.
checksums:
needs: [binaries, linux-packages]
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Download release assets
env:
GH_TOKEN: ${{ github.token }}
run: |
mkdir -p dist && cd dist
gh release download "${{ github.ref_name }}" \
--repo "${{ github.repository }}" \
--pattern 'agentd-*' --pattern '*.deb' --pattern '*.rpm'
sha256sum * > SHA256SUMS
cat SHA256SUMS
- uses: softprops/action-gh-release@v2
with:
files: dist/SHA256SUMS
# Multi-arch distroless image → GHCR, cosign-signed (keyless OIDC) with
# an SPDX SBOM attestation. See docs/operations.md §8.4.
container:
permissions:
contents: read
packages: write
id-token: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/agentd-dev/agentd
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=raw,value=latest
- id: build
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- uses: sigstore/cosign-installer@v3
- name: Sign image (keyless)
env:
DIGEST: ${{ steps.build.outputs.digest }}
run: cosign sign --yes "ghcr.io/agentd-dev/agentd@${DIGEST}"
- name: Generate SPDX SBOM
uses: anchore/sbom-action@v0
with:
image: ghcr.io/agentd-dev/agentd@${{ steps.build.outputs.digest }}
format: spdx-json
output-file: sbom.spdx.json
# We attest the SBOM to the image with cosign (next step); we
# don't attach it to the GitHub Release, which would need
# `contents: write` this least-privilege job deliberately omits.
upload-release-assets: false
- name: Attest SBOM
env:
DIGEST: ${{ steps.build.outputs.digest }}
run: cosign attest --yes --predicate sbom.spdx.json --type spdxjson "ghcr.io/agentd-dev/agentd@${DIGEST}"