-
Notifications
You must be signed in to change notification settings - Fork 1
109 lines (93 loc) · 3.65 KB
/
Copy pathrelease.yml
File metadata and controls
109 lines (93 loc) · 3.65 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
name: Release
on:
push:
tags: ["v*"]
permissions:
contents: write
# For build-provenance attestation of the published binaries (verifiable with
# `gh attestation verify <asset> --repo outputlayer/rwa_cli`).
id-token: write
attestations: write
env:
CARGO_TERM_COLOR: always
jobs:
build:
name: Build ${{ matrix.target }}
runs-on: ${{ matrix.os }}
strategy:
matrix:
include:
- target: x86_64-unknown-linux-gnu
os: ubuntu-latest
- target: aarch64-unknown-linux-gnu
os: ubuntu-latest
- target: x86_64-apple-darwin
os: macos-latest
- target: aarch64-apple-darwin
os: macos-latest
- target: x86_64-pc-windows-msvc
os: windows-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
with:
targets: ${{ matrix.target }}
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
with:
key: ${{ matrix.target }}
- name: Install cross-compilation tools
if: matrix.target == 'aarch64-unknown-linux-gnu'
run: |
sudo apt-get update
sudo apt-get install -y gcc-aarch64-linux-gnu
echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc" >> $GITHUB_ENV
- name: Build
# --locked: build against the committed Cargo.lock exactly; never let a
# Cargo.toml drift silently regenerate deps for a published binary.
run: cargo build --release --target ${{ matrix.target }} --locked
- name: Package
shell: bash
run: |
if [[ "${{ matrix.target }}" == *windows* ]]; then
BIN=target/${{ matrix.target }}/release/rwa.exe
ARCHIVE=rwa-${{ matrix.target }}.zip
powershell -Command "Compress-Archive -Path '$BIN' -DestinationPath '$ARCHIVE'"
else
BIN=target/${{ matrix.target }}/release/rwa
ARCHIVE=rwa-${{ matrix.target }}.tar.gz
tar czf "$ARCHIVE" -C "$(dirname "$BIN")" "$(basename "$BIN")"
fi
echo "ARCHIVE=$ARCHIVE" >> $GITHUB_ENV
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: rwa-${{ matrix.target }}
path: ${{ env.ARCHIVE }}
release:
name: Create Release
needs: build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
path: artifacts
- name: Collect archives
run: |
mkdir -p release
find artifacts \( -name '*.tar.gz' -o -name '*.zip' \) -exec mv {} release/ \;
cd release
sha256sum rwa-* > SHA256SUMS.txt
ls -lh
# Build-provenance attestation: signs a statement (via GitHub's OIDC-backed
# Sigstore identity) binding each published archive to this repo+workflow+
# commit. Independent authenticity beyond the same-origin SHA256SUMS —
# verify with `gh attestation verify <asset> --repo outputlayer/rwa_cli`.
- name: Attest build provenance
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
with:
subject-path: 'release/rwa-*.tar.gz, release/rwa-*.zip'
- name: Create GitHub Release
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
with:
generate_release_notes: true
files: release/*