Create Draft Release #12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Create Draft Release | |
on: | |
workflow_dispatch: | |
inputs: | |
git_tag: | |
description: Git Tag To Release From. Last Git Tag Is Used If Omitted | |
required: false | |
release_branch: | |
description: Release Branch Where Recent Bump Occurred | |
required: true | |
permissions: | |
contents: read | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
create_release: | |
permissions: | |
contents: write | |
name: Initiate Draft Release | |
runs-on: ubuntu-20.04 | |
environment: release | |
outputs: | |
upload_url: ${{ steps.release_upload_url.outputs.upload_url }} | |
tag_name: ${{ steps.release_version.outputs.tag_name }} | |
steps: | |
- name: Checkout Ockam | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.inputs.release_branch }} | |
- name: Import GPG key | |
uses: build-trust/.github/actions/import_gpg@a6377d3c2dac878b92a0da26cdf3da2856c64840 | |
with: | |
gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}' | |
gpg_password: '${{ secrets.GPG_PASSPHRASE }}' | |
gpg_name: '${{ secrets.GPG_USER_NAME }}' | |
gpg_email: '${{ secrets.GPG_EMAIL }}' | |
- name: Get Release Text | |
id: release_version | |
env: | |
GIT_TAG: '${{ github.event.inputs.git_tag }}' | |
run: | | |
cargo install tomlq | |
set -x | |
source tools/scripts/release/crates-to-publish.sh | |
# Add Ockam as first crate | |
ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml") | |
name=$(eval "tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml") | |
text="Ockam $ockam_version" | |
text="$text | |
# Homebrew | |
To install this release using Homebrew: | |
\`\`\`bash | |
$ brew install build-trust/ockam/ockam | |
\`\`\`" | |
# Install Docker image | |
text="$text | |
# Docker | |
To use the Docker OCI package: | |
\`\`\`bash | |
docker pull ghcr.io/build-trust/ockam:$ockam_version | |
\`\`\`" | |
text="$text | |
# Precompiled Binaries | |
\`\`\`bash | |
# download sha256sums.txt | |
curl --proto '=https' --tlsv1.2 -sSfL -O \\ | |
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt | |
# download sha256sums.txt.sig | |
curl --proto '=https' --tlsv1.2 -sSfL -O \\ | |
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt.sig | |
# download our release public key | |
curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \\ | |
https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub | |
# verify signatures | |
cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt | |
# download ockam command binary for your architecture | |
curl --proto '=https' --tlsv1.2 -sSfL -O \\ | |
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/ockam.x86_64-unknown-linux-gnu | |
# verify that the sha256 hash of the downloaded binary is the same as | |
# the corresponding hash mentioned in sha256sums.txt | |
cat sha256sums.txt | grep ockam.x86_64-unknown-linux-gnu | sha256sum -c | |
# rename the download binary and give it permission to execute | |
mv ockam.x86_64-unknown-linux-gnu ockam | |
chmod u+x ockam | |
\`\`\`" | |
text="$text | |
# Terraform | |
To install the [Ockam Terraform Provider](https://registry.terraform.io/providers/build-trust/ockam/$ockam_version), copy and paste this code into your Terraform configuration. Then, run \`terraform init\`. | |
\`\`\` | |
terraform { | |
required_providers { | |
ockam = { | |
source = \"build-trust/ockam\" | |
version = \"$ockam_version\" | |
} | |
} | |
} | |
provider "ockam" {} | |
\`\`\`" | |
text="$text | |
# Rust Crates | |
To use Ockam as a Rust library, run the following command within your project directory: | |
\`\`\`bash | |
cargo add ockam@$ockam_version | |
\`\`\` | |
The following crates were published as part of this release: | |
- \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \ | |
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))" | |
for crate in ${updated_crates[@]}; do | |
version=$(eval "tomlq package.version -f $crate/Cargo.toml") | |
name=$(eval "tomlq package.name -f $crate/Cargo.toml") | |
if [[ $name == "ockam" ]]; then | |
echo "Skipping ockam crate" | |
continue | |
fi | |
text="$text | |
- \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \ | |
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"; | |
done | |
echo "version=$ockam_version" >> $GITHUB_OUTPUT | |
echo "tag_name=ockam_v$ockam_version" >> $GITHUB_OUTPUT | |
echo "$text" > release_note.md | |
cat release_note.md | |
# Add tag | |
git tag -s ockam_v$ockam_version -m "Ockam Release" | |
git push --tags | |
- name: Create GitHub release | |
id: release_upload_url | |
uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_name: 'Ockam v${{ steps.release_version.outputs.version }}' | |
tag_name: '${{ steps.release_version.outputs.tag_name }}' | |
body_path: 'release_note.md' | |
draft: true | |
- name: Echo Link | |
run: echo "${{ steps.release_upload_url.outputs.html_url }}" | |
build_release: | |
name: Build Binaries | |
needs: create_release | |
environment: release | |
env: | |
DEVELOPMENT_TEAM: ${{ vars.DEVELOPMENT_TEAM }} | |
PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_SPECIFIER }} | |
CODE_SIGN_IDENTITY: ${{ vars.CODE_SIGN_IDENTITY }} | |
permissions: | |
contents: write | |
strategy: | |
fail-fast: false | |
matrix: | |
build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86] | |
include: | |
- build: linux_arm64 | |
os: ubuntu-20.04 | |
toolchain: stable | |
target: aarch64-unknown-linux-musl | |
build_app: false | |
use-cross-build: true | |
- build: linux_armv7 | |
os: ubuntu-20.04 | |
toolchain: stable | |
target: armv7-unknown-linux-musleabihf | |
use-cross-build: true | |
build_app: false | |
- build: linux_86 | |
os: ubuntu-20.04 | |
toolchain: stable | |
target: x86_64-unknown-linux-musl | |
use-cross-build: true | |
build_app: false | |
- build: linux_86_gnu | |
os: ubuntu-22.04 | |
toolchain: stable | |
target: x86_64-unknown-linux-gnu | |
use-cross-build: false | |
build_app: true | |
build_command: false | |
- build: macos_silicon | |
os: macos-13 | |
toolchain: stable | |
target: aarch64-apple-darwin | |
use-cross-build: false | |
build_app: true | |
- build: macos_86 | |
os: macos-13 | |
toolchain: stable | |
target: x86_64-apple-darwin | |
use-cross-build: false | |
build_app: true | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
with: | |
ref: ${{ github.event.inputs.release_branch }} | |
- name: Echo Link | |
run: echo "${{ needs.create_release.outputs.upload_url }}" | |
- name: Apple Signing Initialization | |
if: ${{ matrix.os == 'macos-13' }} | |
shell: bash | |
env: | |
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} | |
P12_PASSWORD: ${{ secrets.P12_PASSWORD }} | |
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }} | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
run: | | |
set -ex | |
# Switch to xcode 15 | |
sudo xcode-select --switch /Applications/Xcode_15.0.app/ | |
# create variables | |
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 | |
PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile | |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
# import certificate and provisioning profile from secrets | |
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH | |
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH | |
# create temporary keychain | |
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# import certificate to keychain | |
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security list-keychain -d user -s $KEYCHAIN_PATH | |
# apply provisioning profile | |
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles | |
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles | |
- uses: ./.github/actions/build_binaries | |
with: | |
use_cross_build: ${{ matrix.use-cross-build }} | |
toolchain: ${{ matrix.toolchain }} | |
target: ${{ matrix.target }} | |
platform_operating_system: ${{ matrix.os }} | |
build_app: ${{ matrix.build_app }} | |
- name: Copy Artifacts | |
run: | | |
set -x | |
cp target/${{ matrix.target }}/release/ockam_command ockam.${{ matrix.target }} | |
echo "ASSET_OCKAM_CLI=ockam.${{ matrix.target }}" >> $GITHUB_ENV | |
if [ -e "implementations/swift/build/Ockam.dmg" ]; then | |
cp "implementations/swift/build/Ockam.dmg" "ockam.app.${{ matrix.target }}.dmg" | |
echo "ASSET_OCKAM_APP_DMG=ockam.app.${{ matrix.target }}.dmg" >> $GITHUB_ENV | |
fi | |
ls $GITHUB_WORKSPACE | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 | |
with: | |
cosign-release: 'v2.0.0' | |
- name: Sign Binaries | |
env: | |
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' | |
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}' | |
run: | | |
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_CLI }}" > "${{ env.ASSET_OCKAM_CLI }}.sig" | |
if [ -n "${{ env.ASSET_OCKAM_APP_DMG }}" ]; then | |
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_APP_DMG }}" > "${{ env.ASSET_OCKAM_APP_DMG }}.sig" | |
fi | |
- name: Upload CLI release archive | |
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create_release.outputs.upload_url }} | |
asset_path: ${{ env.ASSET_OCKAM_CLI }} | |
asset_name: ${{ env.ASSET_OCKAM_CLI }} | |
asset_content_type: application/octet-stream | |
- name: Upload CLI Signature | |
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create_release.outputs.upload_url }} | |
asset_path: ${{ env.ASSET_OCKAM_CLI }}.sig | |
asset_name: ${{ env.ASSET_OCKAM_CLI }}.sig | |
asset_content_type: application/octet-stream | |
- name: Upload MacOS App release | |
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
if: ${{ env.ASSET_OCKAM_APP_DMG }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create_release.outputs.upload_url }} | |
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }} | |
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }} | |
asset_content_type: application/octet-stream | |
- name: Upload MacOS App release Signature | |
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
if: ${{ env.ASSET_OCKAM_APP_DMG }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create_release.outputs.upload_url }} | |
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}.sig | |
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}.sig | |
asset_content_type: application/octet-stream | |
# build_elixir_nifs: | |
# name: Build Elixir NIFs | |
# needs: create_release | |
# environment: release | |
# permissions: | |
# contents: write | |
# strategy: | |
# fail-fast: false | |
# matrix: | |
# build: [macos, linux_x86_64, linux_arm] | |
# include: | |
# - build: macos | |
# os: macos-latest | |
# release_path: implementations/elixir/ockam/ockam_vault_software/priv/darwin_universal/native | |
# release_asset_name: ockam.darwin_universal_elixir_ffi.so | |
# - build: linux_x86_64 | |
# os: ubuntu-20.04 | |
# release_path: implementations/elixir/ockam/ockam_vault_software/_build/dev/lib/ockam_vault_software/priv/native | |
# release_asset_name: ockam.linux_x86_64_gnu_elixir_ffi.so | |
# target: x86_64-unknown-linux-musl | |
# container: ghcr.io/build-trust/ockam-builder@sha256:4327749693be365d590cd210ef89729b95488005ecff2c9fe7a0fcd8b4c61f87 | |
# - build: linux_arm | |
# os: ubuntu-20.04 | |
# release_path: implementations/elixir/ockam/ockam_vault_software/_build/dev/lib/ockam_vault_software/priv/native | |
# release_asset_name: ockam.linux_aarch64_gnu_elixir_ffi.so | |
# target: aarch64-unknown-linux-musl | |
# container: ghcr.io/build-trust/ockam-builder@sha256:ef3171446e991d8462e88879a8fc9818d9e02b61a720bf96fb5f845b0cae6100 | |
# runs-on: ${{ matrix.os }} | |
# steps: | |
# - name: Checkout repository | |
# uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
# with: | |
# ref: ${{ github.event.inputs.release_branch }} | |
# - name: Install Rust | |
# uses: actions-rs/toolchain@b3ea035039aa8cb07d1f4a5168b0f8065c4a2eeb | |
# with: | |
# toolchain: stable | |
# profile: minimal | |
# override: true | |
# - name: Install QEMU | |
# if: matrix.build == 'linux_arm' | |
# run: | | |
# sudo apt-get update | |
# sudo apt-get install qemu binfmt-support qemu-user-static | |
# docker run --rm --privileged multiarch/qemu-user-static --reset -p yes | |
# - name: Build Rust Asset | |
# if: matrix.build != 'macos' | |
# run: | | |
# cargo install --version 0.1.16 cross | |
# cross build --release --package ockam-ffi --target ${{ matrix.target }} | |
# rm -rf target/release && mv target/${{ matrix.target }}/release target/ | |
# - name: Build NIF For Linux | |
# if: matrix.build != 'macos' | |
# run: | | |
# docker run --rm --user "$(id -u):$(id -g)" --volume $(pwd):/work ${{ matrix.container }} bash -c \ | |
# "cd implementations/elixir/ockam/ockam_vault_software; mix recompile.native; "; | |
# - name: Build NIF For MacOS | |
# if: matrix.build == 'macos' | |
# working-directory: implementations/elixir/ockam/ockam_vault_software | |
# run: | | |
# set -x | |
# brew install erlang | |
# rustup target add aarch64-apple-darwin | |
# rustup target add x86_64-apple-darwin | |
# ./build-elixir-universal-lib.sh | |
# - name: Install Cosign | |
# uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 | |
# with: | |
# cosign-release: 'v2.0.0' | |
# - name: Sign NIFs | |
# working-directory: ${{ matrix.release_path }} | |
# env: | |
# PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' | |
# COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}' | |
# run: | | |
# cosign sign-blob --yes --key env://PRIVATE_KEY libockam_elixir_ffi.so > libockam_elixir_ffi.so.sig | |
# - name: Upload Library | |
# uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
# env: | |
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# with: | |
# upload_url: ${{ needs.create_release.outputs.upload_url }} | |
# asset_path: ${{ matrix.release_path }}/libockam_elixir_ffi.so | |
# asset_name: ${{ matrix.release_asset_name }} | |
# asset_content_type: application/octet-stream | |
# - name: Upload Signature | |
# uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
# env: | |
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# with: | |
# upload_url: ${{ needs.create_release.outputs.upload_url }} | |
# asset_path: ${{ matrix.release_path }}/libockam_elixir_ffi.so.sig | |
# asset_name: ${{ matrix.release_asset_name }}.sig | |
# asset_content_type: application/octet-stream | |
sign_release: | |
name: Sign All Assets | |
needs: [build_release, create_release] #, build_elixir_nifs] | |
runs-on: ubuntu-20.04 | |
environment: release | |
permissions: | |
contents: write | |
steps: | |
- name: Fetch All Assets | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: gh release download ${{ needs.create_release.outputs.tag_name }} -R ${{ github.repository_owner }}/ockam | |
- name: Generate File SHASum | |
run: shasum -a 256 ockam.* > sha256sums.txt | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 | |
with: | |
cosign-release: 'v2.0.0' | |
- name: Sign Files | |
env: | |
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' | |
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}' | |
run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig | |
- name: Upload SHASum File | |
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create_release.outputs.upload_url }} | |
asset_path: sha256sums.txt | |
asset_name: sha256sums.txt | |
asset_content_type: application/octet-stream | |
- name: Upload SHASum Signature File | |
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create_release.outputs.upload_url }} | |
asset_path: sha256sums.txt.sig | |
asset_name: sha256sums.txt.sig | |
asset_content_type: application/octet-stream |