.github/workflows/release-draft-binaries.yml

ci: use cross docker image that supports openssl for musl arch #30

Workflow file for this run

.github/workflows/release-draft-binaries.yml at e4b64bd

	name: Create Draft Release

	on:
	workflow_dispatch:
	inputs:
	git_tag:
	description: Git Tag To Release From. Last Git Tag Is Used If Omitted
	required: false
	release_branch:
	description: Release Branch Where Recent Bump Occurred
	required: true

	permissions:
	contents: read

	defaults:
	run:
	shell: bash

	jobs:
	create_release:
	permissions:
	contents: write

	name: Initiate Draft Release
	runs-on: ubuntu-20.04
	environment: release
	outputs:
	upload_url: ${{ steps.release_upload_url.outputs.upload_url }}
	tag_name: ${{ steps.release_version.outputs.tag_name }}
	steps:
	- name: Checkout Ockam
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
	with:
	fetch-depth: 0
	ref: ${{ github.event.inputs.release_branch }}

	- name: Import GPG key
	uses: build-trust/.github/actions/import_gpg@ae127cb92387ed76f24d4d1c6d6bfc2d382f7946
	with:
	gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}'
	gpg_password: '${{ secrets.GPG_PASSPHRASE }}'
	gpg_name: '${{ secrets.GPG_USER_NAME }}'
	gpg_email: '${{ secrets.GPG_EMAIL }}'

	- name: Get Release Text
	id: release_version
	env:
	GIT_TAG: '${{ github.event.inputs.git_tag }}'
	run: \|
	cargo install tomlq
	set -x
	source tools/scripts/release/crates-to-publish.sh

	# Add Ockam as first crate
	ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
	name=$(eval "tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml")

	text="Ockam $ockam_version"


	text="$text

	# Homebrew

	To install this release using Homebrew:

	\`\`\`bash
	$ brew install build-trust/ockam/ockam
	\`\`\`"

	# Install Docker image
	text="$text

	# Docker

	To use the Docker OCI package:

	\`\`\`bash
	docker pull ghcr.io/build-trust/ockam:$ockam_version
	\`\`\`"

	text="$text

	# Precompiled Binaries

	\`\`\`bash
	# download sha256sums.txt
	curl --proto '=https' --tlsv1.2 -sSfL -O \\
	https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt

	# download sha256sums.txt.sig
	curl --proto '=https' --tlsv1.2 -sSfL -O \\
	https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt.sig

	# download our release public key
	curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \\
	https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub

	# verify signatures
	cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt

	# download ockam command binary for your architecture
	curl --proto '=https' --tlsv1.2 -sSfL -O \\
	https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/ockam.x86_64-unknown-linux-gnu

	# verify that the sha256 hash of the downloaded binary is the same as
	# the corresponding hash mentioned in sha256sums.txt
	cat sha256sums.txt \| grep ockam.x86_64-unknown-linux-gnu \| sha256sum -c

	# rename the download binary and give it permission to execute
	mv ockam.x86_64-unknown-linux-gnu ockam
	chmod u+x ockam
	\`\`\`"

	text="$text

	# Rust Crates

	To use Ockam as a Rust library, run the following command within your project directory:

	\`\`\`bash
	cargo add ockam@$ockam_version
	\`\`\`

	The following crates were published as part of this release:
	- \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \
	[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"

	for crate in ${updated_crates[@]}; do
	version=$(eval "tomlq package.version -f $crate/Cargo.toml")
	name=$(eval "tomlq package.name -f $crate/Cargo.toml")

	if [[ $name == "ockam" ]]; then
	echo "Skipping ockam crate"
	continue
	fi

	text="$text
	- \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \
	[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))";
	done

	echo "version=$ockam_version" >> $GITHUB_OUTPUT
	echo "tag_name=ockam_v$ockam_version" >> $GITHUB_OUTPUT

	echo "$text" > release_note.md
	cat release_note.md

	# Add tag
	git tag -s ockam_v$ockam_version -m "Ockam Release"
	git push --tags

	- name: Create GitHub release
	id: release_upload_url
	uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	release_name: 'Ockam v${{ steps.release_version.outputs.version }}'
	tag_name: '${{ steps.release_version.outputs.tag_name }}'
	body_path: 'release_note.md'
	prerelease: true

	- name: Echo Link
	run: echo "${{ steps.release_upload_url.outputs.html_url }}"


	build_release:
	name: Build Binaries
	needs: create_release
	environment: release
	env:
	DEVELOPMENT_TEAM: ${{ vars.DEVELOPMENT_TEAM }}
	PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_SPECIFIER }}
	CODE_SIGN_IDENTITY: ${{ vars.CODE_SIGN_IDENTITY }}
	NOTARIZATION_EMAIL: ${{ vars.NOTARIZATION_EMAIL }}
	NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
	permissions:
	contents: write

	strategy:
	fail-fast: false
	matrix:
	build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86]
	include:
	- build: linux_arm64
	os: ubuntu-22.04
	toolchain: stable
	target: aarch64-unknown-linux-musl
	build_app: false
	use-cross-build: true
	- build: linux_armv7
	os: ubuntu-22.04
	toolchain: stable
	target: armv7-unknown-linux-musleabihf
	use-cross-build: true
	build_app: false
	- build: linux_86
	os: ubuntu-22.04
	toolchain: stable
	target: x86_64-unknown-linux-musl
	use-cross-build: true
	build_app: false
	- build: linux_86_gnu
	os: ubuntu-22.04
	toolchain: stable
	target: x86_64-unknown-linux-gnu
	use-cross-build: false
	build_app: true
	build_command: false
	- build: macos_silicon
	os: macos-14
	toolchain: stable
	target: aarch64-apple-darwin
	use-cross-build: false
	build_app: true
	- build: macos_86
	os: macos-14
	toolchain: stable
	target: x86_64-apple-darwin
	use-cross-build: false
	build_app: true
	runs-on: ${{ matrix.os }}
	steps:
	- name: Checkout repository
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
	with:
	ref: ${{ github.event.inputs.release_branch }}

	- name: Echo Link
	run: echo "${{ needs.create_release.outputs.upload_url }}"

	- name: Apple Signing Initialization
	if: ${{ matrix.os == 'macos-14' }}
	shell: bash
	env:
	BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
	P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
	BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
	KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
	run: \|
	set -ex
	# Switch to xcode 15
	sudo xcode-select --switch /Applications/Xcode_15.0.app/

	# create variables
	CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
	PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

	# import certificate and provisioning profile from secrets
	echo -n "$BUILD_CERTIFICATE_BASE64" \| base64 --decode -o $CERTIFICATE_PATH
	echo -n "$BUILD_PROVISION_PROFILE_BASE64" \| base64 --decode -o $PP_PATH

	# create temporary keychain
	security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	# import certificate to keychain
	security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security list-keychain -d user -s $KEYCHAIN_PATH

	# apply provisioning profile
	mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
	cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles

	# Add keychain path to env
	echo "KEYCHAIN_PATH=${KEYCHAIN_PATH}" >> "$GITHUB_ENV"

	- uses: ./.github/actions/build_binaries
	with:
	use_cross_build: ${{ matrix.use-cross-build }}
	toolchain: ${{ matrix.toolchain }}
	target: ${{ matrix.target }}
	platform_operating_system: ${{ matrix.os }}
	build_app: ${{ matrix.build_app }}

	- name: Copy Artifacts
	run: \|
	set -x

	cp target/${{ matrix.target }}/release/ockam_command ockam.${{ matrix.target }}
	echo "ASSET_OCKAM_CLI=ockam.${{ matrix.target }}" >> $GITHUB_ENV
	if [ -e "implementations/swift/build/Ockam.dmg" ]; then
	cp "implementations/swift/build/Ockam.dmg" "ockam.app.${{ matrix.target }}.dmg"
	echo "ASSET_OCKAM_APP_DMG=ockam.app.${{ matrix.target }}.dmg" >> $GITHUB_ENV
	fi
	ls $GITHUB_WORKSPACE

	- name: Install Cosign
	uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
	with:
Check failure on line 294 in .github/workflows/release-draft-binaries.yml View workflow run for this annotation GitHub Actions / .github/workflows/release-draft-binaries.yml Invalid workflow file `You have an error in your yaml syntax on line 294`
	cosign-release: 'v2.0.0'

	- name: Sign Binaries
	env:
	PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
	COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
	run: \|
	cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_CLI }}" > "${{ env.ASSET_OCKAM_CLI }}.sig"
	if [ -n "${{ env.ASSET_OCKAM_APP_DMG }}" ]; then
	cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_APP_DMG }}" > "${{ env.ASSET_OCKAM_APP_DMG }}.sig"
	fi

	- name: Upload CLI release archive
	uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ needs.create_release.outputs.upload_url }}
	asset_path: ${{ env.ASSET_OCKAM_CLI }}
	asset_name: ${{ env.ASSET_OCKAM_CLI }}
	asset_content_type: application/octet-stream

	- name: Upload CLI Signature
	uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ needs.create_release.outputs.upload_url }}
	asset_path: ${{ env.ASSET_OCKAM_CLI }}.sig
	asset_name: ${{ env.ASSET_OCKAM_CLI }}.sig
	asset_content_type: application/octet-stream

	- name: Upload MacOS App release
	uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
	if: ${{ env.ASSET_OCKAM_APP_DMG }}
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ needs.create_release.outputs.upload_url }}
	asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}
	asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}
	asset_content_type: application/octet-stream

	- name: Upload MacOS App release Signature
	uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
	if: ${{ env.ASSET_OCKAM_APP_DMG }}
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ needs.create_release.outputs.upload_url }}
	asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
	asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
	asset_content_type: application/octet-stream


	build_elixir_nifs:
	name: Build Elixir NIFs
	needs: create_release
	environment: release
	permissions:
	contents: write

	strategy:
	fail-fast: false
	matrix:
	job:
	- {target: aarch64-unknown-linux-gnu , os: ubuntu-20.04 , use-cross: true}
	- {target: x86_64-unknown-linux-gnu , os: ubuntu-20.04}
	- {target: aarch64-apple-darwin , os: macos-14}
	- {target: x86_64-apple-darwin , os: macos-14}

	runs-on: ${{ matrix.job.os }}
	steps:
	- name: Checkout repository
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
	with:
	ref: ${{ github.event.inputs.release_branch }}

	- name: Install Rust toolchain
	run: \|
	# This will allow us update to rust version indicated in our rust-toolchain.toml file
	rustup show
	rustup target add ${{ matrix.job.target }}

	- name: Install Cross
	if: matrix.job.use-cross == true
	run: cargo install --version 0.2.5 cross

	- name: Build NIFs
	run: \|
	set -ex

	if [[ '${{ matrix.job.use-cross }}' == 'true' ]]; then
	cross build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release
	exit
	fi

	rustup target add ${{ matrix.job.target }}
	cargo build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release

	- name: List
	run: \|
	ls target/${{ matrix.job.target }}/release/

	- name: Rename Build
	run: \|
	cargo install tomlq
	ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")

	final_name="libockam_rust_elixir_nifs-v${ockam_version}-nif-2.15-${{ matrix.job.target }}.so"
	if [[ "${{ matrix.job.target }}" == "darwin" ]]; then
	cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.dylib "$final_name"
	else
	cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.so "$final_name"
	fi

	tar -zcvf "${final_name}.tar.gz" "$final_name"
	echo "FILE_NAME=${final_name}.tar.gz" >> $GITHUB_ENV

	- name: Install Cosign
	uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
	with:
	cosign-release: 'v2.0.0'

	- name: Sign NIFs
	env:
	PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
	COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
	run: \|
	cosign sign-blob --yes --key env://PRIVATE_KEY ${{ env.FILE_NAME }} > "${{ env.FILE_NAME }}.sig"

	- name: Upload Library
	uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ needs.create_release.outputs.upload_url }}
	asset_path: "${{ env.FILE_NAME }}"
	asset_name: "${{ env.FILE_NAME }}"
	asset_content_type: application/octet-stream

	- name: Upload Signature
	uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ needs.create_release.outputs.upload_url }}
	asset_path: ${{ env.FILE_NAME }}.sig
	asset_name: ${{ env.FILE_NAME }}.sig
	asset_content_type: application/octet-stream

	sign_release:
	name: Sign All Assets
	needs: [build_release, create_release, build_elixir_nifs]
	runs-on: ubuntu-20.04
	environment: release
	permissions:
	contents: write

	steps:
	- name: Fetch All Assets
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: gh release download ${{ needs.create_release.outputs.tag_name }} -R ${{ github.repository_owner }}/ockam

	- name: Generate File SHASum
	run: shasum -a 256 ockam > sha256sums.txt

	- name: Install Cosign
	uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
	with:
	cosign-release: 'v2.0.0'

	- name: Sign Files
	env:
	PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
	COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
	run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig

	- name: Upload SHASum File
	uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ needs.create_release.outputs.upload_url }}
	asset_path: sha256sums.txt
	asset_name: sha256sums.txt
	asset_content_type: application/octet-stream

	- name: Upload SHASum Signature File
	uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ needs.create_release.outputs.upload_url }}
	asset_path: sha256sums.txt.sig
	asset_name: sha256sums.txt.sig
	asset_content_type: application/octet-stream

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: use cross docker image that supports openssl for musl arch #30

Workflow file

ci: use cross docker image that supports openssl for musl arch #30

Jobs

Run details

Workflow file for this run

GitHub Actions / .github/workflows/release-draft-binaries.yml