-
-
Notifications
You must be signed in to change notification settings - Fork 563
492 lines (408 loc) · 17.2 KB
/
release-draft-binaries.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
name: Create Draft Release
on:
workflow_dispatch:
inputs:
git_tag:
description: Git Tag To Release From. Last Git Tag Is Used If Omitted
required: false
release_branch:
description: Release Branch Where Recent Bump Occurred
required: true
permissions:
contents: read
defaults:
run:
shell: bash
jobs:
create_release:
permissions:
contents: write
name: Initiate Draft Release
runs-on: ubuntu-20.04
environment: release
outputs:
upload_url: ${{ steps.release_upload_url.outputs.upload_url }}
tag_name: ${{ steps.release_version.outputs.tag_name }}
steps:
- name: Checkout Ockam
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 0
ref: ${{ github.event.inputs.release_branch }}
- name: Import GPG key
uses: build-trust/.github/actions/import_gpg@a6377d3c2dac878b92a0da26cdf3da2856c64840
with:
gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}'
gpg_password: '${{ secrets.GPG_PASSPHRASE }}'
gpg_name: '${{ secrets.GPG_USER_NAME }}'
gpg_email: '${{ secrets.GPG_EMAIL }}'
- name: Get Release Text
id: release_version
env:
GIT_TAG: '${{ github.event.inputs.git_tag }}'
run: |
cargo install tomlq
set -x
source tools/scripts/release/crates-to-publish.sh
# Add Ockam as first crate
ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
name=$(eval "tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml")
text="Ockam $ockam_version"
text="$text
# Homebrew
To install this release using Homebrew:
\`\`\`bash
$ brew install build-trust/ockam/ockam
\`\`\`"
# Install Docker image
text="$text
# Docker
To use the Docker OCI package:
\`\`\`bash
docker pull ghcr.io/build-trust/ockam:$ockam_version
\`\`\`"
text="$text
# Precompiled Binaries
\`\`\`bash
# download sha256sums.txt
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt
# download sha256sums.txt.sig
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt.sig
# download our release public key
curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \\
https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub
# verify signatures
cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt
# download ockam command binary for your architecture
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/ockam.x86_64-unknown-linux-gnu
# verify that the sha256 hash of the downloaded binary is the same as
# the corresponding hash mentioned in sha256sums.txt
cat sha256sums.txt | grep ockam.x86_64-unknown-linux-gnu | sha256sum -c
# rename the download binary and give it permission to execute
mv ockam.x86_64-unknown-linux-gnu ockam
chmod u+x ockam
\`\`\`"
text="$text
# Rust Crates
To use Ockam as a Rust library, run the following command within your project directory:
\`\`\`bash
cargo add ockam@$ockam_version
\`\`\`
The following crates were published as part of this release:
- \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"
for crate in ${updated_crates[@]}; do
version=$(eval "tomlq package.version -f $crate/Cargo.toml")
name=$(eval "tomlq package.name -f $crate/Cargo.toml")
if [[ $name == "ockam" ]]; then
echo "Skipping ockam crate"
continue
fi
text="$text
- \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))";
done
echo "version=$ockam_version" >> $GITHUB_OUTPUT
echo "tag_name=ockam_v$ockam_version" >> $GITHUB_OUTPUT
echo "$text" > release_note.md
cat release_note.md
# Add tag
git tag -s ockam_v$ockam_version -m "Ockam Release"
git push --tags
- name: Create GitHub release
id: release_upload_url
uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_name: 'Ockam v${{ steps.release_version.outputs.version }}'
tag_name: '${{ steps.release_version.outputs.tag_name }}'
body_path: 'release_note.md'
draft: true
- name: Echo Link
run: echo "${{ steps.release_upload_url.outputs.html_url }}"
build_release:
name: Build Binaries
needs: create_release
environment: release
env:
DEVELOPMENT_TEAM: ${{ vars.DEVELOPMENT_TEAM }}
PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_SPECIFIER }}
CODE_SIGN_IDENTITY: ${{ vars.CODE_SIGN_IDENTITY }}
NOTARIZATION_EMAIL: ${{ vars.NOTARIZATION_EMAIL }}
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
permissions:
contents: write
strategy:
fail-fast: false
matrix:
build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86]
include:
- build: linux_arm64
os: ubuntu-20.04
toolchain: stable
target: aarch64-unknown-linux-musl
build_app: false
use-cross-build: true
- build: linux_armv7
os: ubuntu-20.04
toolchain: stable
target: armv7-unknown-linux-musleabihf
use-cross-build: true
build_app: false
- build: linux_86
os: ubuntu-20.04
toolchain: stable
target: x86_64-unknown-linux-musl
use-cross-build: true
build_app: false
- build: linux_86_gnu
os: ubuntu-22.04
toolchain: stable
target: x86_64-unknown-linux-gnu
use-cross-build: false
build_app: true
build_command: false
- build: macos_silicon
os: macos-13
toolchain: stable
target: aarch64-apple-darwin
use-cross-build: false
build_app: true
- build: macos_86
os: macos-13
toolchain: stable
target: x86_64-apple-darwin
use-cross-build: false
build_app: true
runs-on: ${{ matrix.os }}
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
ref: ${{ github.event.inputs.release_branch }}
- name: Echo Link
run: echo "${{ needs.create_release.outputs.upload_url }}"
- name: Apple Signing Initialization
if: ${{ matrix.os == 'macos-13' }}
shell: bash
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
set -ex
# Switch to xcode 15
sudo xcode-select --switch /Applications/Xcode_15.0.app/
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# apply provisioning profile
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
# Add keychain path to env
echo "KEYCHAIN_PATH=${KEYCHAIN_PATH}" >> "$GITHUB_ENV"
- uses: ./.github/actions/build_binaries
with:
use_cross_build: ${{ matrix.use-cross-build }}
toolchain: ${{ matrix.toolchain }}
target: ${{ matrix.target }}
platform_operating_system: ${{ matrix.os }}
build_app: ${{ matrix.build_app }}
- name: Copy Artifacts
run: |
set -x
cp target/${{ matrix.target }}/release/ockam_command ockam.${{ matrix.target }}
echo "ASSET_OCKAM_CLI=ockam.${{ matrix.target }}" >> $GITHUB_ENV
if [ -e "implementations/swift/build/Ockam.dmg" ]; then
cp "implementations/swift/build/Ockam.dmg" "ockam.app.${{ matrix.target }}.dmg"
echo "ASSET_OCKAM_APP_DMG=ockam.app.${{ matrix.target }}.dmg" >> $GITHUB_ENV
fi
ls $GITHUB_WORKSPACE
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.0.0'
- name: Sign Binaries
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: |
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_CLI }}" > "${{ env.ASSET_OCKAM_CLI }}.sig"
if [ -n "${{ env.ASSET_OCKAM_APP_DMG }}" ]; then
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_APP_DMG }}" > "${{ env.ASSET_OCKAM_APP_DMG }}.sig"
fi
- name: Upload CLI release archive
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}
asset_name: ${{ env.ASSET_OCKAM_CLI }}
asset_content_type: application/octet-stream
- name: Upload CLI Signature
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_name: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_content_type: application/octet-stream
- name: Upload MacOS App release
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
if: ${{ env.ASSET_OCKAM_APP_DMG }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}
asset_content_type: application/octet-stream
- name: Upload MacOS App release Signature
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
if: ${{ env.ASSET_OCKAM_APP_DMG }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
asset_content_type: application/octet-stream
build_elixir_nifs:
name: Build Elixir NIFs
needs: create_release
environment: release
permissions:
contents: write
strategy:
fail-fast: false
matrix:
job:
- { target: aarch64-unknown-linux-gnu , os: ubuntu-20.04 , use-cross: true }
- { target: x86_64-unknown-linux-gnu , os: ubuntu-20.04 }
- { target: aarch64-apple-darwin , os: macos-14 }
- { target: x86_64-apple-darwin , os: macos-14 }
runs-on: ${{ matrix.job.os }}
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
ref: ${{ github.event.inputs.release_branch }}
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
toolchain: stable
target: ${{ matrix.job.target }}
- name: Install Cross
if: matrix.job.use-cross == true
run: cargo install --version 0.2.4 cross
- name: Build NIFs
run: |
set -ex
if [[ '${{ matrix.job.use-cross }}' == 'true' ]]; then
cross build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release
exit
fi
rustup target add ${{ matrix.job.target }}
cargo build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release
- name: List
run: |
ls target/${{ matrix.job.target }}/release/
- name: Rename Build
run: |
cargo install tomlq
ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
final_name="libockam_rust_elixir_nifs-v${ockam_version}-nif-2.15-${{ matrix.job.target }}.so"
if [[ "${{ matrix.job.target }}" == *"darwin"* ]]; then
cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.dylib "$final_name"
else
cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.so "$final_name"
fi
tar -zcvf "${final_name}.tar.gz" "$final_name"
echo "FILE_NAME=${final_name}.tar.gz" >> $GITHUB_ENV
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.0.0'
- name: Sign NIFs
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: |
cosign sign-blob --yes --key env://PRIVATE_KEY ${{ env.FILE_NAME }} > "${{ env.FILE_NAME }}.sig"
- name: Upload Library
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: "${{ env.FILE_NAME }}"
asset_name: "${{ env.FILE_NAME }}"
asset_content_type: application/octet-stream
- name: Upload Signature
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.FILE_NAME }}.sig
asset_name: ${{ env.FILE_NAME }}.sig
asset_content_type: application/octet-stream
sign_release:
name: Sign All Assets
needs: [build_release, create_release, build_elixir_nifs]
runs-on: ubuntu-20.04
environment: release
permissions:
contents: write
steps:
- name: Fetch All Assets
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release download ${{ needs.create_release.outputs.tag_name }} -R ${{ github.repository_owner }}/ockam
- name: Generate File SHASum
run: shasum -a 256 .* > sha256sums.txt
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.0.0'
- name: Sign Files
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig
- name: Upload SHASum File
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt
asset_name: sha256sums.txt
asset_content_type: application/octet-stream
- name: Upload SHASum Signature File
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt.sig
asset_name: sha256sums.txt.sig
asset_content_type: application/octet-stream