-
Notifications
You must be signed in to change notification settings - Fork 0
124 lines (111 loc) · 4.72 KB
/
ci.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
name: ci
# Only build and release when a tag is pushed with a version number like 1.2.3
on:
push:
tags:
- '[0-9].[0-9].[0-9]'
jobs:
build:
name: build and release
# https://github.com/actions/runner-images
runs-on: ubuntu-24.04
# Required for `attest-build-provenance`, `attest-sbom`, `run-on-arch-action`, and `action-gh-release`
permissions:
id-token: write # `attest-build-provenance` requires `write`
contents: write # `action-gh-release` requires `write`, `attest-sbom` requires `read`
attestations: write # `attest-build-provenance` requires `write`
packages: write # `run-on-arch-action` requires `write` for container caching
steps:
# Clone repository
- name: Checkout
# https://github.com/actions/checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
# Overwrite the placeholder version number in Cargo.toml with the commit tag
- name: Set version
run: |
sed -i "/^version /s/=.*$/= \"${GITHUB_REF_NAME}\"/" Cargo.toml
# Build for AMD64
- name: Standard x86 build (x86_64/amd64)
# https://github.com/uraimo/run-on-arch-action
uses: uraimo/run-on-arch-action@v2
with:
# Use a container with glibc 2.17
base_image: quay.io/pypa/manylinux2014_x86_64
# Mount the working directory as /libnss_shim in the container, and run commands there
dockerRunArgs: |
--volume "${PWD}:/libnss_shim"
-w "/libnss_shim"
# Speeds up builds, intermediate containers are cached publicly
githubToken: ${{ github.token }}
# Preinstall dependencies to be cached in the container for reuse
install: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
. "$HOME/.cargo/env"
cargo install --version 2.2.0 cargo-deb
cargo install --version 0.14.0 cargo-generate-rpm
run: |
. "$HOME/.cargo/env"
bash build.sh --install_rust=false --install_cargo_deps=false
- uses: uraimo/run-on-arch-action@v2
# Build for arm64/aarch64 by emulating in QEMU
name: QEMU ARM build (arm64/aarch64)
with:
# https://github.com/pypa/manylinux
base_image: quay.io/pypa/manylinux2014_aarch64
dockerRunArgs: |
--volume "${PWD}:/libnss_shim"
-w "/libnss_shim"
githubToken: ${{ github.token }}
install: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
. "$HOME/.cargo/env"
cargo install --version 2.2.0 cargo-deb
cargo install --version 0.14.0 cargo-generate-rpm
run: |
. "$HOME/.cargo/env"
bash build.sh --install_rust=false --install_cargo_deps=false
# Generate artifact attestations to establish provenance for builds
- name: Generate binary attestation
# https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
uses: actions/attest-build-provenance@v1
with:
subject-path: |
target/debian/*_amd64.deb
target/debian/*_arm64.deb
target/generate-rpm/*.x86_64.rpm
target/generate-rpm/*.aarch64.rpm
- name: Generate SBOM
# https://github.com/marketplace/actions/anchore-sbom-action
uses: anchore/sbom-action@v0
with:
output-file: '${{ github.workspace }}/sbom.spdx.json'
artifact-name: sbom.spdx.json
- name: Generate SBOM attestation for deb packages
# https://github.com/actions/attest-sbom
uses: actions/attest-sbom@v1
with:
subject-path: 'target/debian/*.deb'
sbom-path: '${{ github.workspace }}/sbom.spdx.json'
- name: Generate SBOM attestation for RPM packages
uses: actions/attest-sbom@v1
with:
subject-path: 'target/generate-rpm/*.rpm'
sbom-path: '${{ github.workspace }}/sbom.spdx.json'
# Publish GitHub release
- name: Release
# https://github.com/softprops/action-gh-release
uses: softprops/action-gh-release@v2
# Presumably redundant due to the `on: push: tags:` filter, but kept for safety
if: startsWith(github.ref, 'refs/tags/')
with:
# Add the release notes from the changelog file
body_path: ${{github.workspace}}/changelog/CHANGELOG.txt
fail_on_unmatched_files: true
files: |
sbom.spdx.json
target/debian/*_amd64.deb
target/debian/*_arm64.deb
target/generate-rpm/*.x86_64.rpm
target/generate-rpm/*.aarch64.rpm