Merge pull request #1492 from atsign-foundation/cpswan_csshnpd_c0.2.1 #23
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: C_Release_Automation | |
| on: | |
| push: | |
| tags: | |
| - "c*.*.*" | |
| workflow_dispatch: | |
| inputs: | |
| native_build_only: | |
| description: "Run non-dockerx builds only" | |
| required: true | |
| default: false | |
| type: boolean | |
| permissions: # added using https://github.com/step-security/secure-repo | |
| contents: read | |
| jobs: | |
| verify_tags: | |
| permissions: | |
| contents: write # Needed to create workflow branch | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Create action branch | |
| run: | | |
| git config --global user.name 'Atsign Robot' | |
| git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com' | |
| git checkout -b c_release-${{github.run_number}} | |
| - name: | |
| Ensure pubspec.yaml matches git ref (if current git ref is a version | |
| tag) | |
| shell: bash | |
| if: startsWith(github.ref, 'refs/tags/c') | |
| working-directory: ./packages/c/sshnpd/include/sshnpd/ | |
| run: | | |
| REF=${{ github.ref }} | |
| VER=${REF:11} | |
| sed -i "0,/#define SSHNPD_VERSION/{s/#define SSHNPD_VERSION \(.*\)/#DEFINE SSHNPD_VERSION "${VER}"/}" version.h | |
| if [ "$(git status --porcelain)" ]; then | |
| git add . | |
| git commit -m 'ci: Updated version to tag' | |
| fi | |
| - name: Push changes to branch | |
| run: git push --set-upstream origin c_release-${{github.run_number}} | |
| native_build: | |
| needs: [verify_tags] | |
| runs-on: ${{ matrix.os }} | |
| defaults: | |
| run: | |
| working-directory: ./packages/c/sshnpd | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: macos-13 | |
| output-name: sshnp-macos-x64 | |
| ext: "" | |
| bundle: "shell" | |
| compiler: "clang" | |
| flags: "-Wno-error -pthread" | |
| - os: macos-14 | |
| output-name: sshnp-macos-arm64 | |
| ext: "" | |
| bundle: "shell" | |
| compiler: "clang" | |
| flags: "-Wno-error -pthread" | |
| # - os: windows-latest | |
| # output-name: sshnp-windows-x64 | |
| # ext: '.exe' | |
| # bundle: 'windows' | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: c_release-${{github.run_number}} | |
| # compile binaries | |
| - run: | | |
| cmake -B build -S . -DBUILD_SHARED_LIBS=off -DCMAKE_C_COMPILER=${{ matrix.compiler }} -DCMAKE_C_FLAGS="${{matrix.flags}}" | |
| cmake --build build | |
| mkdir tarball | |
| mv build/sshnpd . | |
| # zip the build | |
| - if: ${{ matrix.os == 'macOS-13' || matrix.os == 'macos-14'}} | |
| run: | |
| ditto -c -k --keepParent sshnpd tarball/${{ matrix.output-name }}.zip | |
| - if: ${{ matrix.os == 'ubuntu-latest' }} | |
| run: tar -cvzf tarball/${{ matrix.output-name }}.tgz sshnpd | |
| - if: ${{ matrix.os == 'windows-latest' }} | |
| run: | |
| Compress-Archive -Path sshnpd -Destination tarball/${{ | |
| matrix.output-name }}.zip | |
| # upload the build | |
| - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: | |
| ${{ matrix.output-name }}_${{ matrix.compiler | |
| }}-${{ github.ref_name | |
| }}-${{github.run_number}}-${{github.run_attempt}} | |
| path: ./packages/c/sshnpd/tarball | |
| if-no-files-found: error | |
| docker_build: | |
| needs: [verify_tags] | |
| runs-on: ubuntu-latest | |
| if: ${{ ! inputs.native_build_only }} | |
| defaults: | |
| run: | |
| working-directory: ./packages/c | |
| strategy: | |
| matrix: | |
| include: | |
| - platform: linux/amd64 | |
| output-name: sshnpd-linux-x64 | |
| - platform: linux/arm64 | |
| output-name: sshnpd-linux-arm64 | |
| ## 20240806: Clang and CMake that we use aren't packaged for | |
| ## armv7 or riscv64 (also no Debian 10 for RISC-V) | |
| # - platform: linux/arm/v7 | |
| # output-name: sshnpd-linux-arm | |
| # - platform: linux/riscv64 | |
| # output-name: sshnpd-linux-riscv64 | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: c_release-${{github.run_number}} | |
| - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
| - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
| - run: | | |
| docker buildx build -t atsigncompany/sshnpdc -f sshnpd/tools/Dockerfile.package \ | |
| --platform ${{ matrix.platform }} -o type=tar,dest=bins.tar . | |
| mkdir tarballs | |
| tar -xvf bins.tar -C tarballs | |
| - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: | |
| ${{ | |
| matrix.output-name }}-${{ github.ref_name }}-${{ github.run_number | |
| }}-${{ github.run_attempt }} | |
| path: ./packages/c/tarballs/${{ matrix.output-name }}.tgz | |
| musl_build: | |
| needs: [verify_tags] | |
| runs-on: ubuntu-latest | |
| if: ${{ ! inputs.native_build_only }} | |
| defaults: | |
| run: | |
| working-directory: ./packages/c | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - platform: linux/amd64 | |
| output-name: sshnpd-linux-x64-musl | |
| - platform: linux/arm/v7 | |
| output-name: sshnpd-linux-arm-musl | |
| - platform: linux/arm64 | |
| output-name: sshnpd-linux-arm64-musl | |
| - platform: linux/riscv64 | |
| output-name: sshnpd-linux-riscv64-musl | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: c_release-${{github.run_number}} | |
| - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
| - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
| - run: | | |
| docker buildx build -t atsigncompany/sshnpdcmusl -f sshnpd/tools/Dockerfile.musl \ | |
| --platform ${{ matrix.platform }} -o type=tar,dest=bins.tar . | |
| mkdir tarballs | |
| tar -xvf bins.tar -C tarballs | |
| - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: | |
| ${{ | |
| matrix.output-name }}-${{ github.ref_name }}-${{ github.run_number | |
| }}-${{ github.run_attempt }} | |
| path: ./packages/c/tarballs/${{ matrix.output-name }}.tgz | |
| source_tarball: | |
| needs: [verify_tags] | |
| name: Generate source tarball | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: c_release-${{github.run_number}} | |
| - name: Create tarball | |
| run: | | |
| mkdir tarball | |
| cd ./packages | |
| mv c csshnpd-${{ github.ref_name }} | |
| tar -cvzf ../tarball/csshnpd-${{ github.ref_name }}.tar.gz csshnpd-${{ github.ref_name }} | |
| - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: csshnpd-src-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} | |
| path: ./tarball/csshnpd-${{ github.ref_name }}.tar.gz | |
| github-release: | |
| name: >- | |
| Upload artifacts and generate checksums for provenance | |
| needs: [native_build, docker_build, musl_build, source_tarball] | |
| runs-on: ubuntu-latest | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| permissions: | |
| contents: write # IMPORTANT: mandatory for making GitHub Releases | |
| id-token: write # IMPORTANT: mandatory for sigstore | |
| attestations: write | |
| steps: | |
| - name: Download all the tarballs | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| path: tarballs/ | |
| ## 20240806: Need a different approach to SBOMs for C daemon | |
| # - name: Generate SBOMs | |
| # run: | | |
| # syft scan file:./packages/dart/sshnoports/pubspec.lock \ | |
| # -o 'spdx-json=tarballs/dart_sshnoports_sbom.spdx.json' \ | |
| # -o 'cyclonedx-json=tarballs/dart_sshnoports_sbom.cyclonedx.json' | |
| - name: Move packages for signing | |
| run: | | |
| cd tarballs | |
| echo "Before:" | |
| ls -latrR * | |
| mv */*.tgz . | |
| mv */*.tar.gz . | |
| mv */*.zip . | |
| rm -Rf -- */ | |
| echo "After:" | |
| ls -latrR * | |
| - name: Generate SHA256 checksums | |
| working-directory: tarballs | |
| run: sha256sum * > checksums.txt | |
| - name: Upload artifacts to GitHub Release | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| run: >- | |
| gh release upload '${{ github.ref_name }}' tarballs/** --repo '${{ | |
| github.repository }}' | |
| - id: hash | |
| name: Pass artifact hashes for SLSA provenance | |
| working-directory: tarballs | |
| run: | | |
| echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT" | |
| - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 | |
| with: | |
| subject-path: "tarballs/**" | |
| provenance: | |
| needs: [github-release] | |
| permissions: | |
| actions: read # Needed for detection of GitHub Actions environment. | |
| id-token: write # Needed for provenance signing and ID | |
| contents: write # Needed for release uploads | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # 5a775b367a56d5bd118a224a811bba288150a563 | |
| with: | |
| base64-subjects: "${{ needs.github-release.outputs.hashes }}" | |
| upload-assets: true |