Merge pull request #83 from nirs/ci-cleanups #190
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Forked from https://github.com/reproducible-containers/repro-get/blob/v0.2.1/.github/workflows/release.yml | |
| # Forked from https://github.com/containerd/nerdctl/blob/v0.8.1/.github/workflows/release.yml | |
| # Apache License 2.0 | |
| name: Release | |
| on: | |
| push: | |
| branches: | |
| - 'master' | |
| tags: | |
| - 'v*' | |
| pull_request: | |
| branches: | |
| - 'master' | |
| permissions: | |
| contents: read | |
| jobs: | |
| release: | |
| runs-on: macos-15 | |
| # The maximum access is "read" for PRs from public forked repos | |
| # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
| permissions: | |
| contents: write # for releases | |
| id-token: write # for provenances | |
| attestations: write # for provenances | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
| with: | |
| # https://github.com/reproducible-containers/repro-get/issues/3 | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: "Install dependencies" | |
| # coreutils: For `gtouch -d @${SOURCE_DATE_EPOCH}` | |
| # diffoscope: For `make test.repro` | |
| run: brew install coreutils diffoscope | |
| - name: "Test reproducibility" | |
| run: | | |
| make test.repro | |
| git clean -xfd | |
| - name: "Make artifacts" | |
| run: make artifacts | |
| - name: "SHA256SUMS" | |
| run: | | |
| cat _artifacts/SHA256SUMS | |
| - name: "The sha256sum of the SHA256SUMS file" | |
| run: | | |
| (cd _artifacts; shasum -a 256 SHA256SUMS) | |
| - name: "Prepare the release note" | |
| run: | | |
| shasha=$(shasum -a 256 _artifacts/SHA256SUMS | awk '{print $1}') | |
| version="VERSION" | |
| [[ $GITHUB_REF == refs/tags/v* ]] && version="${GITHUB_REF#refs/tags/v}" | |
| cat <<-EOF | tee /tmp/release-note.txt | |
| (Changes to be documented) | |
| - - - | |
| The binaries were built automatically on GitHub Actions. | |
| The build log is available for 90 days: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
| The sha256sum of the SHA256SUMS file itself is \`${shasha}\` . | |
| The [GitHub Artifact Attestations](https://cli.github.com/manual/gh_attestation_verify) can be verified by running: | |
| \`\`\` | |
| gh attestation verify socket_vmnet-${version}-arm64.tar.gz --owner lima-vm | |
| gh attestation verify socket_vmnet-${version}-x86_64.tar.gz --owner lima-vm | |
| \`\`\` | |
| EOF | |
| - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 | |
| if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') | |
| with: | |
| subject-path: _artifacts/* | |
| - name: "Create release" | |
| if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| tag="${GITHUB_REF##*/}" | |
| gh release create -F /tmp/release-note.txt --draft --title "${tag}" "${tag}" _artifacts/* |