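name: Verifiable Build
on:
  push:
    tags:
      - "v*"
env:
  # Anchor 0.25.0 (latest) does not include x86_64 binary, use older version until resolved https://github.com/coral-xyz/anchor/issues/2076
  # Quoted so YAML keeps it a string. Only the commented-out npm install step
  # below reads this value; the active install step pins a git revision instead.
  ANCHOR_CLI_VERSION: "0.24.2"
defaults:
  run:
    working-directory: ./dex
jobs:
  build:
    name: Build Verifiable Artifact
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: creating the release and uploading its
    # assets needs contents:write; no step in this job needs any other scope.
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      # - name: Install Anchor CLI
      #   run: |
      #     npm install -g @project-serum/anchor-cli@${{ env.ANCHOR_CLI_VERSION }}
      #     anchor --version
      # Install CLI from a fork allowing env passthrough to docker
      - name: Install Anchor CLI
        run: |
          cargo install --git https://github.com/riordanp/anchor.git --rev 0bd8aba891639651cefc4aa0fa0f15174958e725 anchor-cli --locked
          anchor --version
      - name: Verifiable Build
        # The tag name is handed to the script through an environment variable
        # rather than interpolated with ${{ github.ref_name }}: expressions are
        # substituted into the script text before the shell runs, so a tag name
        # containing shell metacharacters would be executed as code. Reading it
        # from $TAG_NAME keeps it data.
        env:
          TAG_NAME: ${{ github.ref_name }}
        run: |
          echo "APP_NAME=$(cargo metadata --no-deps --format-version 1 | jq --raw-output '.packages[0].name')" >> "$GITHUB_ENV"
          anchor build --verifiable GITHUB_SHA=${{ github.sha }} GITHUB_REF_NAME="$TAG_NAME"
      - name: Generate Checksum
        # APP_NAME was exported to GITHUB_ENV by the previous step.
        run: |
          echo "CHECKSUM=$(sha256sum ./target/verifiable/${{ env.APP_NAME }}.so | head -c 64)" >> "$GITHUB_ENV"
      - name: Generate SBOM
        # NOTE(review): @master is a mutable ref, so the action code that runs
        # here can change without any commit to this repository. Pin it to a
        # release tag or, better, a full commit SHA for a reproducible pipeline.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'cyclonedx'
          output: '${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json'
      - name: Create Release
        id: create_release
        # NOTE(review): actions/create-release and actions/upload-release-asset
        # appear to be archived upstream; confirm and consider a maintained
        # replacement when next touching this workflow.
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref_name }}
          release_name: Release ${{ github.ref_name }}
          body: |
            sha256 checksum: ${{ env.CHECKSUM }}
            github commit: ${{ github.sha }}
      - name: Upload Build Artifact
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          # default working directory only applies to 'run' steps, hardcoded workspace path for now
          asset_path: ./dex/target/verifiable/${{ env.APP_NAME }}.so
          asset_name: ${{ env.APP_NAME }}.so
          asset_content_type: application/x-sharedlib
      - name: Upload SBOM
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: ./dex/${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json
          asset_name: ${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json
          asset_content_type: application/json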