Skip to content

Create Draft Release #15

Create Draft Release

Create Draft Release #15

name: Create Draft Release
on:
workflow_dispatch:
inputs:
git_tag:
description: Git Tag To Release From. Last Git Tag Is Used If Omitted
required: false
release_branch:
description: Release Branch Where Recent Bump Occurred
required: true
permissions:
contents: read
defaults:
run:
shell: bash
jobs:
create_release:
permissions:
contents: write
name: Initiate Draft Release
runs-on: ubuntu-20.04
environment: release
outputs:
upload_url: ${{ steps.release_upload_url.outputs.upload_url }}
tag_name: ${{ steps.release_version.outputs.tag_name }}
steps:
- name: Checkout Ockam
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 0
ref: ${{ github.event.inputs.release_branch }}
- name: Import GPG key
uses: build-trust/.github/actions/import_gpg@a6377d3c2dac878b92a0da26cdf3da2856c64840
with:
gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}'
gpg_password: '${{ secrets.GPG_PASSPHRASE }}'
gpg_name: '${{ secrets.GPG_USER_NAME }}'
gpg_email: '${{ secrets.GPG_EMAIL }}'
- name: Get Release Text
id: release_version
env:
GIT_TAG: '${{ github.event.inputs.git_tag }}'
run: |
cargo install tomlq
set -x
source tools/scripts/release/crates-to-publish.sh
# Add Ockam as first crate
ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
name=$(eval "tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml")
text="Ockam $ockam_version"
text="$text
# Homebrew
To install this release using Homebrew:
\`\`\`bash
$ brew install build-trust/ockam/ockam
\`\`\`"
# Install Docker image
text="$text
# Docker
To use the Docker OCI package:
\`\`\`bash
docker pull ghcr.io/build-trust/ockam:$ockam_version
\`\`\`"
text="$text
# Precompiled Binaries
\`\`\`bash
# download sha256sums.txt
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt
# download sha256sums.txt.sig
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt.sig
# download our release public key
curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \\
https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub
# verify signatures
cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt
# download ockam command binary for your architecture
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/ockam.x86_64-unknown-linux-gnu
# verify that the sha256 hash of the downloaded binary is the same as
# the corresponding hash mentioned in sha256sums.txt
cat sha256sums.txt | grep ockam.x86_64-unknown-linux-gnu | sha256sum -c
# rename the download binary and give it permission to execute
mv ockam.x86_64-unknown-linux-gnu ockam
chmod u+x ockam
\`\`\`"
text="$text
# Terraform
To install the [Ockam Terraform Provider](https://registry.terraform.io/providers/build-trust/ockam/$ockam_version), copy and paste this code into your Terraform configuration. Then, run \`terraform init\`.
\`\`\`
terraform {
required_providers {
ockam = {
source = \"build-trust/ockam\"
version = \"$ockam_version\"
}
}
}
provider "ockam" {}
\`\`\`"
text="$text
# Rust Crates
To use Ockam as a Rust library, run the following command within your project directory:
\`\`\`bash
cargo add ockam@$ockam_version
\`\`\`
The following crates were published as part of this release:
- \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"
for crate in ${updated_crates[@]}; do
version=$(eval "tomlq package.version -f $crate/Cargo.toml")
name=$(eval "tomlq package.name -f $crate/Cargo.toml")
if [[ $name == "ockam" ]]; then
echo "Skipping ockam crate"
continue
fi
text="$text
- \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))";
done
echo "version=$ockam_version" >> $GITHUB_OUTPUT
echo "tag_name=ockam_v$ockam_version" >> $GITHUB_OUTPUT
echo "$text" > release_note.md
cat release_note.md
# Add tag
git tag -s ockam_v$ockam_version -m "Ockam Release"
git push --tags
- name: Create GitHub release
id: release_upload_url
uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_name: 'Ockam v${{ steps.release_version.outputs.version }}'
tag_name: '${{ steps.release_version.outputs.tag_name }}'
body_path: 'release_note.md'
draft: true
- name: Echo Link
run: echo "${{ steps.release_upload_url.outputs.html_url }}"
build_release:
name: Build Binaries
needs: create_release
environment: release
env:
DEVELOPMENT_TEAM: ${{ vars.DEVELOPMENT_TEAM }}
PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_SPECIFIER }}
CODE_SIGN_IDENTITY: ${{ vars.CODE_SIGN_IDENTITY }}
permissions:
contents: write
strategy:
fail-fast: false
matrix:
build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86]
include:
- build: linux_arm64
os: ubuntu-20.04
toolchain: stable
target: aarch64-unknown-linux-musl
build_app: false
use-cross-build: true
- build: linux_armv7
os: ubuntu-20.04
toolchain: stable
target: armv7-unknown-linux-musleabihf
use-cross-build: true
build_app: false
- build: linux_86
os: ubuntu-20.04
toolchain: stable
target: x86_64-unknown-linux-musl
use-cross-build: true
build_app: false
- build: linux_86_gnu
os: ubuntu-22.04
toolchain: stable
target: x86_64-unknown-linux-gnu
use-cross-build: false
build_app: true
build_command: false
- build: macos_silicon
os: macos-13
toolchain: stable
target: aarch64-apple-darwin
use-cross-build: false
build_app: true
- build: macos_86
os: macos-13
toolchain: stable
target: x86_64-apple-darwin
use-cross-build: false
build_app: true
runs-on: ${{ matrix.os }}
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
ref: ${{ github.event.inputs.release_branch }}
- name: Echo Link
run: echo "${{ needs.create_release.outputs.upload_url }}"
- name: Apple Signing Initialization
if: ${{ matrix.os == 'macos-13' }}
shell: bash
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
set -ex
# Switch to xcode 15
sudo xcode-select --switch /Applications/Xcode_15.0.app/
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# apply provisioning profile
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
- uses: ./.github/actions/build_binaries
with:
use_cross_build: ${{ matrix.use-cross-build }}
toolchain: ${{ matrix.toolchain }}
target: ${{ matrix.target }}
platform_operating_system: ${{ matrix.os }}
build_app: ${{ matrix.build_app }}
- name: Copy Artifacts
run: |
set -x
cp target/${{ matrix.target }}/release/ockam_command ockam.${{ matrix.target }}
echo "ASSET_OCKAM_CLI=ockam.${{ matrix.target }}" >> $GITHUB_ENV
if [ -e "implementations/swift/build/Ockam.dmg" ]; then
cp "implementations/swift/build/Ockam.dmg" "ockam.app.${{ matrix.target }}.dmg"
echo "ASSET_OCKAM_APP_DMG=ockam.app.${{ matrix.target }}.dmg" >> $GITHUB_ENV
fi
ls $GITHUB_WORKSPACE
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.0.0'
- name: Sign Binaries
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: |
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_CLI }}" > "${{ env.ASSET_OCKAM_CLI }}.sig"
if [ -n "${{ env.ASSET_OCKAM_APP_DMG }}" ]; then
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_APP_DMG }}" > "${{ env.ASSET_OCKAM_APP_DMG }}.sig"
fi
- name: Upload CLI release archive
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}
asset_name: ${{ env.ASSET_OCKAM_CLI }}
asset_content_type: application/octet-stream
- name: Upload CLI Signature
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_name: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_content_type: application/octet-stream
- name: Upload MacOS App release
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
if: ${{ env.ASSET_OCKAM_APP_DMG }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}
asset_content_type: application/octet-stream
- name: Upload MacOS App release Signature
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
if: ${{ env.ASSET_OCKAM_APP_DMG }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
asset_content_type: application/octet-stream
# build_elixir_nifs:
# name: Build Elixir NIFs
# needs: create_release
# environment: release
# permissions:
# contents: write
# strategy:
# fail-fast: false
# matrix:
# build: [macos, linux_x86_64, linux_arm]
# include:
# - build: macos
# os: macos-latest
# release_path: implementations/elixir/ockam/ockam_vault_software/priv/darwin_universal/native
# release_asset_name: ockam.darwin_universal_elixir_ffi.so
# - build: linux_x86_64
# os: ubuntu-20.04
# release_path: implementations/elixir/ockam/ockam_vault_software/_build/dev/lib/ockam_vault_software/priv/native
# release_asset_name: ockam.linux_x86_64_gnu_elixir_ffi.so
# target: x86_64-unknown-linux-musl
# container: ghcr.io/build-trust/ockam-builder@sha256:4327749693be365d590cd210ef89729b95488005ecff2c9fe7a0fcd8b4c61f87
# - build: linux_arm
# os: ubuntu-20.04
# release_path: implementations/elixir/ockam/ockam_vault_software/_build/dev/lib/ockam_vault_software/priv/native
# release_asset_name: ockam.linux_aarch64_gnu_elixir_ffi.so
# target: aarch64-unknown-linux-musl
# container: ghcr.io/build-trust/ockam-builder@sha256:ef3171446e991d8462e88879a8fc9818d9e02b61a720bf96fb5f845b0cae6100
# runs-on: ${{ matrix.os }}
# steps:
# - name: Checkout repository
# uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
# with:
# ref: ${{ github.event.inputs.release_branch }}
# - name: Install Rust
# uses: actions-rs/toolchain@b3ea035039aa8cb07d1f4a5168b0f8065c4a2eeb
# with:
# toolchain: stable
# profile: minimal
# override: true
# - name: Install QEMU
# if: matrix.build == 'linux_arm'
# run: |
# sudo apt-get update
# sudo apt-get install qemu binfmt-support qemu-user-static
# docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
# - name: Build Rust Asset
# if: matrix.build != 'macos'
# run: |
# cargo install --version 0.1.16 cross
# cross build --release --package ockam-ffi --target ${{ matrix.target }}
# rm -rf target/release && mv target/${{ matrix.target }}/release target/
# - name: Build NIF For Linux
# if: matrix.build != 'macos'
# run: |
# docker run --rm --user "$(id -u):$(id -g)" --volume $(pwd):/work ${{ matrix.container }} bash -c \
# "cd implementations/elixir/ockam/ockam_vault_software; mix recompile.native; ";
# - name: Build NIF For MacOS
# if: matrix.build == 'macos'
# working-directory: implementations/elixir/ockam/ockam_vault_software
# run: |
# set -x
# brew install erlang
# rustup target add aarch64-apple-darwin
# rustup target add x86_64-apple-darwin
# ./build-elixir-universal-lib.sh
# - name: Install Cosign
# uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
# with:
# cosign-release: 'v2.0.0'
# - name: Sign NIFs
# working-directory: ${{ matrix.release_path }}
# env:
# PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
# COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
# run: |
# cosign sign-blob --yes --key env://PRIVATE_KEY libockam_elixir_ffi.so > libockam_elixir_ffi.so.sig
# - name: Upload Library
# uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# upload_url: ${{ needs.create_release.outputs.upload_url }}
# asset_path: ${{ matrix.release_path }}/libockam_elixir_ffi.so
# asset_name: ${{ matrix.release_asset_name }}
# asset_content_type: application/octet-stream
# - name: Upload Signature
# uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# upload_url: ${{ needs.create_release.outputs.upload_url }}
# asset_path: ${{ matrix.release_path }}/libockam_elixir_ffi.so.sig
# asset_name: ${{ matrix.release_asset_name }}.sig
# asset_content_type: application/octet-stream
sign_release:
name: Sign All Assets
needs: [build_release, create_release] #, build_elixir_nifs]
runs-on: ubuntu-20.04
environment: release
permissions:
contents: write
steps:
- name: Fetch All Assets
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release download ${{ needs.create_release.outputs.tag_name }} -R ${{ github.repository_owner }}/ockam
- name: Generate File SHASum
run: shasum -a 256 ockam.* > sha256sums.txt
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
with:
cosign-release: 'v2.0.0'
- name: Sign Files
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig
- name: Upload SHASum File
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt
asset_name: sha256sums.txt
asset_content_type: application/octet-stream
- name: Upload SHASum Signature File
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt.sig
asset_name: sha256sums.txt.sig
asset_content_type: application/octet-stream