Skip to content

Create Draft Release #38

Create Draft Release

Create Draft Release #38

name: Create Draft Release
on:
workflow_dispatch:
inputs:
git_tag:
description: Git Tag To Release From. Last Git Tag Is Used If Omitted
required: false
release_branch:
description: Release Branch Where Recent Bump Occurred
required: true
permissions:
contents: read
defaults:
run:
shell: bash
jobs:
create_release:
permissions:
contents: write
name: Initiate Draft Release
runs-on: ubuntu-20.04
environment: release
outputs:
upload_url: ${{ steps.release_upload_url.outputs.upload_url }}
version: ${{ steps.release_version.outputs.version }}
env:
BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
AWS_REGION: ${{ vars.AWS_REGION }}
AWS_ROLE: ${{ vars.AWS_ROLE }}
steps:
- name: Checkout Ockam
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
fetch-depth: 0
ref: ${{ github.event.inputs.release_branch }}
- name: Import GPG key
uses: build-trust/.github/actions/import_gpg@ae127cb92387ed76f24d4d1c6d6bfc2d382f7946
with:
gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}'
gpg_password: '${{ secrets.GPG_PASSPHRASE }}'
gpg_name: '${{ secrets.GPG_USER_NAME }}'
gpg_email: '${{ secrets.GPG_EMAIL }}'
- name: Get Release Text
id: release_version
env:
GIT_TAG: '${{ github.event.inputs.git_tag }}'
run: |
cargo install tomlq
set -x
source tools/scripts/release/crates-to-publish.sh
# Add Ockam as first crate
ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
name=$(eval "tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml")
text="Ockam $ockam_version"
text="$text
# Homebrew
To install this release using Homebrew:
\`\`\`bash
$ brew install build-trust/ockam/ockam
\`\`\`"
# Install Docker image
text="$text
# Docker
To use the Docker OCI package:
\`\`\`bash
docker pull ghcr.io/build-trust/ockam:$ockam_version
\`\`\`"
url_head="https://${{ env.BUCKET_NAME }}.s3.amazonaws.com/${ockam_version}"
text="$text
# Precompiled Binaries
\`\`\`bash
# download sha256sums.txt
curl --proto '=https' --tlsv1.2 -sSfL -O \\
${url_head}/sha256sums.txt
# download sha256sums.txt.sig
curl --proto '=https' --tlsv1.2 -sSfL -O \\
${url_head}/sha256sums.txt.sig
# download our release public key
curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \\
https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub
# verify signatures
cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt
# download ockam command binary for your architecture
curl --proto '=https' --tlsv1.2 -sSfL -O \\
${url_head}/ockam.x86_64-unknown-linux-gnu
# verify that the sha256 hash of the downloaded binary is the same as
# the corresponding hash mentioned in sha256sums.txt
cat sha256sums.txt | grep ockam.x86_64-unknown-linux-gnu | sha256sum -c
# rename the download binary and give it permission to execute
mv ockam.x86_64-unknown-linux-gnu ockam
chmod u+x ockam
\`\`\`"
text="$text
# Rust Crates
To use Ockam as a Rust library, run the following command within your project directory:
\`\`\`bash
cargo add ockam@$ockam_version
\`\`\`
The following crates were published as part of this release:
- \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"
for crate in ${updated_crates[@]}; do
version=$(eval "tomlq package.version -f $crate/Cargo.toml")
name=$(eval "tomlq package.name -f $crate/Cargo.toml")
if [[ $name == "ockam" ]]; then
echo "Skipping ockam crate"
continue
fi
text="$text
- \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))";
done
echo "version=$ockam_version" >> $GITHUB_OUTPUT
echo "tag_name=ockam_v$ockam_version" >> $GITHUB_OUTPUT
echo "$text" > release_note.md
cat release_note.md
# Add tag
git tag -s ockam_v$ockam_version -m "Ockam Release"
git push --tags
- name: Create GitHub release
id: release_upload_url
uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_name: 'Ockam v${{ steps.release_version.outputs.version }}'
tag_name: '${{ steps.release_version.outputs.tag_name }}'
body_path: 'release_note.md'
prerelease: true
- name: Echo Link
run: echo "${{ steps.release_upload_url.outputs.html_url }}"
build_release:
name: Build Binaries
needs: create_release
environment: release
env:
DEVELOPMENT_TEAM: ${{ vars.DEVELOPMENT_TEAM }}
PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_SPECIFIER }}
CODE_SIGN_IDENTITY: ${{ vars.CODE_SIGN_IDENTITY }}
NOTARIZATION_EMAIL: ${{ vars.NOTARIZATION_EMAIL }}
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
AWS_REGION: ${{ vars.AWS_REGION }}
AWS_ROLE: ${{ vars.AWS_ROLE }}
permissions:
contents: write
id-token: write # This is required for requesting the JWT
strategy:
fail-fast: false
matrix:
build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86]
include:
- build: linux_arm64
os: ubuntu-22.04
toolchain: stable
target: aarch64-unknown-linux-musl
build_app: false
use-cross-build: true
- build: linux_armv7
os: ubuntu-22.04
toolchain: stable
target: armv7-unknown-linux-musleabihf
use-cross-build: true
build_app: false
- build: linux_86
os: ubuntu-22.04
toolchain: stable
target: x86_64-unknown-linux-musl
use-cross-build: true
build_app: false
- build: linux_86_gnu
os: ubuntu-22.04
toolchain: stable
target: x86_64-unknown-linux-gnu
use-cross-build: false
build_app: true
build_command: false
- build: macos_silicon
os: macos-14
toolchain: stable
target: aarch64-apple-darwin
use-cross-build: false
build_app: true
- build: macos_86
os: macos-14
toolchain: stable
target: x86_64-apple-darwin
use-cross-build: false
build_app: true
runs-on: ${{ matrix.os }}
steps:
- name: Checkout repository
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
ref: ${{ github.event.inputs.release_branch }}
- name: Echo Link
run: echo "${{ needs.create_release.outputs.upload_url }}"
- name: Apple Signing Initialization
if: ${{ matrix.os == 'macos-14' }}
shell: bash
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
set -ex
# Switch to xcode 15
sudo xcode-select --switch /Applications/Xcode_15.0.app/
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# apply provisioning profile
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
# Add keychain path to env
echo "KEYCHAIN_PATH=${KEYCHAIN_PATH}" >> "$GITHUB_ENV"
- uses: ./.github/actions/build_binaries
with:
use_cross_build: ${{ matrix.use-cross-build }}
toolchain: ${{ matrix.toolchain }}
target: ${{ matrix.target }}
platform_operating_system: ${{ matrix.os }}
build_app: ${{ matrix.build_app }}
- name: Copy Artifacts
run: |
set -x
cp target/${{ matrix.target }}/release/ockam_command ockam.${{ matrix.target }}
echo "ASSET_OCKAM_CLI=ockam.${{ matrix.target }}" >> $GITHUB_ENV
if [ -e "implementations/swift/build/Ockam.dmg" ]; then
cp "implementations/swift/build/Ockam.dmg" "ockam.app.${{ matrix.target }}.dmg"
echo "ASSET_OCKAM_APP_DMG=ockam.app.${{ matrix.target }}.dmg" >> $GITHUB_ENV
fi
ls $GITHUB_WORKSPACE
- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
with:
cosign-release: 'v2.0.0'
- name: Sign Binaries
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: |
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_CLI }}" > "${{ env.ASSET_OCKAM_CLI }}.sig"
if [ -n "${{ env.ASSET_OCKAM_APP_DMG }}" ]; then
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_APP_DMG }}" > "${{ env.ASSET_OCKAM_APP_DMG }}.sig"
fi
- name: Upload CLI release archive to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}
asset_name: ${{ env.ASSET_OCKAM_CLI }}
asset_content_type: application/octet-stream
- name: Upload CLI Signature to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_name: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_content_type: application/octet-stream
- name: Upload CLI release archive to AWS
uses: ./.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: ${{ env.ASSET_OCKAM_CLI }}
release_version: "v${{ needs.create_release.outputs.version }}"
- name: Upload CLI Signature to AWS
uses: ./.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: ${{ env.ASSET_OCKAM_CLI }}.sig
release_version: "v${{ needs.create_release.outputs.version }}"
- name: Upload MacOS App release to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
if: ${{ env.ASSET_OCKAM_APP_DMG }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}
asset_content_type: application/octet-stream
- name: Upload MacOS App release Signature to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
if: ${{ env.ASSET_OCKAM_APP_DMG }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
asset_content_type: application/octet-stream
- name: Upload MacOS App release to AWS
uses: ./.github/actions/aws_upload
if: ${{ env.ASSET_OCKAM_APP_DMG }}
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: ${{ env.ASSET_OCKAM_APP_DMG }}
release_version: "v${{ needs.create_release.outputs.version }}"
- name: Upload MacOS App release Signature to AWS
uses: ./.github/actions/aws_upload
if: ${{ env.ASSET_OCKAM_APP_DMG }}
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
release_version: "v${{ needs.create_release.outputs.version }}"
build_elixir_nifs:
name: Build Elixir NIFs
needs: create_release
environment: release
permissions:
contents: write
id-token: write # This is required for requesting the JWT
env:
BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
AWS_REGION: ${{ vars.AWS_REGION }}
AWS_ROLE: ${{ vars.AWS_ROLE }}
strategy:
fail-fast: false
matrix:
job:
- { target: aarch64-unknown-linux-gnu , os: ubuntu-20.04 , use-cross: true }
- { target: x86_64-unknown-linux-gnu , os: ubuntu-20.04 }
- { target: aarch64-apple-darwin , os: macos-14 }
- { target: x86_64-apple-darwin , os: macos-14 }
runs-on: ${{ matrix.job.os }}
steps:
- name: Checkout repository
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
with:
ref: ${{ github.event.inputs.release_branch }}
- name: Install Rust toolchain
run: |
# This will allow us update to rust version indicated in our rust-toolchain.toml file
rustup show
rustup target add ${{ matrix.job.target }}
- name: Install Cross
if: matrix.job.use-cross == true
run: cargo install --version 0.2.4 cross
- shell: bash
if: matrix.job.target == 'ubuntu-20.04'
run: |
set -x
use_cross_build=${{ matrix.job.use-cross }}
if [[ $use_cross_build != true ]]; then
sudo apt update
sudo apt -y --no-install-recommends install libclang-dev clang
fi
- name: Build NIFs
run: |
set -ex
if [[ '${{ matrix.job.use-cross }}' == 'true' ]]; then
# When building using cross use rust crypto (slower) since the cross image doesn't have an up-to-date libclang
cross build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release --no-default-features -F rust-crypto
exit
fi
rustup target add ${{ matrix.job.target }}
cargo build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release --no-default-features -F aws-lc
- name: List
run: |
ls target/${{ matrix.job.target }}/release/
- name: Rename Build
run: |
cargo install tomlq
ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
final_name="libockam_rust_elixir_nifs-v${ockam_version}-nif-2.15-${{ matrix.job.target }}.so"
if [[ "${{ matrix.job.target }}" == *"darwin"* ]]; then
cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.dylib "$final_name"
else
cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.so "$final_name"
fi
tar -zcvf "${final_name}.tar.gz" "$final_name"
echo "FILE_NAME=${final_name}.tar.gz" >> $GITHUB_ENV
- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
with:
cosign-release: 'v2.0.0'
- name: Sign NIFs
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: |
cosign sign-blob --yes --key env://PRIVATE_KEY ${{ env.FILE_NAME }} > "${{ env.FILE_NAME }}.sig"
- name: Upload NIF to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: "${{ env.FILE_NAME }}"
asset_name: "${{ env.FILE_NAME }}"
asset_content_type: application/octet-stream
- name: Upload NIF Signature to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.FILE_NAME }}.sig
asset_name: ${{ env.FILE_NAME }}.sig
asset_content_type: application/octet-stream
- name: Upload NIF to AWS
uses: ./.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: "${{ env.FILE_NAME }}"
release_version: "v${{ needs.create_release.outputs.version }}"
- name: Upload NIF Signature to AWS
uses: ./.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: "${{ env.FILE_NAME }}.sig"
release_version: "v${{ needs.create_release.outputs.version }}"
sign_release:
name: Sign All Assets
needs: [build_release, create_release, build_elixir_nifs]
runs-on: ubuntu-20.04
environment: release
permissions:
contents: write
id-token: write # This is required for requesting the JWT
env:
BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
AWS_REGION: ${{ vars.AWS_REGION }}
AWS_ROLE: ${{ vars.AWS_ROLE }}
steps:
- name: Checkout repository
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
with:
ref: ${{ github.event.inputs.release_branch }}
path: aws
- name: Login to AWS
uses: ./aws/.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
- name: Fetch All Assets
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: aws s3 sync s3://${{ env.BUCKET_NAME }}/v${{ needs.create_release.outputs.version }} . && ls
- name: Generate File SHASum
run: shasum -a 256 *ockam* > sha256sums.txt
- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
with:
cosign-release: 'v2.0.0'
- name: Sign Files
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig
- name: Upload SHASum File to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt
asset_name: sha256sums.txt
asset_content_type: application/octet-stream
- name: Upload SHASum Signature File to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt.sig
asset_name: sha256sums.txt.sig
asset_content_type: application/octet-stream
- name: Upload SHASum File to AWS
uses: ./aws/.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: sha256sums.txt
release_version: "v${{ needs.create_release.outputs.version }}"
- name: Upload SHASum Signature File to AWS
uses: ./aws/.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: sha256sums.txt.sig
release_version: "v${{ needs.create_release.outputs.version }}"