-
-
Notifications
You must be signed in to change notification settings - Fork 563
537 lines (449 loc) · 18.3 KB
/
release-draft-binaries.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
name: Create Draft Release
on:
workflow_dispatch:
inputs:
git_tag:
description: Git Tag To Release From. Last Git Tag Is Used If Omitted
required: false
release_branch:
description: Release Branch Where Recent Bump Occurred
required: true
permissions:
contents: read
defaults:
run:
shell: bash
jobs:
create_release:
permissions:
contents: write
name: Initiate Draft Release
runs-on: ubuntu-20.04
environment: release
outputs:
upload_url: ${{ steps.release_upload_url.outputs.upload_url }}
version: ${{ steps.release_version.outputs.version }}
env:
BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
AWS_REGION: ${{ vars.AWS_REGION }}
AWS_ROLE: ${{ vars.AWS_ROLE }}
steps:
- name: Checkout Ockam
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0
ref: ${{ github.event.inputs.release_branch }}
- name: Import GPG key
uses: build-trust/.github/actions/import_gpg@ae127cb92387ed76f24d4d1c6d6bfc2d382f7946
with:
gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}'
gpg_password: '${{ secrets.GPG_PASSPHRASE }}'
gpg_name: '${{ secrets.GPG_USER_NAME }}'
gpg_email: '${{ secrets.GPG_EMAIL }}'
- name: Get Release Text
id: release_version
env:
GIT_TAG: '${{ github.event.inputs.git_tag }}'
run: |
cargo install tomlq@0.1.0
set -x
source tools/scripts/release/crates-to-publish.sh
# Add Ockam as first crate
ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
name=$(eval "tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml")
text="Ockam $ockam_version"
text="$text
# Homebrew
To install this release using Homebrew:
\`\`\`bash
$ brew install build-trust/ockam/ockam
\`\`\`"
# Install Docker image
text="$text
# Docker
To use the Docker OCI package:
\`\`\`bash
docker pull ghcr.io/build-trust/ockam:$ockam_version
\`\`\`"
url_head="https://${{ env.BUCKET_NAME }}.s3.amazonaws.com/${ockam_version}"
text="$text
# Precompiled Binaries
\`\`\`bash
# download sha256sums.txt
curl --proto '=https' --tlsv1.2 -sSfL -O \\
${url_head}/sha256sums.txt
# download sha256sums.txt.sig
curl --proto '=https' --tlsv1.2 -sSfL -O \\
${url_head}/sha256sums.txt.sig
# download our release public key
curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \\
https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub
# verify signatures
cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt
# download ockam command binary for your architecture
curl --proto '=https' --tlsv1.2 -sSfL -O \\
${url_head}/ockam.x86_64-unknown-linux-gnu
# verify that the sha256 hash of the downloaded binary is the same as
# the corresponding hash mentioned in sha256sums.txt
cat sha256sums.txt | grep ockam.x86_64-unknown-linux-gnu | sha256sum -c
# rename the download binary and give it permission to execute
mv ockam.x86_64-unknown-linux-gnu ockam
chmod u+x ockam
\`\`\`"
text="$text
# Rust Crates
To use Ockam as a Rust library, run the following command within your project directory:
\`\`\`bash
cargo add ockam@$ockam_version
\`\`\`
The following crates were published as part of this release:
- \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"
for crate in ${updated_crates[@]}; do
version=$(eval "tomlq package.version -f $crate/Cargo.toml")
name=$(eval "tomlq package.name -f $crate/Cargo.toml")
if [[ $name == "ockam" ]]; then
echo "Skipping ockam crate"
continue
fi
text="$text
- \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))";
done
echo "version=$ockam_version" >> $GITHUB_OUTPUT
echo "tag_name=ockam_v$ockam_version" >> $GITHUB_OUTPUT
echo "$text" > release_note.md
cat release_note.md
# Add tag
git tag -s ockam_v$ockam_version -m "Ockam Release"
git push --tags
- name: Create GitHub release
id: release_upload_url
uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_name: 'Ockam v${{ steps.release_version.outputs.version }}'
tag_name: '${{ steps.release_version.outputs.tag_name }}'
body_path: 'release_note.md'
prerelease: true
- name: Echo Link
run: echo "${{ steps.release_upload_url.outputs.html_url }}"
build_release:
name: Build Binaries
needs: create_release
environment: release
env:
DEVELOPMENT_TEAM: ${{ vars.DEVELOPMENT_TEAM }}
PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_SPECIFIER }}
CODE_SIGN_IDENTITY: ${{ vars.CODE_SIGN_IDENTITY }}
NOTARIZATION_EMAIL: ${{ vars.NOTARIZATION_EMAIL }}
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
AWS_REGION: ${{ vars.AWS_REGION }}
AWS_ROLE: ${{ vars.AWS_ROLE }}
permissions:
contents: write
id-token: write # This is required for requesting the JWT
strategy:
fail-fast: false
matrix:
build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86]
include:
- build: linux_arm64
os: ubuntu-22.04
toolchain: stable
target: aarch64-unknown-linux-musl
build_app: false
use-cross-build: true
- build: linux_armv7
os: ubuntu-22.04
toolchain: stable
target: armv7-unknown-linux-musleabihf
use-cross-build: true
build_app: false
- build: linux_86
os: ubuntu-22.04
toolchain: stable
target: x86_64-unknown-linux-musl
use-cross-build: true
build_app: false
- build: linux_86_gnu
os: ubuntu-22.04
toolchain: stable
target: x86_64-unknown-linux-gnu
use-cross-build: false
build_app: false
- build: linux_aarch64_gnu
os: ubuntu-22.04
toolchain: stable
target: aarch64-unknown-linux-gnu
use-cross-build: true
build_app: false
- build: macos_silicon
os: macos-14
toolchain: stable
target: aarch64-apple-darwin
use-cross-build: false
build_app: true
- build: macos_86
os: macos-14
toolchain: stable
target: x86_64-apple-darwin
use-cross-build: false
build_app: true
runs-on: ${{ matrix.os }}
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
ref: ${{ github.event.inputs.release_branch }}
- name: Echo Link
run: echo "${{ needs.create_release.outputs.upload_url }}"
- uses: ./.github/actions/build_binaries
with:
use_cross_build: ${{ matrix.use-cross-build }}
toolchain: ${{ matrix.toolchain }}
target: ${{ matrix.target }}
platform_operating_system: ${{ matrix.os }}
build_app: ${{ matrix.build_app }}
- name: Copy Artifacts
run: |
set -x
cp target/${{ matrix.target }}/release/ockam_command ockam.${{ matrix.target }}
echo "ASSET_OCKAM_CLI=ockam.${{ matrix.target }}" >> $GITHUB_ENV
ls $GITHUB_WORKSPACE
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
with:
cosign-release: 'v2.0.0'
- name: Sign Binaries
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: |
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_CLI }}" > "${{ env.ASSET_OCKAM_CLI }}.sig"
- name: Upload CLI release archive to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}
asset_name: ${{ env.ASSET_OCKAM_CLI }}
asset_content_type: application/octet-stream
- name: Upload CLI Signature to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_name: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_content_type: application/octet-stream
- name: Upload CLI release archive to AWS
uses: ./.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: ${{ env.ASSET_OCKAM_CLI }}
release_version: "v${{ needs.create_release.outputs.version }}"
- name: Upload CLI Signature to AWS
uses: ./.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: ${{ env.ASSET_OCKAM_CLI }}.sig
release_version: "v${{ needs.create_release.outputs.version }}"
build_elixir_nifs:
name: Build Elixir NIFs
needs: create_release
environment: release
permissions:
contents: write
id-token: write # This is required for requesting the JWT
env:
BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
AWS_REGION: ${{ vars.AWS_REGION }}
AWS_ROLE: ${{ vars.AWS_ROLE }}
strategy:
fail-fast: false
matrix:
job:
- { target: aarch64-unknown-linux-gnu , os: ubuntu-20.04 , use-cross: true }
- { target: x86_64-unknown-linux-gnu , os: ubuntu-20.04 }
- { target: aarch64-apple-darwin , os: macos-14 }
- { target: x86_64-apple-darwin , os: macos-14 }
runs-on: ${{ matrix.job.os }}
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
ref: ${{ github.event.inputs.release_branch }}
- name: Install Rust toolchain
run: |
# This will allow us update to rust version indicated in our rust-toolchain.toml file
rustup show
rustup target add ${{ matrix.job.target }}
- name: Install Cross
if: matrix.job.use-cross == true
run: cargo install --version 0.2.4 cross
- shell: bash
if: matrix.job.target == 'ubuntu-20.04'
run: |
set -x
use_cross_build=${{ matrix.job.use-cross }}
if [[ $use_cross_build != true ]]; then
sudo apt update
sudo apt -y --no-install-recommends install libclang-dev clang
fi
- name: Build NIFs
run: |
set -ex
if [[ '${{ matrix.job.use-cross }}' == 'true' ]]; then
# When building using cross use rust crypto (slower) since the cross image doesn't have an up-to-date libclang
cross build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release --no-default-features -F rust-crypto
exit
fi
rustup target add ${{ matrix.job.target }}
cargo build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release --no-default-features -F aws-lc
- name: List
run: |
ls target/${{ matrix.job.target }}/release/
- name: Rename Build
run: |
cargo install tomlq@0.1.0
ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
final_name="libockam_rust_elixir_nifs-v${ockam_version}-nif-2.15-${{ matrix.job.target }}.so"
if [[ "${{ matrix.job.target }}" == *"darwin"* ]]; then
cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.dylib "$final_name"
else
cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.so "$final_name"
fi
tar -zcvf "${final_name}.tar.gz" "$final_name"
echo "FILE_NAME=${final_name}.tar.gz" >> $GITHUB_ENV
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
with:
cosign-release: 'v2.0.0'
- name: Sign NIFs
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: |
cosign sign-blob --yes --key env://PRIVATE_KEY ${{ env.FILE_NAME }} > "${{ env.FILE_NAME }}.sig"
- name: Upload NIF to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: "${{ env.FILE_NAME }}"
asset_name: "${{ env.FILE_NAME }}"
asset_content_type: application/octet-stream
- name: Upload NIF Signature to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.FILE_NAME }}.sig
asset_name: ${{ env.FILE_NAME }}.sig
asset_content_type: application/octet-stream
- name: Upload NIF to AWS
uses: ./.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: "${{ env.FILE_NAME }}"
release_version: "v${{ needs.create_release.outputs.version }}"
- name: Upload NIF Signature to AWS
uses: ./.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: "${{ env.FILE_NAME }}.sig"
release_version: "v${{ needs.create_release.outputs.version }}"
sign_release:
name: Sign All Assets
needs: [build_release, create_release, build_elixir_nifs]
runs-on: ubuntu-20.04
environment: release
permissions:
contents: write
id-token: write # This is required for requesting the JWT
env:
BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }}
AWS_REGION: ${{ vars.AWS_REGION }}
AWS_ROLE: ${{ vars.AWS_ROLE }}
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
ref: ${{ github.event.inputs.release_branch }}
path: aws
- name: Login to AWS
uses: ./aws/.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
- name: Fetch All Assets
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: aws s3 sync s3://${{ env.BUCKET_NAME }}/v${{ needs.create_release.outputs.version }} . && ls
- name: Generate File SHASum
run: shasum -a 256 *ockam* > sha256sums.txt
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
with:
cosign-release: 'v2.0.0'
- name: Sign Files
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig
- name: Upload SHASum File to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt
asset_name: sha256sums.txt
asset_content_type: application/octet-stream
- name: Upload SHASum Signature File to GitHub
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt.sig
asset_name: sha256sums.txt.sig
asset_content_type: application/octet-stream
- name: Upload SHASum File to AWS
uses: ./aws/.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: sha256sums.txt
release_version: "v${{ needs.create_release.outputs.version }}"
- name: Upload SHASum Signature File to AWS
uses: ./aws/.github/actions/aws_upload
with:
aws_role: ${{ env.AWS_ROLE }}
aws_role_session_name: aws_upload
aws_region: ${{ env.AWS_REGION }}
bucket_name: ${{ env.BUCKET_NAME }}
file_name: sha256sums.txt.sig
release_version: "v${{ needs.create_release.outputs.version }}"