-
-
Notifications
You must be signed in to change notification settings - Fork 563
477 lines (399 loc) · 16.8 KB
/
release-draft-binaries.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
name: Create Draft Release
on:
workflow_dispatch:
inputs:
git_tag:
description: Git Tag To Release From. Last Git Tag Is Used If Omitted
required: false
release_branch:
description: Release Branch Where Recent Bump Occurred
required: true
permissions:
contents: read
defaults:
run:
shell: bash
jobs:
create_release:
permissions:
contents: write
name: Initiate Draft Release
runs-on: ubuntu-20.04
environment: release
outputs:
upload_url: ${{ steps.release_upload_url.outputs.upload_url }}
tag_name: ${{ steps.release_version.outputs.tag_name }}
steps:
- name: Checkout Ockam
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
fetch-depth: 0
ref: ${{ github.event.inputs.release_branch }}
- name: Import GPG key
uses: build-trust/.github/actions/import_gpg@a6377d3c2dac878b92a0da26cdf3da2856c64840
with:
gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}'
gpg_password: '${{ secrets.GPG_PASSPHRASE }}'
gpg_name: '${{ secrets.GPG_USER_NAME }}'
gpg_email: '${{ secrets.GPG_EMAIL }}'
- name: Get Release Text
id: release_version
env:
GIT_TAG: '${{ github.event.inputs.git_tag }}'
run: |
cargo install tomlq
set -x
source tools/scripts/release/crates-to-publish.sh
# Add Ockam as first crate
ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml")
name=$(eval "tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml")
text="Ockam $ockam_version"
text="$text
# Homebrew
To install this release using Homebrew:
\`\`\`bash
$ brew install build-trust/ockam/ockam
\`\`\`"
# Install Docker image
text="$text
# Docker
To use the Docker OCI package:
\`\`\`bash
docker pull ghcr.io/build-trust/ockam:$ockam_version
\`\`\`"
text="$text
# Precompiled Binaries
\`\`\`bash
# download sha256sums.txt
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt
# download sha256sums.txt.sig
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/sha256sums.txt.sig
# download our release public key
curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \\
https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub
# verify signatures
cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt
# download ockam command binary for your architecture
curl --proto '=https' --tlsv1.2 -sSfL -O \\
https://github.com/build-trust/ockam/releases/download/ockam_v${ockam_version}/ockam.x86_64-unknown-linux-gnu
# verify that the sha256 hash of the downloaded binary is the same as
# the corresponding hash mentioned in sha256sums.txt
cat sha256sums.txt | grep ockam.x86_64-unknown-linux-gnu | sha256sum -c
# rename the download binary and give it permission to execute
mv ockam.x86_64-unknown-linux-gnu ockam
chmod u+x ockam
\`\`\`"
text="$text
# Terraform
To install the [Ockam Terraform Provider](https://registry.terraform.io/providers/build-trust/ockam/$ockam_version), copy and paste this code into your Terraform configuration. Then, run \`terraform init\`.
\`\`\`
terraform {
required_providers {
ockam = {
source = \"build-trust/ockam\"
version = \"$ockam_version\"
}
}
}
provider "ockam" {}
\`\`\`"
text="$text
# Rust Crates
To use Ockam as a Rust library, run the following command within your project directory:
\`\`\`bash
cargo add ockam@$ockam_version
\`\`\`
The following crates were published as part of this release:
- \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"
for crate in ${updated_crates[@]}; do
version=$(eval "tomlq package.version -f $crate/Cargo.toml")
name=$(eval "tomlq package.name -f $crate/Cargo.toml")
if [[ $name == "ockam" ]]; then
echo "Skipping ockam crate"
continue
fi
text="$text
- \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \
[CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))";
done
echo "version=$ockam_version" >> $GITHUB_OUTPUT
echo "tag_name=ockam_v$ockam_version" >> $GITHUB_OUTPUT
echo "$text" > release_note.md
cat release_note.md
# Add tag
git tag -s ockam_v$ockam_version -m "Ockam Release"
git push --tags
- name: Create GitHub release
id: release_upload_url
uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_name: 'Ockam v${{ steps.release_version.outputs.version }}'
tag_name: '${{ steps.release_version.outputs.tag_name }}'
body_path: 'release_note.md'
draft: true
- name: Echo Link
run: echo "${{ steps.release_upload_url.outputs.html_url }}"
build_release:
name: Build Binaries
needs: create_release
environment: release
permissions:
contents: write
strategy:
fail-fast: false
matrix:
build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86]
include:
- build: linux_arm64
os: ubuntu-20.04
toolchain: stable
target: aarch64-unknown-linux-musl
build_app: false
use-cross-build: true
- build: linux_armv7
os: ubuntu-20.04
toolchain: stable
target: armv7-unknown-linux-musleabihf
use-cross-build: true
build_app: false
- build: linux_86
os: ubuntu-20.04
toolchain: stable
target: x86_64-unknown-linux-musl
use-cross-build: true
build_app: false
- build: linux_86_gnu
os: ubuntu-22.04
toolchain: stable
target: x86_64-unknown-linux-gnu
use-cross-build: false
build_app: true
build_command: false
- build: macos_silicon
os: macos-13
toolchain: stable
target: aarch64-apple-darwin
use-cross-build: false
build_app: true
- build: macos_86
os: macos-13
toolchain: stable
target: x86_64-apple-darwin
use-cross-build: false
build_app: true
runs-on: ${{ matrix.os }}
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
ref: ${{ github.event.inputs.release_branch }}
- name: Echo Link
run: echo "${{ needs.create_release.outputs.upload_url }}"
- uses: ./.github/actions/build_binaries
with:
use_cross_build: ${{ matrix.use-cross-build }}
toolchain: ${{ matrix.toolchain }}
target: ${{ matrix.target }}
platform_operating_system: ${{ matrix.os }}
build_app: ${{ matrix.build_app }}
- name: Copy Artifacts
run: |
set -x
cp target/${{ matrix.target }}/release/ockam_command ockam.${{ matrix.target }}
echo "ASSET_OCKAM_CLI=ockam.${{ matrix.target }}" >> $GITHUB_ENV
if [ -e "implementations/swift/build/Ockam.dmg" ]; then
cp "implementations/swift/build/Ockam.dmg" "ockam.app.${{ matrix.target }}.dmg"
echo "ASSET_OCKAM_APP_DMG=ockam.app.${{ matrix.target }}.dmg" >> $GITHUB_ENV
fi
ls $GITHUB_WORKSPACE
- name: Install Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149
with:
cosign-release: 'v2.0.0'
- name: Sign Binaries
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: |
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_CLI }}" > "${{ env.ASSET_OCKAM_CLI }}.sig"
if [ -n "${{ env.ASSET_OCKAM_APP_DMG }}" ]; then
cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_APP_DMG }}" > "${{ env.ASSET_OCKAM_APP_DMG }}.sig"
fi
- name: Upload CLI release archive
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}
asset_name: ${{ env.ASSET_OCKAM_CLI }}
asset_content_type: application/octet-stream
- name: Upload CLI Signature
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_name: ${{ env.ASSET_OCKAM_CLI }}.sig
asset_content_type: application/octet-stream
- name: Upload MacOS App release
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
if: ${{ env.ASSET_OCKAM_APP_DMG }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}
asset_content_type: application/octet-stream
- name: Upload MacOS App release Signature
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
if: ${{ env.ASSET_OCKAM_APP_DMG }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
asset_name: ${{ env.ASSET_OCKAM_APP_DMG }}.sig
asset_content_type: application/octet-stream
# build_elixir_nifs:
# name: Build Elixir NIFs
# needs: create_release
# environment: release
# permissions:
# contents: write
# strategy:
# fail-fast: false
# matrix:
# build: [macos, linux_x86_64, linux_arm]
# include:
# - build: macos
# os: macos-latest
# release_path: implementations/elixir/ockam/ockam_vault_software/priv/darwin_universal/native
# release_asset_name: ockam.darwin_universal_elixir_ffi.so
# - build: linux_x86_64
# os: ubuntu-20.04
# release_path: implementations/elixir/ockam/ockam_vault_software/_build/dev/lib/ockam_vault_software/priv/native
# release_asset_name: ockam.linux_x86_64_gnu_elixir_ffi.so
# target: x86_64-unknown-linux-musl
# container: ghcr.io/build-trust/ockam-builder@sha256:4327749693be365d590cd210ef89729b95488005ecff2c9fe7a0fcd8b4c61f87
# - build: linux_arm
# os: ubuntu-20.04
# release_path: implementations/elixir/ockam/ockam_vault_software/_build/dev/lib/ockam_vault_software/priv/native
# release_asset_name: ockam.linux_aarch64_gnu_elixir_ffi.so
# target: aarch64-unknown-linux-musl
# container: ghcr.io/build-trust/ockam-builder@sha256:ef3171446e991d8462e88879a8fc9818d9e02b61a720bf96fb5f845b0cae6100
# runs-on: ${{ matrix.os }}
# steps:
# - name: Checkout repository
# uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
# with:
# ref: ${{ github.event.inputs.release_branch }}
# - name: Install Rust
# uses: actions-rs/toolchain@b3ea035039aa8cb07d1f4a5168b0f8065c4a2eeb
# with:
# toolchain: stable
# profile: minimal
# override: true
# - name: Install QEMU
# if: matrix.build == 'linux_arm'
# run: |
# sudo apt-get update
# sudo apt-get install qemu binfmt-support qemu-user-static
# docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
# - name: Build Rust Asset
# if: matrix.build != 'macos'
# run: |
# cargo install --version 0.1.16 cross
# cross build --release --package ockam-ffi --target ${{ matrix.target }}
# rm -rf target/release && mv target/${{ matrix.target }}/release target/
# - name: Build NIF For Linux
# if: matrix.build != 'macos'
# run: |
# docker run --rm --user "$(id -u):$(id -g)" --volume $(pwd):/work ${{ matrix.container }} bash -c \
# "cd implementations/elixir/ockam/ockam_vault_software; mix recompile.native; ";
# - name: Build NIF For MacOS
# if: matrix.build == 'macos'
# working-directory: implementations/elixir/ockam/ockam_vault_software
# run: |
# set -x
# brew install erlang
# rustup target add aarch64-apple-darwin
# rustup target add x86_64-apple-darwin
# ./build-elixir-universal-lib.sh
# - name: Install Cosign
# uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149
# with:
# cosign-release: 'v2.0.0'
# - name: Sign NIFs
# working-directory: ${{ matrix.release_path }}
# env:
# PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
# COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
# run: |
# cosign sign-blob --yes --key env://PRIVATE_KEY libockam_elixir_ffi.so > libockam_elixir_ffi.so.sig
# - name: Upload Library
# uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# upload_url: ${{ needs.create_release.outputs.upload_url }}
# asset_path: ${{ matrix.release_path }}/libockam_elixir_ffi.so
# asset_name: ${{ matrix.release_asset_name }}
# asset_content_type: application/octet-stream
# - name: Upload Signature
# uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# upload_url: ${{ needs.create_release.outputs.upload_url }}
# asset_path: ${{ matrix.release_path }}/libockam_elixir_ffi.so.sig
# asset_name: ${{ matrix.release_asset_name }}.sig
# asset_content_type: application/octet-stream
sign_release:
name: Sign All Assets
needs: [build_release, create_release] #, build_elixir_nifs]
runs-on: ubuntu-20.04
environment: release
permissions:
contents: write
steps:
- name: Fetch All Assets
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release download ${{ needs.create_release.outputs.tag_name }} -R ${{ github.repository_owner }}/ockam
- name: Generate File SHASum
run: shasum -a 256 ockam.* > sha256sums.txt
- name: Install Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149
with:
cosign-release: 'v2.0.0'
- name: Sign Files
env:
PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}'
COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig
- name: Upload SHASum File
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt
asset_name: sha256sums.txt
asset_content_type: application/octet-stream
- name: Upload SHASum Signature File
uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_path: sha256sums.txt.sig
asset_name: sha256sums.txt.sig
asset_content_type: application/octet-stream