Skip to content

release: AUR auto-publish job #4

release: AUR auto-publish job

release: AUR auto-publish job #4

Workflow file for this run

# .github/workflows/release.yml
# cargo-dist driven release pipeline.
# Spec: zerodds-deployment-1.0.md §6.
# Triggers on git tag push v*.*.*, computes a release plan, builds per-target
# artefacts, then dispatches the platform-specific publish-jobs declared in
# [workspace.metadata.dist].publish-jobs.
name: release
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+*"
workflow_dispatch:
inputs:
tag:
description: "Release tag (e.g. v1.0.0-rc.1)"
required: true
type: string
permissions:
contents: write
packages: write
id-token: write # OIDC for cosign keyless signing
env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
jobs:
plan:
name: cargo-dist plan
runs-on: ubuntu-latest
outputs:
tag: ${{ steps.plan.outputs.tag }}
val: ${{ steps.plan.outputs.val }}
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- name: Install cargo-dist
run: cargo install cargo-dist --version 0.22.1 --locked
- name: Plan
id: plan
run: |
TAG="${{ github.event.inputs.tag || github.ref_name }}"
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
PLAN=$(cargo dist plan --output-format=json)
echo "val<<JSON_EOF" >> "$GITHUB_OUTPUT"
echo "$PLAN" >> "$GITHUB_OUTPUT"
echo "JSON_EOF" >> "$GITHUB_OUTPUT"
build:
name: Build (${{ matrix.target }})
needs: plan
strategy:
fail-fast: false
matrix:
include:
- target: x86_64-unknown-linux-gnu
os: ubuntu-22.04
- target: aarch64-unknown-linux-gnu
os: ubuntu-22.04
- target: x86_64-unknown-linux-musl
os: ubuntu-22.04
- target: aarch64-unknown-linux-musl
os: ubuntu-22.04
- target: x86_64-apple-darwin
os: macos-13
- target: aarch64-apple-darwin
os: macos-14
- target: x86_64-pc-windows-msvc
os: windows-2022
- target: aarch64-pc-windows-msvc
os: windows-2022
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}
- name: Install cross deps (Linux)
if: runner.os == 'Linux'
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends pkg-config libssl-dev musl-tools
if [ "${{ matrix.target }}" = "aarch64-unknown-linux-gnu" ]; then
sudo apt-get install -y --no-install-recommends gcc-aarch64-linux-gnu
fi
# macOS-Codesigning: importiere Developer ID Application/Installer
# in einen ad-hoc Keychain, sodass `codesign` und `productsign` ihn
# finden. Wird nur auf macos-Runnern aktiv.
- name: Import Apple codesigning certs (macOS)
if: runner.os == 'macOS'
uses: apple-actions/import-codesign-certs@v3
with:
p12-file-base64: ${{ secrets.APPLE_CERT_APP_BASE64 }}
p12-password: ${{ secrets.APPLE_CERT_APP_PASSWORD }}
keychain: zerodds-signing
create-keychain: true
- name: Import Apple installer cert (macOS)
if: runner.os == 'macOS'
uses: apple-actions/import-codesign-certs@v3
with:
p12-file-base64: ${{ secrets.APPLE_CERT_INSTALLER_BASE64 }}
p12-password: ${{ secrets.APPLE_CERT_INSTALLER_PASSWORD }}
keychain: zerodds-signing
create-keychain: false
- name: Install cargo-dist
run: cargo install cargo-dist --version 0.22.1 --locked
- name: Build target
run: cargo dist build --target ${{ matrix.target }}
- name: Sign with minisign (Linux)
if: runner.os == 'Linux'
env:
MINISIGN_KEY: ${{ secrets.MINISIGN_SECRET_KEY }}
MINISIGN_PWD: ${{ secrets.MINISIGN_PASSWORD }}
run: bash packaging/github-actions/sign-artifacts.sh target/distrib
- name: Codesign + notarize macOS binaries
if: runner.os == 'macOS'
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
APPLE_NOTARY_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
DEV_ID_APPLICATION: "Developer ID Application: Sandra Theresa Keler (YU6XNW6DG7)"
run: bash packaging/github-actions/sign-macos.sh target/distrib
- uses: actions/upload-artifact@v4
with:
name: artifacts-${{ matrix.target }}
path: target/distrib/
package-deb:
name: Build .deb packages
needs: build
uses: ./packaging/linux/deb/publish-deb.yml

Check failure on line 133 in .github/workflows/release.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/release.yml

Invalid workflow file

invalid value workflow reference: no version specified
secrets: inherit
with:
plan: ${{ needs.plan.outputs.val }}
package-rpm:
name: Build .rpm packages
needs: build
uses: ./packaging/linux/rpm/publish-rpm.yml
secrets: inherit
with:
plan: ${{ needs.plan.outputs.val }}
package-docker:
name: Build + push Docker images
needs: build
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
daemon: [ws-bridged, mqtt-bridged, coap-bridged, amqp-bridged, grpc-bridged, corba-bridged, ros2-shim, cli]
steps:
- uses: actions/checkout@v4
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build + push (${{ matrix.daemon }})
uses: docker/build-push-action@v5
with:
context: .
file: packaging/docker/${{ matrix.daemon }}/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: |
fishermen21/zerodds-${{ matrix.daemon }}:${{ needs.plan.outputs.tag }}
fishermen21/zerodds-${{ matrix.daemon }}:1.0
ghcr.io/zero-objects/zerodds-${{ matrix.daemon }}:${{ needs.plan.outputs.tag }}
ghcr.io/zero-objects/zerodds-${{ matrix.daemon }}:1.0
cache-from: type=gha
cache-to: type=gha,mode=max
package-msi:
name: Build Windows MSI
needs: build
runs-on: windows-2022
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: artifacts-x86_64-pc-windows-msvc
path: payload\
- name: Install WiX 4
run: dotnet tool install --global wix --version 4.0.5
- name: Compile MSI
run: |
wix build -arch x64 -d PayloadDir=payload `
packaging/windows/msi/zerodds.wxs -o dist/zerodds-1.0.0-x64.msi
- name: Sign MSI
env:
WIN_CERT_PFX: ${{ secrets.WIN_CERT_PFX_BASE64 }}
WIN_CERT_PWD: ${{ secrets.WIN_CERT_PWD }}
run: |
[System.IO.File]::WriteAllBytes("cert.pfx",
[Convert]::FromBase64String($env:WIN_CERT_PFX))
signtool sign /f cert.pfx /p $env:WIN_CERT_PWD `
/tr http://timestamp.digicert.com /td SHA256 /fd SHA256 `
dist/zerodds-1.0.0-x64.msi
- uses: actions/upload-artifact@v4
with:
name: zerodds-msi
path: dist/*.msi
publish-homebrew-tap:
name: Update Homebrew tap
needs: [build, package-msi]
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
with:
repository: zero-objects/homebrew-zerodds
token: ${{ secrets.HOMEBREW_TAP_PAT }}
path: tap
- name: Render formulae
run: bash packaging/github-actions/render-homebrew.sh tap/Formula
- name: Commit + push
working-directory: tap
run: |
git config user.name "zerodds-release-bot"
git config user.email "release@zerodds.org"
git add Formula
git commit -m "release: ${{ needs.plan.outputs.tag }}"
git push
publish-aur:
name: Update AUR (zerodds + zerodds-bin)
needs: [github-release]
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Setup AUR SSH key
run: |
mkdir -p ~/.ssh
chmod 700 ~/.ssh
printf '%s\n' "${{ secrets.AUR_SSH_KEY }}" > ~/.ssh/aur
chmod 600 ~/.ssh/aur
cat <<'CFG' > ~/.ssh/config
Host aur.archlinux.org
User aur
IdentityFile ~/.ssh/aur
IdentitiesOnly yes
StrictHostKeyChecking accept-new
CFG
- name: Render + push PKGBUILDs
env:
TAG: ${{ needs.plan.outputs.tag }}
run: bash packaging/github-actions/aur-publish.sh "$TAG"
publish-scoop-bucket:
name: Update Scoop bucket
needs: [build, package-msi]
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
with:
repository: zero-objects/scoop-zerodds
token: ${{ secrets.SCOOP_BUCKET_PAT }}
path: bucket
- name: Render manifest
run: cp packaging/windows/scoop/zerodds.json bucket/zerodds.json
- name: Commit + push
working-directory: bucket
run: |
git config user.name "zerodds-release-bot"
git config user.email "release@zerodds.org"
git add zerodds.json
git commit -m "release: ${{ needs.plan.outputs.tag }}"
git push
github-release:
name: Publish GitHub release
needs: [build, package-deb, package-rpm, package-docker, package-msi]
runs-on: ubuntu-22.04
steps:
- uses: actions/download-artifact@v4
with: { path: dist }
- name: Create release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ needs.plan.outputs.tag }}
generate_release_notes: true
files: |
dist/**/*.tar.gz
dist/**/*.zip
dist/**/*.deb
dist/**/*.rpm
dist/**/*.msi
dist/**/*.AppImage
dist/**/SHA512SUMS*