release: AUR auto-publish job #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # .github/workflows/release.yml | ||
| # cargo-dist driven release pipeline. | ||
| # Spec: zerodds-deployment-1.0.md §6. | ||
| # Triggers on git tag push v*.*.*, computes a release plan, builds per-target | ||
| # artefacts, then dispatches the platform-specific publish-jobs declared in | ||
| # [workspace.metadata.dist].publish-jobs. | ||
| name: release | ||
| on: | ||
| push: | ||
| tags: | ||
| - "v[0-9]+.[0-9]+.[0-9]+*" | ||
| workflow_dispatch: | ||
| inputs: | ||
| tag: | ||
| description: "Release tag (e.g. v1.0.0-rc.1)" | ||
| required: true | ||
| type: string | ||
| permissions: | ||
| contents: write | ||
| packages: write | ||
| id-token: write # OIDC for cosign keyless signing | ||
| env: | ||
| CARGO_TERM_COLOR: always | ||
| RUST_BACKTRACE: 1 | ||
| jobs: | ||
| plan: | ||
| name: cargo-dist plan | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| tag: ${{ steps.plan.outputs.tag }} | ||
| val: ${{ steps.plan.outputs.val }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: dtolnay/rust-toolchain@stable | ||
| - name: Install cargo-dist | ||
| run: cargo install cargo-dist --version 0.22.1 --locked | ||
| - name: Plan | ||
| id: plan | ||
| run: | | ||
| TAG="${{ github.event.inputs.tag || github.ref_name }}" | ||
| echo "tag=$TAG" >> "$GITHUB_OUTPUT" | ||
| PLAN=$(cargo dist plan --output-format=json) | ||
| echo "val<<JSON_EOF" >> "$GITHUB_OUTPUT" | ||
| echo "$PLAN" >> "$GITHUB_OUTPUT" | ||
| echo "JSON_EOF" >> "$GITHUB_OUTPUT" | ||
| build: | ||
| name: Build (${{ matrix.target }}) | ||
| needs: plan | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - target: x86_64-unknown-linux-gnu | ||
| os: ubuntu-22.04 | ||
| - target: aarch64-unknown-linux-gnu | ||
| os: ubuntu-22.04 | ||
| - target: x86_64-unknown-linux-musl | ||
| os: ubuntu-22.04 | ||
| - target: aarch64-unknown-linux-musl | ||
| os: ubuntu-22.04 | ||
| - target: x86_64-apple-darwin | ||
| os: macos-13 | ||
| - target: aarch64-apple-darwin | ||
| os: macos-14 | ||
| - target: x86_64-pc-windows-msvc | ||
| os: windows-2022 | ||
| - target: aarch64-pc-windows-msvc | ||
| os: windows-2022 | ||
| runs-on: ${{ matrix.os }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: dtolnay/rust-toolchain@stable | ||
| with: | ||
| targets: ${{ matrix.target }} | ||
| - name: Install cross deps (Linux) | ||
| if: runner.os == 'Linux' | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y --no-install-recommends pkg-config libssl-dev musl-tools | ||
| if [ "${{ matrix.target }}" = "aarch64-unknown-linux-gnu" ]; then | ||
| sudo apt-get install -y --no-install-recommends gcc-aarch64-linux-gnu | ||
| fi | ||
| # macOS-Codesigning: importiere Developer ID Application/Installer | ||
| # in einen ad-hoc Keychain, sodass `codesign` und `productsign` ihn | ||
| # finden. Wird nur auf macos-Runnern aktiv. | ||
| - name: Import Apple codesigning certs (macOS) | ||
| if: runner.os == 'macOS' | ||
| uses: apple-actions/import-codesign-certs@v3 | ||
| with: | ||
| p12-file-base64: ${{ secrets.APPLE_CERT_APP_BASE64 }} | ||
| p12-password: ${{ secrets.APPLE_CERT_APP_PASSWORD }} | ||
| keychain: zerodds-signing | ||
| create-keychain: true | ||
| - name: Import Apple installer cert (macOS) | ||
| if: runner.os == 'macOS' | ||
| uses: apple-actions/import-codesign-certs@v3 | ||
| with: | ||
| p12-file-base64: ${{ secrets.APPLE_CERT_INSTALLER_BASE64 }} | ||
| p12-password: ${{ secrets.APPLE_CERT_INSTALLER_PASSWORD }} | ||
| keychain: zerodds-signing | ||
| create-keychain: false | ||
| - name: Install cargo-dist | ||
| run: cargo install cargo-dist --version 0.22.1 --locked | ||
| - name: Build target | ||
| run: cargo dist build --target ${{ matrix.target }} | ||
| - name: Sign with minisign (Linux) | ||
| if: runner.os == 'Linux' | ||
| env: | ||
| MINISIGN_KEY: ${{ secrets.MINISIGN_SECRET_KEY }} | ||
| MINISIGN_PWD: ${{ secrets.MINISIGN_PASSWORD }} | ||
| run: bash packaging/github-actions/sign-artifacts.sh target/distrib | ||
| - name: Codesign + notarize macOS binaries | ||
| if: runner.os == 'macOS' | ||
| env: | ||
| APPLE_ID: ${{ secrets.APPLE_ID }} | ||
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | ||
| APPLE_NOTARY_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }} | ||
| DEV_ID_APPLICATION: "Developer ID Application: Sandra Theresa Keler (YU6XNW6DG7)" | ||
| run: bash packaging/github-actions/sign-macos.sh target/distrib | ||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: artifacts-${{ matrix.target }} | ||
| path: target/distrib/ | ||
| package-deb: | ||
| name: Build .deb packages | ||
| needs: build | ||
| uses: ./packaging/linux/deb/publish-deb.yml | ||
| secrets: inherit | ||
| with: | ||
| plan: ${{ needs.plan.outputs.val }} | ||
| package-rpm: | ||
| name: Build .rpm packages | ||
| needs: build | ||
| uses: ./packaging/linux/rpm/publish-rpm.yml | ||
| secrets: inherit | ||
| with: | ||
| plan: ${{ needs.plan.outputs.val }} | ||
| package-docker: | ||
| name: Build + push Docker images | ||
| needs: build | ||
| runs-on: ubuntu-22.04 | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| daemon: [ws-bridged, mqtt-bridged, coap-bridged, amqp-bridged, grpc-bridged, corba-bridged, ros2-shim, cli] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: docker/setup-qemu-action@v3 | ||
| - uses: docker/setup-buildx-action@v3 | ||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
| - name: Login to GHCR | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Build + push (${{ matrix.daemon }}) | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: . | ||
| file: packaging/docker/${{ matrix.daemon }}/Dockerfile | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: true | ||
| tags: | | ||
| fishermen21/zerodds-${{ matrix.daemon }}:${{ needs.plan.outputs.tag }} | ||
| fishermen21/zerodds-${{ matrix.daemon }}:1.0 | ||
| ghcr.io/zero-objects/zerodds-${{ matrix.daemon }}:${{ needs.plan.outputs.tag }} | ||
| ghcr.io/zero-objects/zerodds-${{ matrix.daemon }}:1.0 | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max | ||
| package-msi: | ||
| name: Build Windows MSI | ||
| needs: build | ||
| runs-on: windows-2022 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/download-artifact@v4 | ||
| with: | ||
| name: artifacts-x86_64-pc-windows-msvc | ||
| path: payload\ | ||
| - name: Install WiX 4 | ||
| run: dotnet tool install --global wix --version 4.0.5 | ||
| - name: Compile MSI | ||
| run: | | ||
| wix build -arch x64 -d PayloadDir=payload ` | ||
| packaging/windows/msi/zerodds.wxs -o dist/zerodds-1.0.0-x64.msi | ||
| - name: Sign MSI | ||
| env: | ||
| WIN_CERT_PFX: ${{ secrets.WIN_CERT_PFX_BASE64 }} | ||
| WIN_CERT_PWD: ${{ secrets.WIN_CERT_PWD }} | ||
| run: | | ||
| [System.IO.File]::WriteAllBytes("cert.pfx", | ||
| [Convert]::FromBase64String($env:WIN_CERT_PFX)) | ||
| signtool sign /f cert.pfx /p $env:WIN_CERT_PWD ` | ||
| /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ` | ||
| dist/zerodds-1.0.0-x64.msi | ||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: zerodds-msi | ||
| path: dist/*.msi | ||
| publish-homebrew-tap: | ||
| name: Update Homebrew tap | ||
| needs: [build, package-msi] | ||
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| repository: zero-objects/homebrew-zerodds | ||
| token: ${{ secrets.HOMEBREW_TAP_PAT }} | ||
| path: tap | ||
| - name: Render formulae | ||
| run: bash packaging/github-actions/render-homebrew.sh tap/Formula | ||
| - name: Commit + push | ||
| working-directory: tap | ||
| run: | | ||
| git config user.name "zerodds-release-bot" | ||
| git config user.email "release@zerodds.org" | ||
| git add Formula | ||
| git commit -m "release: ${{ needs.plan.outputs.tag }}" | ||
| git push | ||
| publish-aur: | ||
| name: Update AUR (zerodds + zerodds-bin) | ||
| needs: [github-release] | ||
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Setup AUR SSH key | ||
| run: | | ||
| mkdir -p ~/.ssh | ||
| chmod 700 ~/.ssh | ||
| printf '%s\n' "${{ secrets.AUR_SSH_KEY }}" > ~/.ssh/aur | ||
| chmod 600 ~/.ssh/aur | ||
| cat <<'CFG' > ~/.ssh/config | ||
| Host aur.archlinux.org | ||
| User aur | ||
| IdentityFile ~/.ssh/aur | ||
| IdentitiesOnly yes | ||
| StrictHostKeyChecking accept-new | ||
| CFG | ||
| - name: Render + push PKGBUILDs | ||
| env: | ||
| TAG: ${{ needs.plan.outputs.tag }} | ||
| run: bash packaging/github-actions/aur-publish.sh "$TAG" | ||
| publish-scoop-bucket: | ||
| name: Update Scoop bucket | ||
| needs: [build, package-msi] | ||
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| repository: zero-objects/scoop-zerodds | ||
| token: ${{ secrets.SCOOP_BUCKET_PAT }} | ||
| path: bucket | ||
| - name: Render manifest | ||
| run: cp packaging/windows/scoop/zerodds.json bucket/zerodds.json | ||
| - name: Commit + push | ||
| working-directory: bucket | ||
| run: | | ||
| git config user.name "zerodds-release-bot" | ||
| git config user.email "release@zerodds.org" | ||
| git add zerodds.json | ||
| git commit -m "release: ${{ needs.plan.outputs.tag }}" | ||
| git push | ||
| github-release: | ||
| name: Publish GitHub release | ||
| needs: [build, package-deb, package-rpm, package-docker, package-msi] | ||
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - uses: actions/download-artifact@v4 | ||
| with: { path: dist } | ||
| - name: Create release | ||
| uses: softprops/action-gh-release@v2 | ||
| with: | ||
| tag_name: ${{ needs.plan.outputs.tag }} | ||
| generate_release_notes: true | ||
| files: | | ||
| dist/**/*.tar.gz | ||
| dist/**/*.zip | ||
| dist/**/*.deb | ||
| dist/**/*.rpm | ||
| dist/**/*.msi | ||
| dist/**/*.AppImage | ||
| dist/**/SHA512SUMS* | ||