From 0e80165609294728451145f2be0a4806f8501f37 Mon Sep 17 00:00:00 2001
From: Ivan Valdes
Date: Tue, 21 May 2024 21:44:17 -0700
Subject: [PATCH 1/2] github: add release action

This is a pretty straightforward release process. Marker is built without support for networking so as to avoid the complications of certificate verification and dynamic linking.
---
 .github/workflows/release.yaml | 58 ++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 .github/workflows/release.yaml

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..f08c8c9
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,58 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "**"
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    name: Create release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh release create ${{ github.ref_name }}
+
+  assets:
+    name: Create artifact
+    needs: release
+    strategy:
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-musl
+            os: ubuntu-latest
+          - target: x86_64-apple-darwin
+            os: macos-latest
+          - target: aarch64-apple-darwin
+            os: macos-latest
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install toolchain
+        run: |
+          rustup toolchain install stable
+          rustup target install ${{ matrix.target }}
+      - name: Build executable
+        id: build
+        run: |
+          cargo build --release --target ${{ matrix.target }} --no-default-features
+          echo path=target/${{ matrix.target }}/release/marker >> $GITHUB_OUTPUT
+      - name: Package executable
+        id: package
+        env:
+          NAME: marker-${{ github.ref_name }}-${{ matrix.target }}
+        run: |
+          mkdir -p $NAME
+          cp ${{ steps.build.outputs.path }} $NAME/
+          tar --create --gzip --file $NAME.tar.gz $NAME/
+          echo path=$NAME.tar.gz >> $GITHUB_OUTPUT
+      - name: Upload artifact
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh release upload ${{ github.ref_name }} ${{ steps.package.outputs.path }}

From 5a86e713f01ff43338cbdd63ee8c336a0d5eb601 Mon Sep 17 00:00:00 2001
From: Alex Crawford
Date: Fri, 12 Jul 2024 17:45:17 -0700
Subject: [PATCH 2/2] github: generate attestation for release

This will allow folks to verify that the release artifacts were built by GitHub and not tampered with by me or anyone else (except GitHub).
---
 .github/workflows/release.yaml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f08c8c9..bd86194 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
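Review bot: The `run:` lines of the `gh release create` and `gh release upload` steps expand `${{ github.ref_name }}` (and, via it, `steps.package.outputs.path`) straight into the shell command, so the tag name is substituted before bash parses it; git ref names may contain `;`, `|`, `$` and backticks, which is why GitHub's hardening guidance treats `github.ref_name` as untrusted in `run:` context. Only someone who can push a tag can trigger this workflow, which limits the blast radius, but routing the values through `env:` and quoting them costs nothing, as in the rewrite below. Separately, `actions/checkout@v4` and `rustup toolchain install stable` are mutable references, so the build is not pinned; using a commit SHA for the action and `cargo build --locked` against a committed `Cargo.lock` (whether one exists is not visible here) would make a later provenance claim say something stronger. Because `assets` runs after `release`, one failing matrix leg leaves a published release with a partial asset set; creating it with `gh release create --draft` and publishing from a final job that needs `assets` avoids shipping a half-release.
```yaml
      - env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.ref_name }}
        run: gh release create "$TAG"
# … unchanged: assets job matrix, toolchain, build and package steps …
      - name: Upload artifact
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.ref_name }}
          ASSET: ${{ steps.package.outputs.path }}
        run: gh release upload "$TAG" "$ASSET"
```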
@@ -5,12 +5,11 @@ on:
     tags:
       - "**"
 
-permissions:
-  contents: write
-
 jobs:
   release:
     name: Create release
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -21,6 +20,10 @@ jobs:
   assets:
     name: Create artifact
     needs: release
+    permissions:
+      id-token: write
+      attestations: write
+      contents: write
     strategy:
       matrix:
         include:
@@ -51,8 +54,14 @@ jobs:
           mkdir -p $NAME
           cp ${{ steps.build.outputs.path }} $NAME/
           tar --create --gzip --file $NAME.tar.gz $NAME/
+          echo name=$NAME >> $GITHUB_OUTPUT
           echo path=$NAME.tar.gz >> $GITHUB_OUTPUT
       - name: Upload artifact
         env:
           GH_TOKEN: ${{ github.token }}
         run: gh release upload ${{ github.ref_name }} ${{ steps.package.outputs.path }}
+      - name: Generate attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: ${{ steps.build.outputs.path }}
+          subject-name: ${{ steps.package.outputs.name }}
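Review bot: The new `permissions` block on `assets` hands `id-token: write`, `attestations: write` and `contents: write` to a job whose build step (outside this hunk) runs `cargo build`, which executes every dependency's `build.rs` and proc-macros with the OIDC request variables in the environment and, since `actions/checkout` persists credentials by default, the token in `.git/config`; a compromised crate could plausibly substitute the asset or request its own attestation. These three scopes are the minimum `attest-build-provenance` needs, so the fix is to constrain what runs under them rather than the grant itself: `cargo build --locked --release --target ${{ matrix.target }} --no-default-features` so the dependency graph is fixed to the committed `Cargo.lock` (whether one is committed is not visible here), and `persist-credentials: false` on the checkout step, which nothing in this job needs.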
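Review bot: The attestation's subject is the bare binary (`subject-path: ${{ steps.build.outputs.path }}`), but what is uploaded to the release is the tarball, and `subject-name` is the tarball's base name without `.tar.gz`; so `gh attestation verify` run against the downloaded release asset will not match the attested digest, and a user has to know to extract the archive and verify the inner `marker` file. Either attest what is published — `subject-path: ${{ steps.package.outputs.path }}` and `subject-name: ${{ steps.package.outputs.name }}.tar.gz` — or keep the binary as the subject and document the extract-then-verify command where users will see it. The step also runs after `gh release upload`, so a failure in it leaves an asset published with no provenance; moving it before the upload keeps "published" and "attested" together. As this step signs on the repository's behalf, pinning `actions/attest-build-provenance@v1` to a commit SHA is worth more here than elsewhere.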