-
Notifications
You must be signed in to change notification settings - Fork 8
172 lines (160 loc) · 7.36 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
name: Release
permissions:
id-token: write
contents: write
attestations: write
on:
push:
tags:
- v[0-9]+.*
jobs:
create-release:
runs-on: ubuntu-latest
outputs:
tag: ${{ steps.create-gh-release.outputs.computed-prefix }}${{ steps.create-gh-release.outputs.version }}
version: ${{ steps.create-gh-release.outputs.version }}
steps:
- uses: actions/checkout@v4
- name: Changelog variable
if: ${{ !(contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'prerelease') || contains(github.ref, 'rc')) }}
run: |
echo "changelog=CHANGELOG.md" >> $GITHUB_ENV
- id: create-gh-release
uses: taiki-e/create-gh-release-action@v1
with:
draft: true
changelog: ${{ env.changelog }}
# (required) GitHub token for creating GitHub Releases.
token: ${{ secrets.GITHUB_TOKEN }}
upload-assets:
needs: [create-release]
strategy:
matrix:
include:
# Linux (ARM and x86-64)
- target: aarch64-unknown-linux-gnu
os: ubuntu-latest
- target: x86_64-unknown-linux-gnu
os: ubuntu-latest
# macOS targets (Universal only)
- target: universal-apple-darwin
os: macos-latest
# Windows (x86-64)
- target: x86_64-pc-windows-msvc
os: windows-latest
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- name: Configure cache
uses: Swatinem/rust-cache@v2
- name: Include documentation files variable (macOS)
if: ${{ matrix.target == 'universal-apple-darwin' }}
run: |
echo "include_docs=target/aarch64-apple-darwin/release/man,target/aarch64-apple-darwin/release/completion" >> $GITHUB_ENV
- name: Install the Apple certificate, provisioning profile, and API key (macOS)
if: ${{ matrix.target == 'universal-apple-darwin' }}
id: keychain
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
AUTH_KEY_BASE64: ${{ secrets.AUTH_KEY_BASE64 }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
AUTH_KEY_PATH=$RUNNER_TEMP/AuthKey.p8
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# apply provisioning profile
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
# create auth key file for notarization
echo -n "$AUTH_KEY_BASE64" | base64 --decode -o $AUTH_KEY_PATH
# setup outputs
echo "auth_key_path=$AUTH_KEY_PATH" >> $GITHUB_OUTPUT
echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT
echo "pp_path=$PP_PATH" >> $GITHUB_OUTPUT
echo "certificate_path=$CERTIFICATE_PATH" >> $GITHUB_OUTPUT
- name: Include documentation files variable (windows)
if: ${{ matrix.target == 'x86_64-pc-windows-msvc' }}
run: |
echo "include_docs=target/${{ matrix.target }}/release/man,target/${{ matrix.target }}/release/completion" >> $env:GITHUB_ENV
- name: Include documentation files variable (linux)
if: ${{ contains(matrix.target, 'linux') }}
run: |
echo "include_docs=target/${{ matrix.target }}/release/man,target/${{ matrix.target }}/release/completion" >> $GITHUB_ENV
- id: upload-rust-binary-action
uses: taiki-e/[email protected]
with:
# (required) Comma-separated list of binary names (non-extension portion of filename) to build and upload.
# Note that glob pattern is not supported yet.
bin: paper-age
# (optional) Comma-separated list of algorithms to be used for checksum (sha256, sha512, sha1, or md5)
checksum: sha256
# (optional) Target triple, default is host triple.
target: ${{ matrix.target }}
# (optional) Comma-separated list of additional files to be included to archive.
include: README.md,LICENSE.txt,src/assets/fonts/IBMPlexMono-LICENSE.txt,${{ env.include_docs }}
# (required) GitHub token for uploading assets to GitHub Releases.
token: ${{ secrets.GITHUB_TOKEN }}
# Sign build products using codesign on macOS
codesign: '7FP48PW9TN'
codesign-prefix: 'fi.matiaskorhonen.'
codesign-options: 'runtime'
- name: Zip the binary for notarization (macOS)
if: ${{ matrix.target == 'universal-apple-darwin' }}
run: zip -r $RUNNER_TEMP/paper-age-signed.zip target/${{ matrix.target }}/release/paper-age
- name: Upload the binary for notarization (macOS)
if: ${{ matrix.target == 'universal-apple-darwin' }}
env:
KEY_ID: ${{ secrets.KEY_ID }}
ISSUER: ${{ secrets.ISSUER }}
run: |
xcrun notarytool submit $RUNNER_TEMP/paper-age-signed.zip \
--key "${{ steps.keychain.outputs.auth_key_path }}" \
--key-id "$KEY_ID" \
--issuer "$ISSUER" \
--wait
- uses: actions/attest-build-provenance@v1
with:
subject-path: "${{ steps.upload-rust-binary-action.outputs.archive }}.*"
publish-release:
needs: [create-release, upload-assets]
runs-on: ubuntu-latest
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v4
- name: mark release as non-draft
run: |
gh release edit ${{ needs.create-release.outputs.tag }} --draft=false
update-homebrew:
needs: [create-release, upload-assets, publish-release]
if: ${{ !(contains(needs.create-release.outputs.tag, 'alpha') || contains(needs.create-release.outputs.tag, 'beta') || contains(needs.create-release.outputs.tag, 'prerelease') || contains(needs.create-release.outputs.tag, 'rc')) }}
runs-on: ubuntu-latest
steps:
- name: Update Homebrew Formula
uses: actions/github-script@v7
with:
github-token: ${{ secrets.PAT }}
script: |
github.rest.repos.createDispatchEvent({
owner: "matiaskorhonen",
repo: "homebrew-paper-age",
event_type: "Update Homebrew Formula",
client_payload: {
version: ${{ toJSON(needs.create-release.outputs.version) }}
}
})