Create Draft Release #65
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Create Draft Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| git_tag: | |
| description: Git Tag To Release From. Last Git Tag Is Used If Omitted | |
| required: false | |
| release_branch: | |
| description: Release Branch Where Recent Bump Occurred | |
| required: true | |
| permissions: | |
| contents: read | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| create_release: | |
| permissions: | |
| contents: write | |
| name: Initiate Draft Release | |
| runs-on: ubuntu-20.04 | |
| environment: release | |
| outputs: | |
| upload_url: ${{ steps.release_upload_url.outputs.upload_url }} | |
| version: ${{ steps.release_version.outputs.version }} | |
| env: | |
| BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }} | |
| AWS_REGION: ${{ vars.AWS_REGION }} | |
| AWS_ROLE: ${{ vars.AWS_ROLE }} | |
| steps: | |
| - name: Checkout Ockam | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.inputs.release_branch }} | |
| - name: Import GPG key | |
| uses: build-trust/.github/actions/import_gpg@ae127cb92387ed76f24d4d1c6d6bfc2d382f7946 | |
| with: | |
| gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}' | |
| gpg_password: '${{ secrets.GPG_PASSPHRASE }}' | |
| gpg_name: '${{ secrets.GPG_USER_NAME }}' | |
| gpg_email: '${{ secrets.GPG_EMAIL }}' | |
| - name: Get Release Text | |
| id: release_version | |
| env: | |
| GIT_TAG: '${{ github.event.inputs.git_tag }}' | |
| run: | | |
| cargo install tomlq@0.1.0 | |
| set -x | |
| source tools/scripts/release/crates-to-publish.sh | |
| # Add Ockam as first crate | |
| ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml") | |
| name=$(eval "tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml") | |
| text="Ockam $ockam_version" | |
| text="$text | |
| # Homebrew | |
| To install this release using Homebrew: | |
| \`\`\`bash | |
| $ brew install build-trust/ockam/ockam | |
| \`\`\`" | |
| # Install Docker image | |
| text="$text | |
| # Docker | |
| To use the Docker OCI package: | |
| \`\`\`bash | |
| docker pull ghcr.io/build-trust/ockam:$ockam_version | |
| \`\`\`" | |
| url_head="https://${{ env.BUCKET_NAME }}.s3.amazonaws.com/${ockam_version}" | |
| text="$text | |
| # Precompiled Binaries | |
| \`\`\`bash | |
| # download sha256sums.txt | |
| curl --proto '=https' --tlsv1.2 -sSfL -O \\ | |
| ${url_head}/sha256sums.txt | |
| # download sha256sums.txt.sig | |
| curl --proto '=https' --tlsv1.2 -sSfL -O \\ | |
| ${url_head}/sha256sums.txt.sig | |
| # download our release public key | |
| curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \\ | |
| https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub | |
| # verify signatures | |
| cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt | |
| # download ockam command binary for your architecture | |
| curl --proto '=https' --tlsv1.2 -sSfL -O \\ | |
| ${url_head}/ockam.x86_64-unknown-linux-gnu | |
| # verify that the sha256 hash of the downloaded binary is the same as | |
| # the corresponding hash mentioned in sha256sums.txt | |
| cat sha256sums.txt | grep ockam.x86_64-unknown-linux-gnu | sha256sum -c | |
| # rename the download binary and give it permission to execute | |
| mv ockam.x86_64-unknown-linux-gnu ockam | |
| chmod u+x ockam | |
| \`\`\`" | |
| text="$text | |
| # Rust Crates | |
| To use Ockam as a Rust library, run the following command within your project directory: | |
| \`\`\`bash | |
| cargo add ockam@$ockam_version | |
| \`\`\` | |
| The following crates were published as part of this release: | |
| - \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \ | |
| [CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))" | |
| for crate in ${updated_crates[@]}; do | |
| version=$(eval "tomlq package.version -f $crate/Cargo.toml") | |
| name=$(eval "tomlq package.name -f $crate/Cargo.toml") | |
| if [[ $name == "ockam" ]]; then | |
| echo "Skipping ockam crate" | |
| continue | |
| fi | |
| text="$text | |
| - \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \ | |
| [CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"; | |
| done | |
| echo "version=$ockam_version" >> $GITHUB_OUTPUT | |
| echo "tag_name=ockam_v$ockam_version" >> $GITHUB_OUTPUT | |
| echo "$text" > release_note.md | |
| cat release_note.md | |
| # Add tag | |
| git tag -s ockam_v$ockam_version -m "Ockam Release" | |
| git push --tags | |
| - name: Create GitHub release | |
| id: release_upload_url | |
| uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| release_name: 'Ockam v${{ steps.release_version.outputs.version }}' | |
| tag_name: '${{ steps.release_version.outputs.tag_name }}' | |
| body_path: 'release_note.md' | |
| prerelease: true | |
| - name: Echo Link | |
| run: echo "${{ steps.release_upload_url.outputs.html_url }}" | |
| build_release: | |
| name: Build Binaries | |
| needs: create_release | |
| environment: release | |
| env: | |
| DEVELOPMENT_TEAM: ${{ vars.DEVELOPMENT_TEAM }} | |
| PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_SPECIFIER }} | |
| CODE_SIGN_IDENTITY: ${{ vars.CODE_SIGN_IDENTITY }} | |
| NOTARIZATION_EMAIL: ${{ vars.NOTARIZATION_EMAIL }} | |
| NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }} | |
| BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }} | |
| AWS_REGION: ${{ vars.AWS_REGION }} | |
| AWS_ROLE: ${{ vars.AWS_ROLE }} | |
| permissions: | |
| contents: write | |
| id-token: write # This is required for requesting the JWT | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86] | |
| include: | |
| - build: linux_arm64 | |
| os: ubuntu-22.04 | |
| toolchain: stable | |
| target: aarch64-unknown-linux-musl | |
| build_app: false | |
| use-cross-build: true | |
| - build: linux_armv7 | |
| os: ubuntu-22.04 | |
| toolchain: stable | |
| target: armv7-unknown-linux-musleabihf | |
| use-cross-build: true | |
| build_app: false | |
| - build: linux_86 | |
| os: ubuntu-22.04 | |
| toolchain: stable | |
| target: x86_64-unknown-linux-musl | |
| use-cross-build: true | |
| build_app: false | |
| - build: linux_86_gnu | |
| os: ubuntu-22.04 | |
| toolchain: stable | |
| target: x86_64-unknown-linux-gnu | |
| use-cross-build: false | |
| build_app: false | |
| - build: linux_aarch64_gnu | |
| os: ubuntu-22.04 | |
| toolchain: stable | |
| target: aarch64-unknown-linux-gnu | |
| use-cross-build: true | |
| build_app: false | |
| - build: macos_silicon | |
| os: macos-14 | |
| toolchain: stable | |
| target: aarch64-apple-darwin | |
| use-cross-build: false | |
| build_app: true | |
| - build: macos_86 | |
| os: macos-14 | |
| toolchain: stable | |
| target: x86_64-apple-darwin | |
| use-cross-build: false | |
| build_app: true | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| ref: ${{ github.event.inputs.release_branch }} | |
| - name: Echo Link | |
| run: echo "${{ needs.create_release.outputs.upload_url }}" | |
| - uses: ./.github/actions/build_binaries | |
| with: | |
| use_cross_build: ${{ matrix.use-cross-build }} | |
| toolchain: ${{ matrix.toolchain }} | |
| target: ${{ matrix.target }} | |
| platform_operating_system: ${{ matrix.os }} | |
| build_app: ${{ matrix.build_app }} | |
| - name: Copy Artifacts | |
| run: | | |
| set -x | |
| cp target/${{ matrix.target }}/release/ockam_command ockam.${{ matrix.target }} | |
| echo "ASSET_OCKAM_CLI=ockam.${{ matrix.target }}" >> $GITHUB_ENV | |
| ls $GITHUB_WORKSPACE | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da | |
| with: | |
| cosign-release: 'v2.0.0' | |
| - name: Sign Binaries | |
| env: | |
| PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' | |
| COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}' | |
| run: | | |
| cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_CLI }}" > "${{ env.ASSET_OCKAM_CLI }}.sig" | |
| - name: Upload CLI release archive to GitHub | |
| uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ needs.create_release.outputs.upload_url }} | |
| asset_path: ${{ env.ASSET_OCKAM_CLI }} | |
| asset_name: ${{ env.ASSET_OCKAM_CLI }} | |
| asset_content_type: application/octet-stream | |
| - name: Upload CLI Signature to GitHub | |
| uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ needs.create_release.outputs.upload_url }} | |
| asset_path: ${{ env.ASSET_OCKAM_CLI }}.sig | |
| asset_name: ${{ env.ASSET_OCKAM_CLI }}.sig | |
| asset_content_type: application/octet-stream | |
| - name: Upload CLI release archive to AWS | |
| uses: ./.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: ${{ env.ASSET_OCKAM_CLI }} | |
| release_version: "v${{ needs.create_release.outputs.version }}" | |
| - name: Upload CLI Signature to AWS | |
| uses: ./.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: ${{ env.ASSET_OCKAM_CLI }}.sig | |
| release_version: "v${{ needs.create_release.outputs.version }}" | |
| build_elixir_nifs: | |
| name: Build Elixir NIFs | |
| needs: create_release | |
| environment: release | |
| permissions: | |
| contents: write | |
| id-token: write # This is required for requesting the JWT | |
| env: | |
| BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }} | |
| AWS_REGION: ${{ vars.AWS_REGION }} | |
| AWS_ROLE: ${{ vars.AWS_ROLE }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| job: | |
| - { target: aarch64-unknown-linux-gnu , os: ubuntu-20.04 , use-cross: true } | |
| - { target: x86_64-unknown-linux-gnu , os: ubuntu-20.04 } | |
| - { target: aarch64-apple-darwin , os: macos-14 } | |
| - { target: x86_64-apple-darwin , os: macos-14 } | |
| runs-on: ${{ matrix.job.os }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| ref: ${{ github.event.inputs.release_branch }} | |
| - name: Install Rust toolchain | |
| run: | | |
| # This will allow us update to rust version indicated in our rust-toolchain.toml file | |
| rustup show | |
| rustup target add ${{ matrix.job.target }} | |
| - name: Install Cross | |
| if: matrix.job.use-cross == true | |
| run: cargo install --version 0.2.4 cross | |
| - shell: bash | |
| if: matrix.job.target == 'ubuntu-20.04' | |
| run: | | |
| set -x | |
| use_cross_build=${{ matrix.job.use-cross }} | |
| if [[ $use_cross_build != true ]]; then | |
| sudo apt update | |
| sudo apt -y --no-install-recommends install libclang-dev clang | |
| fi | |
| - name: Build NIFs | |
| run: | | |
| set -ex | |
| if [[ '${{ matrix.job.use-cross }}' == 'true' ]]; then | |
| # When building using cross use rust crypto (slower) since the cross image doesn't have an up-to-date libclang | |
| cross build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release --no-default-features -F rust-crypto | |
| exit | |
| fi | |
| rustup target add ${{ matrix.job.target }} | |
| cargo build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release --no-default-features -F aws-lc | |
| - name: List | |
| run: | | |
| ls target/${{ matrix.job.target }}/release/ | |
| - name: Rename Build | |
| run: | | |
| cargo install tomlq@0.1.0 | |
| ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml") | |
| final_name="libockam_rust_elixir_nifs-v${ockam_version}-nif-2.15-${{ matrix.job.target }}.so" | |
| if [[ "${{ matrix.job.target }}" == *"darwin"* ]]; then | |
| cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.dylib "$final_name" | |
| else | |
| cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.so "$final_name" | |
| fi | |
| tar -zcvf "${final_name}.tar.gz" "$final_name" | |
| echo "FILE_NAME=${final_name}.tar.gz" >> $GITHUB_ENV | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da | |
| with: | |
| cosign-release: 'v2.0.0' | |
| - name: Sign NIFs | |
| env: | |
| PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' | |
| COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}' | |
| run: | | |
| cosign sign-blob --yes --key env://PRIVATE_KEY ${{ env.FILE_NAME }} > "${{ env.FILE_NAME }}.sig" | |
| - name: Upload NIF to GitHub | |
| uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ needs.create_release.outputs.upload_url }} | |
| asset_path: "${{ env.FILE_NAME }}" | |
| asset_name: "${{ env.FILE_NAME }}" | |
| asset_content_type: application/octet-stream | |
| - name: Upload NIF Signature to GitHub | |
| uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ needs.create_release.outputs.upload_url }} | |
| asset_path: ${{ env.FILE_NAME }}.sig | |
| asset_name: ${{ env.FILE_NAME }}.sig | |
| asset_content_type: application/octet-stream | |
| - name: Upload NIF to AWS | |
| uses: ./.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: "${{ env.FILE_NAME }}" | |
| release_version: "v${{ needs.create_release.outputs.version }}" | |
| - name: Upload NIF Signature to AWS | |
| uses: ./.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: "${{ env.FILE_NAME }}.sig" | |
| release_version: "v${{ needs.create_release.outputs.version }}" | |
| sign_release: | |
| name: Sign All Assets | |
| needs: [build_release, create_release, build_elixir_nifs] | |
| runs-on: ubuntu-20.04 | |
| environment: release | |
| permissions: | |
| contents: write | |
| id-token: write # This is required for requesting the JWT | |
| env: | |
| BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }} | |
| AWS_REGION: ${{ vars.AWS_REGION }} | |
| AWS_ROLE: ${{ vars.AWS_ROLE }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| ref: ${{ github.event.inputs.release_branch }} | |
| path: aws | |
| - name: Login to AWS | |
| uses: ./aws/.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| - name: Fetch All Assets | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: aws s3 sync s3://${{ env.BUCKET_NAME }}/v${{ needs.create_release.outputs.version }} . && ls | |
| - name: Generate File SHASum | |
| run: shasum -a 256 *ockam* > sha256sums.txt | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da | |
| with: | |
| cosign-release: 'v2.0.0' | |
| - name: Sign Files | |
| env: | |
| PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' | |
| COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}' | |
| run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig | |
| - name: Upload SHASum File to GitHub | |
| uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ needs.create_release.outputs.upload_url }} | |
| asset_path: sha256sums.txt | |
| asset_name: sha256sums.txt | |
| asset_content_type: application/octet-stream | |
| - name: Upload SHASum Signature File to GitHub | |
| uses: actions/upload-release-asset@ef2adfe8cb8ebfa540930c452c576b3819990faa | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ needs.create_release.outputs.upload_url }} | |
| asset_path: sha256sums.txt.sig | |
| asset_name: sha256sums.txt.sig | |
| asset_content_type: application/octet-stream | |
| - name: Upload SHASum File to AWS | |
| uses: ./aws/.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: sha256sums.txt | |
| release_version: "v${{ needs.create_release.outputs.version }}" | |
| - name: Upload SHASum Signature File to AWS | |
| uses: ./aws/.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: sha256sums.txt.sig | |
| release_version: "v${{ needs.create_release.outputs.version }}" |