|
| 1 | +name: Release CLI |
| 2 | + |
| 3 | +# Builds the herot CLI for linux/macos/windows on release events. Each |
| 4 | +# binary is signed with sigstore/cosign keyless (workflow OIDC identity) |
| 5 | +# and uploaded to the release as an artifact. |
| 6 | +# |
| 7 | +# Manual dispatch builds binaries against HEAD without signing, useful |
| 8 | +# for pre-release smoke tests. |
| 9 | + |
| 10 | +on: |
| 11 | + release: |
| 12 | + types: [published] |
| 13 | + workflow_dispatch: |
| 14 | + inputs: |
| 15 | + ref: |
| 16 | + description: Git ref to build from (default HEAD) |
| 17 | + required: false |
| 18 | + |
| 19 | +permissions: |
| 20 | + contents: write |
| 21 | + id-token: write |
| 22 | + |
| 23 | +concurrency: |
| 24 | + group: release-cli-${{ github.workflow }}-${{ github.ref }} |
| 25 | + cancel-in-progress: false |
| 26 | + |
| 27 | +jobs: |
| 28 | + build: |
| 29 | + name: Build / ${{ matrix.target }} |
| 30 | + if: github.server_url == 'https://github.com' |
| 31 | + strategy: |
| 32 | + fail-fast: false |
| 33 | + matrix: |
| 34 | + include: |
| 35 | + - target: x86_64-unknown-linux-gnu |
| 36 | + os: ubuntu-latest |
| 37 | + archive: tar.gz |
| 38 | + - target: aarch64-unknown-linux-gnu |
| 39 | + os: ubuntu-latest |
| 40 | + archive: tar.gz |
| 41 | + cross: true |
| 42 | + - target: x86_64-apple-darwin |
| 43 | + os: macos-latest |
| 44 | + archive: tar.gz |
| 45 | + - target: aarch64-apple-darwin |
| 46 | + os: macos-latest |
| 47 | + archive: tar.gz |
| 48 | + - target: x86_64-pc-windows-msvc |
| 49 | + os: windows-latest |
| 50 | + archive: zip |
| 51 | + runs-on: ${{ matrix.os }} |
| 52 | + steps: |
| 53 | + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 54 | + with: |
| 55 | + ref: ${{ inputs.ref || github.ref }} |
| 56 | + |
| 57 | + - uses: ./.github/actions/setup-rust |
| 58 | + with: |
| 59 | + targets: ${{ matrix.target }} |
| 60 | + |
| 61 | + - name: Install cross (linux aarch64 only) |
| 62 | + if: matrix.cross |
| 63 | + run: cargo install cross --locked --version 0.2.5 |
| 64 | + |
| 65 | + - name: Build |
| 66 | + shell: bash |
| 67 | + run: | |
| 68 | + if [ "${{ matrix.cross }}" = "true" ]; then |
| 69 | + cross build --release --target ${{ matrix.target }} -p herot-cli |
| 70 | + else |
| 71 | + cargo build --release --target ${{ matrix.target }} -p herot-cli |
| 72 | + fi |
| 73 | +
|
| 74 | + - name: Package |
| 75 | + id: pkg |
| 76 | + shell: bash |
| 77 | + run: | |
| 78 | + set -euo pipefail |
| 79 | + version="${GITHUB_REF##*/v}" |
| 80 | + if [ "$version" = "$GITHUB_REF" ]; then |
| 81 | + version="dev-${GITHUB_SHA::7}" |
| 82 | + fi |
| 83 | + name="herot-${version}-${{ matrix.target }}" |
| 84 | + mkdir -p "dist/${name}" |
| 85 | + if [ "${{ matrix.archive }}" = "zip" ]; then |
| 86 | + cp "target/${{ matrix.target }}/release/herot.exe" "dist/${name}/" |
| 87 | + cp README.md LICENSE-MIT LICENSE-APACHE "dist/${name}/" 2>/dev/null || true |
| 88 | + (cd dist && 7z a "${name}.zip" "${name}/") |
| 89 | + echo "artifact=dist/${name}.zip" >> "$GITHUB_OUTPUT" |
| 90 | + else |
| 91 | + cp "target/${{ matrix.target }}/release/herot" "dist/${name}/" |
| 92 | + cp README.md LICENSE-MIT LICENSE-APACHE "dist/${name}/" 2>/dev/null || true |
| 93 | + (cd dist && tar -czf "${name}.tar.gz" "${name}/") |
| 94 | + echo "artifact=dist/${name}.tar.gz" >> "$GITHUB_OUTPUT" |
| 95 | + fi |
| 96 | + echo "name=${name}" >> "$GITHUB_OUTPUT" |
| 97 | +
|
| 98 | + - name: Sign with cosign keyless |
| 99 | + if: github.event_name == 'release' |
| 100 | + uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 |
| 101 | + |
| 102 | + - name: Sign artifact |
| 103 | + if: github.event_name == 'release' |
| 104 | + shell: bash |
| 105 | + env: |
| 106 | + ARTIFACT: ${{ steps.pkg.outputs.artifact }} |
| 107 | + run: | |
| 108 | + set -euo pipefail |
| 109 | + cosign sign-blob --yes \ |
| 110 | + --output-signature "${ARTIFACT}.sig" \ |
| 111 | + --output-certificate "${ARTIFACT}.pem" \ |
| 112 | + "${ARTIFACT}" |
| 113 | +
|
| 114 | + - name: Upload to release |
| 115 | + if: github.event_name == 'release' |
| 116 | + env: |
| 117 | + GH_TOKEN: ${{ github.token }} |
| 118 | + ARTIFACT: ${{ steps.pkg.outputs.artifact }} |
| 119 | + shell: bash |
| 120 | + run: | |
| 121 | + gh release upload "${{ github.event.release.tag_name }}" \ |
| 122 | + "${ARTIFACT}" "${ARTIFACT}.sig" "${ARTIFACT}.pem" \ |
| 123 | + --clobber |
| 124 | +
|
| 125 | + - name: Upload as workflow artifact (manual dispatch) |
| 126 | + if: github.event_name == 'workflow_dispatch' |
| 127 | + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 |
| 128 | + with: |
| 129 | + name: ${{ steps.pkg.outputs.name }} |
| 130 | + path: ${{ steps.pkg.outputs.artifact }} |
| 131 | + if-no-files-found: error |
0 commit comments