Create Draft Release #73
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Create Draft Release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| git_tag: | |
| description: Git Tag To Release From. Last Git Tag Is Used If Omitted | |
| required: false | |
| release_branch: | |
| description: Release Branch Where Recent Bump Occurred | |
| required: true | |
| permissions: | |
| contents: read | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| create_release: | |
| permissions: | |
| contents: write | |
| name: Initiate Draft Release | |
| runs-on: ubuntu-22.04 | |
| environment: release | |
| outputs: | |
| upload_url: ${{ steps.release_upload_url.outputs.upload_url }} | |
| version: ${{ steps.release_version.outputs.version }} | |
| tag_name: ${{ steps.release_version.outputs.tag_name }} | |
| env: | |
| BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }} | |
| AWS_REGION: ${{ vars.AWS_REGION }} | |
| AWS_ROLE: ${{ vars.AWS_ROLE }} | |
| steps: | |
| - name: Checkout Ockam | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.inputs.release_branch }} | |
| - name: Import GPG key | |
| uses: build-trust/.github/actions/import_gpg@ae127cb92387ed76f24d4d1c6d6bfc2d382f7946 | |
| with: | |
| gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}' | |
| gpg_password: '${{ secrets.GPG_PASSPHRASE }}' | |
| gpg_name: '${{ secrets.GPG_USER_NAME }}' | |
| gpg_email: '${{ secrets.GPG_EMAIL }}' | |
| - name: Get Release Text | |
| id: release_version | |
| env: | |
| GIT_TAG: '${{ github.event.inputs.git_tag }}' | |
| run: | | |
| cargo install [email protected] | |
| set -x | |
| source tools/scripts/release/crates-to-publish.sh | |
| # Add Ockam as first crate | |
| ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml") | |
| name=$(eval "tomlq package.name -f implementations/rust/ockam/ockam/Cargo.toml") | |
| text="Ockam $ockam_version" | |
| text="$text | |
| # Homebrew | |
| To install this release using Homebrew: | |
| \`\`\`bash | |
| brew install build-trust/ockam/ockam | |
| \`\`\`" | |
| # Install Docker image | |
| text="$text | |
| # Docker | |
| To use the Docker OCI package: | |
| \`\`\`bash | |
| docker pull ghcr.io/build-trust/ockam:$ockam_version | |
| \`\`\`" | |
| text="$text | |
| # Curl Install | |
| To install this release using curl: | |
| \`\`\`bash | |
| curl --proto '=https' --tlsv1.2 -sSfL https://install.command.ockam.io | bash | |
| \`\`\`" | |
| text="$text | |
| # Rust Crates | |
| To use Ockam as a Rust library, run the following command within your project directory: | |
| \`\`\`bash | |
| cargo add ockam@$ockam_version | |
| \`\`\` | |
| The following crates were published as part of this release: | |
| - \`$name $ockam_version\` ([Documentation](https://docs.rs/$name/$ockam_version/$name/), \ | |
| [CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))" | |
| for crate in ${updated_crates[@]}; do | |
| version=$(eval "tomlq package.version -f $crate/Cargo.toml") | |
| name=$(eval "tomlq package.name -f $crate/Cargo.toml") | |
| if [[ $name == "ockam" ]]; then | |
| echo "Skipping ockam crate" | |
| continue | |
| fi | |
| text="$text | |
| - \`$name $version\` ([Documentation](https://docs.rs/$name/$version/$name/), \ | |
| [CHANGELOG](https://github.com/build-trust/ockam/blob/ockam_v$ockam_version/implementations/rust/ockam/$name/CHANGELOG.md))"; | |
| done | |
| echo "version=$ockam_version" >> $GITHUB_OUTPUT | |
| echo "tag_name=ockam_v$ockam_version" >> $GITHUB_OUTPUT | |
| echo "$text" > release_note.md | |
| cat release_note.md | |
| # Check if a recent tag has been created and delete upstream | |
| if git tag | grep "ockam_v$ockam_version"; then | |
| git tag -d "ockam_v$ockam_version" | |
| git push --delete origin "ockam_v$ockam_version" | |
| fi | |
| # Add tag | |
| git tag -s ockam_v$ockam_version -m "Ockam Release" | |
| git push --tags | |
| - name: Create GitHub release | |
| id: release_upload_url | |
| uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| release_name: 'Ockam v${{ steps.release_version.outputs.version }}' | |
| tag_name: '${{ steps.release_version.outputs.tag_name }}' | |
| body_path: 'release_note.md' | |
| prerelease: true | |
| - name: Echo Link | |
| run: echo "${{ steps.release_upload_url.outputs.html_url }}" | |
| build_release: | |
| name: Build Binaries | |
| needs: create_release | |
| environment: release | |
| env: | |
| DEVELOPMENT_TEAM: ${{ vars.DEVELOPMENT_TEAM }} | |
| PROVISIONING_PROFILE_SPECIFIER: ${{ vars.PROVISIONING_PROFILE_SPECIFIER }} | |
| CODE_SIGN_IDENTITY: ${{ vars.CODE_SIGN_IDENTITY }} | |
| NOTARIZATION_EMAIL: ${{ vars.NOTARIZATION_EMAIL }} | |
| NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }} | |
| BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }} | |
| AWS_REGION: ${{ vars.AWS_REGION }} | |
| AWS_ROLE: ${{ vars.AWS_ROLE }} | |
| permissions: | |
| contents: write | |
| id-token: write # This is required for requesting the JWT | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| build: [linux_arm64, linux_86, linux_armv7, macos_silicon, macos_86] | |
| include: | |
| - build: linux_arm64 | |
| os: ubuntu-22.04 | |
| toolchain: stable | |
| target: aarch64-unknown-linux-musl | |
| build_app: false | |
| use-cross-build: true | |
| - build: linux_armv7 | |
| os: ubuntu-22.04 | |
| toolchain: stable | |
| target: armv7-unknown-linux-musleabihf | |
| use-cross-build: true | |
| build_app: false | |
| - build: linux_86 | |
| os: ubuntu-22.04 | |
| toolchain: stable | |
| target: x86_64-unknown-linux-musl | |
| use-cross-build: true | |
| build_app: false | |
| - build: linux_86_gnu | |
| os: ubuntu-22.04 | |
| toolchain: stable | |
| target: x86_64-unknown-linux-gnu | |
| use-cross-build: false | |
| build_app: false | |
| - build: linux_aarch64_gnu | |
| os: ubuntu-22.04 | |
| toolchain: stable | |
| target: aarch64-unknown-linux-gnu | |
| use-cross-build: true | |
| build_app: false | |
| - build: macos_silicon | |
| os: macos-14 | |
| toolchain: stable | |
| target: aarch64-apple-darwin | |
| use-cross-build: false | |
| build_app: true | |
| - build: macos_86 | |
| os: macos-14 | |
| toolchain: stable | |
| target: x86_64-apple-darwin | |
| use-cross-build: false | |
| build_app: true | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| ref: ${{ github.event.inputs.release_branch }} | |
| - name: Echo Link | |
| run: echo "${{ needs.create_release.outputs.upload_url }}" | |
| - uses: ./.github/actions/build_binaries | |
| with: | |
| use_cross_build: ${{ matrix.use-cross-build }} | |
| toolchain: ${{ matrix.toolchain }} | |
| target: ${{ matrix.target }} | |
| platform_operating_system: ${{ matrix.os }} | |
| build_app: ${{ matrix.build_app }} | |
| - name: Copy Artifacts | |
| run: | | |
| set -x | |
| cp target/${{ matrix.target }}/release/ockam_command ockam.${{ matrix.target }} | |
| echo "ASSET_OCKAM_CLI=ockam.${{ matrix.target }}" >> $GITHUB_ENV | |
| ls $GITHUB_WORKSPACE | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da | |
| with: | |
| cosign-release: 'v2.0.0' | |
| - name: Sign Binaries | |
| env: | |
| PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' | |
| COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}' | |
| run: | | |
| cosign sign-blob --yes --key env://PRIVATE_KEY "${{ env.ASSET_OCKAM_CLI }}" > "${{ env.ASSET_OCKAM_CLI }}.sig" | |
| - name: Upload CLI release archive to AWS | |
| uses: ./.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: ${{ env.ASSET_OCKAM_CLI }} | |
| release_version: "v${{ needs.create_release.outputs.version }}" | |
| - name: Upload CLI Signature to AWS | |
| uses: ./.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: ${{ env.ASSET_OCKAM_CLI }}.sig | |
| release_version: "v${{ needs.create_release.outputs.version }}" | |
| build_elixir_nifs: | |
| name: Build Elixir NIFs | |
| needs: create_release | |
| environment: release | |
| permissions: | |
| contents: write | |
| id-token: write # This is required for requesting the JWT | |
| env: | |
| BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }} | |
| AWS_REGION: ${{ vars.AWS_REGION }} | |
| AWS_ROLE: ${{ vars.AWS_ROLE }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| job: | |
| - { target: aarch64-unknown-linux-gnu , os: ubuntu-22.04 , use-cross: true } | |
| - { target: x86_64-unknown-linux-gnu , os: ubuntu-22.04 } | |
| - { target: aarch64-apple-darwin , os: macos-14 } | |
| - { target: x86_64-apple-darwin , os: macos-14 } | |
| runs-on: ${{ matrix.job.os }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| ref: ${{ github.event.inputs.release_branch }} | |
| - name: Install Rust toolchain | |
| run: | | |
| # This will allow us update to rust version indicated in our rust-toolchain.toml file | |
| rustup show | |
| rustup target add ${{ matrix.job.target }} | |
| - name: Install Cross | |
| if: matrix.job.use-cross == true | |
| run: cargo install --version 0.2.4 cross | |
| - shell: bash | |
| if: matrix.job.target == 'ubuntu-22.04' | |
| run: | | |
| set -x | |
| use_cross_build=${{ matrix.job.use-cross }} | |
| if [[ $use_cross_build != true ]]; then | |
| sudo apt update | |
| sudo apt -y --no-install-recommends install libclang-dev clang | |
| fi | |
| - name: Build NIFs | |
| run: | | |
| set -ex | |
| if [[ '${{ matrix.job.use-cross }}' == 'true' ]]; then | |
| # When building using cross use rust crypto (slower) since the cross image doesn't have an up-to-date libclang | |
| cross build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release --no-default-features -F rust-crypto | |
| exit | |
| fi | |
| rustup target add ${{ matrix.job.target }} | |
| cargo build --target ${{ matrix.job.target }} -p ockam_rust_elixir_nifs --release --no-default-features -F aws-lc | |
| - name: List | |
| run: | | |
| ls target/${{ matrix.job.target }}/release/ | |
| - name: Rename Build | |
| run: | | |
| cargo install [email protected] | |
| ockam_version=$(eval "tomlq package.version -f implementations/rust/ockam/ockam/Cargo.toml") | |
| final_name="libockam_rust_elixir_nifs-v${ockam_version}-nif-2.15-${{ matrix.job.target }}.so" | |
| if [[ "${{ matrix.job.target }}" == *"darwin"* ]]; then | |
| cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.dylib "$final_name" | |
| else | |
| cp target/${{ matrix.job.target }}/release/libockam_rust_elixir_nifs.so "$final_name" | |
| fi | |
| tar -zcvf "${final_name}.tar.gz" "$final_name" | |
| echo "FILE_NAME=${final_name}.tar.gz" >> $GITHUB_ENV | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da | |
| with: | |
| cosign-release: 'v2.0.0' | |
| - name: Sign NIFs | |
| env: | |
| PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' | |
| COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}' | |
| run: | | |
| cosign sign-blob --yes --key env://PRIVATE_KEY ${{ env.FILE_NAME }} > "${{ env.FILE_NAME }}.sig" | |
| - name: Upload NIF to AWS | |
| uses: ./.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: "${{ env.FILE_NAME }}" | |
| release_version: "v${{ needs.create_release.outputs.version }}" | |
| - name: Upload NIF Signature to AWS | |
| uses: ./.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: "${{ env.FILE_NAME }}.sig" | |
| release_version: "v${{ needs.create_release.outputs.version }}" | |
| sign_release: | |
| name: Sign All Assets | |
| needs: [build_release, create_release, build_elixir_nifs] | |
| runs-on: ubuntu-22.04 | |
| environment: release | |
| permissions: | |
| contents: write | |
| id-token: write # This is required for requesting the JWT | |
| env: | |
| BUCKET_NAME: ${{ vars.AWS_BUCKET_NAME }} | |
| AWS_REGION: ${{ vars.AWS_REGION }} | |
| AWS_ROLE: ${{ vars.AWS_ROLE }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
| with: | |
| ref: ${{ github.event.inputs.release_branch }} | |
| path: aws | |
| - name: Download Assets From AWS | |
| uses: ./aws/.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| release_version: "v${{ needs.create_release.outputs.version }}" | |
| download_release_dir: "." | |
| - name: Generate File SHASum | |
| run: shasum -a 256 *ockam* > sha256sums.txt | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da | |
| with: | |
| cosign-release: 'v2.0.0' | |
| - name: Sign Files | |
| env: | |
| PRIVATE_KEY: '${{ secrets.COSIGN_PRIVATE_KEY }}' | |
| COSIGN_PASSWORD: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}' | |
| run: cosign sign-blob --yes --key env://PRIVATE_KEY sha256sums.txt > sha256sums.txt.sig | |
| - name: Upload SHASum File to AWS | |
| uses: ./aws/.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: sha256sums.txt | |
| release_version: "v${{ needs.create_release.outputs.version }}" | |
| - name: Upload SHASum Signature File to AWS | |
| uses: ./aws/.github/actions/aws_upload | |
| with: | |
| aws_role: ${{ env.AWS_ROLE }} | |
| aws_role_session_name: aws_upload | |
| aws_region: ${{ env.AWS_REGION }} | |
| bucket_name: ${{ env.BUCKET_NAME }} | |
| file_name: sha256sums.txt.sig | |
| release_version: "v${{ needs.create_release.outputs.version }}" |