diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c9c32af2..95df4e1b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,6 +16,8 @@ name: Release permissions: contents: write + id-token: write + attestations: write # This task will run whenever you push a git tag that looks like a version # like "1.0.0", "v0.1.0-prerelease.1", "my-app/0.1.0", "releases/v1.0.0", etc. @@ -39,15 +41,15 @@ permissions: # If there's a prerelease-style suffix to the version, then the release(s) # will be marked as a prerelease. on: + pull_request: push: tags: - '**[0-9]+.[0-9]+.[0-9]+*' - pull_request: jobs: # Run 'cargo dist plan' (or host) to determine what tasks we need to do plan: - runs-on: ubuntu-latest + runs-on: "ubuntu-20.04" outputs: val: ${{ steps.plan.outputs.manifest }} tag: ${{ !github.event.pull_request && github.ref_name || '' }} @@ -64,7 +66,7 @@ jobs: # we specify bash to get pipefail; it guards against the `curl` command # failing. otherwise `sh` won't catch that `curl` returned non-0 shell: bash - run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.14.0-prerelease.6/cargo-dist-installer.sh | sh" + run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.16.0-prerelease.6/cargo-dist-installer.sh | sh" # sure would be cool if github gave us proper conditionals... # so here's a doubly-nested ternary-via-truthiness to try to provide the best possible # functionality based on whether this is a pull_request, and whether it's from a fork. @@ -116,6 +118,7 @@ jobs: - uses: swatinem/rust-cache@v2 with: key: ${{ join(matrix.targets, '-') }} + cache-provider: ${{ matrix.cache_provider }} - name: Install cargo-dist run: ${{ matrix.install_dist }} # Get the dist-manifest 
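Review bot: `id-token: write` and `attestations: write` are added to the workflow-level `permissions:` block, so every job inherits them, including `plan`, which this workflow also runs on `pull_request` and which pipes a downloaded installer into `sh`. Only the job holding the new `Attest` step (later in this diff) appears to need them. I would leave the top level unchanged and give that job its own `permissions:` with `id-token: write`, `attestations: write` and `contents: read`. The job definitions lie outside this hunk, and the file looks like cargo-dist output, so the change may have to be made through its configuration rather than by hand.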
@@ -133,6 +136,10 @@ jobs: # Actually do builds and make zips and whatnot cargo dist build ${{ needs.plan.outputs.tag-flag }} --print=linkage --output-format=json ${{ matrix.dist_args }} > dist-manifest.json echo "cargo dist ran successfully" + - name: Attest + uses: actions/attest-build-provenance@v1 + with: + subject-path: "target/distrib/*${{ join(matrix.targets, ', ') }}*" - id: cargo-dist name: Post-build # We force bash here just because github makes it really hard to get values up @@ -169,7 +176,7 @@ jobs: submodules: recursive - name: Install cargo-dist shell: bash - run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.14.0-prerelease.6/cargo-dist-installer.sh | sh" + run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.16.0-prerelease.6/cargo-dist-installer.sh | sh" # Get all the local artifacts for the global tasks to use (for e.g. checksums) - name: Fetch local artifacts uses: actions/download-artifact@v4 @@ -224,7 +231,7 @@ jobs: with: submodules: recursive - name: Install cargo-dist - run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.14.0-prerelease.6/cargo-dist-installer.sh | sh" + run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.16.0-prerelease.6/cargo-dist-installer.sh | sh" # Fetch artifacts from scratch-storage - name: Fetch artifacts uses: actions/download-artifact@v4 @@ -352,7 +359,7 @@ jobs: with: submodules: recursive - name: Install cargo-dist - run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.14.0-prerelease.6/cargo-dist-installer.sh | sh" + run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.16.0-prerelease.6/cargo-dist-installer.sh | sh" - name: Fetch Axo Artifacts uses: actions/download-artifact@v4 with: 
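Review bot: The new `Attest` step uses `actions/attest-build-provenance@v1`, a movable tag, in the step that signs provenance with the job's OIDC token. Pinning it as `uses: actions/attest-build-provenance@<full-commit-sha> # v1` keeps a retagged release from changing what signs the artifacts. Separately, `subject-path` joins `matrix.targets` with `', '`, so a matrix entry with more than one target would yield `target/distrib/*A, B*`; if the action splits that value on commas, the second pattern loses the `target/distrib/` prefix. It is worth confirming that the glob matches every uploaded file, including the `extra-artifacts` entries in Cargo.toml, whose names may not contain a target triple. The step list continues outside this hunk.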
@@ -373,10 +380,13 @@ jobs: # Remove the granular manifests rm -f artifacts/*-dist-manifest.json - name: Create GitHub Release - uses: ncipollo/release-action@v1 - with: - tag: ${{ needs.plan.outputs.tag }} - name: ${{ fromJson(needs.host.outputs.val).announcement_title }} - body: ${{ fromJson(needs.host.outputs.val).announcement_github_body }} - prerelease: ${{ fromJson(needs.host.outputs.val).announcement_is_prerelease }} - artifacts: "artifacts/*" + env: + PRERELEASE_FLAG: "${{ fromJson(needs.host.outputs.val).announcement_is_prerelease && '--prerelease' || '' }}" + ANNOUNCEMENT_TITLE: "${{ fromJson(needs.host.outputs.val).announcement_title }}" + ANNOUNCEMENT_BODY: "${{ fromJson(needs.host.outputs.val).announcement_github_body }}" + run: | + # Write and read notes from a file to avoid quoting breaking things + echo "$ANNOUNCEMENT_BODY" > $RUNNER_TEMP/notes.txt + + gh release create "${{ needs.plan.outputs.tag }}" --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" $PRERELEASE_FLAG + gh release upload "${{ needs.plan.outputs.tag }}" artifacts/* diff --git a/Cargo.toml b/Cargo.toml index 948c4f2f..40a3f1c7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -87,7 +87,7 @@ lto = "thin" # Config for 'cargo dist' [workspace.metadata.dist] # The preferred cargo-dist version to use in CI (Cargo.toml SemVer syntax) -cargo-dist-version = "0.14.0-prerelease.6" +cargo-dist-version = "0.16.0-prerelease.6" # CI backends to support ci = "github" # The installers to generate for each app 
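Review bot: `${{ needs.plan.outputs.tag }}` is still expanded directly into the `run:` script in both `gh release` commands, although the title and body were moved into `env:`. The `plan` job sets that output from `github.ref_name`, and git ref names can carry shell metacharacters, so the tag should be passed the same way: add `RELEASE_TAG: "${{ needs.plan.outputs.tag }}"` under `env:` and use `"$RELEASE_TAG"` in `gh release create` and `gh release upload`. The notes file write is also fragile: `$RUNNER_TEMP/notes.txt` is unquoted in the redirect, and `echo` may treat a body starting with `-n` or `-e` as options. `printf '%s\n' "$ANNOUNCEMENT_BODY" > "$RUNNER_TEMP/notes.txt"` avoids both.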
@@ -112,14 +112,16 @@ pr-run-mode = "plan" hosting = ["axodotdev", "github"] # Whether to install an updater program install-updater = false +# Whether to enable GitHub Attestations +github-attestations = true [[workspace.metadata.dist.extra-artifacts]] artifacts = ["oranda-config-schema.json"] build = ["cargo", "run", "--", "config-schema", "--output=oranda-config-schema.json"] [[workspace.metadata.dist.extra-artifacts]] -artifacts = ["oranda.css"] -build = ["cargo", "run", "--", "generate-css", "--out-dir=./"] +artifacts = ["oranda-css/dist/oranda.css"] +build = ["cargo", "run", "--", "generate-css"] [workspace.metadata.dist.github-custom-runners] aarch64-unknown-linux-gnu = "buildjet-8vcpu-ubuntu-2204-arm"