Bump step-security/harden-runner from 2.10.2 to 2.10.4 #172
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) the JPEG XL Project Authors. | |
# | |
# Use of this source code is governed by a BSD-style | |
# license that can be found in the LICENSE file or at | |
# https://developers.google.com/open-source/licenses/bsd | |
# Workflow for building the release binaries. | |
# | |
# This workflow runs as a post-submit step, when pushing to main or the release | |
# branches (v*.*.x), and when creating a release in GitHub. | |
# | |
# In the GitHub release case, in addition to build the release binaries it also | |
# uploads the binaries to the given release automatically. | |
name: Release build / deploy | |
on: | |
merge_group: | |
push: | |
branches: | |
- main | |
- v*.*.x | |
pull_request: | |
types: [opened, reopened, labeled, unlabeled, synchronize] | |
paths-ignore: | |
- '**.md' | |
- 'AUTHORS' | |
release: | |
types: [ published ] | |
workflow_dispatch: | |
permissions: | |
contents: write | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} | |
cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
jobs: | |
ubuntu_static_x86_64: | |
name: Release linux x86_64 static | |
if: ${{ !contains(github.event.pull_request.labels.*.name, 'CI:none') }} | |
runs-on: [ubuntu-latest] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
with: | |
egress-policy: audit | |
- name: Install build deps | |
run: | | |
sudo rm -f /var/lib/man-db/auto-update | |
sudo apt update | |
sudo apt install -y \ | |
asciidoc \ | |
clang \ | |
cmake \ | |
doxygen \ | |
graphviz \ | |
libbrotli-dev \ | |
libgdk-pixbuf2.0-dev \ | |
libgif-dev \ | |
libgtest-dev \ | |
libgtk2.0-dev \ | |
libjpeg-dev \ | |
libopenexr-dev \ | |
libpng-dev \ | |
libwebp-dev \ | |
ninja-build \ | |
pkg-config \ | |
# | |
echo "CC=clang" >> $GITHUB_ENV | |
echo "CXX=clang++" >> $GITHUB_ENV | |
- name: Checkout the source | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
submodules: true | |
fetch-depth: 1 | |
- name: Build | |
env: | |
SKIP_TEST: 1 | |
run: | | |
./ci.sh release \ | |
-DJPEGXL_DEP_LICENSE_DIR=/usr/share/doc \ | |
-DJPEGXL_STATIC=ON \ | |
-DBUILD_TESTING=OFF \ | |
-DJPEGXL_ENABLE_JPEGLI_LIBJPEG=OFF \ | |
-DJPEGXL_ENABLE_VIEWERS=OFF \ | |
-DJPEGXL_ENABLE_PLUGINS=OFF \ | |
-DJPEGXL_ENABLE_OPENEXR=OFF \ | |
-DJPEGXL_ENABLE_DEVTOOLS=OFF \ | |
- name: Package release tarball | |
run: | | |
cd build | |
tar -zcvf ${{ runner.workspace }}/release_file.tar.gz \ | |
LICENSE* tools/{cjpegli,djpegli} | |
ln -s ${{ runner.workspace }}/release_file.tar.gz \ | |
${{ runner.workspace }}/jpegli-linux-x86_64-static-${{ github.event.release.tag_name }}.tar.gz | |
- name: Upload artifacts | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: jpegli-linux-x86_64-static | |
path: ${{ runner.workspace }}/release_file.tar.gz | |
- name: Upload binaries to release | |
if: github.event_name == 'release' | |
uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0 | |
with: | |
files: ${{ runner.workspace }}/jpegli-linux-x86_64-static-${{ github.event.release.tag_name }}.tar.gz | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
# Build .deb packages Ubuntu/Debian | |
release_ubuntu_pkg: | |
name: .deb packages / ${{ matrix.os }} | |
if: ${{ !contains(github.event.pull_request.labels.*.name, 'CI:none') }} | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
os: | |
- ubuntu:24.04 | |
- ubuntu:22.04 | |
- ubuntu:20.04 | |
- debian:bullseye | |
- debian:bookworm | |
# GIMP package is removed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078402 | |
# - debian:trixie | |
- debian:sid | |
container: | |
image: ${{ matrix.os }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
with: | |
egress-policy: audit | |
- name: Set env | |
shell: 'bash' | |
id: 'env' | |
run: | | |
artifact_name="jxl-debs-amd64-${matrix_os/:/-}" | |
echo ${artifact_name} | |
echo "artifact_name=${artifact_name}" >> $GITHUB_OUTPUT | |
env: | |
matrix_os: ${{ matrix.os }} | |
- name: Install build deps | |
run: | | |
rm -f /var/lib/man-db/auto-update | |
apt update | |
DEBIAN_FRONTEND=noninteractive apt install -y \ | |
build-essential \ | |
devscripts \ | |
# | |
- name: Set git safe dir | |
run: | | |
export GIT_CEILING_DIRECTORIES=/__w # only work before git v2.35.2 | |
git config --global --add safe.directory /__w/jpegli/jpegli | |
- name: Checkout the source | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
submodules: true | |
fetch-depth: 1 | |
- name: Stamp non-release versions | |
# Stamps the built package with the commit date as part of the version | |
# after the version number so newer release candidates can override older | |
# ones. | |
if: github.event_name != 'release' | |
shell: 'bash' | |
run: | | |
# Committer timestamp. | |
set -x | |
commit_timestamp=$(git show -s --format=%ct) | |
commit_datetime=$(date --utc "--date=@${commit_timestamp}" '+%Y%m%d%H%M%S') | |
commit_ref=$(git rev-parse --short HEAD) | |
sem_version=$(dpkg-parsechangelog --show-field Version) | |
sem_version="${sem_version%%-*}" | |
deb_version="${sem_version}~alpha${commit_datetime}-0+git${commit_ref}" | |
dch -M --distribution unstable -b --newversion "${deb_version}" \ | |
"Stamping build with version ${deb_version}" | |
- name: Stamp release versions | |
# Mark the version as released | |
if: github.event_name == 'release' | |
shell: 'bash' | |
run: | | |
if head -n1 debian/changelog | grep UNRELEASED; then | |
dch -M --distribution unstable --release '' | |
fi | |
- name: Configure hwy | |
if: ${{ github.event_name == 'schedule' || github.event_name == 'release' || contains(github.event.pull_request.labels.*.name, 'CI:full') }} | |
run: | | |
echo "HWY_PKG_OPTIONS=" >> $GITHUB_ENV | |
- name: Build hwy | |
run: | | |
apt build-dep -y ./third_party/highway | |
./ci.sh debian_build highway | |
dpkg -i build/debs/libhwy-dev_*_amd64.deb | |
- name: Build libjxl | |
run: | | |
apt build-dep -y . | |
./ci.sh debian_build jpeg-xl | |
- name: Stats | |
run: | | |
./ci.sh debian_stats | |
- name: Upload artifacts | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: ${{ steps.env.outputs.artifact_name }} | |
path: | | |
build/debs/*jxl*.* | |
- name: Package release tarball | |
if: github.event_name == 'release' | |
run: | | |
(cd build/debs/; find -maxdepth 1 -name '*jxl*.*') | \ | |
tar -zcvf release_file.tar.gz -C build/debs/ -T - | |
ln -s release_file.tar.gz \ | |
${{ steps.env.outputs.artifact_name }}-${{ github.event.release.tag_name }}.tar.gz | |
- name: Upload binaries to release | |
if: github.event_name == 'release' | |
uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0 | |
with: | |
files: ${{ steps.env.outputs.artifact_name }}-${{ github.event.release.tag_name }}.tar.gz | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
windows_build: | |
name: Windows Build (vcpkg / ${{ matrix.triplet }}) | |
if: ${{ !contains(github.event.pull_request.labels.*.name, 'CI:none') }} | |
runs-on: [windows-2022] | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- triplet: x86-windows-static | |
arch: '-A Win32' | |
- triplet: x64-windows-static | |
arch: '-A x64' | |
run_benchmark: true | |
- triplet: x86-windows | |
arch: '-A Win32' | |
static: 'OFF' | |
tools: 'OFF' | |
- triplet: x64-windows | |
arch: '-A x64' | |
static: 'OFF' | |
tools: 'OFF' | |
env: | |
VCPKG_VERSION: '2023.12.12' | |
VCPKG_ROOT: vcpkg | |
VCPKG_DISABLE_METRICS: 1 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
with: | |
egress-policy: audit | |
- name: Checkout the source | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
submodules: true | |
fetch-depth: 2 | |
- uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
id: cache-vcpkg | |
with: | |
path: vcpkg | |
key: release-${{ runner.os }}-vcpkg-${{ env.VCPKG_VERSION }}-${{ matrix.triplet }} | |
- name: Download vcpkg | |
if: steps.cache-vcpkg.outputs.cache-hit != 'true' | |
# wget doesn't seem to work under bash. | |
shell: 'powershell' | |
run: | | |
C:\msys64\usr\bin\wget.exe -nv ` | |
https://github.com/microsoft/vcpkg/archive/refs/tags/${{ env.VCPKG_VERSION }}.zip ` | |
-O vcpkg.zip | |
- name: Bootstrap vcpkg | |
if: steps.cache-vcpkg.outputs.cache-hit != 'true' | |
shell: 'bash' | |
run: | | |
set -x | |
unzip -q vcpkg.zip | |
rm -rf ${VCPKG_ROOT} | |
mv vcpkg-${VCPKG_VERSION} ${VCPKG_ROOT} | |
${VCPKG_ROOT}/bootstrap-vcpkg.sh | |
- name: Install libraries with vcpkg | |
shell: 'bash' | |
run: | | |
set -x | |
${VCPKG_ROOT}/vcpkg --triplet ${{ matrix.triplet }} install \ | |
giflib \ | |
libjpeg-turbo \ | |
libpng \ | |
libwebp \ | |
pkgconf \ | |
# | |
- name: Configure | |
shell: 'bash' | |
run: | | |
set -x | |
mkdir build | |
cmake -Bbuild -H. ${{ matrix.arch }} \ | |
-DJPEGXL_STATIC=${{ matrix.static || 'ON'}} \ | |
-DJPEGXL_ENABLE_TOOLS=${{ matrix.tools || 'ON'}} \ | |
-DBUILD_TESTING=OFF \ | |
-DCMAKE_BUILD_TYPE=Release \ | |
-DCMAKE_INSTALL_PREFIX=`pwd`/prefix \ | |
-DCMAKE_TOOLCHAIN_FILE=${VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake \ | |
-DJPEGXL_ENABLE_JPEGLI_LIBJPEG=OFF \ | |
-DJPEGXL_ENABLE_OPENEXR=OFF \ | |
-DJPEGXL_ENABLE_PLUGINS=OFF \ | |
-DJPEGXL_ENABLE_TCMALLOC=OFF \ | |
-DJPEGXL_ENABLE_VIEWERS=OFF \ | |
-DJPEGXL_ENABLE_DEVTOOLS=${{ matrix.tools || 'ON'}} \ | |
-DVCPKG_TARGET_TRIPLET=${{ matrix.triplet }} \ | |
# | |
- name: Build | |
shell: 'bash' | |
run: | | |
set -x | |
cmake --build build --config Release | |
- name: Install | |
shell: 'bash' | |
run: | | |
set -x | |
cmake --build build --config Release --target install | |
for pkg in giflib libjpeg-turbo libpng libwebp zlib; do | |
cp vcpkg/installed/${{matrix.triplet}}/share/${pkg}/copyright \ | |
prefix/bin/LICENSE.${pkg} | |
done | |
cp third_party/sjpeg/COPYING prefix/bin/LICENSE.sjpeg | |
cp third_party/skcms/LICENSE prefix/bin/LICENSE.skcms | |
cp third_party/highway/LICENSE prefix/bin/LICENSE.highway | |
cp LICENSE prefix/bin/LICENSE.jpegli | |
- name: Fast benchmark ${{ matrix.triplet }} | |
shell: 'bash' | |
if: matrix.run_benchmark && true | |
run: | | |
systeminfo | grep -A 1 Processor | |
wmic cpu get Name, NumberofCores, NumberOfLogicalProcessors, MaxClockSpeed | |
mkdir tmp | |
export TMPDIR=`pwd`/tmp | |
export PATH=$PATH:`pwd`/build/lib | |
BUILD_CONFIG=Release/ BENCHMARK_NUM_THREADS=2 STORE_IMAGES=0 ./ci.sh fast_benchmark | |
- name: Upload artifacts | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: jpegli-${{matrix.triplet}} | |
path: | | |
prefix/bin/* | |
prefix/lib/* | |
- name: Package release zip | |
if: github.event_name == 'release' | |
shell: 'powershell' | |
run: | | |
Compress-Archive -Path prefix\bin\*, prefix\lib\* ` | |
-DestinationPath jpegli-${{matrix.triplet}}.zip | |
- name: Upload binaries to release | |
if: github.event_name == 'release' | |
uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0 | |
with: | |
files: jpegli-${{matrix.triplet}}.zip | |
repo-token: ${{ secrets.GITHUB_TOKEN }} |