Skip to content

Bump step-security/harden-runner from 2.10.2 to 2.10.4 #172

Bump step-security/harden-runner from 2.10.2 to 2.10.4

Bump step-security/harden-runner from 2.10.2 to 2.10.4 #172

Workflow file for this run

# Copyright (c) the JPEG XL Project Authors.
#
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file or at
# https://developers.google.com/open-source/licenses/bsd
# Workflow for building the release binaries.
#
# This workflow runs as a post-submit step, when pushing to main or the release
# branches (v*.*.x), and when creating a release in GitHub.
#
# In the GitHub release case, in addition to build the release binaries it also
# uploads the binaries to the given release automatically.
name: Release build / deploy
on:
merge_group:
push:
branches:
- main
- v*.*.x
pull_request:
types: [opened, reopened, labeled, unlabeled, synchronize]
paths-ignore:
- '**.md'
- 'AUTHORS'
release:
types: [ published ]
workflow_dispatch:
permissions:
contents: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
ubuntu_static_x86_64:
name: Release linux x86_64 static
if: ${{ !contains(github.event.pull_request.labels.*.name, 'CI:none') }}
runs-on: [ubuntu-latest]
steps:
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit
- name: Install build deps
run: |
sudo rm -f /var/lib/man-db/auto-update
sudo apt update
sudo apt install -y \
asciidoc \
clang \
cmake \
doxygen \
graphviz \
libbrotli-dev \
libgdk-pixbuf2.0-dev \
libgif-dev \
libgtest-dev \
libgtk2.0-dev \
libjpeg-dev \
libopenexr-dev \
libpng-dev \
libwebp-dev \
ninja-build \
pkg-config \
#
echo "CC=clang" >> $GITHUB_ENV
echo "CXX=clang++" >> $GITHUB_ENV
- name: Checkout the source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
submodules: true
fetch-depth: 1
- name: Build
env:
SKIP_TEST: 1
run: |
./ci.sh release \
-DJPEGXL_DEP_LICENSE_DIR=/usr/share/doc \
-DJPEGXL_STATIC=ON \
-DBUILD_TESTING=OFF \
-DJPEGXL_ENABLE_JPEGLI_LIBJPEG=OFF \
-DJPEGXL_ENABLE_VIEWERS=OFF \
-DJPEGXL_ENABLE_PLUGINS=OFF \
-DJPEGXL_ENABLE_OPENEXR=OFF \
-DJPEGXL_ENABLE_DEVTOOLS=OFF \
- name: Package release tarball
run: |
cd build
tar -zcvf ${{ runner.workspace }}/release_file.tar.gz \
LICENSE* tools/{cjpegli,djpegli}
ln -s ${{ runner.workspace }}/release_file.tar.gz \
${{ runner.workspace }}/jpegli-linux-x86_64-static-${{ github.event.release.tag_name }}.tar.gz
- name: Upload artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: jpegli-linux-x86_64-static
path: ${{ runner.workspace }}/release_file.tar.gz
- name: Upload binaries to release
if: github.event_name == 'release'
uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0
with:
files: ${{ runner.workspace }}/jpegli-linux-x86_64-static-${{ github.event.release.tag_name }}.tar.gz
repo-token: ${{ secrets.GITHUB_TOKEN }}
# Build .deb packages Ubuntu/Debian
release_ubuntu_pkg:
name: .deb packages / ${{ matrix.os }}
if: ${{ !contains(github.event.pull_request.labels.*.name, 'CI:none') }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os:
- ubuntu:24.04
- ubuntu:22.04
- ubuntu:20.04
- debian:bullseye
- debian:bookworm
# GIMP package is removed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078402
# - debian:trixie
- debian:sid
container:
image: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit
- name: Set env
shell: 'bash'
id: 'env'
run: |
artifact_name="jxl-debs-amd64-${matrix_os/:/-}"
echo ${artifact_name}
echo "artifact_name=${artifact_name}" >> $GITHUB_OUTPUT
env:
matrix_os: ${{ matrix.os }}
- name: Install build deps
run: |
rm -f /var/lib/man-db/auto-update
apt update
DEBIAN_FRONTEND=noninteractive apt install -y \
build-essential \
devscripts \
#
- name: Set git safe dir
run: |
export GIT_CEILING_DIRECTORIES=/__w # only work before git v2.35.2
git config --global --add safe.directory /__w/jpegli/jpegli
- name: Checkout the source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
submodules: true
fetch-depth: 1
- name: Stamp non-release versions
# Stamps the built package with the commit date as part of the version
# after the version number so newer release candidates can override older
# ones.
if: github.event_name != 'release'
shell: 'bash'
run: |
# Committer timestamp.
set -x
commit_timestamp=$(git show -s --format=%ct)
commit_datetime=$(date --utc "--date=@${commit_timestamp}" '+%Y%m%d%H%M%S')
commit_ref=$(git rev-parse --short HEAD)
sem_version=$(dpkg-parsechangelog --show-field Version)
sem_version="${sem_version%%-*}"
deb_version="${sem_version}~alpha${commit_datetime}-0+git${commit_ref}"
dch -M --distribution unstable -b --newversion "${deb_version}" \
"Stamping build with version ${deb_version}"
- name: Stamp release versions
# Mark the version as released
if: github.event_name == 'release'
shell: 'bash'
run: |
if head -n1 debian/changelog | grep UNRELEASED; then
dch -M --distribution unstable --release ''
fi
- name: Configure hwy
if: ${{ github.event_name == 'schedule' || github.event_name == 'release' || contains(github.event.pull_request.labels.*.name, 'CI:full') }}
run: |
echo "HWY_PKG_OPTIONS=" >> $GITHUB_ENV
- name: Build hwy
run: |
apt build-dep -y ./third_party/highway
./ci.sh debian_build highway
dpkg -i build/debs/libhwy-dev_*_amd64.deb
- name: Build libjxl
run: |
apt build-dep -y .
./ci.sh debian_build jpeg-xl
- name: Stats
run: |
./ci.sh debian_stats
- name: Upload artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ${{ steps.env.outputs.artifact_name }}
path: |
build/debs/*jxl*.*
- name: Package release tarball
if: github.event_name == 'release'
run: |
(cd build/debs/; find -maxdepth 1 -name '*jxl*.*') | \
tar -zcvf release_file.tar.gz -C build/debs/ -T -
ln -s release_file.tar.gz \
${{ steps.env.outputs.artifact_name }}-${{ github.event.release.tag_name }}.tar.gz
- name: Upload binaries to release
if: github.event_name == 'release'
uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0
with:
files: ${{ steps.env.outputs.artifact_name }}-${{ github.event.release.tag_name }}.tar.gz
repo-token: ${{ secrets.GITHUB_TOKEN }}
windows_build:
name: Windows Build (vcpkg / ${{ matrix.triplet }})
if: ${{ !contains(github.event.pull_request.labels.*.name, 'CI:none') }}
runs-on: [windows-2022]
strategy:
fail-fast: false
matrix:
include:
- triplet: x86-windows-static
arch: '-A Win32'
- triplet: x64-windows-static
arch: '-A x64'
run_benchmark: true
- triplet: x86-windows
arch: '-A Win32'
static: 'OFF'
tools: 'OFF'
- triplet: x64-windows
arch: '-A x64'
static: 'OFF'
tools: 'OFF'
env:
VCPKG_VERSION: '2023.12.12'
VCPKG_ROOT: vcpkg
VCPKG_DISABLE_METRICS: 1
steps:
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit
- name: Checkout the source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
submodules: true
fetch-depth: 2
- uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
id: cache-vcpkg
with:
path: vcpkg
key: release-${{ runner.os }}-vcpkg-${{ env.VCPKG_VERSION }}-${{ matrix.triplet }}
- name: Download vcpkg
if: steps.cache-vcpkg.outputs.cache-hit != 'true'
# wget doesn't seem to work under bash.
shell: 'powershell'
run: |
C:\msys64\usr\bin\wget.exe -nv `
https://github.com/microsoft/vcpkg/archive/refs/tags/${{ env.VCPKG_VERSION }}.zip `
-O vcpkg.zip
- name: Bootstrap vcpkg
if: steps.cache-vcpkg.outputs.cache-hit != 'true'
shell: 'bash'
run: |
set -x
unzip -q vcpkg.zip
rm -rf ${VCPKG_ROOT}
mv vcpkg-${VCPKG_VERSION} ${VCPKG_ROOT}
${VCPKG_ROOT}/bootstrap-vcpkg.sh
- name: Install libraries with vcpkg
shell: 'bash'
run: |
set -x
${VCPKG_ROOT}/vcpkg --triplet ${{ matrix.triplet }} install \
giflib \
libjpeg-turbo \
libpng \
libwebp \
pkgconf \
#
- name: Configure
shell: 'bash'
run: |
set -x
mkdir build
cmake -Bbuild -H. ${{ matrix.arch }} \
-DJPEGXL_STATIC=${{ matrix.static || 'ON'}} \
-DJPEGXL_ENABLE_TOOLS=${{ matrix.tools || 'ON'}} \
-DBUILD_TESTING=OFF \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_INSTALL_PREFIX=`pwd`/prefix \
-DCMAKE_TOOLCHAIN_FILE=${VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake \
-DJPEGXL_ENABLE_JPEGLI_LIBJPEG=OFF \
-DJPEGXL_ENABLE_OPENEXR=OFF \
-DJPEGXL_ENABLE_PLUGINS=OFF \
-DJPEGXL_ENABLE_TCMALLOC=OFF \
-DJPEGXL_ENABLE_VIEWERS=OFF \
-DJPEGXL_ENABLE_DEVTOOLS=${{ matrix.tools || 'ON'}} \
-DVCPKG_TARGET_TRIPLET=${{ matrix.triplet }} \
#
- name: Build
shell: 'bash'
run: |
set -x
cmake --build build --config Release
- name: Install
shell: 'bash'
run: |
set -x
cmake --build build --config Release --target install
for pkg in giflib libjpeg-turbo libpng libwebp zlib; do
cp vcpkg/installed/${{matrix.triplet}}/share/${pkg}/copyright \
prefix/bin/LICENSE.${pkg}
done
cp third_party/sjpeg/COPYING prefix/bin/LICENSE.sjpeg
cp third_party/skcms/LICENSE prefix/bin/LICENSE.skcms
cp third_party/highway/LICENSE prefix/bin/LICENSE.highway
cp LICENSE prefix/bin/LICENSE.jpegli
- name: Fast benchmark ${{ matrix.triplet }}
shell: 'bash'
if: matrix.run_benchmark && true
run: |
systeminfo | grep -A 1 Processor
wmic cpu get Name, NumberofCores, NumberOfLogicalProcessors, MaxClockSpeed
mkdir tmp
export TMPDIR=`pwd`/tmp
export PATH=$PATH:`pwd`/build/lib
BUILD_CONFIG=Release/ BENCHMARK_NUM_THREADS=2 STORE_IMAGES=0 ./ci.sh fast_benchmark
- name: Upload artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: jpegli-${{matrix.triplet}}
path: |
prefix/bin/*
prefix/lib/*
- name: Package release zip
if: github.event_name == 'release'
shell: 'powershell'
run: |
Compress-Archive -Path prefix\bin\*, prefix\lib\* `
-DestinationPath jpegli-${{matrix.triplet}}.zip
- name: Upload binaries to release
if: github.event_name == 'release'
uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0
with:
files: jpegli-${{matrix.triplet}}.zip
repo-token: ${{ secrets.GITHUB_TOKEN }}