name: build-and-release on: push: branches: - main release: types: [published] workflow_dispatch: inputs: tag: description: "Tag to publish (leave blank to use Cargo.toml version)" required: false type: string permissions: contents: read env: VCPKG_ROOT: C:\vcpkg VCPKG_DOWNLOADS: C:\vcpkg\downloads VCPKG_FEATURE_FLAGS: binarycaching VCPKG_BINARY_SOURCES: clear;x-gha,readwrite RUST_TOOLCHAIN: "1.94.1" jobs: # ──────────────── Linux (via Makefile) ──────────────── linux-x64: name: Linux x64 runs-on: ubuntu-24.04 steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 # Free up disk space on Ubuntu runners - name: Free Disk Space run: | sudo rm -rf /usr/share/dotnet sudo rm -rf /usr/local/lib/android sudo rm -rf /opt/ghc sudo rm -rf /opt/hostedtoolcache/CodeQL sudo docker image prune --all --force df -h - uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master with: toolchain: ${{ env.RUST_TOOLCHAIN }} - uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 with: shared-key: kingfisher-${{ runner.os }}-${{ runner.arch }} cache-on-failure: true - name: Install packaging tools run: cargo install cargo-deb cargo-generate-rpm - name: Install Linux test dependencies run: | sudo apt-get update -qq sudo apt-get install -y --no-install-recommends \ cmake pkg-config libboost-all-dev patch perl ragel - name: Run tests run: make tests env: CARGO_BUILD_JOBS: 1 - name: Build (Makefile linux-x64) run: make ubuntu-x64 - name: Fix permissions run: sudo chown -R $(id -u):$(id -g) target - name: Build Debian package run: | cargo deb --no-build --target x86_64-unknown-linux-musl \ --output target/release/kingfisher-linux-x64.deb - name: Build RPM package run: | cargo generate-rpm --target x86_64-unknown-linux-musl \ --output target/release/kingfisher-linux-x64.rpm - name: Move artifact to dist shell: bash run: | mkdir -p dist cp target/release/kingfisher-linux-x64.tgz dist/ cp target/release/kingfisher-linux-x64.deb dist/ cp target/release/kingfisher-linux-x64.rpm dist/ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kingfisher-linux-x64.tgz path: dist/kingfisher-linux-x64.tgz - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kingfisher-linux-x64.deb path: dist/kingfisher-linux-x64.deb - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kingfisher-linux-x64.rpm path: dist/kingfisher-linux-x64.rpm linux-arm64: name: Linux arm64 runs-on: ubuntu-24.04-arm steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 # Free up disk space on Ubuntu runners - name: Free Disk Space run: | sudo rm -rf /usr/share/dotnet sudo rm -rf /usr/local/lib/android sudo rm -rf /opt/ghc sudo rm -rf /opt/hostedtoolcache/CodeQL sudo docker image prune --all --force df -h - uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master with: toolchain: ${{ env.RUST_TOOLCHAIN }} - uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 with: shared-key: kingfisher-${{ runner.os }}-${{ runner.arch }} cache-on-failure: true - name: Install packaging tools run: cargo install cargo-deb cargo-generate-rpm - name: Install Linux test dependencies run: | sudo apt-get update -qq sudo apt-get install -y --no-install-recommends \ cmake pkg-config libboost-all-dev patch perl ragel - name: Run tests run: make tests env: CARGO_BUILD_JOBS: 1 - name: Build (Makefile linux-arm64) run: make ubuntu-arm64 - name: Fix permissions run: sudo chown -R $(id -u):$(id -g) target - name: Build Debian package run: | cargo deb --no-build --target aarch64-unknown-linux-musl \ --output target/release/kingfisher-linux-arm64.deb - name: Build RPM package run: | cargo generate-rpm --target aarch64-unknown-linux-musl \ --output target/release/kingfisher-linux-arm64.rpm - name: Move artifact to dist shell: bash run: | mkdir -p dist cp target/release/kingfisher-linux-arm64.tgz dist/ cp target/release/kingfisher-linux-arm64.deb dist/ cp target/release/kingfisher-linux-arm64.rpm dist/ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kingfisher-linux-arm64.tgz path: dist/kingfisher-linux-arm64.tgz - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kingfisher-linux-arm64.deb path: dist/kingfisher-linux-arm64.deb - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kingfisher-linux-arm64.rpm path: dist/kingfisher-linux-arm64.rpm macos-x64: name: macOS x64 runs-on: macos-15-intel steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master with: toolchain: ${{ env.RUST_TOOLCHAIN }} - uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 with: shared-key: kingfisher-${{ runner.os }}-${{ runner.arch }} cache-on-failure: true - name: Install macOS test dependencies run: | brew list cmake >/dev/null 2>&1 || brew install cmake brew list boost >/dev/null 2>&1 || brew install boost brew list pkg-config >/dev/null 2>&1 || brew install pkg-config brew list ragel >/dev/null 2>&1 || brew install ragel - name: Run tests run: make tests - name: Build Darwin x64 run: make darwin-x64 - name: Move artifacts to dist shell: bash run: | mkdir -p dist cp target/release/kingfisher-darwin-x64.tgz dist/ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kingfisher-darwin-x64.tgz path: dist/kingfisher-darwin-x64.tgz macos-arm64: name: macOS arm64 runs-on: macos-14 steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master with: toolchain: ${{ env.RUST_TOOLCHAIN }} - uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 with: shared-key: kingfisher-${{ runner.os }}-${{ runner.arch }} cache-on-failure: true - name: Install macOS test dependencies run: | brew list cmake >/dev/null 2>&1 || brew install cmake brew list boost >/dev/null 2>&1 || brew install boost brew list pkg-config >/dev/null 2>&1 || brew install pkg-config brew list ragel >/dev/null 2>&1 || brew install ragel - name: Run tests run: make tests - name: Build Darwin arm64 run: make darwin-arm64 - name: Move artifacts to dist shell: bash run: | mkdir -p dist cp target/release/kingfisher-darwin-arm64.tgz dist/ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kingfisher-darwin-arm64.tgz path: dist/kingfisher-darwin-arm64.tgz # ──────────────── Windows ──────────────── windows: name: Windows ${{ matrix.arch }} runs-on: ${{ matrix.runs_on }} strategy: fail-fast: false matrix: include: - arch: x64 runs_on: windows-latest msystem: MINGW64 - arch: arm64 runs_on: windows-11-arm msystem: CLANGARM64 steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master with: toolchain: ${{ env.RUST_TOOLCHAIN }} - name: Set up MSYS2 uses: msys2/setup-msys2@e9898307ac31d1a803454791be09ab9973336e1c # v2.31.1 with: msystem: ${{ matrix.msystem }} update: true install: >- make git - uses: swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 with: shared-key: kingfisher-${{ runner.os }}-${{ runner.arch }} cache-on-failure: true - name: Prepare Windows dependencies shell: msys2 {0} run: WINDOWS_ONLY_DEPS=1 make windows-${{ matrix.arch }} - name: Run tests shell: msys2 {0} run: make windows-test-${{ matrix.arch }} - name: Build shell: msys2 {0} run: make windows-${{ matrix.arch }} - name: Move artifact to dist shell: bash run: | mkdir -p dist cp target/release/kingfisher-windows-${{ matrix.arch }}.zip dist/ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kingfisher-windows-${{ matrix.arch }} path: dist/kingfisher-windows-${{ matrix.arch }}.zip release: name: Public GitHub Release needs: [linux-x64, linux-arm64, windows, macos-x64, macos-arm64] runs-on: ubuntu-latest outputs: tag: ${{ steps.version.outputs.tag }} permissions: contents: write id-token: write attestations: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Determine tag id: version shell: bash env: RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} INPUT_TAG: ${{ github.event.inputs.tag }} run: | set -euo pipefail if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then TAG="${RELEASE_TAG_NAME}" elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then TAG="${INPUT_TAG}" else VERSION=$(grep -m1 '^version\s*=' Cargo.toml | cut -d '"' -f2) TAG="v${VERSION}" fi echo "tag=${TAG}" >> "$GITHUB_OUTPUT" - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: target/release/kingfisher-* merge-multiple: true - name: Extract latest changelog section run: | awk ' BEGIN { grabbing = 0 } /^## \[/ { if (grabbing) exit; # already grabbed latest entry grabbing = 1 } grabbing { print } ' CHANGELOG.md > .latest_changelog.md # ── Sign every release artifact with a SLSA v1 build-provenance attestation. # actions/attest-build-provenance produces a multi-subject Sigstore Bundle # in JSONL format and writes it to bundle-path. We ship that file alongside # the binaries as `multiple.intoto.jsonl` so users can verify offline with # `gh attestation verify`, `cosign`, or `slsa-verifier` — no GitHub API call # required at verify time. This also satisfies the OSSF Scorecard # `Signed-Releases` check, which scans for *.intoto.jsonl in release assets. - name: Attest build provenance id: attest uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: # Match the actual artifact files under target/release/ (download-artifact # places them in a subdirectory, so we use ** to recurse). subject-path: | target/release/**/kingfisher-*.tgz target/release/**/kingfisher-*.zip target/release/**/kingfisher-*.deb target/release/**/kingfisher-*.rpm - name: Stage attestation bundle as a release asset shell: bash run: | set -euo pipefail BUNDLE_PATH='${{ steps.attest.outputs.bundle-path }}' if [[ -z "${BUNDLE_PATH}" || ! -f "${BUNDLE_PATH}" ]]; then echo "::error::attest-build-provenance did not produce a bundle at '${BUNDLE_PATH}'" exit 1 fi # Use the slsa-verifier-recognized filename for multi-subject bundles. mkdir -p target/release cp "${BUNDLE_PATH}" target/release/multiple.intoto.jsonl echo "Bundle line count (one DSSE-wrapped attestation per subject):" wc -l target/release/multiple.intoto.jsonl # ── create the release using just that snippet ───────────────────── - name: Create release & upload assets uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0 with: tag: ${{ steps.version.outputs.tag }} name: "Kingfisher ${{ steps.version.outputs.tag }}" bodyFile: .latest_changelog.md # ← only the most-recent entry allowUpdates: true generateReleaseNotes: false artifacts: target/release/** # ──────────────── Publish Docker image ──────────────── publish-docker: needs: [release] uses: ./.github/workflows/release-docker.yml with: tag: ${{ needs.release.outputs.tag }} permissions: contents: read packages: write # ──────────────── Publish PyPI wheels ──────────────── publish-pypi: needs: [release] uses: ./.github/workflows/pypi.yml with: tag: ${{ needs.release.outputs.tag }} permissions: contents: read id-token: write