diff --git a/.github/workflows/nightly-sbuild.yaml b/.github/workflows/nightly-sbuild.yaml index c5491b2..7a7dc6d 100644 --- a/.github/workflows/nightly-sbuild.yaml +++ b/.github/workflows/nightly-sbuild.yaml @@ -1,5 +1,8 @@ name: sbuild nightly - +concurrency: + group: "${{ github.workflow }}-${{ github.ref }}" + cancel-in-progress: true + on: push: tags: @@ -7,7 +10,9 @@ on: workflow_dispatch: permissions: + attestations: write contents: write + id-token: write jobs: @@ -29,14 +34,22 @@ jobs: fail-fast: false matrix: build: - - { - NAME: x86_64-linux, - TARGET: x86_64-unknown-linux-musl, - } - { NAME: aarch64-linux, TARGET: aarch64-unknown-linux-musl, } + - { + NAME: loongarch64-linux, + TARGET: loongarch64-unknown-linux-musl + } + - { + NAME: riscv64-linux, + TARGET: riscv64gc-unknown-linux-musl + } + - { + NAME: x86_64-linux, + TARGET: x86_64-unknown-linux-musl, + } steps: - name: Checkout uses: actions/checkout@v4 
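Review bot: `cancel-in-progress: true` in the new `concurrency` block lets a second tag push or manual dispatch on the same ref cancel a run that is partway through publishing. This workflow uploads release assets and attests them in a later step, so a cancellation can leave some matrix targets published and others missing, or published without an attestation. For a publishing workflow I would queue instead of cancel: keep the `group` and set `cancel-in-progress: false`. The same block is added to release-linter.yaml and release-sbuild.yaml.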
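Review bot: `attestations: write` and `id-token: write` are granted at workflow level, so every job in this file can mint an OIDC token and write attestations, on top of the existing `contents: write`. Only the job that runs the attestation step needs them; moving the `permissions:` block under that job keeps the grant from spreading if another job is added later. The job list begins outside this hunk, so I cannot tell whether more than one job exists today. release-linter.yaml and release-sbuild.yaml receive the same workflow-level grant.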
@@ -50,40 +63,51 @@ jobs: - name: Install dependencies shell: bash run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends \ - --allow-unauthenticated musl-tools b3sum + sudo apt update -y + sudo apt install b3sum findutils file -y - name: Install Rust toolchain uses: dtolnay/rust-toolchain@nightly with: targets: ${{ matrix.build.TARGET }} - - name: Install cross-compilation tools - uses: taiki-e/setup-cross-toolchain-action@v1 - with: - target: ${{ matrix.build.TARGET }} - + - name: Install Cross + shell: bash + run: | + cargo install cross --git "https://github.com/cross-rs/cross" --jobs="$(($(nproc)+1))" + hash -r &>/dev/null + command -v cross &>/dev/null || { echo "cross command not found" >&2; exit 1; } + - name: Build - run: cargo build --bin sbuild --release --locked --target ${{ matrix.build.TARGET }} + env: + RUSTFLAGS: "-C target-feature=+crt-static \ + -C default-linker-libraries=yes \ + -C link-self-contained=yes \ + -C opt-level=3 \ + -C debuginfo=none \ + -C strip=symbols \ + -C link-arg=-Wl,-S \ + -C link-arg=-Wl,--build-id=none \ + -C link-arg=-Wl,--discard-all \ + -C link-arg=-Wl,--strip-all" + run: cross +nightly build --bin "sbuild" --release --locked --target "${{ matrix.build.TARGET }}" --jobs="$(($(nproc)+1))" --verbose - name: Prepare release assets + env: + ARTIFACT: "release/sbuild-${{ matrix.build.NAME }}" + ARCHIVE: "sbuild-${{ matrix.build.NAME }}.tar.gz" shell: bash run: | mkdir -p release cp {LICENSE,README.md} release/ - cp "target/${{ matrix.build.TARGET }}/release/sbuild" release/ - - - name: Create release artifacts - shell: bash - run: | - cp release/sbuild sbuild-${{ matrix.build.NAME }} - b3sum sbuild-${{ matrix.build.NAME }} \ - > sbuild-${{ matrix.build.NAME }}.b3sum - tar -czvf sbuild-${{ matrix.build.NAME }}.tar.gz \ - release/ - b3sum sbuild-${{ matrix.build.NAME }}.tar.gz \ - > sbuild-${{ matrix.build.NAME }}.tar.gz.b3sum + cp "target/${{ matrix.build.TARGET }}/release/sbuild" "${ARTIFACT}" + b3sum 
"${ARTIFACT}" > "${ARTIFACT}.b3sum" + cp "${ARTIFACT}" . + cp "${ARTIFACT}.b3sum" . + tar -czvf "${ARCHIVE}" release/ + b3sum "${ARCHIVE}" > "${ARCHIVE}.b3sum" + bash -c 'realpath "${ARTIFACT}" ; realpath "${ARCHIVE}"' | xargs -I "{}" bash -c \ + 'printf "\nFile: $(basename {})\n Type: $(file -b {})\n B3sum: $(b3sum {} | cut -d" " -f1)\n SHA256sum: $(sha256sum {} | cut -d" " -f1)\n Size: $(du -bh {} | cut -f1)\n"' - name: Publish to GitHub (nightly) uses: svenstaro/upload-release-action@v2 @@ -95,3 +119,11 @@ jobs: tag: nightly-sbuild release_name: "${{ steps.version.outputs.version }}" prerelease: true + + - name: Attest Build Provenance + uses: actions/attest-build-provenance@v2.4.0 + with: + subject-name: "sbuild-nightly-${{ matrix.build.NAME }}" + subject-path: | + sbuild-${{ matrix.build.NAME }}* + show-summary: true diff --git a/.github/workflows/release-linter.yaml b/.github/workflows/release-linter.yaml index ca8e0ec..bfdf288 100644 --- a/.github/workflows/release-linter.yaml +++ b/.github/workflows/release-linter.yaml @@ -1,12 +1,17 @@ name: sbuild-linter release - +concurrency: + group: "${{ github.workflow }}-${{ github.ref }}" + cancel-in-progress: true + on: workflow_dispatch: push: tags: - "v*.*.*-linter" permissions: + attestations: write contents: write + id-token: write jobs: publish-binaries: @@ -16,18 +21,22 @@ jobs: fail-fast: false matrix: build: - - { - NAME: x86_64-linux, - TARGET: x86_64-unknown-linux-musl, - } - { NAME: aarch64-linux, TARGET: aarch64-unknown-linux-musl, } + - { + NAME: loongarch64-linux, + TARGET: loongarch64-unknown-linux-musl + } - { NAME: riscv64-linux, TARGET: riscv64gc-unknown-linux-musl } + - { + NAME: x86_64-linux, + TARGET: x86_64-unknown-linux-musl, + } steps: - name: Checkout uses: actions/checkout@v4 
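Review bot: The `Install Cross` step builds `cross` from whatever commit the default branch of cross-rs/cross points to at run time, and without `--locked`, in a job that holds `contents: write` and `id-token: write`. The build tool is therefore not reproducible, and any upstream change flows straight into binaries that a later step attests. Pin it, for example `cargo install cross --git "https://github.com/cross-rs/cross" --rev "<PINNED_COMMIT_SHA>" --locked`, and bump the revision deliberately. cross also runs the build inside a container image chosen per target, so it is worth checking whether that image can be pinned too (presumably through the project's cross configuration; confirm). The same step is added in release-linter.yaml and release-sbuild.yaml.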
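Review bot: `Attest Build Provenance` is placed after `Publish to GitHub`, so a failed attestation or a cancelled run leaves assets on the release with no provenance; running the attestation before the upload makes a failed attestation block publishing. The action is referenced by the tag `@v2.4.0` while the job holds `id-token: write`; pinning to the full commit, `uses: actions/attest-build-provenance@<COMMIT_SHA> # v2.4.0`, removes the dependence on a movable tag. The glob `sbuild-${{ matrix.build.NAME }}*` also matches the `.b3sum` files, and the upload step's file list is outside this hunk, so confirm that the attested set equals the published set. The same step is added to release-linter.yaml and release-sbuild.yaml.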
@@ -39,40 +48,51 @@ jobs: - name: Install dependencies shell: bash run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends \ - --allow-unauthenticated musl-tools b3sum + sudo apt update -y + sudo apt install b3sum findutils file -y - name: Install Rust toolchain uses: dtolnay/rust-toolchain@nightly with: targets: ${{ matrix.build.TARGET }} - - name: Install cross-compilation tools - uses: taiki-e/setup-cross-toolchain-action@v1 - with: - target: ${{ matrix.build.TARGET }} - + - name: Install Cross + shell: bash + run: | + cargo install cross --git "https://github.com/cross-rs/cross" --jobs="$(($(nproc)+1))" + hash -r &>/dev/null + command -v cross &>/dev/null || { echo "cross command not found" >&2; exit 1; } + - name: Build - run: RUSTFLAGS="-C target-feature=+crt-static" cargo build --bin sbuild-linter --release --locked --target ${{ matrix.build.TARGET }} + env: + RUSTFLAGS: "-C target-feature=+crt-static \ + -C default-linker-libraries=yes \ + -C link-self-contained=yes \ + -C opt-level=3 \ + -C debuginfo=none \ + -C strip=symbols \ + -C link-arg=-Wl,-S \ + -C link-arg=-Wl,--build-id=none \ + -C link-arg=-Wl,--discard-all \ + -C link-arg=-Wl,--strip-all" + run: cross +nightly build --bin "sbuild-linter" --release --locked --target "${{ matrix.build.TARGET }}" --jobs="$(($(nproc)+1))" --verbose - name: Prepare release assets + env: + ARTIFACT: "release/sbuild-linter-${{ matrix.build.NAME }}" + ARCHIVE: "sbuild-linter-${{ matrix.build.NAME }}.tar.gz" shell: bash run: | mkdir -p release cp {LICENSE,README.md} release/ - cp "target/${{ matrix.build.TARGET }}/release/sbuild-linter" release/ - - - name: Create release artifacts - shell: bash - run: | - cp release/sbuild-linter sbuild-linter-${{ matrix.build.NAME }} - b3sum sbuild-linter-${{ matrix.build.NAME }} \ - > sbuild-linter-${{ matrix.build.NAME }}.b3sum - tar -czvf sbuild-linter-${{ matrix.build.NAME }}.tar.gz \ - release/ - b3sum sbuild-linter-${{ matrix.build.NAME }}.tar.gz \ - > 
sbuild-linter-${{ matrix.build.NAME }}.tar.gz.b3sum + cp "target/${{ matrix.build.TARGET }}/release/sbuild-linter" "${ARTIFACT}" + b3sum "${ARTIFACT}" > "${ARTIFACT}.b3sum" + cp "${ARTIFACT}" . + cp "${ARTIFACT}.b3sum" . + tar -czvf "${ARCHIVE}" release/ + b3sum "${ARCHIVE}" > "${ARCHIVE}.b3sum" + bash -c 'realpath "${ARTIFACT}" ; realpath "${ARCHIVE}"' | xargs -I "{}" bash -c \ + 'printf "\nFile: $(basename {})\n Type: $(file -b {})\n B3sum: $(b3sum {} | cut -d" " -f1)\n SHA256sum: $(sha256sum {} | cut -d" " -f1)\n Size: $(du -bh {} | cut -f1)\n"' - name: Publish to GitHub uses: svenstaro/upload-release-action@v2 @@ -83,3 +103,11 @@ jobs: overwrite: true tag: ${{ github.ref }} release_name: "sbuild-linter v${{ env.RELEASE_VERSION }}" + + - name: Attest Build Provenance + uses: actions/attest-build-provenance@v2.4.0 + with: + subject-name: "sbuild-linter-v${{ env.RELEASE_VERSION }}-${{ matrix.build.NAME }}" + subject-path: | + sbuild-linter-${{ matrix.build.NAME }}* + show-summary: true diff --git a/.github/workflows/release-sbuild.yaml b/.github/workflows/release-sbuild.yaml index e3433b5..1aa74ac 100644 --- a/.github/workflows/release-sbuild.yaml +++ b/.github/workflows/release-sbuild.yaml @@ -1,12 +1,17 @@ name: sbuild release - +concurrency: + group: "${{ github.workflow }}-${{ github.ref }}" + cancel-in-progress: true + on: workflow_dispatch: push: tags: - "v*.*.*-sbuild" permissions: + attestations: write contents: write + id-token: write jobs: publish-binaries: @@ -16,18 +21,22 @@ jobs: fail-fast: false matrix: build: - - { - NAME: x86_64-linux, - TARGET: x86_64-unknown-linux-musl, - } - { NAME: aarch64-linux, TARGET: aarch64-unknown-linux-musl, } + - { + NAME: loongarch64-linux, + TARGET: loongarch64-unknown-linux-musl + } - { NAME: riscv64-linux, TARGET: riscv64gc-unknown-linux-musl } + - { + NAME: x86_64-linux, + TARGET: x86_64-unknown-linux-musl, + } steps: - name: Checkout uses: actions/checkout@v4 
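Review bot: The per-binary checksum is now produced by `b3sum "${ARTIFACT}"` with `ARTIFACT` set to `release/sbuild-linter-<NAME>`, so the `.b3sum` file records the path `release/sbuild-linter-<NAME>`, while the binary and its checksum are then copied to the top level and presumably published as loose assets. Someone who downloads both and runs `b3sum --check` will get a missing-file error unless they recreate the `release/` directory; the removed lines hashed the top-level copy and recorded a bare name. Hashing from inside the directory keeps the name bare: `(cd release && b3sum "$(basename "${ARTIFACT}")" > "$(basename "${ARTIFACT}").b3sum")`. The archive also now carries the binary under its suffixed name instead of `release/sbuild-linter`, which is worth stating in the release notes for anyone scripting against it. nightly-sbuild.yaml and release-sbuild.yaml contain the same lines for `sbuild`.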
@@ -39,40 +48,51 @@ jobs: - name: Install dependencies shell: bash run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends \ - --allow-unauthenticated musl-tools b3sum + sudo apt update -y + sudo apt install b3sum findutils file -y - name: Install Rust toolchain uses: dtolnay/rust-toolchain@nightly with: targets: ${{ matrix.build.TARGET }} - - name: Install cross-compilation tools - uses: taiki-e/setup-cross-toolchain-action@v1 - with: - target: ${{ matrix.build.TARGET }} - + - name: Install Cross + shell: bash + run: | + cargo install cross --git "https://github.com/cross-rs/cross" --jobs="$(($(nproc)+1))" + hash -r &>/dev/null + command -v cross &>/dev/null || { echo "cross command not found" >&2; exit 1; } + - name: Build - run: RUSTFLAGS="-C target-feature=+crt-static" cargo build --bin sbuild --release --locked --target ${{ matrix.build.TARGET }} + env: + RUSTFLAGS: "-C target-feature=+crt-static \ + -C default-linker-libraries=yes \ + -C link-self-contained=yes \ + -C opt-level=3 \ + -C debuginfo=none \ + -C strip=symbols \ + -C link-arg=-Wl,-S \ + -C link-arg=-Wl,--build-id=none \ + -C link-arg=-Wl,--discard-all \ + -C link-arg=-Wl,--strip-all" + run: cross +nightly build --bin "sbuild" --release --locked --target "${{ matrix.build.TARGET }}" --jobs="$(($(nproc)+1))" --verbose - name: Prepare release assets + env: + ARTIFACT: "release/sbuild-${{ matrix.build.NAME }}" + ARCHIVE: "sbuild-${{ matrix.build.NAME }}.tar.gz" shell: bash run: | mkdir -p release cp {LICENSE,README.md} release/ - cp "target/${{ matrix.build.TARGET }}/release/sbuild" release/ - - - name: Create release artifacts - shell: bash - run: | - cp release/sbuild sbuild-${{ matrix.build.NAME }} - b3sum sbuild-${{ matrix.build.NAME }} \ - > sbuild-${{ matrix.build.NAME }}.b3sum - tar -czvf sbuild-${{ matrix.build.NAME }}.tar.gz \ - release/ - b3sum sbuild-${{ matrix.build.NAME }}.tar.gz \ - > sbuild-${{ matrix.build.NAME }}.tar.gz.b3sum + cp "target/${{ matrix.build.TARGET 
}}/release/sbuild" "${ARTIFACT}" + b3sum "${ARTIFACT}" > "${ARTIFACT}.b3sum" + cp "${ARTIFACT}" . + cp "${ARTIFACT}.b3sum" . + tar -czvf "${ARCHIVE}" release/ + b3sum "${ARCHIVE}" > "${ARCHIVE}.b3sum" + bash -c 'realpath "${ARTIFACT}" ; realpath "${ARCHIVE}"' | xargs -I "{}" bash -c \ + 'printf "\nFile: $(basename {})\n Type: $(file -b {})\n B3sum: $(b3sum {} | cut -d" " -f1)\n SHA256sum: $(sha256sum {} | cut -d" " -f1)\n Size: $(du -bh {} | cut -f1)\n"' - name: Publish to GitHub uses: svenstaro/upload-release-action@v2 @@ -83,3 +103,11 @@ jobs: overwrite: true tag: ${{ github.ref }} release_name: "sbuild v${{ env.RELEASE_VERSION }}" + + - name: Attest Build Provenance + uses: actions/attest-build-provenance@v2.4.0 + with: + subject-name: "sbuild-v${{ env.RELEASE_VERSION }}-${{ matrix.build.NAME }}" + subject-path: | + sbuild-${{ matrix.build.NAME }}* + show-summary: true
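Review bot: The summary command at the end of `Prepare release assets` splices each path into shell source through `xargs -I "{}" bash -c '... $(file -b {}) ...'`, so a path containing a space or a shell metacharacter would be parsed as code, not data. The paths come from the workspace and the matrix today, which makes this a robustness point, but passing the path as an argument avoids the problem entirely: append `_ {}` after the quoted script and use `"$1"` inside it in place of each `{}`. The identical command appears in nightly-sbuild.yaml and release-linter.yaml.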