Skip to content

build: switch to cross & create attestations #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

build: switch to cross & create attestations #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
366869f
Update release-sbuild.yaml
Azathothas Jun 23, 2025
1ed76e0
better
Azathothas Jun 23, 2025
42aae17
fix
Azathothas Jun 23, 2025
4c290c5
fix
Azathothas Jun 23, 2025
984f07f
fix
Azathothas Jun 23, 2025
a4e20d2
cross
Azathothas Jun 23, 2025
0f08db5
Update nightly-sbuild.yaml
Azathothas Jun 23, 2025
690fd65
Update release-linter.yaml
Azathothas Jun 23, 2025
0569881
Update release-sbuild.yaml
Azathothas Jun 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 58 additions & 26 deletions .github/workflows/nightly-sbuild.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,18 @@
name: sbuild nightly

concurrency:
group: "${{ github.workflow }}-${{ github.ref }}"
cancel-in-progress: true

on:
push:
tags:
- nightly-sbuild
workflow_dispatch:

permissions:
attestations: write
contents: write
id-token: write

jobs:

Expand All @@ -29,14 +34,22 @@ jobs:
fail-fast: false
matrix:
build:
- {
NAME: x86_64-linux,
TARGET: x86_64-unknown-linux-musl,
}
- {
NAME: aarch64-linux,
TARGET: aarch64-unknown-linux-musl,
}
- {
NAME: loongarch64-linux,
TARGET: loongarch64-unknown-linux-musl
}
- {
NAME: riscv64-linux,
TARGET: riscv64gc-unknown-linux-musl
}
- {
NAME: x86_64-linux,
TARGET: x86_64-unknown-linux-musl,
}
steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -50,40 +63,51 @@ jobs:
- name: Install dependencies
shell: bash
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
--allow-unauthenticated musl-tools b3sum
sudo apt update -y
sudo apt install b3sum findutils file -y

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@nightly
with:
targets: ${{ matrix.build.TARGET }}

- name: Install cross-compilation tools
uses: taiki-e/setup-cross-toolchain-action@v1
with:
target: ${{ matrix.build.TARGET }}

- name: Install Cross
shell: bash
run: |
cargo install cross --git "https://github.com/cross-rs/cross" --jobs="$(($(nproc)+1))"
hash -r &>/dev/null
command -v cross &>/dev/null || { echo "cross command not found" >&2; exit 1; }

- name: Build
run: cargo build --bin sbuild --release --locked --target ${{ matrix.build.TARGET }}
env:
RUSTFLAGS: "-C target-feature=+crt-static \
-C default-linker-libraries=yes \
-C link-self-contained=yes \
-C opt-level=3 \
-C debuginfo=none \
-C strip=symbols \
-C link-arg=-Wl,-S \
-C link-arg=-Wl,--build-id=none \
-C link-arg=-Wl,--discard-all \
-C link-arg=-Wl,--strip-all"
run: cross +nightly build --bin "sbuild" --release --locked --target "${{ matrix.build.TARGET }}" --jobs="$(($(nproc)+1))" --verbose

- name: Prepare release assets
env:
ARTIFACT: "release/sbuild-${{ matrix.build.NAME }}"
ARCHIVE: "sbuild-${{ matrix.build.NAME }}.tar.gz"
shell: bash
run: |
mkdir -p release
cp {LICENSE,README.md} release/
cp "target/${{ matrix.build.TARGET }}/release/sbuild" release/

- name: Create release artifacts
shell: bash
run: |
cp release/sbuild sbuild-${{ matrix.build.NAME }}
b3sum sbuild-${{ matrix.build.NAME }} \
> sbuild-${{ matrix.build.NAME }}.b3sum
tar -czvf sbuild-${{ matrix.build.NAME }}.tar.gz \
release/
b3sum sbuild-${{ matrix.build.NAME }}.tar.gz \
> sbuild-${{ matrix.build.NAME }}.tar.gz.b3sum
cp "target/${{ matrix.build.TARGET }}/release/sbuild" "${ARTIFACT}"
b3sum "${ARTIFACT}" > "${ARTIFACT}.b3sum"
cp "${ARTIFACT}" .
cp "${ARTIFACT}.b3sum" .
tar -czvf "${ARCHIVE}" release/
b3sum "${ARCHIVE}" > "${ARCHIVE}.b3sum"
bash -c 'realpath "${ARTIFACT}" ; realpath "${ARCHIVE}"' | xargs -I "{}" bash -c \
'printf "\nFile: $(basename {})\n Type: $(file -b {})\n B3sum: $(b3sum {} | cut -d" " -f1)\n SHA256sum: $(sha256sum {} | cut -d" " -f1)\n Size: $(du -bh {} | cut -f1)\n"'

- name: Publish to GitHub (nightly)
uses: svenstaro/upload-release-action@v2
Expand All @@ -95,3 +119,11 @@ jobs:
tag: nightly-sbuild
release_name: "${{ steps.version.outputs.version }}"
prerelease: true

- name: Attest Build Provenance
uses: actions/[email protected]
with:
subject-name: "sbuild-nightly-${{ matrix.build.NAME }}"
subject-path: |
sbuild-${{ matrix.build.NAME }}*
show-summary: true
80 changes: 54 additions & 26 deletions .github/workflows/release-linter.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,17 @@
name: sbuild-linter release

concurrency:
group: "${{ github.workflow }}-${{ github.ref }}"
cancel-in-progress: true

on:
workflow_dispatch:
push:
tags:
- "v*.*.*-linter"
permissions:
attestations: write
contents: write
id-token: write

jobs:
publish-binaries:
Expand All @@ -16,18 +21,22 @@ jobs:
fail-fast: false
matrix:
build:
- {
NAME: x86_64-linux,
TARGET: x86_64-unknown-linux-musl,
}
- {
NAME: aarch64-linux,
TARGET: aarch64-unknown-linux-musl,
}
- {
NAME: loongarch64-linux,
TARGET: loongarch64-unknown-linux-musl
}
- {
NAME: riscv64-linux,
TARGET: riscv64gc-unknown-linux-musl
}
- {
NAME: x86_64-linux,
TARGET: x86_64-unknown-linux-musl,
}
steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -39,40 +48,51 @@ jobs:
- name: Install dependencies
shell: bash
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
--allow-unauthenticated musl-tools b3sum
sudo apt update -y
sudo apt install b3sum findutils file -y

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@nightly
with:
targets: ${{ matrix.build.TARGET }}

- name: Install cross-compilation tools
uses: taiki-e/setup-cross-toolchain-action@v1
with:
target: ${{ matrix.build.TARGET }}

- name: Install Cross
shell: bash
run: |
cargo install cross --git "https://github.com/cross-rs/cross" --jobs="$(($(nproc)+1))"
hash -r &>/dev/null
command -v cross &>/dev/null || { echo "cross command not found" >&2; exit 1; }

- name: Build
run: RUSTFLAGS="-C target-feature=+crt-static" cargo build --bin sbuild-linter --release --locked --target ${{ matrix.build.TARGET }}
env:
RUSTFLAGS: "-C target-feature=+crt-static \
-C default-linker-libraries=yes \
-C link-self-contained=yes \
-C opt-level=3 \
-C debuginfo=none \
-C strip=symbols \
-C link-arg=-Wl,-S \
-C link-arg=-Wl,--build-id=none \
-C link-arg=-Wl,--discard-all \
-C link-arg=-Wl,--strip-all"
run: cross +nightly build --bin "sbuild-linter" --release --locked --target "${{ matrix.build.TARGET }}" --jobs="$(($(nproc)+1))" --verbose

- name: Prepare release assets
env:
ARTIFACT: "release/sbuild-linter-${{ matrix.build.NAME }}"
ARCHIVE: "sbuild-linter-${{ matrix.build.NAME }}.tar.gz"
shell: bash
run: |
mkdir -p release
cp {LICENSE,README.md} release/
cp "target/${{ matrix.build.TARGET }}/release/sbuild-linter" release/

- name: Create release artifacts
shell: bash
run: |
cp release/sbuild-linter sbuild-linter-${{ matrix.build.NAME }}
b3sum sbuild-linter-${{ matrix.build.NAME }} \
> sbuild-linter-${{ matrix.build.NAME }}.b3sum
tar -czvf sbuild-linter-${{ matrix.build.NAME }}.tar.gz \
release/
b3sum sbuild-linter-${{ matrix.build.NAME }}.tar.gz \
> sbuild-linter-${{ matrix.build.NAME }}.tar.gz.b3sum
cp "target/${{ matrix.build.TARGET }}/release/sbuild-linter" "${ARTIFACT}"
b3sum "${ARTIFACT}" > "${ARTIFACT}.b3sum"
cp "${ARTIFACT}" .
cp "${ARTIFACT}.b3sum" .
tar -czvf "${ARCHIVE}" release/
b3sum "${ARCHIVE}" > "${ARCHIVE}.b3sum"
bash -c 'realpath "${ARTIFACT}" ; realpath "${ARCHIVE}"' | xargs -I "{}" bash -c \
'printf "\nFile: $(basename {})\n Type: $(file -b {})\n B3sum: $(b3sum {} | cut -d" " -f1)\n SHA256sum: $(sha256sum {} | cut -d" " -f1)\n Size: $(du -bh {} | cut -f1)\n"'

- name: Publish to GitHub
uses: svenstaro/upload-release-action@v2
Expand All @@ -83,3 +103,11 @@ jobs:
overwrite: true
tag: ${{ github.ref }}
release_name: "sbuild-linter v${{ env.RELEASE_VERSION }}"

- name: Attest Build Provenance
uses: actions/[email protected]
with:
subject-name: "sbuild-linter-v${{ env.RELEASE_VERSION }}-${{ matrix.build.NAME }}"
subject-path: |
sbuild-linter-${{ matrix.build.NAME }}*
show-summary: true
80 changes: 54 additions & 26 deletions .github/workflows/release-sbuild.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,17 @@
name: sbuild release

concurrency:
group: "${{ github.workflow }}-${{ github.ref }}"
cancel-in-progress: true

on:
workflow_dispatch:
push:
tags:
- "v*.*.*-sbuild"
permissions:
attestations: write
contents: write
id-token: write

jobs:
publish-binaries:
Expand All @@ -16,18 +21,22 @@ jobs:
fail-fast: false
matrix:
build:
- {
NAME: x86_64-linux,
TARGET: x86_64-unknown-linux-musl,
}
- {
NAME: aarch64-linux,
TARGET: aarch64-unknown-linux-musl,
}
- {
NAME: loongarch64-linux,
TARGET: loongarch64-unknown-linux-musl
}
- {
NAME: riscv64-linux,
TARGET: riscv64gc-unknown-linux-musl
}
- {
NAME: x86_64-linux,
TARGET: x86_64-unknown-linux-musl,
}
steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -39,40 +48,51 @@ jobs:
- name: Install dependencies
shell: bash
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
--allow-unauthenticated musl-tools b3sum
sudo apt update -y
sudo apt install b3sum findutils file -y

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@nightly
with:
targets: ${{ matrix.build.TARGET }}

- name: Install cross-compilation tools
uses: taiki-e/setup-cross-toolchain-action@v1
with:
target: ${{ matrix.build.TARGET }}

- name: Install Cross
shell: bash
run: |
cargo install cross --git "https://github.com/cross-rs/cross" --jobs="$(($(nproc)+1))"
hash -r &>/dev/null
command -v cross &>/dev/null || { echo "cross command not found" >&2; exit 1; }

- name: Build
run: RUSTFLAGS="-C target-feature=+crt-static" cargo build --bin sbuild --release --locked --target ${{ matrix.build.TARGET }}
env:
RUSTFLAGS: "-C target-feature=+crt-static \
-C default-linker-libraries=yes \
-C link-self-contained=yes \
-C opt-level=3 \
-C debuginfo=none \
-C strip=symbols \
-C link-arg=-Wl,-S \
-C link-arg=-Wl,--build-id=none \
-C link-arg=-Wl,--discard-all \
-C link-arg=-Wl,--strip-all"
run: cross +nightly build --bin "sbuild" --release --locked --target "${{ matrix.build.TARGET }}" --jobs="$(($(nproc)+1))" --verbose

- name: Prepare release assets
env:
ARTIFACT: "release/sbuild-${{ matrix.build.NAME }}"
ARCHIVE: "sbuild-${{ matrix.build.NAME }}.tar.gz"
shell: bash
run: |
mkdir -p release
cp {LICENSE,README.md} release/
cp "target/${{ matrix.build.TARGET }}/release/sbuild" release/

- name: Create release artifacts
shell: bash
run: |
cp release/sbuild sbuild-${{ matrix.build.NAME }}
b3sum sbuild-${{ matrix.build.NAME }} \
> sbuild-${{ matrix.build.NAME }}.b3sum
tar -czvf sbuild-${{ matrix.build.NAME }}.tar.gz \
release/
b3sum sbuild-${{ matrix.build.NAME }}.tar.gz \
> sbuild-${{ matrix.build.NAME }}.tar.gz.b3sum
cp "target/${{ matrix.build.TARGET }}/release/sbuild" "${ARTIFACT}"
b3sum "${ARTIFACT}" > "${ARTIFACT}.b3sum"
cp "${ARTIFACT}" .
cp "${ARTIFACT}.b3sum" .
tar -czvf "${ARCHIVE}" release/
b3sum "${ARCHIVE}" > "${ARCHIVE}.b3sum"
bash -c 'realpath "${ARTIFACT}" ; realpath "${ARCHIVE}"' | xargs -I "{}" bash -c \
'printf "\nFile: $(basename {})\n Type: $(file -b {})\n B3sum: $(b3sum {} | cut -d" " -f1)\n SHA256sum: $(sha256sum {} | cut -d" " -f1)\n Size: $(du -bh {} | cut -f1)\n"'

- name: Publish to GitHub
uses: svenstaro/upload-release-action@v2
Expand All @@ -83,3 +103,11 @@ jobs:
overwrite: true
tag: ${{ github.ref }}
release_name: "sbuild v${{ env.RELEASE_VERSION }}"

- name: Attest Build Provenance
uses: actions/[email protected]
with:
subject-name: "sbuild-v${{ env.RELEASE_VERSION }}-${{ matrix.build.NAME }}"
subject-path: |
sbuild-${{ matrix.build.NAME }}*
show-summary: true