canary.yml
# Canary release workflow, run automatically on every push to main.
# This workflow is identical to "release.yml" with these exceptions:
# - Triggered by push to main
# - GitHub Release tagged as "canary"
name: Canary

on:
  push:
    branches:
      - main
    # Pushes that only touch the documentation tree do not start a run.
    paths-ignore:
      - "documentation/**"

# One run per workflow and ref; a newer push cancels the run still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Permissions for SLSA attestation, AWS OIDC codesigning, and release creation.
# NOTE(review): these are workflow-level defaults, so every job below that does
# not declare its own `permissions:` block runs with all four of them.
permissions:
  id-token: write  # Required for Sigstore OIDC signing and AWS OIDC codesigning
  contents: write  # Required for creating releases and by actions/checkout
  actions: read  # Required by bundle-desktop-windows.yml reusable workflow
  attestations: write  # Required for SLSA build provenance attestations
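jobs:
  # ------------------------------------
  # 1) Prepare Version
  # ------------------------------------
  # Computes "<Cargo.toml version>-canary+<short sha>" and exposes it as the
  # `version` output consumed by the build and bundle jobs.
  prepare-version:
    name: Prepare Version
    runs-on: ubuntu-latest
    # This job only reads the repository, so it does not need the
    # workflow-level write scopes.
    permissions:
      contents: read
    outputs:
      version: ${{ steps.set-version.outputs.version }}
    steps:
      # checkout code so we can read the Cargo.toml
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # No later step talks to the remote, so do not keep the token around.
          persist-credentials: false
      - name: Generate a canary version
        id: set-version
        run: |
          # Short commit id, appended as build metadata
          SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7)
          # Extract the version from Cargo.toml (first `version = "..."` line)
          VERSION=$(grep '^version\s*=' Cargo.toml | head -n 1 | cut -d\" -f2)
          # Fail here rather than hand an empty base version to the build jobs
          if [ -z "${VERSION}" ]; then
            echo "::error::could not read a version from Cargo.toml"
            exit 1
          fi
          VERSION="${VERSION}-canary+${SHORT_SHA}"
          echo "version=${VERSION}" >> "${GITHUB_OUTPUT}"

  # ------------------------------------
  # 2) Build CLI for multiple OS/Arch
  # ------------------------------------
  # NOTE(review): no job-level permissions here, so the called workflow gets
  # the workflow-level defaults; narrow them once its needs are confirmed.
  # NOTE(review): `version` is derived from file content; confirm the called
  # workflows pass it to scripts through `env:` rather than inline `${{ }}`.
  build-cli:
    needs: [prepare-version]
    uses: ./.github/workflows/build-cli.yml
    with:
      version: ${{ needs.prepare-version.outputs.version }}

  # ------------------------------------
  # 3) Upload Install CLI Script (we only need to do this once)
  # ------------------------------------
  install-script:
    name: Upload Install Script
    runs-on: ubuntu-latest
    needs: [build-cli]
    # Checkout plus artifact upload only; read access to contents is enough.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: download_cli.sh
          path: download_cli.sh

  # ------------------------------------------------------------
  # 4) Bundle Desktop App (macOS only) - builds goosed and Electron app
  # ------------------------------------------------------------
  bundle-desktop:
    needs: [prepare-version]
    uses: ./.github/workflows/bundle-desktop.yml
    # NOTE(review): signing is disabled below; confirm whether the called
    # workflow still requires `id-token: write` for canary builds.
    permissions:
      id-token: write
      contents: read
    with:
      version: ${{ needs.prepare-version.outputs.version }}
      signing: false

  # ------------------------------------------------------------
  # 5) Bundle Desktop App (Linux) - builds goosed and Electron app
  # ------------------------------------------------------------
  bundle-desktop-linux:
    needs: [prepare-version]
    uses: ./.github/workflows/bundle-desktop-linux.yml
    with:
      version: ${{ needs.prepare-version.outputs.version }}

  # ------------------------------------------------------------
  # 6) Bundle Desktop App (Windows) - builds goosed and Electron app
  # ------------------------------------------------------------
  bundle-desktop-windows:
    needs: [prepare-version]
    uses: ./.github/workflows/bundle-desktop-windows.yml
    with:
      version: ${{ needs.prepare-version.outputs.version }}
      signing: false

  # ------------------------------------
  # 7) Create/Update GitHub Release
  # ------------------------------------
  # The only job that publishes: it collects every artifact from the jobs it
  # depends on, attests them, then updates the "canary" release.
  release:
    name: Release
    runs-on: ubuntu-latest
    needs:
      - build-cli
      - install-script
      - bundle-desktop
      - bundle-desktop-linux
      - bundle-desktop-windows
    permissions:
      contents: write
      id-token: write  # Required for Sigstore OIDC signing
      attestations: write  # Required for SLSA build provenance attestations
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          # Flatten every artifact of this run into the working directory.
          merge-multiple: true
      # Keep this list identical to the `artifacts` list of the release step,
      # so that every published file carries a provenance attestation.
      # Consumers can check one with, for example:
      #   gh attestation verify <FILE> --repo <OWNER>/<REPO>
      - name: Attest build provenance
        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
        with:
          subject-path: |
            goose-*.tar.bz2
            Goose*.zip
            *.deb
            *.rpm
            *.flatpak
            download_cli.sh
      # Create/update the canary release
      # `canary` is updated in place on every run (allowUpdates), so the tag
      # alone does not tie an asset to a commit; the attestation does.
      - name: Release canary
        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
        with:
          tag: canary
          name: Canary
          token: ${{ secrets.GITHUB_TOKEN }}
          artifacts: |
            goose-*.tar.bz2
            Goose*.zip
            *.deb
            *.rpm
            *.flatpak
            download_cli.sh
          allowUpdates: true
          omitBody: true
          omitPrereleaseDuringUpdate: true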