Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 28 additions & 16 deletions .github/workflows/publish-rust.yml
Original file line number Diff line number Diff line change
Expand Up @@ -207,13 +207,29 @@ jobs:
name: Publish crate
runs-on: ubuntu-latest
needs: [format, clippy, detached-minimal-versions, semver, docsrs]
environment: prod
permissions:
contents: write
id-token: write
attestations: write
Comment on lines +213 to +214

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm assuming we don't want artifact metadata storage records, but just making sure: does this also need artifact-metadata: write?

https://github.com/actions/attest-build-provenance?tab=readme-ov-file#usage

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good spot, yep we need this here

steps:
- uses: actions/create-github-app-token@v2
id: app-token
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}

- name: Set git config
run: |
git config --global user.email "github-actions@github.com"
git config --global user.name "github-actions"
git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf https://github.com/
env:
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

- name: Git Checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.ANZA_TEAM_PAT }}
fetch-depth: 0 # get the whole history for git-cliff

- name: Setup Environment
Expand All @@ -228,27 +244,16 @@ jobs:
with:
tool: cargo-release

- name: Ensure CARGO_REGISTRY_TOKEN variable is set
env:
token: ${{ secrets.CARGO_REGISTRY_TOKEN }}
if: ${{ env.token == '' }}
run: |
echo "The CARGO_REGISTRY_TOKEN secret variable is not set"
echo "Go to \"Settings\" -> \"Secrets and variables\" -> \"Actions\" -> \"New repository secret\"."
exit 1

- name: Set Git Author
run: |
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"

- name: Rebase (in case any changes landed after)
run: git pull --rebase origin

- uses: rust-lang/crates-io-auth-action@v1
id: auth

- name: Publish Crate
id: publish
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
run: |
if [ "${{ inputs.level }}" == "version" ]; then
LEVEL=${{ inputs.version }}
Expand All @@ -264,6 +269,12 @@ jobs:

./scripts/publish-rust.sh "${{ inputs.package_path }}" $LEVEL "${{ inputs.dependent_version }}" $OPTIONS

- name: Generate SLSA provenance
if: github.event.inputs.dry_run != 'true'
uses: actions/attest-build-provenance@v3
with:
subject-path: target/package/*.crate

- name: Generate a changelog
if: github.event.inputs.create_release == 'true'
uses: orhun/git-cliff-action@v4
Expand All @@ -280,3 +291,4 @@ jobs:
with:
tag: ${{ steps.publish.outputs.new_git_tag }}
bodyFile: TEMP_CHANGELOG.md
token: ${{ steps.app-token.outputs.token }}
Loading