chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0 (#644) #587
# Release workflow: triggered by pushes to main and by pushes of v*.*.* tags.
name: publish

on:
  push:
    branches:
      - main
    tags:
      - 'v*.*.*'

# Runs started for the same ref share one concurrency group.
concurrency: ${{ github.ref }}

env:
  # Base name of the built binary; reused for archive and bundle names in the jobs.
  APPLICATION_NAME: adder

jobs:
| create-draft-release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| outputs: | |
| RELEASE_ID: ${{ steps.create-release.outputs.result }} | |
| steps: | |
| - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV" | |
| - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script/releases/tag/v8.0.0 | |
| id: create-release | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| result-encoding: string | |
| script: | | |
| try { | |
| const response = await github.rest.repos.createRelease({ | |
| draft: true, | |
| generate_release_notes: true, | |
| name: process.env.RELEASE_TAG, | |
| owner: context.repo.owner, | |
| prerelease: false, | |
| repo: context.repo.repo, | |
| tag_name: process.env.RELEASE_TAG, | |
| }); | |
| return response.data.id; | |
| } catch (error) { | |
| core.setFailed(error.message); | |
| } | |
| build-binaries: | |
| strategy: | |
| matrix: | |
| include: | |
| - runner: macos-latest | |
| os: darwin | |
| arch: arm64 | |
| - runner: ubuntu-latest | |
| os: freebsd | |
| arch: amd64 | |
| - runner: ubuntu-latest | |
| os: freebsd | |
| arch: arm64 | |
| - runner: ubuntu-latest | |
| os: linux | |
| arch: amd64 | |
| - runner: ubuntu-latest | |
| os: linux | |
| arch: arm64 | |
| - runner: windows-latest | |
| os: windows | |
| arch: amd64 | |
| - runner: windows-latest | |
| os: windows | |
| arch: arm64 | |
| runs-on: ${{ matrix.runner }} | |
| needs: [create-draft-release] | |
| permissions: | |
| actions: write | |
| attestations: write | |
| checks: write | |
| contents: write | |
| id-token: write | |
| packages: write | |
| statuses: write | |
| steps: | |
| - name: Set RELEASE_TAG (Windows) | |
| if: matrix.os == 'windows' | |
| shell: pwsh | |
| run: | | |
| $tagName = $env:GITHUB_REF -replace 'refs/tags/', '' | |
| echo "RELEASE_TAG=$tagName" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append | |
| - name: Set RELEASE_TAG | |
| if: matrix.os != 'windows' | |
| run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV" | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout/releases/tag/v6.0.2 | |
| with: | |
| fetch-depth: '0' | |
| - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 https://github.com/actions/setup-go/releases/tag/v6.3.0 | |
| with: | |
| go-version: 1.24.x | |
| - name: Build binary (Windows) | |
| if: matrix.os == 'windows' | |
| shell: pwsh | |
| run: | | |
| $env:GOOS = "${{ matrix.os }}" | |
| $env:GOARCH = "${{ matrix.arch }}" | |
| make build | |
| - name: Build binary | |
| if: matrix.os != 'windows' | |
| run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} make build | |
| # Sign Windows build | |
| - name: Set up Java | |
| uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 https://github.com/actions/setup-java/releases/tag/v5.2.0 | |
| if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }} | |
| with: | |
| java-version: 17 | |
| distribution: 'temurin' | |
| - id: 'auth' | |
| name: Authenticate with Google Cloud | |
| if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }} | |
| uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0 https://github.com/google-github-actions/auth/releases/tag/v3.0.0 | |
| with: | |
| credentials_json: '${{ secrets.CERTIFICATE_SA_CREDENTIALS }}' | |
| - name: Set up Cloud SDK | |
| if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }} | |
| uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1 https://github.com/google-github-actions/setup-gcloud/releases/tag/v3.0.1 | |
| - name: Sign binary (Windows) | |
| if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }} | |
| shell: pwsh | |
| run: | | |
| Write-Host "Downloading jsign.jar" | |
| Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar" -OutFile "jsign.jar" | |
| Write-Host "Verifying jsign.jar checksum" | |
| $expectedHash = "05ca18d4ab7b8c2183289b5378d32860f0ea0f3bdab1f1b8cae5894fb225fa8a" | |
| $actualHash = (Get-FileHash -Path "jsign.jar" -Algorithm SHA256).Hash.ToLower() | |
| if ($actualHash -ne $expectedHash) { | |
| Write-Error "Hash verification failed for jsign.jar" | |
| Write-Error "Expected: $expectedHash" | |
| Write-Error "Actual: $actualHash" | |
| exit 1 | |
| } | |
| [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("${{ secrets.CERTIFICATE_CHAIN }}")) | Out-File -FilePath "codesign-chain.pem" -Encoding utf8 | |
| $filename = "${{ env.APPLICATION_NAME }}.exe" | |
| $ACCESS_TOKEN = & gcloud auth print-access-token | |
| Write-Host "::add-mask::$ACCESS_TOKEN" | |
| java -jar jsign.jar ` | |
| --storetype ${{ secrets.CERTIFICATE_STORE_TYPE }} ` | |
| --storepass "$ACCESS_TOKEN" ` | |
| --keystore ${{ secrets.CERTIFICATE_KEYSTORE }} ` | |
| --alias ${{ secrets.CERTIFICATE_KEY_NAME }} ` | |
| --certfile "codesign-chain.pem" ` | |
| --tsmode RFC3161 ` | |
| --tsaurl "http://timestamp.globalsign.com/tsa/r6advanced1" ` | |
| $filename | |
| $ACCESS_TOKEN = $null | |
| Write-Host "Signed Windows binary: $filename" | |
| Write-Host "Cleaning up certificate chain" | |
| Remove-Item -Path "codesign-chain.pem" -Force | |
| # Sign MacOS build | |
| - name: Create .app package and sign macos binary | |
| if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'darwin' }} | |
| run: | | |
| echo "Decoding and importing Apple certificate..." | |
| echo -n "${{ secrets.APPLE_CERTIFICATE }}" | base64 --decode -o apple_certificate.p12 | |
| security create-keychain -p "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain | |
| security default-keychain -s build.keychain | |
| security set-keychain-settings -lut 21600 build.keychain | |
| security unlock-keychain -p "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain | |
| security import apple_certificate.p12 -k build.keychain -P "${{ secrets.APPLE_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign | |
| security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain | |
| echo "Packaging ${{ env.APPLICATION_NAME }}..." | |
| mkdir -p ${{ env.APPLICATION_NAME }}.app/Contents/MacOS | |
| mkdir -p ${{ env.APPLICATION_NAME }}.app/Contents/Resources | |
| cp ${{ env.APPLICATION_NAME }} ${{ env.APPLICATION_NAME }}.app/Contents/MacOS/${{ env.APPLICATION_NAME }} | |
| chmod +x ${{ env.APPLICATION_NAME }}.app/Contents/MacOS/${{ env.APPLICATION_NAME }} | |
| cp .github/assets/${{ env.APPLICATION_NAME }}.icns ${{ env.APPLICATION_NAME }}.app/Contents/Resources | |
| export RELEASE_TAG="${{ env.RELEASE_TAG }}" | |
| CLEAN_VERSION="${RELEASE_TAG#v}" | |
| cat <<EOF > ${{ env.APPLICATION_NAME }}.app/Contents/Info.plist | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>CFBundleExecutable</key> | |
| <string>${{ env.APPLICATION_NAME }}</string> | |
| <key>CFBundleIdentifier</key> | |
| <string>com.blinklabssoftware.${{ env.APPLICATION_NAME }}</string> | |
| <key>CFBundleName</key> | |
| <string>${{ env.APPLICATION_NAME }}</string> | |
| <key>CFBundleIconFile</key> | |
| <string>${{ env.APPLICATION_NAME }}</string> | |
| <key>CFBundleVersion</key> | |
| <string>${CLEAN_VERSION}</string> | |
| <key>CFBundleShortVersionString</key> | |
| <string>${CLEAN_VERSION}</string> | |
| </dict> | |
| </plist> | |
| EOF | |
| /usr/bin/codesign --force -s "Developer ID Application: Blink Labs Software (${{ secrets.APPLE_TEAM_ID }})" --options runtime ${{ env.APPLICATION_NAME }}.app -v | |
| xcrun notarytool store-credentials "notarytool-profile" --apple-id "${{ secrets.APPLE_ID }}" --team-id "${{ secrets.APPLE_TEAM_ID }}" --password "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}" | |
| ditto -c -k --keepParent "${{ env.APPLICATION_NAME }}.app" "notarization.zip" | |
| xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait | |
| xcrun stapler staple "${{ env.APPLICATION_NAME }}.app" | |
| - name: Upload release asset (Windows) | |
| if: startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' | |
| shell: pwsh | |
| run: | | |
| $filename = "${{ env.APPLICATION_NAME }}-${{ env.RELEASE_TAG }}-${{ matrix.os }}-${{ matrix.arch }}.zip" | |
| Compress-Archive "${{ env.APPLICATION_NAME }}.exe" "$filename" | |
| Write-Host "Uploading file: $filename" | |
| # Upload file using PowerShell | |
| $headers = @{ | |
| "Authorization" = "token ${{ secrets.GITHUB_TOKEN }}" | |
| "Content-Type" = "application/octet-stream" | |
| } | |
| $uploadUrl = "https://uploads.github.com/repos/${{ github.repository }}/releases/${{ needs.create-draft-release.outputs.RELEASE_ID }}/assets?name=$filename" | |
| Invoke-RestMethod -Uri $uploadUrl -Method Post -Headers $headers -InFile $filename | |
| - name: Upload release asset | |
| if: startsWith(github.ref, 'refs/tags/') && matrix.os != 'windows' | |
| run: | | |
| _filename=${{ env.APPLICATION_NAME }}-${{ env.RELEASE_TAG }}-${{ matrix.os }}-${{ matrix.arch }}.tar.gz | |
| if [[ "${{ matrix.os }}" != "windows" ]]; then | |
| tar czf ${_filename} ${{ env.APPLICATION_NAME }} | |
| fi | |
| if [[ "${{ matrix.os }}" == "darwin" ]]; then | |
| _filename=${{ env.APPLICATION_NAME }}-${{ env.RELEASE_TAG }}-${{ matrix.os }}-${{ matrix.arch }}.zip | |
| zip -r ${_filename} ${{ env.APPLICATION_NAME }}.app | |
| fi | |
| curl \ | |
| -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "Content-Type: application/octet-stream" \ | |
| --data-binary @${_filename} \ | |
| https://uploads.github.com/repos/${{ github.repository_owner }}/adder/releases/${{ needs.create-draft-release.outputs.RELEASE_ID }}/assets?name=${_filename} | |
| - name: Attest binary (Windows) | |
| if: startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' | |
| uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 https://github.com/actions/attest-build-provenance/releases/tag/v3.2.0 | |
| with: | |
| subject-path: '${{ env.APPLICATION_NAME }}.exe' | |
| - name: Attest binary | |
| if: startsWith(github.ref, 'refs/tags/') && matrix.os != 'windows' | |
| uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 https://github.com/actions/attest-build-provenance/releases/tag/v3.2.0 | |
| with: | |
| subject-path: '${{ env.APPLICATION_NAME }}' | |
| build-images: | |
| needs: [create-draft-release] | |
| permissions: | |
| actions: write | |
| attestations: write | |
| checks: write | |
| contents: write | |
| id-token: write | |
| packages: write | |
| statuses: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: ubuntu-latest | |
| arch: amd64 | |
| - os: ubuntu-24.04-arm | |
| arch: arm64 | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV" | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout/releases/tag/v6.0.2 | |
| with: | |
| fetch-depth: '0' | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 https://github.com/docker/setup-buildx-action/releases/tag/v3.12.0 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 https://github.com/docker/login-action/releases/tag/v3.7.0 | |
| with: | |
| username: blinklabs | |
| password: ${{ secrets.DOCKER_PASSWORD }} # uses token | |
| - name: Login to GHCR | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 https://github.com/docker/login-action/releases/tag/v3.7.0 | |
| with: | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: ghcr.io | |
| - id: meta | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 https://github.com/docker/metadata-action/releases/tag/v5.10.0 | |
| with: | |
| images: | | |
| blinklabs/adder | |
| ghcr.io/${{ github.repository }} | |
| flavor: | | |
| latest=false | |
| suffix=-${{ matrix.arch }} | |
| tags: | | |
| # Only version, no revision | |
| type=match,pattern=v(.*)-(.*),group=1 | |
| # branch | |
| type=ref,event=branch | |
| # semver | |
| type=semver,pattern={{version}} | |
| - name: Build images | |
| id: push | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 https://github.com/docker/build-push-action/releases/tag/v6.19.2 | |
| with: | |
| outputs: "type=registry,push=true" | |
| platforms: linux/${{ matrix.arch }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Attest Docker Hub image | |
| uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 https://github.com/actions/attest-build-provenance/releases/tag/v3.2.0 | |
| with: | |
| subject-name: index.docker.io/blinklabs/adder | |
| subject-digest: ${{ steps.push.outputs.digest }} | |
| push-to-registry: true | |
| - name: Attest GHCR image | |
| uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 https://github.com/actions/attest-build-provenance/releases/tag/v3.2.0 | |
| with: | |
| subject-name: ghcr.io/${{ github.repository }} | |
| subject-digest: ${{ steps.push.outputs.digest }} | |
| push-to-registry: true | |
| build-image-manifest: | |
| needs: [build-images] | |
| permissions: | |
| contents: read | |
| packages: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 https://github.com/docker/login-action/releases/tag/v3.7.0 | |
| with: | |
| username: blinklabs | |
| password: ${{ secrets.DOCKER_PASSWORD }} # uses token | |
| - name: Login to GHCR | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 https://github.com/docker/login-action/releases/tag/v3.7.0 | |
| with: | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: ghcr.io | |
| - id: meta | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 https://github.com/docker/metadata-action/releases/tag/v5.10.0 | |
| with: | |
| images: | | |
| blinklabs/adder | |
| ghcr.io/${{ github.repository }} | |
| flavor: | | |
| latest=false | |
| tags: | | |
| # Only version, no revision | |
| type=match,pattern=v(.*)-(.*),group=1 | |
| # branch | |
| type=ref,event=branch | |
| # semver | |
| type=semver,pattern={{version}} | |
| - name: manifest-create | |
| shell: bash | |
| run: | | |
| for t in `echo '${{ steps.meta.outputs.tags }}'`; do | |
| # Extract the underlying manifests from each manifests list and create a new single manifest list | |
| docker manifest create ${t} \ | |
| $(docker manifest inspect ${t}-amd64 | jq -r '.manifests[] | .digest' | sed -e "s|^|${t%:*}@|") \ | |
| $(docker manifest inspect ${t}-arm64 | jq -r '.manifests[] | .digest' | sed -e "s|^|${t%:*}@|") | |
| docker manifest push ${t} | |
| done | |
| # Checkout repo so README.md is available for next step | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 https://github.com/actions/checkout/releases/tag/v6.0.2 | |
| # Update Docker Hub from README | |
| - name: Docker Hub Description | |
| uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0 https://github.com/peter-evans/dockerhub-description/releases/tag/v5.0.0 | |
| with: | |
| username: blinklabs | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| repository: blinklabs/adder | |
| readme-filepath: ./README.md | |
| short-description: "Adder is a tool for tailing the Cardano blockchain and emitting events" | |
| finalize-release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| needs: [create-draft-release, build-binaries, build-images, build-image-manifest] | |
| steps: | |
| - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 https://github.com/actions/github-script/releases/tag/v8.0.0 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| try { | |
| await github.rest.repos.updateRelease({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| release_id: ${{ needs.create-draft-release.outputs.RELEASE_ID }}, | |
| draft: false, | |
| }); | |
| } catch (error) { | |
| core.setFailed(error.message); | |
| } | |
| # This updates the documentation on pkg.go.dev and the latest version available via the Go module proxy | |
| - name: Pull new module version | |
| if: startsWith(github.ref, 'refs/tags/') | |
| uses: andrewslotin/go-proxy-pull-action@e5aea3b8b3478fc5b76befda4390513868ed2dc8 # v1.4.0 https://github.com/andrewslotin/go-proxy-pull-action/releases/tag/v1.4.0 |