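# Release zip workflow — sap-imp M4
#
# Triggered on tag push (v*); generates a release zip from `git archive HEAD`
# (tracked files only — no runner working-dir leakage). SHA-pinned per
# F-ENG-5 / F-SEC-4 / F-SEC-5 critique resolutions.
name: Release zip

on:
  push:
    tags:
      - 'v*'

# Minimum-privilege per F-SEC-4 (sap-imp M4 critique resolution).
# `contents: write` is required so the upload step below can create the
# release and attach the zip; no other scope is granted.
permissions:
  contents: write

jobs:
  release-zip:
    name: Build and upload release zip
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        # actions/checkout pinned by SHA per F-ENG-5.
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
        with:
          # Fetch the exact commit; no need for full history.
          fetch-depth: 1

      - name: Build release zip via git archive
        # Per F-SEC-5: emit only tracked files at HEAD; no runner working-dir
        # leakage (no tar / cp / zip of the working directory).
        # The tag name is read from the process environment (GITHUB_REF_NAME),
        # not templated into the script with `${{ }}`, so it cannot rewrite the
        # shell command; it is still validated because it becomes part of an
        # output path under dist/.
        run: |
          set -euo pipefail
          TAG="${GITHUB_REF_NAME}"
          # Refuse tag names that would escape or nest below dist/ ('/' or '..'
          # components), are empty, or contain whitespace. The on.push.tags
          # filter only guarantees the leading 'v'.
          case "${TAG}" in
            ''|*/*|*..*|*[[:space:]]*)
              echo "::error::unexpected tag name: '${TAG}'" >&2
              exit 1
              ;;
          esac
          PREFIX="sunlit-orchestra-${TAG}"
          mkdir -p dist
          git archive --format=zip --prefix="${PREFIX}/" HEAD -o "dist/${PREFIX}.zip"
          ls -la dist/

      - name: Upload release artifact
        # softprops/action-gh-release pinned by SHA per F-ENG-5 / F-SEC-4.
        # SHA captured 2026-05-01 from `gh api repos/softprops/action-gh-release/branches/master`.
        # Re-pin via the same command on tag movement.
        uses: softprops/action-gh-release@9ed3cf9a6863b31f005d951c8d19de20628cf4eb
        with:
          files: dist/*.zip
          # Fail the job instead of publishing a release with no asset attached.
          fail_on_unmatched_files: true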