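---
# Release pipeline: builds Linux (tarball + AppImage) and macOS (DMG)
# artifacts with Nix, then checksums them, keyless-signs them with cosign
# under this workflow's OIDC identity and publishes a GitHub Release.
#
# Trust boundary: everything the build jobs upload is signed in the release
# job as "produced by this repository", so every action and every cached
# input those jobs consume is part of the release supply chain.
name: Release

on:
  push:
    # Anyone who can push a v* tag triggers a signed release; restrict tag
    # creation (tag protection / rulesets) to the people meant to cut releases.
    tags:
      - "v*"

# Least privilege: build jobs only need to read the repository. The release
# job re-enables exactly the scopes it needs (see below).
permissions:
  contents: read

defaults:
  run:
    # An explicit `bash` shell runs with `-eo pipefail`; the implicit default
    # is only `-e`, which lets a failing command inside a pipeline go unnoticed.
    shell: bash

jobs:
  linux:
    name: Linux
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes; don't leave GITHUB_TOKEN in .git/config
          # where later steps and third-party actions can read it.
          persist-credentials: false
      # SECURITY: `@main` is a mutable branch ref on a third-party action that
      # runs before the release build. Pin it (and ideally every action here)
      # to a full commit SHA so a force-pushed or compromised ref cannot alter
      # what ends up signed below.
      - uses: DeterminateSystems/nix-installer-action@main
      # NOTE(review): the restored /nix/store presumably feeds the release
      # build as-is (Nix does not re-verify cached derivation outputs), so the
      # artifacts are only as trustworthy as the cache; the prefix fallback
      # widens that to any earlier cache for this OS. If that matters, skip
      # the restore on tag builds — TODO confirm.
      - uses: nix-community/cache-nix-action@v7
        with:
          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-
          gc-max-store-size-linux: 5G
      - name: Build release tarball
        run: |
          # `-o` creates a symlink into /nix/store; copy the target under the
          # name the release job expects (everything matching dist-*).
          nix build .#packages.x86_64-linux.release -o result-release
          cp "$(readlink result-release)" dist-cosmonaut-amd64.tar.gz
      - name: Build AppImage
        run: |
          nix build .#packages.x86_64-linux.appimage -o result-appimage
          cp "$(readlink result-appimage)" dist-cosmonaut-amd64.AppImage
      - uses: actions/upload-artifact@v4
        with:
          name: linux
          path: dist-*

  macos:
    name: macOS
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # SECURITY: same unpinned `@main` ref as the Linux job — pin to a SHA.
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: nix-community/cache-nix-action@v7
        with:
          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-
          gc-max-store-size-macos: 3G
      - name: Build package
        run: nix build .#packages.aarch64-darwin.default -o result
      - name: Create DMG
        run: |
          # Ship the real Go binary (.cosmonaut-wrapped), not result/bin/cosmonaut,
          # which is a nix shell wrapper that references /nix/store paths and will
          # fail on end-user Macs. The Go binary's enrichPath() discovers gh via
          # the user's login shell, so no wrapper is needed.
          mkdir -p dmg-staging
          cp result/bin/.cosmonaut-wrapped dmg-staging/cosmonaut
          chmod +w dmg-staging/cosmonaut
          bin=dmg-staging/cosmonaut

          # Go stdlib's internal/syscall/unix/net_darwin.go has a
          # //go:cgo_ldflag "-lresolv" that fires regardless of the netgo
          # build tag, so the linker bakes nixpkgs's libresolv dylib path
          # into LC_LOAD_DYLIB. Rewrite it to the macOS system path, which
          # dyld resolves from the shared cache on every Mac.
          nix_resolv=$(otool -L "$bin" \
            | awk '/\/nix\/store.*libresolv/ {print $1; exit}')
          if [ -n "$nix_resolv" ]; then
            install_name_tool -change "$nix_resolv" \
              /usr/lib/libresolv.9.dylib "$bin"
            # Rewriting a load command invalidates any existing (ad-hoc)
            # signature, and arm64 macOS will not run an unsigned Mach-O.
            # Re-sign ad-hoc explicitly rather than relying on the tool to.
            # This is NOT Developer ID signing/notarization — Gatekeeper will
            # still warn on first launch.
            codesign --force --sign - "$bin"
          fi

          # Sanity-check: no LC_LOAD_DYLIB or LC_RPATH may reference
          # /nix/store after the rewrite, or dyld will abort on end-user
          # Macs. (String-table references — Go's tzdata/mailcap/iana
          # fallback paths — are runtime probes that fail open, so we
          # don't gate on them.)
          #
          # otool output is captured once via command substitution so that a
          # failing otool aborts the step (errexit applies to the assignment).
          # Piping otool straight into `grep -q` inside `if` would swallow
          # the failure and let a broken binary through.
          dylibs=$(otool -L "$bin")
          load_cmds=$(otool -l "$bin")
          if grep -q '/nix/store' <<<"$dylibs"; then
            echo "ERROR: binary references /nix/store dylibs:" >&2
            grep '/nix/store' <<<"$dylibs" >&2
            exit 1
          fi
          if grep -A2 LC_RPATH <<<"$load_cmds" | grep -q '/nix/store'; then
            echo "ERROR: binary has /nix/store in LC_RPATH:" >&2
            grep -A2 LC_RPATH <<<"$load_cmds" >&2
            exit 1
          fi

          cp dist/cosmonaut.config.example.json dmg-staging/
          hdiutil create -volname "cosmonaut" -srcfolder dmg-staging \
            -ov -format UDZO dist-cosmonaut-macos-arm64.dmg
      - uses: actions/upload-artifact@v4
        with:
          name: macos
          path: dist-*

  release:
    name: Create Release
    needs: [linux, macos]
    runs-on: ubuntu-latest
    # No checkout here: this job only handles artifacts produced in this run.
    permissions:
      contents: write   # create the release and upload its assets
      id-token: write   # OIDC token for cosign keyless (Fulcio) signing
    steps:
      - uses: sigstore/cosign-installer@v3
      - uses: actions/download-artifact@v4
        with:
          path: artifacts
          merge-multiple: true
      - name: Rename artifacts
        run: |
          cd artifacts
          # Strip the dist- prefix used to select files in the build jobs.
          for f in dist-*; do
            mv "$f" "${f#dist-}"
          done
      - name: Generate checksums and sign
        run: |
          cd artifacts
          # Build the checksum manifest over the release files only, with an
          # explicit list instead of word-splitting `ls` output.
          files=()
          for f in *; do
            case "$f" in
              *.sig|*.pem|SHA256SUMS) ;;
              *) files+=("$f") ;;
            esac
          done
          sha256sum -- "${files[@]}" > SHA256SUMS
          # Keyless signing: the Fulcio certificate written to F.pem binds
          # F.sig to this workflow's OIDC identity (repository, workflow path
          # and tag ref); no long-lived signing key lives in the repo.
          # Consumers verify with
          #   cosign verify-blob F --signature F.sig --certificate F.pem \
          #     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
          #     --certificate-identity-regexp '<owner>/<repo>/.github/workflows/release.yml@refs/tags/'
          # The glob is expanded once before the loop, so the .sig/.pem files
          # it produces are not themselves signed.
          for f in *; do
            cosign sign-blob --yes \
              --output-signature "${f}.sig" \
              --output-certificate "${f}.pem" \
              "$f"
          done
      - name: Create Release
        uses: softprops/action-gh-release@v2
        with:
          generate_release_notes: true
          files: artifacts/*
          # Refuse to publish a release that is missing any expected asset
          # rather than silently shipping a partial set.
          fail_on_unmatched_files: true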