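# Release pipeline: builds static Linux binaries and the frontend bundle,
# generates SBOMs, checksums and keyless Sigstore signatures, then publishes
# everything as a GitHub Release.
#
# NOTE(review): every `uses:` below references a mutable tag or branch
# (for example dtolnay/rust-toolchain@stable). Pinning each action to a full
# commit SHA would stop a re-pointed tag from changing what runs in the
# workflow that produces and signs release assets.
name: Release

# Runs for any pushed tag whose name starts with "v".
on:
  push:
    tags:
      - 'v*'

# Workflow-wide default is read-only. The build and frontend jobs execute
# third-party actions, cargo build scripts and npm packages, so they must not
# hold a token that can write to the repository or mint an OIDC identity
# usable for Sigstore signing. Write scopes are granted on the release job only.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  build:
    strategy:
      matrix:
        include:
          - target: x86_64-unknown-linux-musl
            arch: amd64
          - target: aarch64-unknown-linux-musl
            arch: arm64
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      # Static musl binaries (zero glibc dependency) so the agent/API/CLI run on
      # the whole support matrix regardless of distro libc version — Debian 11/12,
      # Ubuntu 20.04+, CentOS/Rocky 9, Amazon Linux 2023 (#70). cargo-zigbuild uses
      # Zig's bundled clang as the C cross-compiler, which builds aws-lc-sys (the
      # only C dependency in the tree) statically for both musl targets from a
      # single x86_64 runner. The rest of the TLS stack is pure rustls.
      - name: Install Zig
        uses: mlugg/setup-zig@v2
        with:
          version: '0.13.0'

      - name: Install cargo-zigbuild
        uses: taiki-e/install-action@v2
        with:
          tool: cargo-zigbuild

      # NOTE(review): the restored paths include ~/.cargo/bin/ and the three
      # target/ directories, so cached executables and build outputs feed into
      # binaries that are later signed. restore-keys also accepts any older
      # cache sharing the prefix. Confirm which workflows can write caches
      # under this prefix, or build releases without restoring a cache.
      - name: Cache Rust dependencies
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            panel/agent/target/
            panel/backend/target/
            panel/cli/target/
          key: ${{ runner.os }}-${{ matrix.target }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.target }}-cargo-

      - name: Build agent (static musl)
        run: cargo zigbuild --release --target ${{ matrix.target }} --manifest-path panel/agent/Cargo.toml

      - name: Build API (static musl)
        run: cargo zigbuild --release --target ${{ matrix.target }} --manifest-path panel/backend/Cargo.toml

      - name: Build CLI (static musl)
        run: cargo zigbuild --release --target ${{ matrix.target }} --manifest-path panel/cli/Cargo.toml

      # Copies each binary into release/ under an arch-suffixed name.
      - name: Package binaries
        run: |
          mkdir -p release
          cp panel/agent/target/${{ matrix.target }}/release/dockpanel-agent release/dockpanel-agent-linux-${{ matrix.arch }}
          cp panel/backend/target/${{ matrix.target }}/release/dockpanel-api release/dockpanel-api-linux-${{ matrix.arch }}
          cp panel/cli/target/${{ matrix.target }}/release/dockpanel release/dockpanel-cli-linux-${{ matrix.arch }}
          chmod +x release/*
          # Report binary sizes + confirm static linkage
          echo "Binary sizes (${{ matrix.arch }}):"
          ls -lh release/
          echo "Linkage check:"
          file release/dockpanel-agent-linux-${{ matrix.arch }}

      # SBOMs are produced by the amd64 leg only; presumably the dependency
      # set is the same for both targets (confirm if target-specific
      # dependencies are ever added).
      - name: Install cargo-sbom
        if: matrix.arch == 'amd64'
        run: cargo install cargo-sbom --locked --version ^0.10 --force

      - name: Generate SBOMs (SPDX JSON)
        if: matrix.arch == 'amd64'
        run: |
          cargo sbom --project-directory panel/agent --output-format spdx_json_2_3 > release/dockpanel-agent.spdx.json
          cargo sbom --project-directory panel/backend --output-format spdx_json_2_3 > release/dockpanel-api.spdx.json
          cargo sbom --project-directory panel/cli --output-format spdx_json_2_3 > release/dockpanel-cli.spdx.json

      - name: Upload artifacts
        uses: actions/upload-artifact@v7
        with:
          name: binaries-${{ matrix.arch }}
          path: release/

  frontend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '20'

      # npm ci installs exactly what the lockfile records; package install
      # scripts still run here, which is one reason this job only holds the
      # read-only default token.
      - name: Build frontend
        run: |
          cd panel/frontend
          npm ci
          npx vite build

      - name: Package frontend
        run: |
          cd panel/frontend
          tar czf ../../dockpanel-frontend.tar.gz dist/

      - name: Upload artifact
        uses: actions/upload-artifact@v7
        with:
          name: frontend
          path: dockpanel-frontend.tar.gz

  release:
    needs: [build, frontend]
    runs-on: ubuntu-latest
    # The only job that needs elevated scopes:
    #   contents: write — create the GitHub Release and upload its assets
    #   id-token: write — request the OIDC token cosign uses for keyless signing
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@v6

      - name: Download all artifacts
        uses: actions/download-artifact@v8
        with:
          path: artifacts/

      - name: Prepare release assets
        run: |
          mkdir -p release
          cp artifacts/binaries-amd64/* release/
          cp artifacts/binaries-arm64/* release/
          cp artifacts/frontend/dockpanel-frontend.tar.gz release/
          # Create checksums (over binaries + SBOMs, before signatures)
          cd release
          sha256sum dockpanel-* > checksums.txt
          echo "Release contents:"
          ls -lh

      - name: Install cosign
        uses: sigstore/cosign-installer@v4.1.1
        with:
          cosign-release: 'v2.4.1'

      # Signs every asset, checksums.txt included, and writes <asset>.sig and
      # <asset>.pem next to it. The glob is expanded once before the loop
      # starts, so files created while signing are not picked up again; the
      # case guard skips any .sig/.pem already present. A glob replaces the
      # earlier `ls | grep` pipeline, which word-split file names and could
      # hide a failure of `ls`.
      #
      # For consumers: a keyless signature is only meaningful when the verifier
      # pins the expected signer, i.e. runs `cosign verify-blob` with
      # --certificate-identity (or --certificate-identity-regexp) and
      # --certificate-oidc-issuer set to this workflow and GitHub's OIDC issuer.
      - name: Sign release assets (keyless via Sigstore)
        run: |
          cd release
          for f in *; do
            case "$f" in
              *.sig|*.pem) continue ;;
            esac
            echo "Signing $f"
            cosign sign-blob --yes \
              --output-signature "${f}.sig" \
              --output-certificate "${f}.pem" \
              "$f"
          done
          echo "Signed assets:"
          ls -lh *.sig *.pem

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v3
        with:
          generate_release_notes: true
          files: |
            release/*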