1- # Publish / CD for rust/ digipin (library)
1+ # Publish / CD for digipin-rs (library)
22# - Keyless cosign via OIDC (id-token: write)
33# - Verified GitHub actions only (actions/*, github/*, sigstore/cosign-action); Syft pinned/verified
44# - Produces dual SBOMs (CycloneDX + SPDX), validates SBOM, creates GitHub SLSA attestation,
88# - CARGO_REGISTRY_TOKEN : (store as an Environment secret in 'production') crates.io API token
99# - SYFT_VERSION : pinned Syft version (e.g. "0.71.0")
1010# - SYFT_SHA256 : sha256 of the syft tarball you will download
11- # - COSIGN_EXPERIMENTAL: set to 1 in env when invoking cosign action if needed
1211# - TEST_MODE : set "true" for test/draft-only
13- name : CD — rust/ digipin
12+ name : CD — digipin-rs
1413
1514on :
1615 push :
1716 tags :
1817 - " v*"
19- paths :
20- - " rust/digipin/**"
2118 workflow_dispatch :
2219
2320permissions :
2421 contents : read
2522
2623concurrency :
27- group : publish-rust- digipin-${{ github.ref }}
24+ group : publish-digipin-rs -${{ github.ref }}
2825 cancel-in-progress : false
2926
3027jobs :
3128 publish :
32- name : Publish rust/ digipin
29+ name : Publish digipin-rs crate
3330 runs-on : ubuntu-latest
3431 permissions :
3532 contents : write
@@ -45,23 +42,17 @@ jobs:
4542 run :
4643 shell : bash
4744 steps :
48- - name : Checkout only rust/ digipin and workspace files
45+ - name : Checkout digipin-rs
4946 uses : actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
5047 with :
5148 fetch-depth : 0
52- sparse-checkout : |
53- rust/digipin
54- Cargo.toml
55- Cargo.lock
56- .cargo
5749
5850 - name : Inspect checkout (debug)
5951 run : |
6052 echo "GITHUB_REF=${GITHUB_REF}"
6153 echo "GITHUB_REF_NAME=${GITHUB_REF_NAME:-${GITHUB_REF##*/}}"
6254 echo "GITHUB_SHA=${GITHUB_SHA}"
6355 ls -la
64- ls -la rust/digipin || true
6556
6657name : Set derived variables
6758 id : set_vars
@@ -77,14 +68,13 @@ jobs:
7768
7869name : Validate tag matches Cargo.toml version
7970 id : check_tag_version
80- working-directory : rust/digipin
8171 run : |
8272 set -euo pipefail
8373 TAG="${TAG:-${GITHUB_REF_NAME:-${GITHUB_REF##*/}}}"
8474 TAG_NORMAL="${TAG#refs/tags/}"
8575 CRATE_VERSION=$(sed -n 's/^version *= *"\(.*\)".*/\1/p' Cargo.toml | head -n1 || true)
8676 if [ -z "$CRATE_VERSION" ]; then
87- echo "ERROR: Could not find version in rust/digipin/ Cargo.toml"
77+ echo "ERROR: Could not find version in Cargo.toml"
8878 exit 1
8979 fi
9080 if [ "v${CRATE_VERSION}" != "$TAG_NORMAL" ] && [ "${CRATE_VERSION}" != "$TAG_NORMAL" ]; then
9484 echo "Tag matches Cargo.toml version: $CRATE_VERSION"
9585 echo "CRATE_VERSION=${CRATE_VERSION}" >> $GITHUB_ENV
9686
97- name : Install Rust toolchain (pin if desired)
87+ name : Install Rust toolchain
9888 run : |
9989 set -euo pipefail
10090 if ! command -v rustup >/dev/null 2>&1; then
@@ -106,23 +96,22 @@ jobs:
10696 rustc --version
10797 cargo --version
10898
109- name : Cache cargo registry & build (keyed by crate Cargo.lock)
99+ name : Cache cargo registry & build
110100 uses : actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
111101 with :
112102 path : |
113103 ~/.cargo/registry
114104 ~/.cargo/git
115- rust/digipin/ target
116- key : ${{ runner.os }}-rust-digipin-${{ hashFiles('rust/digipin/**/ Cargo.lock') }}-cargo-target
105+ target
106+ key : ${{ runner.os }}-rust-digipin-${{ hashFiles('Cargo.lock') }}-cargo-target
117107 restore-keys : |
118108 ${{ runner.os }}-rust-digipin-
119109
120110name : Produce .crate (cargo package)
121- working-directory : rust/digipin
122111 run : |
123112 set -euo pipefail
124113 echo "Packaging crate (Cargo.toml version ${CRATE_VERSION})..."
125- cargo package --allow-dirty
114+ cargo package
126115 mkdir -p artifacts
127116 CRATE_PATH=$(ls target/package/*.crate | head -n1)
128117 if [ -z "$CRATE_PATH" ]; then
@@ -138,7 +127,6 @@ jobs:
138127 ls -la artifacts
139128
140129name : Create deterministic checksum for artifact
141- working-directory : rust/digipin
142130 run : |
143131 set -euo pipefail
144132 mkdir -p artifacts
@@ -169,7 +157,6 @@ jobs:
169157 /usr/local/bin/syft --version
170158
171159name : Generate dual SBOMs (CycloneDX + SPDX) for the .crate
172- working-directory : rust/digipin
173160 run : |
174161 set -euo pipefail
175162 mkdir -p sbom
@@ -186,22 +173,24 @@ jobs:
186173name : Attest provenance for crate
187174 uses : actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
188175 with :
189- subject-path : rust/digipin/artifacts/${{ env.CRATE_FILE }}
176+ subject-path : |
177+ artifacts/${{ env.CRATE_FILE }}
178+ artifacts/${{ env.CRATE_FILE }}.sha256
190179
191180name : Attest provenance for SBOMs
192181 uses : actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
193182 with :
194183 subject-path : |
195- rust/digipin/ sbom/sbom-cyclonedx.json
196- rust/digipin/ sbom/sbom-spdx.json
184+ sbom/sbom-cyclonedx.json
185+ sbom/sbom-spdx.json
197186
198- name : Create GitHub Release (DRAFT)
187+ name : Create GitHub Draft Release
199188 id : create_release
200189 uses : actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
201190 with :
202191 tag_name : ${{ env.TAG }}
203192 release_name : ${{ env.TAG }}
204- body : " Automated release for ${{ env.TAG }} — rust/ digipin"
193+ body : " Automated release for ${{ env.TAG }} — digipin-rs "
205194 draft : true # created as draft; will be published later when TEST_MODE != 'true'
206195 prerelease : false
207196 env :
@@ -211,7 +200,7 @@ jobs:
211200 uses : actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
212201 with :
213202 upload_url : ${{ steps.create_release.outputs.upload_url }}
214- asset_path : rust/digipin/ artifacts/${{ env.CRATE_FILE }}
203+ asset_path : artifacts/${{ env.CRATE_FILE }}
215204 asset_name : ${{ env.GIT_OWNER }}-rust-${{ env.CRATE_FILE }}
216205 asset_content_type : application/octet-stream
217206 env :
@@ -221,8 +210,8 @@ jobs:
221210 uses : actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
222211 with :
223212 upload_url : ${{ steps.create_release.outputs.upload_url }}
224- asset_path : rust/digipin/ sbom/sbom-cyclonedx.json
225- asset_name : rust/digipin/ sbom-cyclonedx.json
213+ asset_path : sbom/sbom-cyclonedx.json
214+ asset_name : sbom-cyclonedx.json
226215 asset_content_type : application/json
227216 env :
228217 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
@@ -231,8 +220,8 @@ jobs:
231220 uses : actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
232221 with :
233222 upload_url : ${{ steps.create_release.outputs.upload_url }}
234- asset_path : rust/digipin/ sbom/sbom-spdx.json
235- asset_name : rust/digipin/ sbom-spdx.json
223+ asset_path : sbom/sbom-spdx.json
224+ asset_name : sbom-spdx.json
236225 asset_content_type : application/json
237226 env :
238227 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
@@ -241,13 +230,13 @@ jobs:
241230 uses : actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
242231 with :
243232 upload_url : ${{ steps.create_release.outputs.upload_url }}
244- asset_path : rust/digipin/ artifacts/${{ env.CRATE_FILE }}.sha256
233+ asset_path : artifacts/${{ env.CRATE_FILE }}.sha256
245234 asset_name : ${{ env.CRATE_FILE }}.sha256
246235 asset_content_type : text/plain
247236 env :
248237 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
249238
250- - name : Publish draft release (make public)
239+ - name : Publish draft release on GitHub
251240 if : ${{ env.TEST_MODE != 'true' }}
252241 run : |
253242 set -euo pipefail
@@ -262,7 +251,6 @@ jobs:
262251
263252 - name : Publish crate to crates.io
264253 if : ${{ env.TEST_MODE != 'true' }}
265- working-directory : rust/digipin
266254 env :
267255 CARGO_REGISTRY_TOKEN : ${{ secrets.CARGO_REGISTRY_TOKEN }}
268256 run : |
@@ -275,7 +263,6 @@ jobs:
275263 echo "cargo publish completed"
276264
277265name : Finalize — print verification instructions
278- working-directory : rust/digipin
279266 run : |
280267 set -euo pipefail
281268 echo "Release completed for tag ${TAG}, artifact artifacts/${CRATE_FILE}"
0 commit comments