Security: merge Arena Model 2 hardening — rate-limit reorder, control… #38
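---
# Release pipeline: on a `v*` tag push, build the binary for each matrix target,
# attach the binaries to a GitHub Release, then publish the npm wrapper
# (best-effort, see the npm-publish job).
name: Release SAME Binary

on:
  push:
    tags:
      - 'v*'

# Least privilege: the default GITHUB_TOKEN is read-only for every job. Only
# the `release` job, which creates the release and uploads assets, gets
# `contents: write` (granted at job level below).
permissions:
  contents: read

jobs:
  build:
    permissions:
      contents: read
    strategy:
      matrix:
        include:
          - os: macos-latest
            goos: darwin
            goarch: arm64
            suffix: darwin-arm64
            cc: ""
          # darwin-amd64 removed - Intel Macs rare, no free CI runner
          - os: ubuntu-latest
            goos: linux
            goarch: amd64
            suffix: linux-amd64
            cc: ""
          - os: ubuntu-24.04-arm
            goos: linux
            goarch: arm64
            suffix: linux-arm64
            cc: ""
          - os: ubuntu-latest
            goos: windows
            goarch: amd64
            suffix: windows-amd64.exe
            cc: zig
    runs-on: ${{ matrix.os }}
    # The tag name reaches `go build` through an environment variable instead of
    # being interpolated into the shell script, so a tag containing shell
    # metacharacters (`;`, `"`, `$(`) cannot break out of the -ldflags string.
    env:
      RELEASE_VERSION: ${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4
        # Nothing in this job pushes to git. If the module has no private Go
        # dependencies fetched from github.com, add `persist-credentials: false`
        # here so the token is not left in .git/config for later steps.
      - uses: actions/setup-go@v5
        with:
          go-version: '1.25'
          cache-dependency-path: go.sum
      - name: Install zig (Windows cross-compile)
        if: matrix.cc == 'zig'
        # Third-party action referenced by a mutable tag. Pinning to a full
        # commit SHA keeps the cross-compile toolchain from changing underneath
        # a release build.
        uses: mlugg/setup-zig@v2
        with:
          version: '0.13.0'
      - name: Run tests
        if: matrix.goos == 'darwin' && matrix.goarch == 'arm64'
        env:
          CGO_ENABLED: '1'
        run: go test ./... -v -count=1
      - name: Build (native)
        if: matrix.cc == ''
        env:
          CGO_ENABLED: '1'
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
        # `matrix.suffix` is defined in this file, so it is safe to interpolate.
        run: |
          go build -ldflags "-s -w -X main.Version=${RELEASE_VERSION}" \
            -o build/same-${{ matrix.suffix }} ./cmd/same
      - name: Build (zig cross-compile)
        if: matrix.cc == 'zig'
        env:
          CGO_ENABLED: '1'
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
          CC: "zig cc -target x86_64-windows-gnu"
          CXX: "zig c++ -target x86_64-windows-gnu"
          CGO_CFLAGS: "-I${{ github.workspace }}/cgo-headers -fno-sanitize=undefined"
        run: |
          go build -ldflags "-s -w -X main.Version=${RELEASE_VERSION}" \
            -o build/same-${{ matrix.suffix }} ./cmd/same
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: same-${{ matrix.suffix }}
          path: build/same-${{ matrix.suffix }}

  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      # Required to create the GitHub Release and attach the binaries.
      contents: write
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          # Each artifact lands in artifacts/<artifact-name>/, which the
          # `files:` paths below rely on.
          path: artifacts
      - name: Create GitHub Release
        # Third-party action with write access to releases, referenced by a
        # mutable tag; consider pinning to a full commit SHA.
        uses: softprops/action-gh-release@v2
        with:
          generate_release_notes: true
          files: |
            artifacts/same-darwin-arm64/same-darwin-arm64
            artifacts/same-linux-amd64/same-linux-amd64
            artifacts/same-linux-arm64/same-linux-arm64
            artifacts/same-windows-amd64.exe/same-windows-amd64.exe

  npm-publish:
    needs: release
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # npm requires 2FA (passkey) for publishing. CI token may not have bypass-2FA.
    # If this job fails, publish locally: cd npm && npm publish --access public --auth-type=web
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
        with:
          # This job only reads Makefile and npm/package.json; never persist
          # the git token.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          # Writes an .npmrc that reads NODE_AUTH_TOKEN from the environment
          # at publish time, so the token only needs to exist on that step.
          registry-url: 'https://registry.npmjs.org'
      - name: Verify version match
        # Fails the job if the Makefile VERSION and npm/package.json version
        # disagree, so a tag cannot ship mismatched artifacts.
        run: |
          MAKE_VERSION=$(grep '^VERSION' Makefile | head -1 | awk '{print $NF}')
          NPM_VERSION=$(node -p "require('./npm/package.json').version")
          if [ "$MAKE_VERSION" != "$NPM_VERSION" ]; then
            echo "Version mismatch: Makefile=$MAKE_VERSION npm=$NPM_VERSION"
            exit 1
          fi
          echo "Version match: $MAKE_VERSION"
      - name: Publish to npm
        working-directory: npm
        # The registry token is scoped to the single step that needs it rather
        # than exported to every step of the job (checkout, setup-node, grep).
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        # Idempotent: re-running the workflow for an already-published version
        # skips instead of failing.
        run: |
          PKG_NAME=$(node -p "require('./package.json').name")
          PKG_VER=$(node -p "require('./package.json').version")
          if npm view "${PKG_NAME}@${PKG_VER}" version 2>/dev/null; then
            echo "Version ${PKG_VER} already published — skipping"
          else
            npm publish --access public
          fi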