publish-crates.yaml
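# Reusable workflow that packages the workspace crates and either validates
# the packaging (dry run) or publishes them to crates.io.
# Exactly one of the two jobs runs per call, selected by `inputs.dry_run`.
#
# Every action is pinned to a full commit SHA; the trailing comment names the
# release the pin is meant to correspond to. Re-check both when bumping.
name: Publish Crates

on:
  workflow_call:
    inputs:
      dry_run:
        description: "If true, build crates instead of publishing them (packaging validation only)"
        required: true
        type: boolean

jobs:
  # Packaging validation only: no registry credentials, no OIDC token and no
  # deployment environment are granted to this job.
  publish-crates-dry-run:
    name: Publish crates (dry-run)
    if: ${{ inputs.dry_run }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # No later step in this job talks to the git remote with
          # credentials, so do not leave the job token on disk where crate
          # build scripts and installed tooling could read it.
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable
      - name: Install cargo-release
        # Exact version plus --locked keeps the tool and its dependency
        # versions reproducible between runs.
        run: cargo install cargo-release --version 1.1.1 --locked
      - name: Publish crates
        # Without --execute, cargo-release performs a dry run.
        # --allow-branch "*" accepts any branch, so this step places no
        # restriction on the ref being packaged.
        run: |
          set -xeuo pipefail
          echo "Publishing crates as a dry-run"
          cargo release publish --workspace --allow-branch "*" --no-confirm

  # Real publish: authenticates to crates.io, publishes, then attests and
  # uploads the packaged crates.
  publish-crates:
    name: Publish crates
    if: ${{ !inputs.dry_run }}
    runs-on: ubuntu-latest
    permissions:
      # Read-only repository access for checkout.
      contents: read
      # Lets the job request an OIDC token; needed by the crates.io auth
      # action and by the attestation action.
      id-token: write
      # Lets the attestation action store the provenance attestation.
      attestations: write
      # NOTE(review): presumably required by the attestation action for its
      # artifact metadata record; confirm against the pinned release.
      artifact-metadata: write
    # Protection rules for this environment (reviewers, allowed refs) live in
    # the repository settings and are not visible in this file.
    environment:
      name: release
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # This job's token can write attestations; keep it out of the
          # workspace, since crate build scripts run during packaging.
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable
      - name: Install cargo-release
        # Exact version plus --locked keeps the tool and its dependency
        # versions reproducible between runs.
        run: cargo install cargo-release --version 1.1.1 --locked
      - name: Authenticate with crates.io
        id: auth
        uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
      - name: Publish crates
        env:
          # Passed through the environment, never interpolated into the
          # script text. `set -x` traces command lines, and no command below
          # takes the token as an argument.
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
        # --allow-branch "*" turns off cargo-release's branch check, so which
        # refs may publish is decided by the caller and by whatever rules the
        # `release` environment enforces, not by this step.
        run: |
          set -xeuo pipefail
          echo "Publishing crates"
          cargo release publish --workspace --allow-branch "*" --no-confirm --execute
      - name: Check for crate artifacts
        id: crate-artifacts
        # Redundant with the job-level condition; kept as a guard.
        if: ${{ !inputs.dry_run }}
        # Writes SHA256SUMS next to the crates with bare file names, so
        # `sha256sum -c SHA256SUMS` works from a directory holding them.
        run: |
          set -euo pipefail
          shopt -s nullglob
          files=(target/package/*.crate)
          if [ ${#files[@]} -gt 0 ]; then
            echo "found=true" >> "$GITHUB_OUTPUT"
            cd target/package
            sha256sum *.crate > SHA256SUMS
            echo "--- Crate checksums ---"
            cat SHA256SUMS
          else
            echo "found=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Attest crate checksum manifest
        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
        if: ${{ !inputs.dry_run && steps.crate-artifacts.outputs.found == 'true' }}
        with:
          # The attestation subject is the manifest, not each crate. To check
          # a crate, verify the attestation for SHA256SUMS first, then compare
          # the crate's digest with its entry in that manifest.
          subject-path: target/package/SHA256SUMS
      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: ${{ !inputs.dry_run && steps.crate-artifacts.outputs.found == 'true' }}
        with:
          if-no-files-found: ignore
          name: published-crates
          path: |
            target/package/*.crate
            target/package/SHA256SUMS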