Fix release build again (#1400)

* Fix build again

* Recommend (r)age over minisign password

* Dry-run the entire release process

* Reorg a bit so dry-run works

* Fix secret name

* Add check on age key

* Pass secrets down

* Use a cross-platform "date"

* Delete signing key artifact to be extra safe

* Last little bits
This commit is contained in:
Félix Saparelli 2023-09-27 00:17:17 +13:00 committed by GitHub
parent 3f29e13e42
commit 5d4333d5c8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 189 additions and 140 deletions

12
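--- a/.github/scripts/ephemeral-crate.sh
+++ b/.github/scripts/ephemeral-crate.sh
+#!/usr/bin/env bash
+set -euxo pipefail
+cat >> crates/bin/Cargo.toml <<EOF
+[package.metadata.binstall.signing]
+algorithm = "minisign"
+pubkey = "$(tail -n1 minisign.pub)"
+EOF
+cp minisign.pub crates/bin/minisign.pub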
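Review bot: A failure of the `tail -n1 minisign.pub` command substitution inside the heredoc is not fatal under `set -e`, because only the exit status of `cat` is checked, so a missing or truncated `minisign.pub` silently writes `pubkey = ""` into the manifest that the later `cargo publish` step ships. Read the key into a variable first and refuse an empty value, mirroring the empty-secret check that ephemeral-sign.sh already does: `pubkey=$(tail -n1 minisign.pub)`, `[[ -n "$pubkey" ]] || { echo "!!! Empty minisign public key !!!"; exit 1; }`, and then `pubkey = "$pubkey"` inside the heredoc. The `-x` trace printing the value is fine since it is the public half.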


@ -2,21 +2,12 @@
set -euxo pipefail
cargo binstall -y rsign2
cargo binstall -y rsign2 rage
rsign generate -f -W -p minisign.pub -s minisign.key
cat >> crates/bin/Cargo.toml <<EOF
[package.metadata.binstall.signing]
algorithm = "minisign"
pubkey = "$(tail -n1 minisign.pub)"
EOF
echo "public=$(tail -n1 minisign.pub)" >> "$GITHUB_OUTPUT"
cp minisign.pub crates/bin/minisign.pub
set +x
echo "::add-mask::$(tail -n1 minisign.key)"
echo "private=$(tail -n1 minisign.key)" >> "$GITHUB_OUTPUT"
set -x
rage --encrypt --recipient "$AGE_KEY_PUBLIC" --output minisign.key.age minisign.key
rm minisign.key
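Review bot: `rage --encrypt --recipient "$AGE_KEY_PUBLIC"` at the end of the hunk has no guard against an empty recipient, while the decrypt side in ephemeral-sign.sh already refuses an empty `AGE_KEY_SECRET`; release-cli.yml sets this variable from `vars.AGE_KEY_PUBLIC`, so an unset repository variable arrives as an empty string that `set -u` does not catch. Whether rage rejects an empty recipient is up to rage, so make it explicit and symmetric with the other script: `[[ -z "$AGE_KEY_PUBLIC" ]] && { echo "!!! Empty age public key !!!"; exit 1; }` before the encrypt call. The file header for this section is not shown; from its contents it appears to be ephemeral-gen.sh.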


@ -2,14 +2,15 @@
set -euo pipefail
echo "untrusted comment: rsign encrypted secret key" > minisign.key
cat >> minisign.key <<< "$SIGNING_KEY"
[[ -z "$AGE_KEY_SECRET" ]] && { echo "!!! Empty age key secret !!!"; exit 1; }
cat >> age.key <<< "$AGE_KEY_SECRET"
set -x
cargo binstall -y rsign2
cargo binstall -y rsign2 rage
rage --decrypt --identity age.key --output minisign.key minisign.key.age
ts=$(date --utc --iso-8601=seconds)
ts=$(node -e 'console.log((new Date).toISOString())')
git=$(git rev-parse HEAD)
comment="gh=$GITHUB_REPOSITORY git=$git ts=$ts run=$GITHUB_RUN_ID"
@ -17,3 +18,4 @@ for file in "$@"; do
rsign sign -W -s minisign.key -x "$file.sig" -t "$comment" "$file"
done
rm age.key minisign.key
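Review bot: The `rm age.key minisign.key` added at the end of the script only runs on success; with `set -e`, a failing `rage --decrypt` or `rsign sign` exits before it and leaves the age identity and the plaintext minisign key on the runner's disk. Registering the cleanup as `trap 'rm -f age.key minisign.key' EXIT` right after `set -euo pipefail` covers both paths, and an `umask 077` before the first write keeps both key files owner-readable only. Separately, `cat >> age.key <<< "$AGE_KEY_SECRET"` appends rather than overwrites, so a stale `age.key` in the workspace would corrupt the identity; `cat > age.key` is the safer write. The file header for this section is not shown; from its contents it appears to be ephemeral-sign.sh.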


@ -125,9 +125,17 @@ jobs:
- run: just avoid-dev-deps
- run: just lint
release-builds:
uses: ./.github/workflows/release-build.yml
release-dry-run:
uses: ./.github/workflows/release-cli.yml
secrets: inherit
with:
info: |
{
"is-release": false,
"crate": "cargo-binstall",
"version": "0.0.0",
"notes": ""
}
CARGO_PROFILE_RELEASE_LTO: no
CARGO_PROFILE_RELEASE_CODEGEN_UNITS: 4
@ -179,7 +187,7 @@ jobs:
- test
- cross-check
- lint
- release-builds
- release-dry-run
- detect-targets-alpine-test
- detect-targets-ubuntu-test
if: always() # always run even if dependencies fail
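Review bot: `secrets: inherit` on the new `release-dry-run` job hands every repository secret to a run whose `info` carries `"is-release": false`, including `CARGO_REGISTRY_TOKEN`, which release-cli.yml reads in its dry-run publish step even though only `AGE_KEY_SECRET` is needed for the decrypt check and package signing. Whether `cargo publish --dry-run` needs the token at all is worth confirming; if not, declaring the needed secrets explicitly in release-cli.yml's `workflow_call` block and passing just those here keeps the registry token out of ordinary CI runs. This workflow's trigger is outside the hunk; if it includes `pull_request`, same-repository PR runs receive these secrets too.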

108
.github/workflows/release-cli.yml vendored Normal file

@ -0,0 +1,108 @@
name: Release CLI
on:
workflow_call:
inputs:
info:
description: "The release metadata JSON"
required: true
type: string
CARGO_PROFILE_RELEASE_LTO:
description: "Used to speed up CI"
required: false
type: string
CARGO_PROFILE_RELEASE_CODEGEN_UNITS:
description: "Used to speed up CI"
required: false
type: string
jobs:
tag:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- if: fromJSON(inputs.info).is-release == 'true'
name: Push cli release tag
uses: mathieudutour/github-tag-action@v6.1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
custom_tag: ${{ fromJSON(inputs.info).version }}
tag_prefix: v
keygen:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cargo-bins/cargo-binstall@main
- name: Create ephemeral keypair
id: keypair
env:
AGE_KEY_PUBLIC: ${{ vars.AGE_KEY_PUBLIC }}
run: .github/scripts/ephemeral-gen.sh
- uses: actions/upload-artifact@v3
with:
name: minisign.pub
path: minisign.pub
- uses: actions/upload-artifact@v3
with:
name: minisign.key.age
path: minisign.key.age
retention-days: 1
- name: Check that key can be decrypted
env:
AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
shell: bash
run: .github/scripts/ephemeral-sign.sh minisign.pub
package:
needs:
- tag
- keygen
uses: ./.github/workflows/release-packages.yml
secrets: inherit
with:
publish: ${{ inputs.info }}
CARGO_PROFILE_RELEASE_LTO: ${{ inputs.CARGO_PROFILE_RELEASE_LTO }}
CARGO_PROFILE_RELEASE_CODEGEN_UNITS: ${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}
publish:
needs: package
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v3
with:
name: minisign.pub
- run: .github/scripts/ephemeral-crate.sh
- if: fromJSON(inputs.info).is-release != 'true'
name: DRY-RUN Publish to crates.io
env:
crate: ${{ fromJSON(inputs.info).crate }}
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
run: cargo publish -p "$crate" --allow-dirty --dry-run
- if: fromJSON(inputs.info).is-release == 'true'
name: Publish to crates.io
env:
crate: ${{ fromJSON(inputs.info).crate }}
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
run: cargo publish -p "$crate" --allow-dirty
- if: fromJSON(inputs.info).is-release == 'true'
name: Make release latest
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
release_name: v${{ fromJSON(inputs.info).version }}
tag: v${{ fromJSON(inputs.info).version }}
body: ${{ fromJSON(inputs.info).notes }}
promote: true
file: minisign.pub
- if: fromJSON(inputs.info).is-release == 'true'
name: Delete signing key artifact
uses: geekyeggo/delete-artifact@v2
with:
name: minisign.key.age
failOnError: false
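Review bot: The new workflow declares no `permissions:` block, yet the `tag` job pushes a tag and the `publish` job uploads release assets with `secrets.GITHUB_TOKEN`, so the token scope is whatever the caller grants and `keygen` gets the same scope although it only reads the checkout. Per-job scoping, `permissions: contents: write` on `tag` and `publish` and `permissions: contents: read` on `keygen`, limits what any third-party action in those jobs can do with the token. The `is-release` field is compared as a string (`== 'true'`); it arrives as boolean `false` from the CI dry-run and as the string `"true"` from release.yml's `toJSON(needs.info.outputs)`, which works today, but if GitHub's number coercion applies a future caller passing boolean `true` would silently skip every release step, so a comment such as `# is-release is compared as a string; pass "true", not true` on the `info` input would prevent that. The `Delete signing key artifact` step is gated on `is-release == 'true'`, so dry-run runs leave `minisign.key.age` downloadable for its one-day retention; dropping that `if:` would remove it on every run.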


@ -1,29 +1,20 @@
name: Build for release
name: Build packages for release
on:
workflow_dispatch: # can't publish from dispatch
workflow_call:
inputs:
publish:
description: "Set to the release metadata JSON to publish the release"
required: false
type: string
publickey:
description: "Minisign public key. Required when publishing"
required: false
description: "The release metadata JSON"
required: true
type: string
CARGO_PROFILE_RELEASE_LTO:
description: "Set to override default release profile lto settings"
description: "Used to speed up CI"
required: false
type: string
CARGO_PROFILE_RELEASE_CODEGEN_UNITS:
description: "Set to override default release profile codegen-units settings"
description: "Used to speed up CI"
required: false
type: string
secrets:
signingkey:
description: "Minisign private key. Required when publishing"
required: false
env:
CARGO_TERM_COLOR: always
@ -69,15 +60,7 @@ jobs:
if: inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS
run: echo "CARGO_PROFILE_RELEASE_CODEGEN_UNITS=${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}" >> "$GITHUB_ENV"
- name: Include public key in package
if: inputs.publickey
env:
PUBLIC_KEY: ${{ inputs.publickey }}
shell: bash
run: |
echo "untrusted comment: minisign public key" > minisign.pub
cat >> minisign.pub <<< "$PUBLIC_KEY"
- uses: cargo-bins/cargo-binstall@main
- uses: ./.github/actions/just-setup
with:
tools: cargo-auditable
@ -89,6 +72,9 @@ jobs:
- run: just toolchain rust-src
- run: just ci-install-deps
- uses: actions/download-artifact@v3
with:
name: minisign.pub
- run: just package
- if: runner.os == 'Windows'
run: Get-ChildItem packages/
@ -101,16 +87,16 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- if: inputs.publish
uses: cargo-bins/cargo-binstall@main
- if: inputs.publish
- uses: actions/download-artifact@v3
with:
name: minisign.key.age
- name: Sign package
env:
SIGNING_KEY: ${{ secrets.signingkey }}
AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
shell: bash
run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-*
- if: inputs.publish
- if: fromJSON(inputs.publish).is-release == 'true'
name: Upload to release
uses: svenstaro/upload-release-action@v2
with:
@ -120,7 +106,8 @@ jobs:
body: ${{ fromJSON(inputs.publish).notes }}
file: packages/cargo-binstall-*
file_glob: true
- if: "! inputs.publish || runner.os == 'macOS'"
prerelease: true
- if: "fromJSON(inputs.publish).is-release != 'true' || runner.os == 'macOS'"
name: Upload artifact
uses: actions/upload-artifact@v3
with:
@ -144,16 +131,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Include public key in package
if: inputs.publickey
env:
PUBLIC_KEY: ${{ inputs.publickey }}
shell: bash
run: |
echo "untrusted comment: minisign public key" > minisign.pub
cat >> minisign.pub <<< "$PUBLIC_KEY"
- uses: cargo-bins/cargo-binstall@main
- uses: taiki-e/install-action@v2
with:
tool: just
@ -171,19 +149,22 @@ jobs:
name: aarch64-apple-darwin
path: packages/
- uses: actions/download-artifact@v3
with:
name: minisign.pub
- run: ls -shalr packages/
- run: just repackage-lipo
- run: ls -shal packages/
- if: inputs.publish
uses: cargo-bins/cargo-binstall@main
- if: inputs.publish
env:
SIGNING_KEY: ${{ secrets.signingkey }}
- uses: actions/download-artifact@v3
with:
name: minisign.key.age
- env:
AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
shell: bash
run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-universal-*
- if: inputs.publish
- if: fromJSON(inputs.publish).is-release == 'true'
name: Upload to release
uses: svenstaro/upload-release-action@v2
with:
@ -194,7 +175,8 @@ jobs:
file: packages/cargo-binstall-universal-*
file_glob: true
overwrite: true
- if: "! inputs.publish"
prerelease: true
- if: fromJSON(inputs.publish).is-release != 'true'
name: Upload artifact
uses: actions/upload-artifact@v3
with:
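Review bot: `workflow_dispatch:` is kept at the top of the file (`# can't publish from dispatch`), but the signing steps in this hunk lost their `if: inputs.publish` guard and now unconditionally download the `minisign.key.age` artifact and run ephemeral-sign.sh, and the upload conditions call `fromJSON(inputs.publish)`; on a dispatch run `inputs.publish` is empty (its `required: true` only applies to `workflow_call`), so the artifact download fails and, if fromJSON rejects an empty string, the `if:` expressions fail to evaluate. Either drop `workflow_dispatch` now that release-cli.yml is the only caller, or restore `if: inputs.publish` on the download and sign steps and write the conditions as `inputs.publish && fromJSON(inputs.publish).is-release == 'true'`. The universal (lipo) job's signing steps in the later hunk have the same issue.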


@ -22,7 +22,7 @@ jobs:
event-data: ${{ toJSON(github.event) }}
extract-notes-under: '### Release notes'
libtag:
release-lib:
if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate != 'cargo-binstall'
needs: info
runs-on: ubuntu-latest
@ -41,47 +41,11 @@ jobs:
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
clitag:
if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate == 'cargo-binstall'
release-cli:
if: needs.info.outputs.crate == 'cargo-binstall'
needs: info
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Push cli release tag
uses: mathieudutour/github-tag-action@v6.1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
custom_tag: ${{ needs.info.outputs.version }}
tag_prefix: v
- uses: cargo-bins/cargo-binstall@main
- name: Create ephemeral keypair
id: keypair
run: .github/scripts/ephemeral-gen.sh
- name: Publish to crates.io
env:
crate: ${{ needs.info.outputs.crate }}
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
run: cargo publish -p "$crate" --allow-dirty
- name: Upload public key to release
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
release_name: v${{ needs.info.outputs.version }}
tag: v${{ needs.info.outputs.version }}
body: ${{ needs.info.outputs.notes }}
file: minisign.pub
outputs:
publickey: ${{ steps.keypair.outputs.public }}
signingkey: ${{ steps.keypair.outputs.private }}
package:
if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate == 'cargo-binstall'
needs:
- info
- clitag
uses: ./.github/workflows/release-build.yml
uses: ./.github/workflows/release-cli.yml
secrets: inherit
with:
publish: ${{ toJSON(needs.info.outputs) }}
publickey: ${{ needs.clitag.publickey }}
secrets:
signingkey: ${{ needs.clitag.signingkey }}
info: ${{ toJSON(needs.info.outputs) }}
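Review bot: The `release-cli` job drops the `needs.info.outputs.is-release == 'true'` guard that `release-lib` keeps, and nothing in this file says the gate moved into release-cli.yml, where tagging, publishing and promotion are each conditioned on `fromJSON(inputs.info).is-release == 'true'`; a reader will take the asymmetry for an oversight. A comment on the job makes it deliberate: `# is-release gating lives in release-cli.yml so non-release runs still exercise the build/sign dry-run`. Because the job now runs for any event where the crate is cargo-binstall, `secrets: inherit` also passes every secret on those non-release runs; the workflow's trigger is outside the hunk.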