Fix release build again (#1400)

* Fix build again * Recommend (r)age over minisign password * Dry-run the entire release process * Reorg a bit so dry-run works * Fix secret name * Add check on age key * Pass secrets down * Use a cross-platform "date" * Delete signing key artifact to be extra safe * Last little bits
2025-04-24 22:30:03 +00:00 · 2023-09-27 00:17:17 +13:00 · 2023-09-27 00:17:17 +13:00 · 5d4333d5c8
commit 5d4333d5c8
parent 3f29e13e42
8 changed files with 189 additions and 140 deletions
--- a/.github/workflows/release-cli.yml
+++ b/.github/workflows/release-cli.yml
@ -0,0 +1,108 @@
+name: Release CLI
+on:
+  workflow_call:
+    inputs:
+      info:
+        description: "The release metadata JSON"
+        required: true
+        type: string
+      CARGO_PROFILE_RELEASE_LTO:
+        description: "Used to speed up CI"
+        required: false
+        type: string
+      CARGO_PROFILE_RELEASE_CODEGEN_UNITS:
+        description: "Used to speed up CI"
+        required: false
+        type: string
+
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - if: fromJSON(inputs.info).is-release == 'true'
+      name: Push cli release tag
+      uses: mathieudutour/github-tag-action@v6.1
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        custom_tag: ${{ fromJSON(inputs.info).version }}
+        tag_prefix: v
+
+  keygen:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: cargo-bins/cargo-binstall@main
+    - name: Create ephemeral keypair
+      id: keypair
+      env:
+        AGE_KEY_PUBLIC: ${{ vars.AGE_KEY_PUBLIC }}
+      run: .github/scripts/ephemeral-gen.sh
+    - uses: actions/upload-artifact@v3
+      with:
+        name: minisign.pub
+        path: minisign.pub
+    - uses: actions/upload-artifact@v3
+      with:
+        name: minisign.key.age
+        path: minisign.key.age
+        retention-days: 1
+    - name: Check that key can be decrypted
+      env:
+        AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
+      shell: bash
+      run: .github/scripts/ephemeral-sign.sh minisign.pub
+
+  package:
+    needs:
+    - tag
+    - keygen
+    uses: ./.github/workflows/release-packages.yml
+    secrets: inherit
+    with:
+      publish: ${{ inputs.info }}
+      CARGO_PROFILE_RELEASE_LTO: ${{ inputs.CARGO_PROFILE_RELEASE_LTO }}
+      CARGO_PROFILE_RELEASE_CODEGEN_UNITS: ${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}
+
+  publish:
+    needs: package
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/download-artifact@v3
+      with:
+        name: minisign.pub
+    - run: .github/scripts/ephemeral-crate.sh
+
+    - if: fromJSON(inputs.info).is-release != 'true'
+      name: DRY-RUN Publish to crates.io
+      env:
+        crate: ${{ fromJSON(inputs.info).crate }}
+        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+      run: cargo publish -p "$crate" --allow-dirty --dry-run
+
+    - if: fromJSON(inputs.info).is-release == 'true'
+      name: Publish to crates.io
+      env:
+        crate: ${{ fromJSON(inputs.info).crate }}
+        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+      run: cargo publish -p "$crate" --allow-dirty
+
+    - if: fromJSON(inputs.info).is-release == 'true'
+      name: Make release latest
+      uses: svenstaro/upload-release-action@v2
+      with:
+        repo_token: ${{ secrets.GITHUB_TOKEN }}
+        release_name: v${{ fromJSON(inputs.info).version }}
+        tag: v${{ fromJSON(inputs.info).version }}
+        body: ${{ fromJSON(inputs.info).notes }}
+        promote: true
+        file: minisign.pub
+
+    - if: fromJSON(inputs.info).is-release == 'true'
+      name: Delete signing key artifact
+      uses: geekyeggo/delete-artifact@v2
+      with:
+          name: minisign.key.age
+          failOnError: false
+