Nightly Builder #1653
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Nightly Builder | |
"on": | |
push: | |
tags: | |
- "*" | |
schedule: | |
- cron: "0 0 * * *" # build nightly! | |
workflow_dispatch: | |
inputs: | |
tag: | |
description: Release tag | |
required: true | |
name: | |
description: Release name | |
required: true | |
jobs: | |
create-release: | |
name: Create Release | |
runs-on: ubuntu-latest | |
steps: | |
- name: Create artifacts directory | |
run: mkdir artifacts | |
- name: Get the release version from the tag | |
id: release_version | |
run: | | |
if [[ "${{ github.event_name }}" == "schedule" ]]; then | |
release_name="nightly-$(date '+%Y-%m-%d')" | |
release_tag="$release_name" | |
elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | |
release_name=${{ github.event.inputs.name }} | |
release_tag=${{ github.event.inputs.tag }} | |
else | |
release_name="$(basename "${{ github.ref }}")" | |
release_tag="$release_name" | |
fi | |
echo "Release name is: ${release_name}" | |
echo "Release version is: ${release_tag}" | |
echo "name=${release_name}" >> $GITHUB_OUTPUT | |
echo "tag=${release_tag}" >> $GITHUB_OUTPUT | |
- name: Clone Artichoke | |
uses: actions/[email protected] | |
with: | |
repository: artichoke/artichoke | |
path: artichoke | |
- name: Set latest_commit | |
id: latest_commit | |
working-directory: artichoke | |
run: | | |
artichoke_head=$(git rev-parse HEAD) | |
echo "Artichoke HEAD commit is: ${artichoke_head}" | |
echo "commit=${artichoke_head}" >> $GITHUB_OUTPUT | |
- name: Create GitHub release | |
id: release | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ steps.release_version.outputs.tag }} | |
draft: true | |
prerelease: false | |
name: ${{ steps.release_version.outputs.name }} | |
body: artichoke/artichoke@${{ steps.latest_commit.outputs.commit }} | |
- name: Save release commit hash to artifact | |
run: echo "${{ steps.latest_commit.outputs.commit }}" > artifacts/release-commit-hash | |
- name: Save release ID to artifact | |
run: echo "${{ steps.release.outputs.id }}" > artifacts/release-id | |
- name: Save release upload URL to artifact | |
run: echo "${{ steps.release.outputs.upload_url }}" > artifacts/release-upload-url | |
- name: Save version number to artifact | |
run: echo "${{ steps.release_version.outputs.tag }}" > artifacts/release-version | |
- name: Upload artifacts | |
uses: actions/[email protected] | |
with: | |
name: artifacts | |
path: artifacts | |
build-release: | |
name: Build Release | |
needs: ["create-release"] | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
build: | |
- linux-x64 | |
- linux-x64-musl | |
- linux-arm64 | |
- macos-x64 | |
- macos-arm64 | |
- windows-x64 | |
include: | |
- build: linux-x64 | |
os: ubuntu-latest | |
target: x86_64-unknown-linux-gnu | |
- build: linux-x64-musl | |
os: ubuntu-latest | |
target: x86_64-unknown-linux-musl | |
- build: linux-arm64 | |
os: ubuntu-latest | |
target: aarch64-unknown-linux-gnu | |
- build: macos-x64 | |
os: macos-latest | |
target: x86_64-apple-darwin | |
- build: macos-arm64 | |
os: macos-latest | |
target: aarch64-apple-darwin | |
- build: windows-x64 | |
os: windows-latest | |
target: x86_64-pc-windows-msvc | |
env: | |
RUST_BACKTRACE: 1 | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Get release download URL | |
uses: actions/[email protected] | |
with: | |
name: artifacts | |
path: artifacts | |
- name: Set release upload URL and release version | |
shell: bash | |
id: release_info | |
run: | | |
release_upload_url="$(cat artifacts/release-upload-url)" | |
release_version="$(cat artifacts/release-version)" | |
release_commit="$(cat artifacts/release-commit-hash)" | |
echo "Release upload url: ${release_upload_url}" | |
echo "Release version: ${release_version}" | |
echo "Release commit: ${release_commit}" | |
echo "upload_url=${release_upload_url}" >> $GITHUB_OUTPUT | |
echo "version=${release_version}" >> $GITHUB_OUTPUT | |
echo "commit=${release_commit}" >> $GITHUB_OUTPUT | |
- name: Generate THIRDPARTY license listing | |
uses: artichoke/[email protected] | |
with: | |
artichoke_ref: ${{ steps.release_info.outputs.commit }} | |
target_triple: ${{ matrix.target }} | |
output_file: ${{ github.workspace }}/THIRDPARTY.txt | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Clone Artichoke | |
uses: actions/[email protected] | |
with: | |
repository: artichoke/artichoke | |
path: artichoke | |
ref: ${{ steps.release_info.outputs.commit }} | |
# Fetch all history. | |
# | |
# The Artichoke release metadata build script calculates Ruby | |
# constants like `RUBY_REVISION` by walking the git history. | |
fetch-depth: 0 | |
- name: Setup Python | |
uses: actions/[email protected] | |
with: | |
python-version-file: ".python-version" | |
- name: Set Python executable path based on OS | |
shell: bash | |
run: | | |
if [[ "$RUNNER_OS" == "Windows" ]]; then | |
echo "VENV_PYTHON=venv\\Scripts\\python" >> $GITHUB_ENV | |
else | |
echo "VENV_PYTHON=venv/bin/python3" >> $GITHUB_ENV | |
fi | |
- name: Install Python dependencies | |
shell: bash | |
run: | | |
python3 -m venv --upgrade-deps venv | |
$VENV_PYTHON -m pip install --upgrade pip wheel | |
$VENV_PYTHON -m pip install --require-hashes -r requirements.txt | |
- name: Set Artichoke Rust toolchain version | |
shell: bash | |
id: rust_toolchain | |
run: | | |
$VENV_PYTHON -m artichoke_nightly.rust_toolchain_version \ | |
--file artichoke/rust-toolchain.toml \ | |
--format github | |
- name: Install Rust toolchain | |
uses: artichoke/setup-rust/[email protected] | |
with: | |
toolchain: ${{ steps.rust_toolchain.outputs.version }} | |
target: ${{ matrix.target }} | |
# ``` | |
# $ gpg --fingerprint --with-subkey-fingerprints [email protected] | |
# pub ed25519 2021-01-03 [SC] | |
# C983 8F10 4021 F59E E6F6 BCBE B199 D034 7FDA 14A4 | |
# uid [ultimate] Code signing for Artichoke Ruby <[email protected]> | |
# sub cv25519 2021-01-03 [E] | |
# 7719 1B6D 83B2 F4E8 5197 125B A9A3 F70E 710A 15AA | |
# sub ed25519 2021-01-03 [S] | |
# 1C4A 856A CF86 EC1E E841 180F AF57 A37C AC06 1452 | |
# ``` | |
- name: Import GPG key | |
id: import_gpg | |
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }} | |
fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452 | |
# Set the GPG key to full trust (value 4) to ensure reliable signing | |
# and verification in CI. Full trust balances security and practicality | |
# in automated environments, avoiding prompts or failures that can | |
# occur with marginal trust, while not compromising security like | |
# ultimate trust. | |
trust_level: 4 | |
- name: List keys | |
run: gpg -K | |
- name: Install musl x86_64 | |
if: matrix.build == 'linux-x64-musl' | |
run: | | |
sudo apt update | |
sudo apt install musl-tools | |
- name: Install gcc aarch64 cross compiler | |
if: matrix.build == 'linux-arm64' | |
run: | | |
sudo apt update | |
sudo apt install gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu | |
# https://github.com/rust-lang/rust-bindgen/issues/1229 | |
echo 'BINDGEN_EXTRA_CLANG_ARGS=--sysroot=/usr/aarch64-linux-gnu' >> $GITHUB_ENV | |
# https://github.com/rust-lang/rust/issues/28924 | |
echo 'CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc' >> $GITHUB_ENV | |
- name: Build release artifacts | |
working-directory: artichoke | |
run: cargo build --verbose --release --target ${{ matrix.target }} | |
# This will codesign binaries in place which means that the tarballed | |
# binaries will be codesigned as well. | |
- name: Run Apple Codesigning and Notarization | |
shell: bash | |
id: apple_codesigning | |
if: runner.os == 'macOS' | |
run: | | |
$VENV_PYTHON -m artichoke_nightly.macos_sign_and_notarize \ | |
"artichoke-nightly-${{ matrix.target }}" \ | |
--binary "artichoke/target/${{ matrix.target }}/release/artichoke" \ | |
--binary "artichoke/target/${{ matrix.target }}/release/airb" \ | |
--resource artichoke/LICENSE \ | |
--resource artichoke/README.md \ | |
--resource THIRDPARTY.txt \ | |
--dmg-icon-url "https://artichoke.github.io/logo/Artichoke-dmg.icns" | |
env: | |
MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }} | |
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} | |
MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }} | |
- name: GPG sign Apple DMG | |
shell: bash | |
id: apple_codesigning_gpg | |
if: runner.os == 'macOS' | |
run: | | |
$VENV_PYTHON -m artichoke_nightly.gpg_sign \ | |
"artichoke-nightly-${{ matrix.target }}" \ | |
--artifact "${{ steps.apple_codesigning.outputs.asset }}" | |
- name: Upload release archive | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
if: runner.os == 'macOS' | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ steps.release_info.outputs.version }} | |
draft: true | |
allowUpdates: true | |
omitBodyDuringUpdate: true | |
omitNameDuringUpdate: true | |
omitPrereleaseDuringUpdate: true | |
artifacts: ${{ steps.apple_codesigning.outputs.asset }} | |
artifactContentType: ${{ steps.apple_codesigning.outputs.content_type }} | |
- name: Upload release signature | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
if: runner.os == 'macOS' | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ steps.release_info.outputs.version }} | |
draft: true | |
allowUpdates: true | |
omitBodyDuringUpdate: true | |
omitNameDuringUpdate: true | |
omitPrereleaseDuringUpdate: true | |
artifacts: ${{ steps.apple_codesigning_gpg.outputs.signature }} | |
artifactContentType: "text/plain" | |
- name: Build archive | |
shell: bash | |
id: build | |
run: | | |
staging="artichoke-nightly-${{ matrix.target }}" | |
mkdir -p "$staging"/ | |
cp artichoke/{README.md,LICENSE} THIRDPARTY.txt "$staging/" | |
if [ "${{ runner.os }}" = "Windows" ]; then | |
cp "artichoke/target/${{ matrix.target }}/release/artichoke.exe" "$staging/" | |
cp "artichoke/target/${{ matrix.target }}/release/airb.exe" "$staging/" | |
7z a "$staging.zip" "$staging" | |
echo "asset=$staging.zip" >> $GITHUB_OUTPUT | |
echo "content_type=application/zip" >> $GITHUB_OUTPUT | |
else | |
cp "artichoke/target/${{ matrix.target }}/release/artichoke" "$staging/" | |
cp "artichoke/target/${{ matrix.target }}/release/airb" "$staging/" | |
tar czf "$staging.tar.gz" "$staging" | |
echo "asset=$staging.tar.gz" >> $GITHUB_OUTPUT | |
echo "content_type=application/gzip" >> $GITHUB_OUTPUT | |
fi | |
- name: GPG sign archive | |
shell: bash | |
id: gpg_signing | |
run: | | |
$VENV_PYTHON -m artichoke_nightly.gpg_sign \ | |
"artichoke-nightly-${{ matrix.target }}" \ | |
--artifact "${{ steps.build.outputs.asset }}" | |
- name: Upload release archive | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ steps.release_info.outputs.version }} | |
draft: true | |
allowUpdates: true | |
omitBodyDuringUpdate: true | |
omitNameDuringUpdate: true | |
omitPrereleaseDuringUpdate: true | |
artifacts: ${{ steps.build.outputs.asset }} | |
artifactContentType: ${{ steps.build.outputs.content_type }} | |
- name: Upload release signature | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ steps.release_info.outputs.version }} | |
draft: true | |
allowUpdates: true | |
omitBodyDuringUpdate: true | |
omitNameDuringUpdate: true | |
omitPrereleaseDuringUpdate: true | |
artifacts: ${{ steps.gpg_signing.outputs.signature }} | |
artifactContentType: "text/plain" | |
package-source-archive: | |
name: Package Source Archive | |
needs: ["create-release"] | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
archive: | |
- tar.gz | |
- zip | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Get release download URL | |
uses: actions/[email protected] | |
with: | |
name: artifacts | |
path: artifacts | |
- name: Set release upload URL and release version | |
shell: bash | |
id: release_info | |
run: | | |
release_upload_url="$(cat artifacts/release-upload-url)" | |
release_version="$(cat artifacts/release-version)" | |
release_commit="$(cat artifacts/release-commit-hash)" | |
echo "Release upload url: ${release_upload_url}" | |
echo "Release version: ${release_version}" | |
echo "Release commit: ${release_commit}" | |
echo "upload_url=${release_upload_url}" >> $GITHUB_OUTPUT | |
echo "version=${release_version}" >> $GITHUB_OUTPUT | |
echo "commit=${release_commit}" >> $GITHUB_OUTPUT | |
- name: Clone Artichoke | |
uses: actions/[email protected] | |
with: | |
repository: artichoke/artichoke | |
path: artichoke | |
ref: ${{ steps.release_info.outputs.commit }} | |
- name: Setup Python | |
uses: actions/[email protected] | |
with: | |
python-version-file: ".python-version" | |
- name: Set Python executable path based on OS | |
shell: bash | |
run: | | |
if [[ "$RUNNER_OS" == "Windows" ]]; then | |
echo "VENV_PYTHON=venv\\Scripts\\python" >> $GITHUB_ENV | |
else | |
echo "VENV_PYTHON=venv/bin/python3" >> $GITHUB_ENV | |
fi | |
- name: Install Python dependencies | |
shell: bash | |
run: | | |
python3 -m venv --upgrade-deps venv | |
$VENV_PYTHON -m pip install --upgrade pip wheel | |
$VENV_PYTHON -m pip install --require-hashes -r requirements.txt | |
# ``` | |
# $ gpg --fingerprint --with-subkey-fingerprints [email protected] | |
# pub ed25519 2021-01-03 [SC] | |
# C983 8F10 4021 F59E E6F6 BCBE B199 D034 7FDA 14A4 | |
# uid [ultimate] Code signing for Artichoke Ruby <[email protected]> | |
# sub cv25519 2021-01-03 [E] | |
# 7719 1B6D 83B2 F4E8 5197 125B A9A3 F70E 710A 15AA | |
# sub ed25519 2021-01-03 [S] | |
# 1C4A 856A CF86 EC1E E841 180F AF57 A37C AC06 1452 | |
# ``` | |
- name: Import GPG key | |
id: import_gpg | |
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }} | |
fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452 | |
# Set the GPG key to full trust (value 4) to ensure reliable signing | |
# and verification in CI. Full trust balances security and practicality | |
# in automated environments, avoiding prompts or failures that can | |
# occur with marginal trust, while not compromising security like | |
# ultimate trust. | |
trust_level: 4 | |
- name: List keys | |
run: gpg -K | |
- name: Build source archive | |
run: | | |
git -C artichoke archive \ | |
--format ${{ matrix.archive }} \ | |
-9 \ | |
--output=`pwd`/artichoke-nightly.source.${{ matrix.archive }} \ | |
${{ steps.release_info.outputs.commit }} | |
- name: Build archive | |
shell: bash | |
id: build | |
run: | | |
if [ "${{ matrix.archive }}" = "zip" ]; then | |
echo "asset=artichoke-nightly.source.zip" >> $GITHUB_OUTPUT | |
echo "content_type=application/zip" >> $GITHUB_OUTPUT | |
else | |
echo "asset=artichoke-nightly.source.tar.gz" >> $GITHUB_OUTPUT | |
echo "content_type=application/gzip" >> $GITHUB_OUTPUT | |
fi | |
- name: GPG sign archive | |
shell: bash | |
id: gpg_signing | |
run: | | |
$VENV_PYTHON -m artichoke_nightly.gpg_sign \ | |
"artichoke-nightly-source-archive" \ | |
--artifact "${{ steps.build.outputs.asset }}" | |
- name: Upload release archive | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ steps.release_info.outputs.version }} | |
draft: true | |
allowUpdates: true | |
omitBodyDuringUpdate: true | |
omitNameDuringUpdate: true | |
omitPrereleaseDuringUpdate: true | |
artifacts: ${{ steps.build.outputs.asset }} | |
artifactContentType: ${{ steps.build.outputs.content_type }} | |
- name: Upload release signature | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ steps.release_info.outputs.version }} | |
draft: true | |
allowUpdates: true | |
omitBodyDuringUpdate: true | |
omitNameDuringUpdate: true | |
omitPrereleaseDuringUpdate: true | |
artifacts: ${{ steps.gpg_signing.outputs.signature }} | |
artifactContentType: "text/plain" | |
finalize-release: | |
name: Publish Release | |
needs: ["build-release", "package-source-archive"] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Get release download URL | |
uses: actions/[email protected] | |
with: | |
name: artifacts | |
path: artifacts | |
- name: Set publish_info | |
id: publish_info | |
run: echo "release_tag=$(cat artifacts/release-version)" >> $GITHUB_OUTPUT | |
- name: Publish release | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ steps.publish_info.outputs.release_tag }} | |
draft: false | |
allowUpdates: true | |
omitBodyDuringUpdate: true | |
omitNameDuringUpdate: true | |
omitPrereleaseDuringUpdate: true | |
- uses: eregon/keep-last-n-releases@c662ecf90e35b1070a4894539d8804a286e55151 # v1 | |
if: github.event_name == 'schedule' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
n: 7 |