Build

add a changelog #3355

Workflow file for this run

.github/workflows/build-all.yml at 4b7d2c7

	# Build and test on each commit. Create a release on tagged commits.
	#
	# Binaries on each platform are stripped. This removes debug symbols.
	name: Build
	on: [push]

	jobs:
	build-all:
	name: ${{ matrix.os-name }}-build
	runs-on: ${{ matrix.os }}
	container: ${{ matrix.container }}
	env:
	GHC_VERSION: '9.4.8'


	defaults:
	run:
	shell: bash

	strategy:
	matrix:
	os: ['windows-latest', 'ubuntu-latest', 'macos-12', 'macos-latest']
	include:
	- os: ubuntu-latest
	os-name: Linux
	container: fossa/haskell-static-alpine:ghc-9.4.8
	project-file: cabal.project.ci.linux
	ghc: '9.4.8'

	# macos-latest pointed at macos-12 this before it was changed to ARM.
	- os: macos-12
	os-name: macOS-intel
	project-file: cabal.project.ci.macos
	ghc: '9.4.8'

	- os: windows-latest
	os-name: Windows
	project-file: cabal.project.ci.windows
	ghc: '9.4.8'

	- os: macos-latest
	os-name: macOS-arm64
	project-file: cabal.project.ci.macos
	ghc: '9.4.8'

	steps:

	- uses: actions/checkout@v4
	with:
	lfs: true
	fetch-depth: 2

	- name: Install MacOS binary dependencies
	if: ${{ contains(matrix.os, 'macos') }}
	run: \|
	brew install jq

	# Set up Haskell.
	- uses: haskell-actions/setup@v2
	id: setup-haskell
	name: Setup ghc/cabal (non-alpine)
	if: ${{ !contains(matrix.os, 'ubuntu') }}
	with:
	ghc-version: ${{ matrix.ghc }}
	cabal-version: '3.10.2.1'

	# Set up Rust.
	# This action installs the 'minimal' profile.
	- uses: dtolnay/rust-toolchain@stable

	- name: Install additional Rust tooling
	uses: taiki-e/install-action@v2
	with:
	tool: nextest

	- uses: Swatinem/rust-cache@v2

	- name: Debugging information
	run: \|
	ghc --version \|\| echo "no ghc"
	cabal --version \|\| echo "no cabal"
	ghcup --version \|\| echo "no ghcup"
	rustc -V \|\| echo "no rustc"
	cargo -V \|\| echo "no cargo"

	# Linux builds are run in Alpine, which builds them statically;
	# using jemalloc reduces the performance impact of this
	# over the default libc allocator (which performs very poorly in static builds).
	- name: Build Rust dependencies (Linux)
	if: ${{ matrix.os-name == 'linux' }}
	run: cargo build --features jemalloc --release

	# Non-Linux environments generally don't need `jemalloc`
	# and in particular Windows doesn't support it.
	- name: Build Rust dependencies (non-Linux)
	if: ${{ matrix.os-name != 'linux' }}
	run: cargo build --release

	# Run tests in release mode to reduce the need for rebuilds.
	- name: Test Rust dependencies
	run: cargo nextest run --release

	- name: Ensure git ownership check does not lead to compiler error
	run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

	- name: Check git status and collect information
	# https://github.com/actions/checkout/issues/760#issuecomment-1099519159
	run: \|
	git status --porcelain
	echo "parent_commit=$(git rev-parse HEAD^)" >> $GITHUB_ENV

	# Compute cache key and save to a temporary file.
	#
	# We compute the cache key based on the solved install plan instead of just
	# hashing the `.cabal` file, since there are many kinds of changes that will
	# cause `.cabal` to change (e.g. adding new source modules).
	- name: Compute cache key
	id: compute-cache-key
	env:
	RUNNER_OS: ${{ runner.os }}
	run: \|
	cabal --project-file=${{ matrix.project-file }} update
	cabal --project-file=${{ matrix.project-file }} build --dry-run
	cat dist-newstyle/cache/plan.json \| jq '."install-plan"[]."id"' \| sort > /tmp/cabal-cache-key
	echo "Install plan:"
	cat /tmp/cabal-cache-key

	if [ "$RUNNER_OS" = "macOS" ]; then
	PLAN_SUM=$(shasum -a256 /tmp/cabal-cache-key)
	else
	PLAN_SUM=$(sha256sum /tmp/cabal-cache-key)
	fi

	export CABAL_CACHE_KEY=$(echo $PLAN_SUM \| awk '{print $1}')
	echo "Cabal cache key: $CABAL_CACHE_KEY"
	echo "cabal-cache-key=$CABAL_CACHE_KEY" >> $GITHUB_OUTPUT

	# Build FOSSA CLI.
	- uses: actions/cache@v4
	name: Cache cabal store
	with:
	path: ${{ steps.setup-haskell.outputs.cabal-store \|\| '~/.local/state/cabal' }}
	key: ${{ matrix.os-name }}-${{ matrix.ghc }}-cabal-cache-${{ steps.compute-cache-key.outputs.cabal-cache-key }}
	restore-keys: \|
	${{ matrix.os-name }}-${{ matrix.ghc }}-cabal-cache-
	${{ matrix.os-name }}-${{ matrix.ghc }}-
	${{ matrix.os-name }}-

	- uses: actions/cache@v4
	name: Cache dist-newstyle
	with:
	path: ${{ github.workspace }}/dist-newstyle
	key: ${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ github.sha }}
	restore-keys: \|
	${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ env.parent_commit }}
	${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-
	${{ matrix.os-name }}-${{ env.GHC_VERSION }}-
	${{ matrix.os-name }}-

	- name: Update vendored binaries
	run: \|
	mkdir vendor-bins
	./vendor_download.sh
	env:
	GITHUB_TOKEN: ${{ secrets.BASIS_ACCESS_TOKEN }}

	- name: Build test data
	run: \|
	make build-test-data

	- name: Build
	# Occasionally, we run out of memory on the build process.
	# Since cabal uses incremental compilation, we can retry from where we left off
	# by simply re-running cabal if we fail.
	env:
	RUN_CMD: cabal build --project-file=${{ matrix.project-file }} all
	run: \|
	: # With dist-newstyle caches:
	: # Cabal mainly knows to recompile based on changes to files.
	: # Tagging in git doesn't reliably change a file in a fixed location that cabal/GHC can track to indicate that there's a new tag.
	: # For our release process, we merge to master, which builds (and may store a dist-newstyle cache), then push a release tag.
	: # During the tag build, cabal/GHC may not realize that they have to rebuild the Version.hs file because the tag is invisible to it.
	: # This line adds a unique comment to our version source file to prompt cabal/GHC to rebuild Version.hs unconditionally.
	echo "{- $RANDOM$RANDOM$RANDOM -}" >> src/App/Version.hs
	cabal update
	$RUN_CMD \|\| $RUN_CMD

	- name: Run unit tests
	run: \|
	cabal test --project-file=${{ matrix.project-file }} unit-tests

	- name: Validate diagnose commands run on the platform
	run: \|
	cargo run --bin diagnose -- walk --trace-spans none --trace-level info

	# Test cabal-install
	- name: Test Cabal Install (Linux)
	if: ${{ contains(matrix.os, 'linux') }}
	run: cabal install --overwrite-policy=always --project=${{ matrix.project-file }} --ghc-options="-Wwarn"

	# Save artifacts.
	- name: Find and move binaries (Windows)
	if: ${{ contains(matrix.os, 'windows') }}
	run: \|
	mkdir release
	find . -type f -path '*/fossa/fossa.exe' -exec cp {} release \;
	./release/fossa.exe --version
	cp target/release/diagnose.exe release
	cp target/release/millhone.exe release

	- name: Find and move binaries (non-Windows)
	if: ${{ !contains(matrix.os, 'windows') }}
	run: \|
	mkdir release
	find . -type f -path '*/fossa/fossa' -exec cp {} release \;
	./release/fossa --version
	cp target/release/diagnose release
	cp target/release/millhone release

	- name: Strip binaries
	run: \|
	strip release/*

	- name: Sign and Notarize Binaries (Mac OS)
	if: ${{ contains(matrix.os, 'macos') && startsWith(github.ref, 'refs/tags/v') }}
	env:
	MACOS_BUILD_CERT_BASE64: ${{ secrets.MACOS_BUILD_CERT_BASE64 }}
	MACOS_BUILD_CERT_P12_PASSWORD: ${{ secrets.MACOS_BUILD_CERT_P12_PASSWORD }}
	MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
	APPLE_NOTARIZATION_DEV_PASS: ${{ secrets.APPLE_NOTARIZATION_DEV_PASS }}
	APPLE_NOTARIZATION_DEV_ID: ${{ secrets.APPLE_NOTARIZATION_DEV_ID }}
	APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
	OS_NAME: ${{ matrix.os-name }}
	run: \|
	# create variables
	CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

	# import certificate and provisioning profile from secrets
	echo -n "$MACOS_BUILD_CERT_BASE64" \| base64 --decode -o $CERTIFICATE_PATH

	# create temporary keychain
	security create-keychain -p "$MACOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
	security unlock-keychain -p "$MACOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	# import certificate to keychain
	security import $CERTIFICATE_PATH -P "$MACOS_BUILD_CERT_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security list-keychain -d user -s $KEYCHAIN_PATH


	chmod +x release/*
	# '--options runtime' enables the hardened runtime: https://developer.apple.com/documentation/security/hardened_runtime
	# On Apple Silicon there doesn't seem to be a default liblzma, and the one installed via homebrew is rejected.
	# The entitlement line will relax that check.
	# The hardened runtime is required for notarization.
	if [ "$OS_NAME" = "macOS-arm64" ] ; then
	codesign --entitlements .github/entitlements.plist --options runtime -s 'FOSSA, Inc.' release/fossa
	else
	# Intel does not need the entitlement to run liblzma, which is included in the base system.
	codesign --options runtime -s 'FOSSA, Inc.' release/fossa
	fi
	codesign --options runtime -s 'FOSSA, Inc.' release/diagnose
	codesign --options runtime -s 'FOSSA, Inc.' release/millhone

	# Perform notarization
	zip -rj notarization-archive.zip release
	NOTARY_RESULTS=$(xcrun notarytool submit notarization-archive.zip --apple-id "$APPLE_NOTARIZATION_DEV_ID" --password "$APPLE_NOTARIZATION_DEV_PASS" --team-id "$APPLE_TEAM_ID" --wait)
	echo "$NOTARY_RESULTS"
	rm notarization-archive.zip
	# The notarization tool doesn't set $?, so examine the output.
	if ! echo "$NOTARY_RESULTS" \| grep -q "status: Accepted"; then
	exit 1
	fi

	- uses: actions/upload-artifact@v4
	with:
	name: ${{ matrix.os-name }}-binaries
	path: release

	create-release:
	name: create-release
	runs-on: ubuntu-latest
	needs: ['build-all']
	permissions:
	id-token: write
	contents: write

	steps:
	- uses: actions/download-artifact@v4

	# Sets VERSION from git's tag or sha.
	# refer to: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-setting-an-output-parameter
	- name: Get version
	id: get-version
	run: \|
	case $GITHUB_REF in
	refs/tags/v*)
	# This strips the 'v' prefix from the tag.
	echo "VERSION=${GITHUB_REF/refs\/tags\/v/}" >> "$GITHUB_OUTPUT"
	;;
	*)
	echo "VERSION=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
	;;
	esac

	- name: Check that version info was embedded correctly
	if: ${{ startsWith(github.ref, 'refs/tags/v') }}
	run: \|
	chmod +x Linux-binaries/fossa

	echo $GITHUB_REF_NAME
	echo $GITHUB_REF_TYPE
	echo $GITHUB_SHA
	echo ${GITHUB_SHA:0:12}

	VERSION=$(echo $(Linux-binaries/fossa --version))
	EXPECTED="fossa-cli version ${{ steps.get-version.outputs.VERSION }} (revision ${GITHUB_SHA:0:12} compiled with ghc-9.4)"
	echo " VERSION: $VERSION"
	echo "EXPECTED: $EXPECTED"

	[ "$GITHUB_REF_TYPE" = "tag" ] && echo "Ref type OK"
	[ "$VERSION" = "$EXPECTED" ] && echo "CLI version OK"

	- name: Install Cosign
	if: ${{ github.ref_type == 'tag' }}
	uses: sigstore/[email protected]

	- name: Sign Release (Linux)
	if: ${{ github.ref_type == 'tag' }}
	run: \|
	cosign version
	cosign sign-blob --yes --bundle "Linux-binaries/fossa.bundle" "Linux-binaries/fossa"
	cosign sign-blob --yes --bundle "Linux-binaries/diagnose.bundle" "Linux-binaries/diagnose"
	cosign sign-blob --yes --bundle "Linux-binaries/millhone.bundle" "Linux-binaries/millhone"

	- name: Verify Signatures
	if: ${{ github.ref_type == 'tag' }}
	run: \|
	cosign verify-blob --bundle "Linux-binaries/fossa.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/fossa"
	cosign verify-blob --bundle "Linux-binaries/diagnose.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/diagnose"
	cosign verify-blob --bundle "Linux-binaries/millhone.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/millhone"

	# This uses names compatible with our install script.
	#
	# Originally, CLI >=2.x Linux releases were only packaged as zip files, but
	# we added tar.gz to improve compatibility. Our install script depends on
	# the unzip command, which is not installed in most Linux distributions by
	# default. To avoid breaking compatibility with older install scripts, we
	# release both formats but default to using tar.gz when installing.
	- name: Bundle binaries
	env:
	LINUX_FOSSA_TAR_PATH: "release/fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar"
	LINUX_FOSSA_ZIP_PATH: "release/fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip"
	LINUX_DIAGNOSE_TAR_PATH: "release/diagnose_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar"
	LINUX_DIAGNOSE_ZIP_PATH: "release/diagnose_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip"
	LINUX_MILLHONE_TAR_PATH: "release/millhone_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar"
	LINUX_MILLHONE_ZIP_PATH: "release/millhone_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip"
	run: \|
	mkdir release

	ls -R

	chmod +x Linux-binaries/*
	zip -j "$LINUX_FOSSA_ZIP_PATH" Linux-binaries/fossa
	zip -j "$LINUX_DIAGNOSE_ZIP_PATH" Linux-binaries/diagnose
	zip -j "$LINUX_MILLHONE_ZIP_PATH" Linux-binaries/millhone
	tar --create --verbose --file "$LINUX_FOSSA_TAR_PATH" --directory Linux-binaries fossa
	tar --create --verbose --file "$LINUX_DIAGNOSE_TAR_PATH" --directory Linux-binaries diagnose
	tar --create --verbose --file "$LINUX_MILLHONE_TAR_PATH" --directory Linux-binaries millhone

	if [ "$GITHUB_REF_TYPE" = "tag" ]; then
	tar --append --file "$LINUX_FOSSA_TAR_PATH" --directory Linux-binaries fossa.bundle
	tar --append --file "$LINUX_DIAGNOSE_TAR_PATH" --directory Linux-binaries diagnose.bundle
	tar --append --file "$LINUX_MILLHONE_TAR_PATH" --directory Linux-binaries millhone.bundle
	zip -j "$LINUX_FOSSA_ZIP_PATH" Linux-binaries/fossa.bundle
	zip -j "$LINUX_DIAGNOSE_ZIP_PATH" Linux-binaries/diagnose.bundle
	zip -j "$LINUX_MILLHONE_ZIP_PATH" Linux-binaries/millhone.bundle
	fi

	gzip "$LINUX_FOSSA_TAR_PATH"
	gzip "$LINUX_DIAGNOSE_TAR_PATH"
	gzip "$LINUX_MILLHONE_TAR_PATH"

	chmod +x macOS-intel-binaries/*
	zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/fossa
	zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/diagnose
	zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/millhone
	chmod +x macOS-arm64-binaries/*
	zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/fossa
	zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/diagnose
	zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/millhone

	chmod +x Windows-binaries/*
	zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/fossa.exe
	zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/diagnose.exe
	zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/millhone.exe

	- name: Create checksums
	# We have to run from within the release dir so that "release" isn't prepended to the relative path of the zip file.
	run: \|
	cd release
	sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip.sha256"
	sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar.gz" > "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar.gz.sha256"
	sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip.sha256"
	sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip.sha256"
	sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip.sha256"

	echo "Sanity-checking the checksums."

	cat *.sha256 \| sha256sum --check --status

	# Uploads the generated archives (tar.gz/zip) as build artifacts to allow
	# verifying them without needing to do an actual release. This step does not
	# need to run for tagged release versions.
	- name: Upload release archives
	if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
	uses: actions/upload-artifact@v4
	with:
	name: release-archives
	path: release

	- name: Release
	if: ${{ startsWith(github.ref, 'refs/tags/v') }}
	uses: softprops/action-gh-release@v1
	with:
	files: release/*
	draft: true
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add a changelog #3355

Workflow file

add a changelog #3355

Jobs

Run details

Workflow file for this run