build-all.yml
# Build and test on each commit. Create a release on tagged commits.
#
# Binaries on each platform are stripped. This removes debug symbols.
# Workflow title.
name: Build
# Run on every push event; the jobs below tell tagged pushes apart themselves.
on:
  - push
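jobs:
  # Builds, tests and strips the binaries on every matrix OS, then uploads them
  # as the `<runner.os>-binaries` artifact consumed by `create-release`.
  #
  # NOTE(review): this job declares no `permissions:` block, so GITHUB_TOKEN
  # keeps the repository's default scope. Nothing visible here writes through
  # that token; consider `permissions: {contents: read}` once it is confirmed
  # that the scripts invoked below do not rely on a wider scope.
  #
  # NOTE(review): every `uses:` in this workflow, and the container image, is
  # referenced by a mutable tag or branch name. Pinning each action to a full
  # commit SHA (and the image to a digest) keeps an upstream retag from
  # changing what runs in a job that produces release binaries.
  build-all:
    name: ${{ matrix.os-name }}-build
    runs-on: ${{ matrix.os }}
    # Only the ubuntu matrix entry sets `container`.
    container: ${{ matrix.container }}

    defaults:
      run:
        shell: bash

    strategy:
      matrix:
        os: ['windows-latest', 'ubuntu-latest', 'macos-latest']
        include:
          - os: ubuntu-latest
            os-name: Linux
            container: fossa/haskell-static-alpine:ghc-9.0.2
            project-file: cabal.project.ci.linux
            ghc: '9.0.2'

          - os: macos-latest
            os-name: macOS
            project-file: cabal.project.ci.macos
            ghc: '9.0.2'

          - os: windows-latest
            os-name: Windows
            project-file: cabal.project.ci.windows
            ghc: '9.0.2'

    steps:
      - uses: actions/checkout@v3
        with:
          lfs: true

      - name: Install MacOS binary dependencies
        if: ${{ contains(matrix.os, 'macos') }}
        run: |
          brew install jq

      # Set up Haskell.
      # Skipped on the ubuntu entry, which runs inside the container image.
      - uses: haskell/actions/setup@v2
        id: setup-haskell
        name: Setup ghc/cabal (non-alpine)
        if: ${{ !contains(matrix.os, 'ubuntu') }}
        with:
          ghc-version: ${{ matrix.ghc }}

      # Set up Rust.
      - uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: stable

      - uses: taiki-e/install-action@nextest
      - uses: Swatinem/rust-cache@v2

      # Each probe falls back to an echo so a missing tool does not fail the step.
      - name: Debugging information
        run: |
          ghc --version || echo "no ghc"
          cabal --version || echo "no cabal"
          ghcup --version || echo "no ghcup"
          rustc -V || echo "no rustc"
          cargo -V || echo "no cargo"

      # Build Rust crates, which must be present when the CLI builds.
      - name: Test Rust dependencies
        run: cargo nextest run

      - name: Build Rust dependencies
        run: cargo build --release

      # Build FOSSA CLI.
      - uses: actions/cache@v3
        name: Cache cabal store
        with:
          # Falls back to the default store path when the setup-haskell step
          # was skipped and therefore produced no output.
          path: ${{ steps.setup-haskell.outputs.cabal-store || '~/.cabal/store' }}
          key: ${{ runner.os }}-${{ matrix.ghc }}-cabal-cache-${{ hashFiles('**/*.cabal', format('{0}', matrix.project-file)) }}
          restore-keys: |
            ${{ runner.os }}-${{ matrix.ghc }}-cabal-cache-
            ${{ runner.os }}-${{ matrix.ghc }}-
            ${{ runner.os }}-

      # The script sees a repository secret in place of the default
      # GITHUB_TOKEN; the secret is scoped to this single step.
      - name: Update vendored binaries
        run: |
          mkdir vendor-bins
          ./vendor_download.sh
        env:
          GITHUB_TOKEN: ${{ secrets.BASIS_ACCESS_TOKEN }}

      - name: Build test data
        run: |
          make build-test-data

      - name: Check git status
        # https://github.com/actions/checkout/issues/760#issuecomment-1099519159
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          git status --porcelain

      - name: Build
        # Occasionally, we run out of memory on the build process.
        # Since cabal uses incremental compilation, we can retry from where we left off
        # by simply re-running cabal if we fail.
        env:
          RUN_CMD: cabal build --project-file=${{ matrix.project-file }} all
        # $RUN_CMD stays unquoted so the shell splits it into command and arguments.
        run: |
          cabal update
          $RUN_CMD || $RUN_CMD

      - name: Run unit tests
        run: |
          cabal test --project-file=${{ matrix.project-file }} unit-tests

      # Save artifacts.
      - name: Find and move binaries (Windows)
        if: ${{ contains(matrix.os, 'windows') }}
        run: |
          mkdir release
          find . -type f -path '*/fossa/fossa.exe' -exec cp {} release \;
          find . -type f -path '*/pathfinder/pathfinder.exe' -exec cp {} release \;

      - name: Find and move binaries (non-Windows)
        if: ${{ !contains(matrix.os, 'windows') }}
        run: |
          mkdir release
          find . -type f -path '*/fossa/fossa' -exec cp {} release \;
          find . -type f -path '*/pathfinder/pathfinder' -exec cp {} release \;

      - name: Strip binaries
        run: |
          strip release/*

      - uses: actions/upload-artifact@v2
        with:
          name: ${{ runner.os }}-binaries
          path: release

  # Packages the per-OS binaries into archives, checksums and signs them, and
  # on `v*` tags publishes them as a draft GitHub release.
  create-release:
    name: create-release
    runs-on: ubuntu-latest
    needs: ['build-all']

    permissions:
      # Once a job lists any permission, every scope it does not list is set
      # to `none`, so each scope the steps need has to appear here.
      # id-token: lets cosign request the OIDC token used for keyless signing.
      id-token: write
      # contents: the Release step creates the draft release with GITHUB_TOKEN;
      # without write access here that call is rejected.
      contents: write

    steps:
      # Later steps expect one directory per artifact (Linux-binaries/,
      # macOS-binaries/, Windows-binaries/).
      - uses: actions/download-artifact@v2

      # VERSION is the tag without its leading 'v' on `v*` tags, otherwise the
      # commit SHA. It is written to $GITHUB_OUTPUT; the `::set-output`
      # workflow command used previously is deprecated.
      - name: Get version
        id: get-version
        run: |
          case "$GITHUB_REF" in
            refs/tags/v*)
              # This strips the 'refs/tags/v' prefix from the ref.
              echo "VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
              ;;
            *)
              echo "VERSION=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
              ;;
          esac

      # In the steps below VERSION reaches the script through `env:` instead of
      # being expanded into the script text, so a tag name containing shell
      # metacharacters is handled as data, not as shell syntax.
      - name: Check that version info was embedded correctly
        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
        env:
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        run: |
          chmod +x Linux-binaries/fossa
          actual="$(Linux-binaries/fossa --version)"
          expected="fossa-cli version ${VERSION} (revision ${GITHUB_SHA:0:12} compiled with ghc-9.0)"

          echo "$GITHUB_REF_NAME"
          echo "$GITHUB_REF_TYPE"
          echo "$GITHUB_SHA"
          echo "${GITHUB_SHA:0:12}"
          echo "$actual"
          echo "$expected"

          # Explicit checks: a failing `[ ... ] && echo` list only fails the
          # step when it happens to be the last line of the script.
          if [ "$GITHUB_REF_TYPE" != "tag" ]; then
            echo "Unexpected ref type: $GITHUB_REF_TYPE" >&2
            exit 1
          fi
          echo "Ref type OK"

          if [ "$actual" != "$expected" ]; then
            echo "Embedded version does not match the tag" >&2
            exit 1
          fi
          echo "CLI version OK"

      # This uses names compatible with our install script.
      #
      # Originally, CLI >=2.x Linux releases were only packaged as zip files, but
      # we added tar.gz to improve compatibility. Our install script depends on
      # the unzip command, which is not installed in most Linux distributions by
      # default. To avoid breaking compatibility with older install scripts, we
      # release both formats but default to using tar.gz when installing.
      - name: Bundle binaries
        env:
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        run: |
          mkdir release
          ls -R

          chmod +x Linux-binaries/*
          zip -j "release/fossa_${VERSION}_linux_amd64.zip" Linux-binaries/fossa
          zip -j "release/pathfinder_${VERSION}_linux_amd64.zip" Linux-binaries/pathfinder
          tar --create --gzip --verbose --file "release/fossa_${VERSION}_linux_amd64.tar.gz" --directory Linux-binaries fossa
          tar --create --gzip --verbose --file "release/pathfinder_${VERSION}_linux_amd64.tar.gz" --directory Linux-binaries pathfinder

          chmod +x macOS-binaries/*
          zip -j "release/fossa_${VERSION}_darwin_amd64.zip" macOS-binaries/fossa
          zip -j "release/pathfinder_${VERSION}_darwin_amd64.zip" macOS-binaries/pathfinder

          chmod +x Windows-binaries/*
          zip -j "release/fossa_${VERSION}_windows_amd64.zip" Windows-binaries/fossa.exe
          zip -j "release/pathfinder_${VERSION}_windows_amd64.zip" Windows-binaries/pathfinder.exe

      # NOTE(review): only the fossa archives get a .sha256 file, and only the
      # Linux tar.gz is signed further down; the pathfinder archives and the
      # remaining fossa archives are published without a signature. A checksum
      # stored next to the archive detects corruption, not substitution.
      - name: Create checksums
        # We have to run from within the release dir so that "release" isn't prepended to the relative path of the zip file.
        env:
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        run: |
          cd release
          sha256sum --binary "fossa_${VERSION}_linux_amd64.zip" > "fossa_${VERSION}_linux_amd64.zip.sha256"
          sha256sum --binary "fossa_${VERSION}_linux_amd64.tar.gz" > "fossa_${VERSION}_linux_amd64.tar.gz.sha256"
          sha256sum --binary "fossa_${VERSION}_darwin_amd64.zip" > "fossa_${VERSION}_darwin_amd64.zip.sha256"
          sha256sum --binary "fossa_${VERSION}_windows_amd64.zip" > "fossa_${VERSION}_windows_amd64.zip.sha256"

          echo "Sanity-checking the checksums."
          cat *.sha256 | sha256sum --check --status

      # NOTE(review): the cosign steps run for any tag, while the Release step
      # runs only for `v*` tags; confirm that signing non-release tags is intended.
      #
      # The ref after `@` was lost on the rendered page, where e-mail
      # obfuscation turned it into "[email protected]". Restore the real release
      # tag or commit SHA from the repository before using this file.
      - name: Install Cosign
        if: ${{ github.ref_type == 'tag' }}
        uses: sigstore/cosign-installer@<REF_LOST_IN_PAGE_EXTRACTION>

      # Keyless signing; the resulting bundle is written into release/ next to the archive.
      - name: Sign Release
        if: ${{ github.ref_type == 'tag' }}
        env:
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        run: |
          cosign version
          cosign sign-blob --yes --bundle "release/fossa_${VERSION}_linux_amd64.bundle" "release/fossa_${VERSION}_linux_amd64.tar.gz"

      # Verifies the bundle against the GitHub Actions OIDC issuer and against
      # this workflow's own identity ($GITHUB_WORKFLOW_REF).
      - name: Verify Signature
        if: ${{ github.ref_type == 'tag' }}
        env:
          VERSION: ${{ steps.get-version.outputs.VERSION }}
        run: |
          cosign verify-blob --bundle "release/fossa_${VERSION}_linux_amd64.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "release/fossa_${VERSION}_linux_amd64.tar.gz"

      # Uploads the generated archives (tar.gz/zip) as build artifacts to allow
      # verifying them without needing to do an actual release. This step does not
      # need to run for tagged release versions.
      - name: Upload release archives
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        uses: actions/upload-artifact@v2
        with:
          name: release-archives
          path: release

      # Created as a draft, so it is not public until someone publishes it.
      - name: Release
        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
        uses: softprops/action-gh-release@v1
        with:
          files: release/*
          draft: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}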