From 6a1c5ee84fd28543c0ad72846ba8b67c6e70a26b Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Mon, 16 Dec 2024 12:37:26 -0500
Subject: [PATCH] ci: build binary artifacts for pushes/PRs

* Windows (x86_64 MSVC)
* Linux (x86_64 GNU glibc)
* Apple (MacOS 14 ARM64 and MacOS 13 x86_64)

Binary artifacts are built in release mode using stable rust, with the
default crypto provider (aws-lc-rs) and cert compression enabled.

Linux binaries are built on ubuntu-20.04 for greatest compatibility.
Users will need glibc 2.31 or greater. For now I've opted not to include
a statically linked musl build.

For FIPS, no cert-compression, the ring crypto provider, debug builds,
or other customization you will need to build from source.

Users of the `.pc` files will need to override the `prefix` to wherever
they extract the archive, or use `cargo cinstall` from src. Package
config files in an archive aren't relocatable.
---
 .github/workflows/artifacts.yaml | 129 +++++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)
 create mode 100644 .github/workflows/artifacts.yaml

diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
new file mode 100644
index 00000000..3e79b7d7
--- /dev/null
+++ b/.github/workflows/artifacts.yaml
@@ -0,0 +1,129 @@
+name: binary artifacts
+
+permissions:
+  contents: read
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  windows-binaries:
+    runs-on: windows-2022 # x86_64
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install stable Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-c
+        env:
+          LINK: https://github.com/lu-zero/cargo-c/releases/latest/download
+          CARGO_C_FILE: cargo-c-windows-msvc.zip
+        run: |
+          curl -L "$env:LINK/$env:CARGO_C_FILE" -o cargo-c-windows-msvc.zip
+          powershell -Command "Expand-Archive -Path cargo-c-windows-msvc.zip -DestinationPath $env:USERPROFILE\\.cargo\\bin -Force"
+
+      - name: Build rusts-ffi
+        run: |
+          cargo cinstall --features cert_compression --release --prefix dist --target x86_64-pc-windows-msvc
+
+      - name: Upload binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: rustls-ffi-x86_64-windows
+          path: dist
+
+  linux-binaries:
+    runs-on: ubuntu-20.04 # x86_64. Using older Ubuntu for greater GLIBC compat.
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install stable Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-c (Ubuntu)
+        env:
+          LINK: https://github.com/lu-zero/cargo-c/releases/latest/download
+          CARGO_C_FILE: cargo-c-x86_64-unknown-linux-musl.tar.gz
+        run: |
+          curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin
+
+      - name: Build rusts-ffi
+        # The Ubuntu 20.04 GCC is too old to build aws-lc.
+        # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189.
+        env:
+          CC: clang
+          CXX: clang
+        run: |
+          cargo cinstall --locked --target x86_64-unknown-linux-gnu --features cert_compression --release --prefix dist
+
+      - name: Upload binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: rustls-ffi-x86_64-linux-gnu
+          path: dist
+
+  macos-binaries-arm64:
+    runs-on: macos-14 # arm64.
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install stable Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-c (macOS)
+        env:
+          LINK: https://github.com/lu-zero/cargo-c/releases/latest/download
+          CARGO_C_FILE: cargo-c-macos.zip
+        run: |
+          curl -L $LINK/$CARGO_C_FILE -o cargo-c-macos.zip
+          unzip cargo-c-macos.zip -d ~/.cargo/bin
+
+      - name: Build rusts-ffi
+        run: |
+          cargo cinstall --features cert_compression --release --prefix dist
+
+      - name: Fix rpath
+        run: |
+          install_name_tool -id @rpath/librustls.dylib dist/lib/librustls.dylib
+
+      - name: Upload binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: rustls-ffi-arm64-macos
+          path: dist
+
+  macos-binaries-x86_64:
+    runs-on: macos-13 # x86_64.
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install stable Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-c (macOS)
+        # This is slow, but upstream doesn't publish cargo-c binaries for x86_64 macos
+        run: cargo install cargo-c
+
+      - name: Build rusts-ffi
+        run: |
+          cargo cinstall --features cert_compression --release --prefix dist
+
+      - name: Fix rpath
+        run: |
+          install_name_tool -id @rpath/librustls.dylib dist/lib/librustls.dylib
+
+      - name: Upload binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: rustls-ffi-x86_64-macos
+          path: dist