ci: make release builds agnostic of runner version #97
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: ['*'] | |
| # When making changes to this file, temporarily uncomment the next line to run the release | |
| # workflow for your pull request. This will run additional steps prefixed with `Debugging` and | |
| # attach the release artifacts to GHA workflow run Summary page, where you can download them for | |
| # inspection. | |
| # REMEMBER TO REVERT BACK THE CHANGE BEFORE LANDING YOUR PULL REQUEST! | |
| branches: ['*'] | |
| env: | |
| CARGO_INCREMENTAL: 0 | |
| CARGO_NET_RETRY: 10 | |
| RUSTUP_MAX_RETRIES: 10 | |
| MACOSX_DEPLOYMENT_TARGET: 10.9 | |
| # Emit backtraces on panics. | |
| RUST_BACKTRACE: 1 | |
| jobs: | |
| github_build: | |
| name: Build ${{ matrix.name }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| # List of platforms, this must be in sync with the list of platforms in ci.yaml | |
| - target: x86_64-unknown-linux-gnu | |
| os: ubuntu-latest | |
| name: linux-x64.tar.gz | |
| # Build using `cross` to link against an older `glibc` version that's compatible | |
| # with more Linux distros. When building on `ubuntu-latest`, we link against the | |
| # latest glibc version, and `zinniad` cannot start e.g. in `node:18` Docker image | |
| # based on Debian Bullseye distro. | |
| builder: cross | |
| - target: aarch64-unknown-linux-gnu | |
| os: ubuntu-latest | |
| name: linux-arm64.tar.gz | |
| builder: cross | |
| # Not supported by Deno yet, see | |
| # https://github.com/denoland/rusty_v8/pull/999 | |
| # https://github.com/filecoin-station/zinnia/issues/178 | |
| # - target: x86_64-unknown-linux-musl | |
| # os: ubuntu-latest | |
| # name: linux-x64-musl.tar.gz | |
| # builder: cross | |
| # Not supported by Deno yet, see | |
| # https://github.com/denoland/rusty_v8/issues/596 | |
| # https://github.com/filecoin-station/zinnia/issues/178 | |
| # - target: aarch64-unknown-linux-musl | |
| # os: ubuntu-latest | |
| # name: linux-arm64-musl.tar.gz | |
| # builder: cross | |
| - target: x86_64-apple-darwin | |
| os: macos-14 | |
| name: macos-x64.zip | |
| - target: aarch64-apple-darwin | |
| os: macos-14 | |
| name: macos-arm64.zip | |
| - target: x86_64-pc-windows-msvc | |
| os: windows-latest | |
| name: windows-x64.zip | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Setup | Apple codesign | |
| if: startsWith(matrix.os, 'macos-') | |
| env: | |
| LOCAL_KEYCHAIN_PASSWORD: ${{ secrets.LOCAL_KEYCHAIN_PASSWORD }} | |
| MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} | |
| MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }} | |
| run: | | |
| echo -n "$MACOS_CERTIFICATE" | base64 --decode -o certificate.p12 | |
| [ "$MACOS_CERTIFICATE_PASSWORD" = "" ] && echo "WARNING: Certificate passphrase is not set" | |
| echo "Inspecting the signing certificate:" | |
| openssl pkcs12 -info -in certificate.p12 -password "pass:$MACOS_CERTIFICATE_PASSWORD" -nokeys | head -7 | |
| echo "Setting up keychain for codesign" | |
| security create-keychain -p "$LOCAL_KEYCHAIN_PASSWORD" build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p "$LOCAL_KEYCHAIN_PASSWORD" build.keychain | |
| security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign | |
| security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$LOCAL_KEYCHAIN_PASSWORD" build.keychain | |
| security list-keychain -d user -s build.keychain | |
| - name: Setup | Checkout | |
| uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.20' | |
| cache: false # caching requires a go.sum file, which we don't have in our project | |
| - name: Setup | Rust | |
| uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8 # v1 | |
| with: | |
| toolchain: stable | |
| target: ${{ matrix.target }} | |
| - name: Setup | Cross | |
| if: ${{ matrix.builder == 'cross' }} | |
| run: | | |
| curl -L https://github.com/cross-rs/cross/releases/latest/download/cross-x86_64-unknown-linux-gnu.tar.gz -o /tmp/cross.tgz | |
| tar xzf /tmp/cross.tgz -C ~/.cargo/bin | |
| cross --version | |
| # When debugging this workflow, cache the build artefacts | |
| # Note that a build for one tag cannot access cache created by a build for a different tag, | |
| # therefore caching does not work for real release builds. | |
| - name: Debugging | Cache Rust deps | |
| uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 | |
| if: ${{ !startsWith(github.ref, 'refs/tags/') }} | |
| with: | |
| shared-key: release-${{ matrix.target }} | |
| cache-on-failure: true | |
| # On Windows, Lassie build script copies golassie.dll to the target directory. When | |
| # Swatinem/rust-cache loads cached data, it does not restore that DLL file. To fix the | |
| # problem, we remove the cached Lassie version to force `cargo build` to re-run the build | |
| # script, which will copy `golassie.dll`. | |
| - name: Debugging | Force rebuild of Lassie | |
| if: ${{ !startsWith(github.ref, 'refs/tags/') && startsWith(matrix.os, 'windows-') }} | |
| run: cargo clean --release --target ${{ matrix.target }} -p lassie | |
| - name: Build | Build | |
| run: ${{ matrix.builder || 'cargo' }} build --release --locked --target ${{ matrix.target }} | |
| - name: Post Build | Prepare artifacts [Windows] | |
| if: startsWith(matrix.os, 'windows-') | |
| run: | | |
| cd target/${{ matrix.target }}/release | |
| dir | |
| 7z a ../../../zinnia-${{ matrix.name }} zinnia.exe golassie.dll | |
| 7z a ../../../zinniad-${{ matrix.name }} zinniad.exe golassie.dll | |
| - name: Post Build | Prepare artifacts [Linux] | |
| if: startsWith(matrix.os, 'ubuntu-') | |
| run: | | |
| cd target/${{ matrix.target }}/release | |
| tar czvf ../../../zinnia-${{ matrix.name }} zinnia | |
| tar czvf ../../../zinniad-${{ matrix.name }} zinniad | |
| - name: Post Build | Sign the executables [macOS] | |
| if: startsWith(matrix.os, 'macos-') | |
| env: | |
| LOCAL_KEYCHAIN_PASSWORD: ${{ secrets.LOCAL_KEYCHAIN_PASSWORD }} | |
| MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} | |
| MACOS_APP_ID: io.filstation.zinnia | |
| run: | | |
| # Unlock the keychain again. Our builds take several minutes to complete, | |
| # which usually triggers a timeout that locks the keychain. | |
| security unlock-keychain -p "$LOCAL_KEYCHAIN_PASSWORD" build.keychain | |
| # Sign `zinnia` | |
| codesign --timestamp --force --verbose \ | |
| --options runtime \ | |
| --entitlements build/entitlements.mac.plist \ | |
| --sign "$MACOS_SIGNING_IDENTITY" \ | |
| --identifier "$MACOS_APP_ID" \ | |
| target/${{ matrix.target }}/release/zinnia | |
| # Sign `zinniad` | |
| codesign --timestamp --force --verbose \ | |
| --options runtime \ | |
| --entitlements build/entitlements.mac.plist \ | |
| --sign "$MACOS_SIGNING_IDENTITY" \ | |
| --identifier "$MACOS_APP_ID" \ | |
| target/${{ matrix.target }}/release/zinniad | |
| - name: Post Build | Prepare artifacts [macOS] | |
| if: startsWith(matrix.os, 'macos-') | |
| run: | | |
| cd target/${{ matrix.target }}/release | |
| zip ../../../zinnia-${{ matrix.name }} zinnia | |
| zip ../../../zinniad-${{ matrix.name }} zinniad | |
| - name: Post Build | Notarize the executables [macOS] | |
| if: startsWith(matrix.os, 'macos-') | |
| run: | | |
| xcrun notarytool submit zinnia-${{ matrix.name }} --wait \ | |
| --apple-id ${{ secrets.APPLE_ID }} \ | |
| --password ${{ secrets. APPLE_ID_PASSWORD }} \ | |
| --team-id ${{ secrets.APPLE_TEAM_ID }} | |
| xcrun notarytool submit zinniad-${{ matrix.name }} --wait \ | |
| --apple-id ${{ secrets.APPLE_ID }} \ | |
| --password ${{ secrets. APPLE_ID_PASSWORD }} \ | |
| --team-id ${{ secrets.APPLE_TEAM_ID }} | |
| - name: Release | Upload artifacts | |
| if: startsWith(github.ref, 'refs/tags/') # Don't create releases when debugging | |
| uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 | |
| with: | |
| draft: true | |
| files: "*-${{ matrix.name }}" | |
| fail_on_unmatched_files: true | |
| # When debugging this workflow, attach the artifacts to the workflow run | |
| - name: Debugging | Upload artifacts to workflow run | |
| if: ${{ !startsWith(github.ref, 'refs/tags/') }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: archives-${{ matrix.name }} | |
| path: "*-${{ matrix.name }}" | |