gitnapse/.github/workflows/release.yml at main · xscriptor/gitnapse · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      release_tag:
        description: "Existing tag to publish (for example: v1.2.3)"
        required: true
        type: string

permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  RELEASE_TAG: ${{ github.event_name == 'workflow_dispatch' && inputs.release_tag || github.ref_name }}
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  # ── Ubuntu → .deb ──────────────────────────────────────────────────────────
  build-linux-ubuntu:
    name: Build Linux (Ubuntu)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v5
      - name: Install cargo-deb
        run: cargo install cargo-deb --locked
      - name: Build
        run: cargo build --release --locked
      - name: Package (.deb)
        run: |
          VERSION="${RELEASE_TAG#v}"
          cargo deb --no-build --deb-version "${VERSION}"
          asset="gitnapse-${RELEASE_TAG}-linux-ubuntu-amd64.deb"
          cp target/debian/gitnapse_${VERSION}_amd64.deb "${asset}"
          echo "ASSET=${asset}" >> "$GITHUB_ENV"
      - name: Upload artifact
        uses: actions/upload-artifact@v5
        with:
          name: asset-linux-ubuntu
          path: ${{ env.ASSET }}
          if-no-files-found: error
          retention-days: 7

  # ── Fedora → .rpm ──────────────────────────────────────────────────────────
  build-linux-fedora:
    name: Build Linux (Fedora)
    runs-on: ubuntu-latest
    container:
      image: fedora:latest
    steps:
      - name: Install build dependencies
        run: dnf -y install curl gcc gcc-c++ make pkgconf-pkg-config openssl-devel ca-certificates git tar gzip rpm-build
      - name: Install Rust
        run: |
          curl https://sh.rustup.rs -sSf | sh -s -- -y --profile minimal
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
      - name: Checkout
        uses: actions/checkout@v5
      - name: Install cargo-generate-rpm
        run: cargo install cargo-generate-rpm --locked
      - name: Build
        run: cargo build --release --locked
      - name: Package (.rpm)
        run: |
          VERSION="${RELEASE_TAG#v}"
          cargo generate-rpm --set-metadata="version='${VERSION}'"
          asset="gitnapse-${RELEASE_TAG}-linux-fedora-x86_64.rpm"
          cp target/generate-rpm/gitnapse-${VERSION}-1.x86_64.rpm "${asset}"
          echo "ASSET=${asset}" >> "$GITHUB_ENV"
      - name: Upload artifact
        uses: actions/upload-artifact@v5
        with:
          name: asset-linux-fedora
          path: ${{ env.ASSET }}
          if-no-files-found: error
          retention-days: 7

  # ── Arch Linux → .pkg.tar.zst ──────────────────────────────────────────────
  build-linux-arch:
    name: Build Linux (Arch)
    runs-on: ubuntu-latest
    container:
      image: archlinux:latest
    steps:
      - name: Install build dependencies
        run: pacman -Syu --noconfirm --needed base-devel curl ca-certificates git openssl pkgconf fakeroot binutils
      - name: Install Rust
        run: |
          curl https://sh.rustup.rs -sSf | sh -s -- -y --profile minimal
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
      - name: Checkout
        uses: actions/checkout@v5
      - name: Build
        run: cargo build --release --locked
      - name: Package (.pkg.tar.zst)
        run: |
          VERSION="${RELEASE_TAG#v}"
          PKGDIR="gitnapse-pkg"
          mkdir -p "${PKGDIR}/usr/bin"
          cp target/release/gitnapse "${PKGDIR}/usr/bin/gitnapse"

          # Generate .PKGINFO metadata file (must not be a directory)
          BINSIZE="$(du -sb "${PKGDIR}/usr/bin/gitnapse" | cut -f1)"
          {
            echo "pkgname = gitnapse"
            echo "pkgver = ${VERSION}-1"
            echo "arch = x86_64"
            echo "size = ${BINSIZE}"
          } > "${PKGDIR}/.PKGINFO"

          asset="gitnapse-${RELEASE_TAG}-linux-arch-x86_64.pkg.tar.zst"
          bsdtar --zstd -cf "${asset}" -C "${PKGDIR}" .
          echo "ASSET=${asset}" >> "$GITHUB_ENV"
      - name: Upload artifact
        uses: actions/upload-artifact@v5
        with:
          name: asset-linux-arch
          path: ${{ env.ASSET }}
          if-no-files-found: error
          retention-days: 7

  # ── Windows → .exe ────────────────────────────────────────────────────────
  build-windows:
    name: Build Windows
    runs-on: windows-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v5
      - name: Build
        run: cargo build --release --locked
      - name: Package (.exe)
        shell: pwsh
        run: |
          $asset = "gitnapse-$env:RELEASE_TAG-windows-x86_64.exe"
          Copy-Item -Path "target/release/gitnapse.exe" -Destination $asset
          "ASSET=$asset" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
      - name: Upload artifact
        uses: actions/upload-artifact@v5
        with:
          name: asset-windows
          path: ${{ env.ASSET }}
          if-no-files-found: error
          retention-days: 7

  # ── macOS → .dmg ───────────────────────────────────────────────────────────
  build-macos:
    name: Build macOS
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v5
      - name: Build
        run: cargo build --release --locked
      - name: Package (.dmg)
        run: |
          arch="$(uname -m)"
          APP_DIR="gitnapse-dmg-staging"
          mkdir -p "${APP_DIR}"
          cp target/release/gitnapse "${APP_DIR}/gitnapse"

          asset="gitnapse-${RELEASE_TAG}-macos-${arch}.dmg"
          hdiutil create \
            -volname "gitnapse ${RELEASE_TAG}" \
            -srcfolder "${APP_DIR}" \
            -ov -format UDZO \
            "${asset}"
          echo "ASSET=${asset}" >> "$GITHUB_ENV"
      - name: Upload artifact
        uses: actions/upload-artifact@v5
        with:
          name: asset-macos
          path: ${{ env.ASSET }}
          if-no-files-found: error
          retention-days: 7

  # ── Publish ────────────────────────────────────────────────────────────────
  publish-release:
    name: Publish GitHub Release
    runs-on: ubuntu-latest
    needs:
      - build-linux-ubuntu
      - build-linux-fedora
      - build-linux-arch
      - build-windows
      - build-macos
    permissions:
      contents: write
      id-token: write
    steps:
      - name: Checkout repository metadata
        uses: actions/checkout@v6
      - name: Download build artifacts
        uses: actions/download-artifact@v5
        with:
          pattern: asset-*
          path: dist
          merge-multiple: true
      - name: Generate GitHub App token
        id: app_token
        uses: actions/create-github-app-token@v3
        continue-on-error: true
        with:
          app-id: ${{ secrets.RELEASE_GH_APP_ID }}
          private-key: ${{ secrets.RELEASE_GH_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
      - name: Show assets
        run: ls -lah dist
      - name: Install cosign
        uses: sigstore/cosign-installer@v3
      - name: Sign assets (keyless)
        run: |
          for file in dist/*; do
            cosign sign-blob --yes "$file" \
              --output-signature "${file}.sig" \
              --output-certificate "${file}.pem"
          done
      - name: Create or update release
        env:
          GH_REPO: ${{ github.repository }}
          GH_APP_TOKEN: ${{ steps.app_token.outputs.token }}
          GH_WORKFLOW_TOKEN: ${{ github.token }}
        run: |
          publish_with_token() {
            local token="$1"
            GH_TOKEN="${token}" gh release view "${RELEASE_TAG}" --repo "${GH_REPO}" >/dev/null 2>&1 || \
            GH_TOKEN="${token}" gh release create "${RELEASE_TAG}" --repo "${GH_REPO}" --title "${RELEASE_TAG}" --generate-notes
            GH_TOKEN="${token}" gh release upload "${RELEASE_TAG}" dist/* --repo "${GH_REPO}" --clobber
          }

          # Prefer GitHub App token, but always fallback to workflow GITHUB_TOKEN if publish fails.
          if [ -n "${GH_APP_TOKEN}" ]; then
            echo "Publishing release using: GitHub App"
            if publish_with_token "${GH_APP_TOKEN}"; then
              exit 0
            fi
            echo "GitHub App token failed to publish release. Retrying with workflow GITHUB_TOKEN..."
          fi

          if [ -z "${GH_WORKFLOW_TOKEN}" ]; then
            echo "Workflow GITHUB_TOKEN is empty. Cannot publish release."
            exit 1
          fi

          echo "Publishing release using: Workflow GITHUB_TOKEN"
          publish_with_token "${GH_WORKFLOW_TOKEN}"