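# Release workflow: build the executables and the source distribution once,
# generate SLSA provenance for both, then attach everything to the GitHub
# release. Every third-party action is pinned to a full commit SHA.
name: Release

# NOTE: generic YAML 1.1 parsers read the key `on` as a boolean; GitHub's
# loader handles it, so it stays unquoted here.
on:
  workflow_dispatch:
  release:
    types: [created]

# Start the GITHUB_TOKEN with no scopes at all; each job below adds only the
# scopes it actually needs.
permissions: {}

jobs:
  build:
    if: github.repository == 'mihaimaruseac/book-of-marks' # Don't do this in forks
    runs-on: ubuntu-latest
    # Keep these in sync with a subset of Cabal-based CI matrix. This way, we
    # are not building a new cache here, just reusing an existing one.
    env:
      os: ubuntu-latest
      # Quoted so that no YAML parser can ever read the version as a number;
      # the expanded value is unchanged.
      ghc: "9.6.3"
    outputs:
      hash_sdist: ${{ steps.hash_sdist.outputs.hash_sdist }}
      hash_execs: ${{ steps.hash_execs.outputs.hash_execs }}
    steps:
      - name: Checkout code
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          # The token is not needed after checkout; do not leave it in .git/config.
          persist-credentials: false
      - name: Setup Haskell Compiler (cabal)
        id: setup-haskell
        uses: haskell-actions/setup@9933312ae77442f1fc8a613c182206d0e45ea0e8 # v2.5.0
        with:
          ghc-version: ${{ env.ghc }}
      - name: Cache dist-newstyle
        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: dist-newstyle
          key: dist-newstyle-${{ env.os }}-${{ env.ghc }}-${{ hashFiles('**/*.cabal') }}-${{ hashFiles('src*') }}
          restore-keys: |
            dist-newstyle-${{ env.os }}-${{ env.ghc }}-${{ hashFiles('**/*.cabal') }}-
            dist-newstyle-${{ env.os }}-${{ env.ghc }}-
      - name: Cache ~/.cabal/store
        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          path: ${{ steps.setup-haskell.outputs.cabal-store }}
          key: cabal-store-${{ env.os }}-${{ env.ghc }}-${{ hashFiles('**/*.cabal') }}
          restore-keys: cabal-store-${{ env.os }}-${{ env.ghc }}-
      - name: Build executables
        run: cabal build all:exes
      - name: Generate source distribution
        run: cabal sdist --output .
      - name: Generate documentation
        run: cabal haddock --haddock-for-hackage --enable-doc --builddir=.
      # The provenance generator expects a base64-encoded `sha256sum` listing
      # of the subjects; that is what both hash_* steps produce.
      - name: Generate subject for provenance of source distribution
        id: hash_sdist
        run: |
          set -euo pipefail
          echo "hash_sdist=$(sha256sum bookmarks-*.tar.gz | base64 -w0)" >> "${GITHUB_OUTPUT}"
      # When uploading we pick a fixed name since we don't yet have access to
      # the version string in the tarball. This can be fixed with some
      # scripting if needed, but it works for our use cases as it is.
      # TODO(mihaimaruseac): Maybe fix to upload the path as needed
      - name: Upload sdist as an artifact for later jobs in workflow
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          path: bookmarks-*.tar.gz
          name: sdist.zip # When downloading it is a zip containing the sdist tarball
          if-no-files-found: error
          retention-days: 1
      - name: Copy all executables to root directory for ease of release
        run: mkdir .execs && cp $(cabal list-bin all:exes) .execs
      # TODO(mihaimaruseac): Strip executables
      - name: Generate subject for provenance of executables
        id: hash_execs
        run: |
          set -euo pipefail
          echo "hash_execs=$(sha256sum .execs/* | base64 -w0)" >> "${GITHUB_OUTPUT}"
      # When uploading executables we push them all to the same archive and
      # later the action that downloads it automatically unpacks it. So, in
      # effect this allows us to be transparent on what the executables we
      # generate.
      # However, on the CI run this will result in an artifact (short lived!)
      # that has all of the executables in it. If we want to upload each
      # executable by itself, maybe we can use automatic matrix generation[1]
      # for this.
      # [1]: https://frontside.com/blog/2022-12-12-dynamic-github-action-jobs/
      # TODO(mihaimaruseac): Maybe use automatic matrix generation here
      - name: Upload executables as an artifact for later jobs in workflow
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          path: .execs/
          name: executables.zip # When downloading it is a zip with all executables
          if-no-files-found: error
          retention-days: 1

  # Both provenance jobs call the reusable SLSA generator; `id-token: write` is
  # what lets it sign, `contents: write` is what lets it attach the
  # provenance to the release (`upload-assets: true`).
  provenance-sdist:
    needs: [build]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      base64-subjects: "${{ needs.build.outputs.hash_sdist }}"
      upload-assets: true
      provenance-name: source-distribution.intoto.jsonl

  provenance-execs:
    needs: [build]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      base64-subjects: "${{ needs.build.outputs.hash_execs }}"
      upload-assets: true
      provenance-name: executables.intoto.jsonl

  release:
    needs: [build, provenance-sdist, provenance-execs]
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    # With the workflow-level `permissions: {}`, a job that declares no
    # permissions gets a token with no scopes; attaching files to the release
    # needs `contents: write`, so request exactly that and nothing more.
    permissions:
      contents: write
    steps:
      # No checkout here on purpose: the working directory holds only the two
      # downloaded artifacts, so `./*` below cannot pick up anything else.
      - name: Download executables artifact
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: executables.zip
      - name: Download sdist artifact
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: sdist.zip
      - name: Upload assets
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          files: ./*
      # TODO(mihaimaruseac): Upload haddock and build report to Hackage
      # Not doing this now because we don't want to store user/pass in GitHub
      # secrets and there is no OIDC way to upload.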