v0.2.1 #10

Workflow file for this run

.github/workflows/release.yml at 466294d

	name: Release

	on:
	release:
	types:
	- published

	permissions:
	contents: read

	jobs:
	build:
	name: Build and sign artifacts
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}
	built-gems: ${{ steps.list-gems.outputs.gems }}
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false

	- uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
	with:
	# NOTE: We intentionally don't use a cache in the release step,
	# to reduce the risk of cache poisoning.
	ruby-version: "3.3"
	bundler-cache: false

	- name: deps
	run: bundle install --jobs 4 --retry 3

	- name: Set source date epoch
	run: \|
	# Set SOURCE_DATE_EPOCH to the commit date of the last commit.
	export SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
	echo "SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH" >> $GITHUB_ENV

	- name: build
	run: bin/rake build

	- name: List built gems
	id: list-gems
	run: \|
	echo "gems=$(find pkg -type f -name '*.gem' -print0 \| xargs -0 jq --compact-output --null-input --args '[$ARGS.positional[]]')" >> $GITHUB_OUTPUT

	- name: Check release and tag name match built version
	run: \|
	for gem in ${BUILT_GEMS}; do
	gemspec_version=$(gem spec ${gem} version \| ruby -ryaml -e 'puts YAML.safe_load(ARGF.read, permitted_classes: [Gem::Version])')
	if [ "${RELEASE_TAG_NAME}" != "v${gemspec_version}" ]; then
	echo "Release tag name '${RELEASE_TAG_NAME}' does not match gemspec version 'v${gemspec_version}'"
	exit 1
	fi
	done
	env:
	RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
	BUILT_GEMS: ${{ join(fromJson(steps.list-gems.outputs.gems), ' ') }}

	- name: sign
	run: \|
	./bin/smoketest ${BUILT_GEMS}
	env:
	BUILT_GEMS: ${{ join(fromJson(steps.list-gems.outputs.gems), ' ') }}

	- name: Generate hashes for provenance
	shell: bash
	id: hash
	working-directory: pkg
	run: \|
	# sha256sum generates sha256 hash for all artifacts.
	# base64 -w0 encodes to base64 and outputs on a single line.
	# sha256sum artifact1 artifact2 ... \| base64 -w0
	echo "hashes=$(sha256sum * \| base64 -w0)" >> $GITHUB_OUTPUT

	- name: Save hashes
	run: echo "$HASHES" \| base64 -d > pkg/sha256sum.txt
	env:
	HASHES: ${{ steps.hash.outputs.hashes }}

	- name: Upload built packages
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: built-packages
	path: ./pkg/
	if-no-files-found: warn

	- name: Upload smoketest-artifacts
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: smoketest-artifacts
	path: smoketest-artifacts/
	if-no-files-found: warn

	generate-provenance:
	needs: [build]
	name: Generate build provenance
	permissions:
	actions: read # To read the workflow path.
	id-token: write # To sign the provenance.
	contents: write # To add assets to a release.
	# Currently this action needs to be referred by tag. More details at:
	# https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance
	uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
	with:
	provenance-name: provenance-sigstore-${{ github.event.release.tag_name }}.intoto.jsonl
	base64-subjects: "${{ needs.build.outputs.hashes }}"
	upload-assets: true

	release-rubygems:
	needs: [build, generate-provenance]
	runs-on: ubuntu-latest
	permissions:
	# Used to authenticate to RubyGems.org via OIDC.
	id-token: write
	strategy:
	matrix:
	built-gem: ${{ fromJson(needs.build.outputs.built-gems) }}
	concurrency:
	group: release-rubygems
	name: Publish ${{ matrix.built-gem }} to RubyGems
	steps:
	- name: Download artifacts directories # goes to current working directory
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

	- name: Set up Ruby
	uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
	with:
	ruby-version: "3.3"
	bundler-cache: false

	- name: Clone rubygems HEAD
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	repository: rubygems/rubygems
	persist-credentials: false
	fetch-depth: 0
	ref: a5412d9a0e358893e20ac69a4c6c0c2bac59d888
	path: rubygems

	- name: Install rubygems HEAD
	run: ruby setup.rb
	working-directory: rubygems

	- name: Configure RubyGems credentials
	uses: rubygems/configure-rubygems-credentials@a2b9242bc411d79356771fc9b9ddebcc3cd1b5dd # main
	with:
	trusted-publisher: true

	- name: publish
	run: \|
	gem push "built-packages/$(basename $BUILT_GEM)" --attestation "smoketest-artifacts/$(basename $BUILT_GEM).sigstore.json"
	env:
	BUILT_GEM: ${{ matrix.built-gem }}

	release-github:
	needs: [build, generate-provenance]
	runs-on: ubuntu-latest
	permissions:
	# Needed to upload release assets.
	contents: write
	steps:
	- name: Download artifacts directories # goes to current working directory
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

	- name: Upload artifacts to github
	# Confusingly, this action also supports updating releases, not
	# just creating them. This is what we want here, since we've manually
	# created the release that triggered the action.
	uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
	with:
	# smoketest-artifacts/ contains the signatures and certificates.
	files: \|
	built-packages/*
	smoketest-artifacts/*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v0.2.1 #10

Workflow file

v0.2.1 #10

Jobs

Run details

Workflow file for this run