fed1997f62
- Add sigstore/cosign keyless signing to the release workflow
- Each artifact gets a detached .sig signature and .pem certificate
- Uses GitHub Actions OIDC for keyless signing (no secret management)
- Adds id-token: write permission for OIDC token generation
- Signatures and certificates are uploaded alongside binaries
Users can verify artifacts with:
cosign verify-blob --certificate <file>.pem --signature <file>.sig \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity-regexp="github.com/zeroclaw-labs/zeroclaw" \
<file>
Closes #365
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
108 lines
3.1 KiB
YAML
108 lines
3.1 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
tags: ["v*"]
|
|
|
|
permissions:
|
|
contents: write
|
|
id-token: write # Required for cosign keyless signing via OIDC
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
|
|
jobs:
|
|
build-release:
|
|
name: Build ${{ matrix.target }}
|
|
runs-on: ${{ matrix.os }}
|
|
timeout-minutes: 40
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- os: ubuntu-latest
|
|
target: x86_64-unknown-linux-gnu
|
|
artifact: zeroclaw
|
|
- os: macos-latest
|
|
target: x86_64-apple-darwin
|
|
artifact: zeroclaw
|
|
- os: macos-latest
|
|
target: aarch64-apple-darwin
|
|
artifact: zeroclaw
|
|
- os: windows-latest
|
|
target: x86_64-pc-windows-msvc
|
|
artifact: zeroclaw.exe
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: dtolnay/rust-toolchain@stable
|
|
with:
|
|
targets: ${{ matrix.target }}
|
|
|
|
- uses: Swatinem/rust-cache@v2
|
|
|
|
- name: Build release
|
|
run: cargo build --release --locked --target ${{ matrix.target }}
|
|
|
|
- name: Check binary size (Unix)
|
|
if: runner.os != 'Windows'
|
|
run: |
|
|
SIZE=$(stat -f%z target/${{ matrix.target }}/release/${{ matrix.artifact }} 2>/dev/null || stat -c%s target/${{ matrix.target }}/release/${{ matrix.artifact }})
|
|
echo "Binary size: $((SIZE / 1024 / 1024))MB ($SIZE bytes)"
|
|
if [ "$SIZE" -gt 5242880 ]; then
|
|
echo "::warning::Binary exceeds 5MB target"
|
|
fi
|
|
|
|
- name: Package (Unix)
|
|
if: runner.os != 'Windows'
|
|
run: |
|
|
cd target/${{ matrix.target }}/release
|
|
tar czf ../../../zeroclaw-${{ matrix.target }}.tar.gz ${{ matrix.artifact }}
|
|
|
|
- name: Package (Windows)
|
|
if: runner.os == 'Windows'
|
|
run: |
|
|
cd target/${{ matrix.target }}/release
|
|
7z a ../../../zeroclaw-${{ matrix.target }}.zip ${{ matrix.artifact }}
|
|
|
|
- name: Upload artifact
|
|
uses: actions/upload-artifact@v6
|
|
with:
|
|
name: zeroclaw-${{ matrix.target }}
|
|
path: zeroclaw-${{ matrix.target }}.*
|
|
|
|
publish:
|
|
name: Publish Release
|
|
needs: build-release
|
|
runs-on: [self-hosted, Linux, X64, lxc-ci]
|
|
timeout-minutes: 15
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Download all artifacts
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
path: artifacts
|
|
|
|
- name: Install cosign
|
|
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
|
|
|
|
- name: Sign artifacts with cosign (keyless)
|
|
run: |
|
|
for file in artifacts/**/*; do
|
|
[ -f "$file" ] || continue
|
|
cosign sign-blob --yes \
|
|
--oidc-issuer=https://token.actions.githubusercontent.com \
|
|
--output-signature="${file}.sig" \
|
|
--output-certificate="${file}.pem" \
|
|
"$file"
|
|
done
|
|
|
|
- name: Create GitHub Release
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
generate_release_notes: true
|
|
files: artifacts/**/*
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|