73763f9864
* chore(workflows): complete migration to Blacksmith cloud runners Migrate remaining workflows from self-hosted axecap runners to Blacksmith: - docker.yml: publish job - release.yml: publish job - security.yml: audit and deny jobs (conditional on push events) This completes the transition away from self-hosted infrastructure. Axecap runner registrations (IDs 21, 22) have been removed. All workflows now use blacksmith-2vcpu-ubuntu-2404 label for consistency. * Merge branch 'main' into selfhost-blacksmith
117 lines
4.3 KiB
YAML
117 lines
4.3 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
tags: ["v*"]
|
|
|
|
permissions:
|
|
contents: write
|
|
id-token: write # Required for cosign keyless signing via OIDC
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
|
|
jobs:
|
|
build-release:
|
|
name: Build ${{ matrix.target }}
|
|
runs-on: ${{ matrix.os }}
|
|
timeout-minutes: 40
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- os: ubuntu-latest
|
|
target: blacksmith-2vcpu-ubuntu-2404
|
|
artifact: zeroclaw
|
|
- os: macos-latest
|
|
target: x86_64-apple-darwin
|
|
artifact: zeroclaw
|
|
- os: macos-latest
|
|
target: aarch64-apple-darwin
|
|
artifact: zeroclaw
|
|
- os: windows-latest
|
|
target: x86_64-pc-windows-msvc
|
|
artifact: zeroclaw.exe
|
|
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
|
|
- uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
|
|
with:
|
|
targets: ${{ matrix.target }}
|
|
|
|
- uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
|
|
|
|
- name: Build release
|
|
run: cargo build --release --locked --target ${{ matrix.target }}
|
|
|
|
- name: Check binary size (Unix)
|
|
if: runner.os != 'Windows'
|
|
run: |
|
|
SIZE=$(stat -f%z target/${{ matrix.target }}/release/${{ matrix.artifact }} 2>/dev/null || stat -c%s target/${{ matrix.target }}/release/${{ matrix.artifact }})
|
|
echo "Binary size: $((SIZE / 1024 / 1024))MB ($SIZE bytes)"
|
|
if [ "$SIZE" -gt 5242880 ]; then
|
|
echo "::warning::Binary exceeds 5MB target"
|
|
fi
|
|
|
|
- name: Package (Unix)
|
|
if: runner.os != 'Windows'
|
|
run: |
|
|
cd target/${{ matrix.target }}/release
|
|
tar czf ../../../zeroclaw-${{ matrix.target }}.tar.gz ${{ matrix.artifact }}
|
|
|
|
- name: Package (Windows)
|
|
if: runner.os == 'Windows'
|
|
run: |
|
|
cd target/${{ matrix.target }}/release
|
|
7z a ../../../zeroclaw-${{ matrix.target }}.zip ${{ matrix.artifact }}
|
|
|
|
- name: Upload artifact
|
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
|
|
with:
|
|
name: zeroclaw-${{ matrix.target }}
|
|
path: zeroclaw-${{ matrix.target }}.*
|
|
|
|
publish:
|
|
name: Publish Release
|
|
needs: build-release
|
|
runs-on: blacksmith-2vcpu-ubuntu-2404
|
|
timeout-minutes: 15
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
|
|
- name: Download all artifacts
|
|
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
|
|
with:
|
|
path: artifacts
|
|
|
|
- name: Generate SHA256 checksums
|
|
run: |
|
|
cd artifacts
|
|
find . -type f \( -name '*.tar.gz' -o -name '*.zip' \) -exec sha256sum {} + | sed 's| \./[^/]*/| |' > SHA256SUMS
|
|
echo "Generated checksums:"
|
|
cat SHA256SUMS
|
|
|
|
- name: Install cosign
|
|
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
|
|
|
|
- name: Sign artifacts with cosign (keyless)
|
|
run: |
|
|
for file in artifacts/**/*; do
|
|
[ -f "$file" ] || continue
|
|
cosign sign-blob --yes \
|
|
--oidc-issuer=https://token.actions.githubusercontent.com \
|
|
--output-signature="${file}.sig" \
|
|
--output-certificate="${file}.pem" \
|
|
"$file"
|
|
done
|
|
|
|
- name: Create GitHub Release
|
|
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
|
|
with:
|
|
generate_release_notes: true
|
|
files: |
|
|
artifacts/**/*
|
|
artifacts/SHA256SUMS
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|