Add attestation with sbom #31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Rust builds | |
| on: | |
| push: | |
| branches: [main] | |
| tags: | |
| - v* | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: write | |
| id-token: write | |
| attestations: write | |
| actions: read | |
| jobs: | |
| create-release: | |
| needs: | |
| - build | |
| - nixbuild | |
| runs-on: ubuntu-latest | |
| if: github.ref_type == 'tag' | |
| steps: | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: artifacts | |
| - name: Rename and move artifacts | |
| run: | | |
| for dir in artifacts/*/ | |
| do | |
| dir=${dir%*/} # remove the trailing "/" | |
| for file in $dir/* | |
| do | |
| file=${file##*/} # remove the path before the filename | |
| base=${file%.*} # remove the extension | |
| ext=${file#"$base"} # remove the filename before the extension | |
| echo "moving ${dir}/${file} to artifacts/${file%%.*}-${dir##*/}${ext}" | |
| mv "${dir}/${file}" "artifacts/${file%%.*}-${dir##*/}${ext}" | |
| done | |
| rm -r "${dir}" | |
| done | |
| - name: release | |
| uses: ncipollo/release-action@v1 | |
| id: create_release | |
| with: | |
| generateReleaseNotes: true | |
| artifacts: "artifacts/*" | |
| nixbuild: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: cachix/install-nix-action@v25 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-23.05 | |
| - uses: DeterminateSystems/magic-nix-cache-action@v3 | |
| - run: nix-build | |
| - run: nix-shell --run "echo OK" | |
| build: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| rust: [stable] | |
| target: [x86_64-unknown-linux-gnu, x86_64-pc-windows-msvc, i686-pc-windows-msvc, x86_64-apple-darwin, aarch64-apple-darwin] #x86_64-unknown-linux-musl, | |
| package: ["time", "timer", "counter"] | |
| include: | |
| - os: ubuntu-latest | |
| target: x86_64-unknown-linux-gnu | |
| name: linux_64-bit | |
| #- os: ubuntu-latest | |
| # target: x86_64-unknown-linux-musl | |
| - os: windows-latest | |
| target: x86_64-pc-windows-msvc | |
| name: windows_64-bit | |
| - os: windows-latest | |
| target: i686-pc-windows-msvc | |
| name: windows_32-bit | |
| - os: macos-latest | |
| target: x86_64-apple-darwin | |
| name: macos_64-bit | |
| - os: macos-latest | |
| target: aarch64-apple-darwin | |
| name: macos_aarch64 | |
| fail-fast: false | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install Rust | |
| uses: moonrepo/setup-rust@v1 | |
| with: | |
| cache-target: release | |
| targets: ${{ matrix.target }} | |
| - name: Linux Specific libs install | |
| if: matrix.os == 'ubuntu-latest' | |
| uses: awalsh128/cache-apt-pkgs-action@v1 | |
| with: | |
| packages: librust-atk-dev libglib2.0-dev libgtk-3-dev | |
| execute_install_scripts: true | |
| - name: Configure sccache env var and set build profile to ephemeral build | |
| run: | | |
| echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV | |
| echo "SCCACHE_GHA_ENABLED=true" >> $GITHUB_ENV | |
| - name: Run sccache-cache | |
| uses: mozilla-actions/[email protected] | |
| - name: Run build | |
| run: cargo build --target ${{ matrix.target }} --release --package ${{ matrix.package }} --bin ${{ matrix.package }} | |
| - uses: anchore/sbom-action@v0 | |
| with: | |
| artifact-name: "${{ matrix.package }}-${{ matrix.name }}-sbom.spdx.json" | |
| output-file: "${{ matrix.package }}-${{ matrix.name }}-sbom.spdx.json" | |
| - uses: actions/attest-sbom@v1 | |
| with: | |
| subject-path: | | |
| target/${{ matrix.target }}/release/${{ matrix.package }} | |
| target/${{ matrix.target }}/release/${{ matrix.package }}.exe | |
| !target/${{ matrix.target }}/release/deps | |
| !target/${{ matrix.target }}/release/build | |
| !target/${{ matrix.target }}/release/.fingerprint | |
| !target/${{ matrix.target }}/release/examples | |
| !target/${{ matrix.target }}/release/incremental | |
| !target/${{ matrix.target }}/release/.cargo-lock | |
| !target/${{ matrix.target }}/release/*.d | |
| !target/${{ matrix.target }}/release/*.pdb | |
| subject-name: "${{ matrix.package }}-${{ matrix.name }}" | |
| sbom-path: "${{ matrix.package }}-${{ matrix.name }}-sbom.spdx.json" | |
| push-to-registry: false | |
| - name: Upload build artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: "${{ matrix.package }}-${{ matrix.name }}" | |
| path: | | |
| target/${{ matrix.target }}/release/${{ matrix.package }}* | |
| !target/${{ matrix.target }}/release/deps | |
| !target/${{ matrix.target }}/release/build | |
| !target/${{ matrix.target }}/release/.fingerprint | |
| !target/${{ matrix.target }}/release/examples | |
| !target/${{ matrix.target }}/release/incremental | |
| !target/${{ matrix.target }}/release/.cargo-lock | |
| !target/${{ matrix.target }}/release/*.d | |
| !target/${{ matrix.target }}/release/*.pdb |