Skip to content
ci

Update CI contents permission to write; add SBOM note to README #17

Sign in to view logs

Update CI contents permission to write; add SBOM note to README

Update CI contents permission to write; add SBOM note to README #17

Workflow file for this run

.github/workflows/ci.yaml at 910285d
name: ci
# Only build and release when a tag is pushed with a version number like 1.2.3
on:
push:
tags:
- '[0-9].[0-9].[0-9]'
jobs:
build:
name: build and release
# https://github.com/actions/runner-images
runs-on: ubuntu-24.04
# Required for attestation and release
permissions:
id-token: write # attestation requires `write`
contents: write # release requires `write`, attestation requires at least `read`
attestations: write # attestation requires `write`
steps:
# Clone repository
- name: Checkout
# https://github.com/actions/checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
# Overwrite the placeholder version number in Cargo.toml with the commit tag
- name: Set version
run: |
sed -i "/^version /s/=.*$/= \"${GITHUB_REF_NAME}\"/" Cargo.toml
# Build for AMD64
- name: Standard x86 build (x86_64/amd64)
# https://github.com/uraimo/run-on-arch-action
uses: uraimo/run-on-arch-action@v2
with:
# Use a container with glibc 2.17
base_image: quay.io/pypa/manylinux2014_x86_64
# Mount the working directory as /libnss_shim in the container, and run commands there
dockerRunArgs: |
--volume "${PWD}:/libnss_shim"
-w "/libnss_shim"
# Speeds up builds, intermediate containers are cached publicly
githubToken: ${{ github.token }}
# Preinstall dependencies to be cached in the container for reuse
install: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
. "$HOME/.cargo/env"
cargo install --version 2.2.0 cargo-deb
cargo install --version 0.14.0 cargo-generate-rpm
run: |
. "$HOME/.cargo/env"
bash build.sh --install_rust=false --install_cargo_deps=false
- uses: uraimo/run-on-arch-action@v2
# Build for arm64/aarch64 by emulating in QEMU
name: QEMU ARM build (arm64/aarch64)
with:
# https://github.com/pypa/manylinux
base_image: quay.io/pypa/manylinux2014_aarch64
dockerRunArgs: |
--volume "${PWD}:/libnss_shim"
-w "/libnss_shim"
githubToken: ${{ github.token }}
install: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
. "$HOME/.cargo/env"
cargo install --version 2.2.0 cargo-deb
cargo install --version 0.14.0 cargo-generate-rpm
run: |
. "$HOME/.cargo/env"
bash build.sh --install_rust=false --install_cargo_deps=false
# Generate artifact attestations to establish provenance for builds
- name: Generate binary attestation
# https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
uses: actions/attest-build-provenance@v1
with:
subject-path: |
target/debian/*_amd64.deb
target/debian/*_arm64.deb
target/generate-rpm/*.x86_64.rpm
target/generate-rpm/*.aarch64.rpm
- name: Generate SBOM
# https://github.com/marketplace/actions/anchore-sbom-action
uses: anchore/sbom-action@v0
with:
output-file: '${{ github.workspace }}/sbom.spdx.json'
artifact-name: sbom.spdx.json
- name: Generate SBOM attestation for deb packages
# https://github.com/actions/attest-sbom
uses: actions/attest-sbom@v1
with:
subject-path: 'target/debian/*.deb'
sbom-path: '${{ github.workspace }}/sbom.spdx.json'
- name: Generate SBOM attestation for RPM packages
uses: actions/attest-sbom@v1
with:
subject-path: 'target/generate-rpm/*.rpm'
sbom-path: '${{ github.workspace }}/sbom.spdx.json'
# Publish GitHub release
- name: Release
# https://github.com/softprops/action-gh-release
uses: softprops/action-gh-release@v2
# Presumably redundant due to the `on: push: tags:` filter, but kept for safety
if: startsWith(github.ref, 'refs/tags/')
with:
# Add the release notes from the changelog file
body_path: ${{github.workspace}}/changelog/CHANGELOG.txt
fail_on_unmatched_files: true
files: |
target/debian/*_amd64.deb
target/debian/*_arm64.deb
target/generate-rpm/*.x86_64.rpm
target/generate-rpm/*.aarch64.rpm