coffee/fmt
1
0
Fork 0
mirror of https://github.com/fmtlib/fmt.git synced 2026-06-15 00:16:15 +08:00
Code Issues Packages Projects Releases Wiki Activity
fmt/.github/workflows/release.yml
Victor Zverovich 11ddbcb789 Build docs in the release workflow so the source zip includes doc-html 
The source-zip build moved to CI, which configured out-of-source and never
ran the doc target, so the pre-rendered HTML docs (doc-html/) silently
dropped out of the package. Install the doc toolchain, build the docs, and
stage them into the source tree before package_source so CPack picks them up.
2026-06-12 17:01:05 +02:00

144 lines
5.7 KiB
YAML
Raw Blame History

# Builds the release source package in CI for a draft release (typically
# created via support/release.py), uploads the zip to that release, and
# attaches a SLSA v1.0 provenance attestation generated by the OpenSSF
# slsa-github-generator. The maintainer reviews the draft (which by then has
# both the zip and *.intoto.jsonl attached) and clicks Publish to finalize.
#
# The source package includes the pre-rendered HTML documentation (doc-html/),
# so this workflow builds the docs and stages them into the source tree before
# running CPack's package_source target.
#
# This makes the provenance attest to the actual build that produced the
# artifact, rather than just attesting to a hash observed after the fact.
#
# GitHub does not fire `release: created` for draft releases, so release.py
# triggers this workflow explicitly via workflow_dispatch, passing the tag to
# attach to and the ref to build from. The `release: created` trigger is kept
# for non-draft releases created directly through the GitHub UI.
name: release
on:
release:
types: [created]
workflow_dispatch:
inputs:
tag_name:
description: "Release tag to attach the artifacts to (e.g. 12.2.0)"
required: true
type: string
ref:
description: "Git ref to build the source package from"
required: false
default: release
type: string
permissions: read-all
jobs:
build:
name: Build source package
runs-on: ubuntu-latest
permissions:
contents: write
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
package: ${{ steps.build.outputs.package }}
tag: ${{ steps.vars.outputs.tag }}
steps:
- name: Resolve tag and ref for both event types
id: vars
run: |
echo "tag=${{ github.event.release.tag_name || inputs.tag_name }}" >> "$GITHUB_OUTPUT"
echo "ref=${{ github.event.release.target_commitish || inputs.ref }}" >> "$GITHUB_OUTPUT"
- name: Checkout the release ref
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
ref: ${{ steps.vars.outputs.ref }}
persist-credentials: false
- name: Install the documentation toolchain
# The source zip ships the pre-rendered HTML docs (doc-html/), so the
# docs must be built before packaging. doxygen feeds the API reference;
# mkdocs plus the pinned, hash-verified deps render the site. The venv
# lives outside the checkout so it is not swept into the source zip, and
# is added to PATH so CMake's find_program(MKDOCS) and the doxygen call
# in the mkdocstrings handler both resolve in later steps.
run: |
sudo apt-get update
sudo apt-get install -y doxygen
python3 -m venv "$RUNNER_TEMP/doc-venv"
"$RUNNER_TEMP/doc-venv/bin/pip" install --quiet --upgrade pip
"$RUNNER_TEMP/doc-venv/bin/pip" install --quiet --require-hashes \
-r support/doc-requirements.txt
echo "$RUNNER_TEMP/doc-venv/bin" >> "$GITHUB_PATH"
- name: Build source zip via CPack
id: build
# Configure first so the doc target picks up doxygen/mkdocs, build the
# docs, then stage the generated site into the source tree so the CPack
# source package (which packages the source dir) includes doc-html/.
run: |
cmake -B build .
cmake --build build --target doc
cp -r build/doc-html doc-html
cmake --build build --target package_source
pkg=$(ls build/fmt-*.zip)
test -f "$pkg"
echo "package=$pkg" >> "$GITHUB_OUTPUT"
- name: Compute base64-encoded SHA-256 subjects
id: hash
run: |
file="${{ steps.build.outputs.package }}"
subjects=$(cd "$(dirname "$file")" && sha256sum "$(basename "$file")")
echo "hashes=$(printf '%s' "$subjects" | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload zip to the release
env:
GH_TOKEN: ${{ github.token }}
run: |
gh release upload "${{ steps.vars.outputs.tag }}" \
"${{ steps.build.outputs.package }}" \
--repo "${{ github.repository }}" --clobber
# Generate the provenance only; do not let the generator upload it. With
# upload-assets, the generator creates and publishes its own release (and
# tag) to host the attestation, which duplicates our draft. Instead we
# download the attestation artifact and attach it to the draft below.
provenance:
needs: [build]
permissions:
actions: read
id-token: write
# contents: write is required because the generator's (skipped)
# upload-assets job declares it, and a reusable workflow's job
# permissions may not exceed the caller's, or the run fails at startup.
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
with:
base64-subjects: ${{ needs.build.outputs.hashes }}
provenance-name: "fmt-${{ needs.build.outputs.tag }}.intoto.jsonl"
upload-assets: false
attach-provenance:
name: Attach provenance to the release
needs: [build, provenance]
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Download the provenance attestation
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ needs.provenance.outputs.provenance-name }}
- name: Attach provenance to the draft release
env:
GH_TOKEN: ${{ github.token }}
run: |
gh release upload "${{ needs.build.outputs.tag }}" \
"${{ needs.provenance.outputs.provenance-name }}" \
--repo "${{ github.repository }}" --clobber
Reference in New Issue View Git Blame Copy Permalink