mirror of
https://github.com/fmtlib/fmt.git
synced 2026-06-15 08:26:13 +08:00
6f35d8d1a8
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](1af3b93b68...df4cb1c069)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
70 lines
2.3 KiB
YAML
70 lines
2.3 KiB
YAML
# Builds the release source package in CI when a draft release is created
|
|
# (typically via support/release.py), uploads the zip to that release, and
|
|
# attaches a SLSA v1.0 provenance attestation generated by the OpenSSF
|
|
# slsa-github-generator. The maintainer reviews the draft (which by then has
|
|
# both the zip and *.intoto.jsonl attached) and clicks Publish to finalize.
|
|
#
|
|
# This makes the provenance attest to the actual build that produced the
|
|
# artifact, rather than just attesting to a hash observed after the fact.
|
|
|
|
name: release
|
|
|
|
on:
|
|
release:
|
|
types: [created]
|
|
|
|
permissions: read-all
|
|
|
|
jobs:
|
|
build:
|
|
name: Build source package
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: write
|
|
outputs:
|
|
hashes: ${{ steps.hash.outputs.hashes }}
|
|
package: ${{ steps.build.outputs.package }}
|
|
steps:
|
|
- name: Checkout the release ref
|
|
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
with:
|
|
ref: ${{ github.event.release.target_commitish }}
|
|
persist-credentials: false
|
|
|
|
- name: Build source zip via CPack
|
|
id: build
|
|
run: |
|
|
cmake -B build .
|
|
cmake --build build --target package_source
|
|
pkg=$(ls build/fmt-*.zip)
|
|
test -f "$pkg"
|
|
echo "package=$pkg" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Compute base64-encoded SHA-256 subjects
|
|
id: hash
|
|
run: |
|
|
file="${{ steps.build.outputs.package }}"
|
|
subjects=$(cd "$(dirname "$file")" && sha256sum "$(basename "$file")")
|
|
echo "hashes=$(printf '%s' "$subjects" | base64 -w0)" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Upload zip to the release
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
run: |
|
|
gh release upload "${{ github.event.release.tag_name }}" \
|
|
"${{ steps.build.outputs.package }}" \
|
|
--repo "${{ github.repository }}" --clobber
|
|
|
|
provenance:
|
|
needs: [build]
|
|
permissions:
|
|
actions: read
|
|
id-token: write
|
|
contents: write
|
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
|
|
with:
|
|
base64-subjects: ${{ needs.build.outputs.hashes }}
|
|
provenance-name: "fmt-${{ github.event.release.tag_name }}.intoto.jsonl"
|
|
upload-assets: true
|
|
upload-tag-name: ${{ github.event.release.tag_name }}
|