coffee/fmt
1
0
Fork 0
mirror of https://github.com/fmtlib/fmt.git synced 2026-06-15 00:16:15 +08:00
Code Issues Packages Projects Releases Wiki Activity
fmt/.github/workflows/release.yml
Victor Zverovich 841040e781 Attach release artifacts to draft via workflow_dispatch 
Draft releases do not fire the `release: created` event, so the release
workflow never ran and the source zip and SLSA provenance were not
attached to the draft. Trigger the workflow explicitly from release.py
via workflow_dispatch, passing the tag to attach to and the ref to build
from, and resolve the tag/ref in the workflow for both event types.
2026-06-08 07:48:52 +02:00

93 lines
3.2 KiB
YAML
Raw Blame History

# Builds the release source package in CI for a draft release (typically
# created via support/release.py), uploads the zip to that release, and
# attaches a SLSA v1.0 provenance attestation generated by the OpenSSF
# slsa-github-generator. The maintainer reviews the draft (which by then has
# both the zip and *.intoto.jsonl attached) and clicks Publish to finalize.
#
# This makes the provenance attest to the actual build that produced the
# artifact, rather than just attesting to a hash observed after the fact.
#
# GitHub does not fire `release: created` for draft releases, so release.py
# triggers this workflow explicitly via workflow_dispatch, passing the tag to
# attach to and the ref to build from. The `release: created` trigger is kept
# for non-draft releases created directly through the GitHub UI.
name: release
on:
release:
types: [created]
workflow_dispatch:
inputs:
tag_name:
description: "Release tag to attach the artifacts to (e.g. 12.2.0)"
required: true
type: string
ref:
description: "Git ref to build the source package from"
required: false
default: release
type: string
permissions: read-all
jobs:
build:
name: Build source package
runs-on: ubuntu-latest
permissions:
contents: write
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
package: ${{ steps.build.outputs.package }}
tag: ${{ steps.vars.outputs.tag }}
steps:
- name: Resolve tag and ref for both event types
id: vars
run: |
echo "tag=${{ github.event.release.tag_name || inputs.tag_name }}" >> "$GITHUB_OUTPUT"
echo "ref=${{ github.event.release.target_commitish || inputs.ref }}" >> "$GITHUB_OUTPUT"
- name: Checkout the release ref
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
ref: ${{ steps.vars.outputs.ref }}
persist-credentials: false
- name: Build source zip via CPack
id: build
run: |
cmake -B build .
cmake --build build --target package_source
pkg=$(ls build/fmt-*.zip)
test -f "$pkg"
echo "package=$pkg" >> "$GITHUB_OUTPUT"
- name: Compute base64-encoded SHA-256 subjects
id: hash
run: |
file="${{ steps.build.outputs.package }}"
subjects=$(cd "$(dirname "$file")" && sha256sum "$(basename "$file")")
echo "hashes=$(printf '%s' "$subjects" | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload zip to the release
env:
GH_TOKEN: ${{ github.token }}
run: |
gh release upload "${{ steps.vars.outputs.tag }}" \
"${{ steps.build.outputs.package }}" \
--repo "${{ github.repository }}" --clobber
provenance:
needs: [build]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
with:
base64-subjects: ${{ needs.build.outputs.hashes }}
provenance-name: "fmt-${{ needs.build.outputs.tag }}.intoto.jsonl"
upload-assets: true
upload-tag-name: ${{ needs.build.outputs.tag }}
Reference in New Issue View Git Blame Copy Permalink