ciphern 0.2.1

Enterprise-grade cryptographic library
Documentation
name: Release

on:
  push:
    tags:
      - 'v*'

env:
  CARGO_TERM_COLOR: always

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: true

jobs:
  validate:
    name: Validate Release
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy

      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      - name: Rust Cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "release-shared"
          cache-targets: false

      - name: Format Check
        run: cargo fmt --all -- --check

      - name: Clippy Lint
        run: cargo clippy --all-targets --all-features -- -D warnings

      - name: Cargo Audit
        run: cargo audit --deny warnings

      - name: Build Check
        run: cargo build --all-targets --all-features

      - name: Run Tests
        run: cargo test --all-targets --all-features

  publish-cargo:
    name: Publish to Cargo.io
    needs: validate
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Rust Cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "publish-shared"
          cache-targets: false

      - name: Get crates.io auth token
        uses: rust-lang/crates-io-auth-action@v1
        id: auth

      - name: Publish to crates.io
        run: cargo publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}

  build-release:
    name: Build Release Binaries
    needs: publish-cargo
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            artifact_name: ciphern
            asset_name: ciphern-linux-x86_64
            ext: ""
            target: x86_64-unknown-linux-gnu
          - os: ubuntu-latest
            artifact_name: ciphern
            asset_name: ciphern-linux-arm64
            ext: ""
            target: aarch64-unknown-linux-gnu
            cross: true
          - os: macos-latest
            artifact_name: ciphern
            asset_name: ciphern-macos-x86_64
            ext: ""
            target: x86_64-apple-darwin
          - os: macos-latest
            artifact_name: ciphern
            asset_name: ciphern-macos-arm64
            ext: ""
            target: aarch64-apple-darwin
          - os: windows-latest
            artifact_name: ciphern.exe
            asset_name: ciphern-windows-x86_64.exe
            ext: ".exe"
            target: x86_64-pc-windows-msvc

    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      - name: Rust Cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: "build-${{ matrix.target }}"
          cache-targets: false

      - name: Install Cross (for arm64 Linux)
        if: matrix.cross == true
        run: cargo install cross

      - name: Build Release
        run: |
          if [ "${{ matrix.cross }}" == "true" ]; then
            cross build --release --locked --target ${{ matrix.target }}
          else
            cargo build --release --locked --target ${{ matrix.target }}
          fi

      - name: Create Artifact
        run: |
          mkdir -p release
          cp target/${{ matrix.target }}/release/${{ matrix.artifact_name }} release/${{ matrix.asset_name }}

      - name: Upload Artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.asset_name }}
          path: release/${{ matrix.asset_name }}
          compression-level: 9
          retention-days: 30

  sign-artifacts:
    name: Sign Artifacts with Cosign
    needs: build-release
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    steps:
      - name: Download Artifacts
        uses: actions/download-artifact@v4
        with:
          path: artifacts
          merge-multiple: true

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.4.1'

      - name: Sign Artifacts
        run: |
          for file in artifacts/*; do
            if [ -f "$file" ]; then
              echo "Signing: $file"
              cosign sign-blob "$file" --output-signature "$file.sig" --fulcio-url=https://fulcio.sigstore.dev --rekor-url=https://rekor.sigstore.dev
            fi
          done

      - name: Upload Signatures
        uses: actions/upload-artifact@v4
        with:
          name: signatures
          path: artifacts/*.sig
          retention-days: 30

  github-release:
    name: Create GitHub Release
    needs: [ build-release, sign-artifacts ]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Get Version
        id: version
        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT

      - name: Download Artifacts
        uses: actions/download-artifact@v4
        with:
          path: artifacts

      - name: Download Signatures
        uses: actions/download-artifact@v4
        with:
          name: signatures
          path: artifacts
          pattern: signatures
          merge-multiple: true

      - name: Prepare Release Assets
        run: |
          cd artifacts
          ls -la

      - name: Create Release
        uses: softprops/action-gh-release@v2
        with:
          files: artifacts/**
          name: Release v${{ steps.version.outputs.VERSION }}
          generate_release_notes: true
          draft: false
          prerelease: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  notify:
    name: Notify Status
    needs: [publish-cargo, github-release]
    runs-on: ubuntu-latest
    if: always()
    steps:
      - name: Check status
        run: |
          if [[ "${{ needs.publish-cargo.result }}" == "success" ]] && [[ "${{ needs.github-release.result }}" == "success" ]]; then
            echo "Release completed successfully!"
            exit 0
          else
            echo "Release failed!"
            exit 1
          fi