name: Release
on:
push:
tags:
- 'v*'
env:
CARGO_TERM_COLOR: always
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: true
jobs:
validate:
name: Validate Release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt, clippy
- name: Install cargo-audit
run: cargo install cargo-audit --locked
- name: Rust Cache
uses: Swatinem/rust-cache@v2
with:
shared-key: "release-shared"
cache-targets: false
- name: Format Check
run: cargo fmt --all -- --check
- name: Clippy Lint
run: cargo clippy --all-targets --all-features -- -D warnings
- name: Cargo Audit
run: cargo audit --deny warnings
- name: Build Check
run: cargo build --all-targets --all-features
- name: Run Tests
run: cargo test --all-targets --all-features
publish-cargo:
name: Publish to Cargo.io
needs: validate
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Rust Cache
uses: Swatinem/rust-cache@v2
with:
shared-key: "publish-shared"
cache-targets: false
- name: Get crates.io auth token
uses: rust-lang/crates-io-auth-action@v1
id: auth
- name: Publish to crates.io
run: cargo publish
env:
CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
build-release:
name: Build Release Binaries
needs: publish-cargo
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
artifact_name: ciphern
asset_name: ciphern-linux-x86_64
ext: ""
target: x86_64-unknown-linux-gnu
- os: ubuntu-latest
artifact_name: ciphern
asset_name: ciphern-linux-arm64
ext: ""
target: aarch64-unknown-linux-gnu
cross: true
- os: macos-latest
artifact_name: ciphern
asset_name: ciphern-macos-x86_64
ext: ""
target: x86_64-apple-darwin
- os: macos-latest
artifact_name: ciphern
asset_name: ciphern-macos-arm64
ext: ""
target: aarch64-apple-darwin
- os: windows-latest
artifact_name: ciphern.exe
asset_name: ciphern-windows-x86_64.exe
ext: ".exe"
target: x86_64-pc-windows-msvc
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}
- name: Rust Cache
uses: Swatinem/rust-cache@v2
with:
shared-key: "build-${{ matrix.target }}"
cache-targets: false
- name: Install Cross (for arm64 Linux)
if: matrix.cross == true
run: cargo install cross
- name: Build Release
run: |
if [ "${{ matrix.cross }}" == "true" ]; then
cross build --release --locked --target ${{ matrix.target }}
else
cargo build --release --locked --target ${{ matrix.target }}
fi
- name: Create Artifact
run: |
mkdir -p release
cp target/${{ matrix.target }}/release/${{ matrix.artifact_name }} release/${{ matrix.asset_name }}
- name: Upload Artifact
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.asset_name }}
path: release/${{ matrix.asset_name }}
compression-level: 9
retention-days: 30
sign-artifacts:
name: Sign Artifacts with Cosign
needs: build-release
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
steps:
- name: Download Artifacts
uses: actions/download-artifact@v4
with:
path: artifacts
merge-multiple: true
- name: Install Cosign
uses: sigstore/cosign-installer@v3
with:
cosign-release: 'v2.4.1'
- name: Sign Artifacts
run: |
for file in artifacts/*; do
if [ -f "$file" ]; then
echo "Signing: $file"
cosign sign-blob "$file" --output-signature "$file.sig" --fulcio-url=https://fulcio.sigstore.dev --rekor-url=https://rekor.sigstore.dev
fi
done
- name: Upload Signatures
uses: actions/upload-artifact@v4
with:
name: signatures
path: artifacts/*.sig
retention-days: 30
github-release:
name: Create GitHub Release
needs: [ build-release, sign-artifacts ]
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get Version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Download Artifacts
uses: actions/download-artifact@v4
with:
path: artifacts
- name: Download Signatures
uses: actions/download-artifact@v4
with:
name: signatures
path: artifacts
pattern: signatures
merge-multiple: true
- name: Prepare Release Assets
run: |
cd artifacts
ls -la
- name: Create Release
uses: softprops/action-gh-release@v2
with:
files: artifacts/**
name: Release v${{ steps.version.outputs.VERSION }}
generate_release_notes: true
draft: false
prerelease: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
notify:
name: Notify Status
needs: [publish-cargo, github-release]
runs-on: ubuntu-latest
if: always()
steps:
- name: Check status
run: |
if [[ "${{ needs.publish-cargo.result }}" == "success" ]] && [[ "${{ needs.github-release.result }}" == "success" ]]; then
echo "Release completed successfully!"
exit 0
else
echo "Release failed!"
exit 1
fi