name: release
on:
push:
tags: ["v*"]
permissions:
contents: write
env:
CARGO_NET_RETRY: "10"
CARGO_HTTP_MULTIPLEXING: "false"
jobs:
create-release:
name: Create release
runs-on: ubuntu-latest
steps:
- uses: softprops/action-gh-release@v3
with:
generate_release_notes: false
build:
name: Build ${{ matrix.asset_name }}
needs: create-release
runs-on: ${{ matrix.os }}
defaults:
run:
shell: bash strategy:
fail-fast: false
matrix:
include:
- target: x86_64-unknown-linux-gnu
os: ubuntu-latest
asset_name: clauth-linux-x86_64
ext: ""
- target: aarch64-apple-darwin
os: macos-latest
asset_name: clauth-macos-aarch64
ext: ""
- target: x86_64-apple-darwin
os: macos-latest
asset_name: clauth-macos-x86_64
ext: ""
- target: x86_64-pc-windows-msvc
os: windows-latest
asset_name: clauth-windows-x86_64
ext: .exe
steps:
- uses: actions/checkout@v7
- uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}
- uses: Swatinem/rust-cache@v2
- name: Build
run: cargo build --release --target ${{ matrix.target }}
- name: Prepare asset
run: cp "target/${{ matrix.target }}/release/clauth${{ matrix.ext }}" "${{ matrix.asset_name }}${{ matrix.ext }}"
- name: Upload to release
uses: softprops/action-gh-release@v3
with:
files: ${{ matrix.asset_name }}${{ matrix.ext }}
- name: Upload artifact for checksum job
uses: actions/upload-artifact@v7
with:
name: ${{ matrix.asset_name }}${{ matrix.ext }}
path: ${{ matrix.asset_name }}${{ matrix.ext }}
if-no-files-found: error
checksums:
name: Checksums + signature
needs: [build]
if: always()
runs-on: ubuntu-latest
steps:
- name: Download all artifacts
uses: actions/download-artifact@v8
with:
path: artifacts
merge-multiple: true
- name: Generate sha256sums.txt
run: |
cd artifacts
sha256sum clauth-* > ../sha256sums.txt
- name: Upload sha256sums.txt to release
uses: softprops/action-gh-release@v3
with:
files: sha256sums.txt
- name: Sign sha256sums.txt with minisign
env:
MINISIGN_SECRET_KEY: ${{ secrets.MINISIGN_SECRET_KEY }}
run: |
if [ -z "${MINISIGN_SECRET_KEY:-}" ]; then
echo "MINISIGN_SECRET_KEY not set — shipping sha256-only (no signature)."
exit 0
fi
sudo apt-get update
sudo apt-get install -y minisign
# Remove the key file on ANY exit (incl. a signing failure under `set -e`).
trap 'rm -f minisign.key' EXIT
printf '%s\n' "${MINISIGN_SECRET_KEY}" > minisign.key
minisign -S -s minisign.key -m sha256sums.txt -t "clauth ${GITHUB_REF_NAME} checksums"
echo "Signed → sha256sums.txt.minisig"
- name: Upload signature to release
if: hashFiles('sha256sums.txt.minisig') != ''
uses: softprops/action-gh-release@v3
with:
files: sha256sums.txt.minisig