murk-cli 0.5.11

Encrypted secrets manager for developers — one file, age encryption, git-friendly
# Release workflow: builds per-target binaries, creates the GitHub release,
# updates the Homebrew tap and publishes the crate.
name: Release

# Runs only when a tag whose name starts with "v" is pushed.
on:
  push:
    tags: ["v*"]

# Workflow-wide default for the job token: read access on every scope.
# Jobs below that declare their own `permissions:` block replace this default;
# jobs that declare none inherit it.
# NOTE(review): a narrower default (for example only `contents: read`) may be
# enough for the inheriting jobs; confirm against what each job needs.
permissions: read-all

env:
  # Force coloured cargo output in the job logs.
  CARGO_TERM_COLOR: always

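jobs:
  # Compiles the release binary for every target in the matrix and uploads one
  # archive per target as a workflow artifact for the jobs that `needs: build`.
  build:
    name: Build (${{ matrix.target }})
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        # Entries with `cross: true` are built with the `cross` tool instead of
        # plain cargo (see the "Install cross" and "Build" steps).
        include:
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-latest
          - target: aarch64-unknown-linux-gnu
            os: ubuntu-latest
            cross: true
          - target: arm-unknown-linux-gnueabihf
            os: ubuntu-latest
            cross: true
          - target: x86_64-apple-darwin
            os: macos-14
          - target: aarch64-apple-darwin
            os: macos-latest
          - target: x86_64-pc-windows-msvc
            os: windows-latest
    steps:
      # Actions are pinned to full commit SHAs; the trailing comment records
      # the tag each SHA was taken from.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Nothing after checkout needs authenticated git access, and the
          # build may run third-party build scripts, so do not leave the job
          # token configured for git on the runner.
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
        with:
          targets: ${{ matrix.target }}
      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2

      # Exact version plus --locked keeps the cross toolchain reproducible.
      - name: Install cross
        if: matrix.cross
        run: cargo install cross --locked --version 0.2.5

      # matrix.* values come from the static matrix above, so expanding them
      # inline in the script is not attacker-influenced.
      - name: Build
        run: |
          if [ "${{ matrix.cross }}" = "true" ]; then
            cross build --release --locked --target ${{ matrix.target }}
          else
            cargo build --release --locked --target ${{ matrix.target }}
          fi
        shell: bash

      # The tag name is chosen by whoever pushes the tag. Read it from the
      # runner-provided GITHUB_REF_NAME variable and quote it, instead of
      # expanding the expression into the script text, so shell metacharacters
      # in a tag name are treated as data.
      - name: Package (Unix)
        if: runner.os != 'Windows'
        env:
          TARGET: ${{ matrix.target }}
        run: |
          cd "target/${TARGET}/release"
          tar czf "../../../murk-${GITHUB_REF_NAME}-${TARGET}.tar.gz" murk

      - name: Package (Windows)
        if: runner.os == 'Windows'
        shell: bash
        env:
          TARGET: ${{ matrix.target }}
        run: |
          cd "target/${TARGET}/release"
          7z a "../../../murk-${GITHUB_REF_NAME}-${TARGET}.zip" murk.exe

      # `with:` inputs are passed to the action as values, not run by a shell.
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: murk-${{ matrix.target }}
          path: murk-${{ github.ref_name }}-${{ matrix.target }}.*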

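  # Collects the build artifacts, writes SHA256SUMS, attests provenance for the
  # archives and the checksum file, and publishes them as a GitHub release.
  release:
    name: GitHub Release
    needs: build
    runs-on: ubuntu-latest
    # Replaces the workflow default for this job only:
    #   contents: write      - create the release and upload its assets
    #   id-token: write      - OIDC token used when signing the attestation
    #   attestations: write  - store the generated attestation
    permissions:
      contents: write
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Full history so the release notes can be generated from commits.
          fetch-depth: 0
          # This job's token can write repository contents. The later steps
          # only read local history or are handed their inputs explicitly, so
          # do not leave that token configured for git on the runner.
          persist-credentials: false

      - name: Generate release notes
        uses: orhun/git-cliff-action@c93ef52f3d0ddcdcc9bd5447d98d458a11cd4f72 # v4
        id: cliff
        with:
          config: cliff.toml
          args: --latest --strip header
        env:
          # File the notes are written to; used as the release body below.
          OUTPUT: CHANGES.md

      # Puts every per-target artifact directly into the working directory.
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          merge-multiple: true

      # The glob is evaluated in the checked-out repository root, so it covers
      # any path there starting with "murk-", not only downloaded archives.
      # NOTE(review): confirm the repository has no tracked file of that shape.
      - name: Checksums
        run: sha256sum murk-* > SHA256SUMS

      # Attests the archives and the checksum file before they are published,
      # so consumers can check a download against this workflow run.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: |
            murk-*
            SHA256SUMS

      - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
        with:
          body_path: CHANGES.md
          files: |
            murk-*
            SHA256SUMS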

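  # Renders the Homebrew formula from the template, using the checksums
  # published with the release, and pushes it to the tap repository.
  homebrew:
    name: Update Homebrew tap
    needs: release
    runs-on: ubuntu-latest
    # This job handles a separate tap credential; the job token itself only
    # needs to read the template and download the release asset.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Only the formula template is read from this checkout.
          persist-credentials: false

      # The tag name is passed as a quoted environment variable rather than
      # expanded into the script text, so it cannot be parsed as shell syntax.
      # NOTE(review): the downloaded SHA256SUMS is trusted as-is; the release
      # job attests it, so it could be verified here before use.
      - name: Download checksums
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release download "$GITHUB_REF_NAME" --pattern SHA256SUMS

      - name: Render formula
        run: |
          set -euo pipefail

          VERSION="${GITHUB_REF_NAME#v}"
          # The version is substituted into sed expressions and the formula
          # text; refuse anything that is not a plain version string.
          if ! [[ "$VERSION" =~ ^[0-9A-Za-z][0-9A-Za-z.+-]*$ ]]; then
            echo "::error::unexpected characters in tag name" >&2
            exit 1
          fi

          cp .github/formula/murk.rb.template murk.rb

          for target in x86_64-apple-darwin aarch64-apple-darwin x86_64-unknown-linux-gnu aarch64-unknown-linux-gnu; do
            ARCHIVE="murk-${GITHUB_REF_NAME}-${target}.tar.gz"
            # Exact filename match (text or binary-mode sha256sum output)
            # instead of a regex grep, where "." would match any character.
            HASH=$(awk -v f="$ARCHIVE" '$2 == f || $2 == ("*" f) {print $1}' SHA256SUMS)
            # A missing, duplicated or malformed entry must stop the job;
            # otherwise an empty or wrong sha256 would be pushed to the tap.
            if ! [[ "$HASH" =~ ^[0-9a-f]{64}$ ]]; then
              echo "::error::missing or malformed SHA-256 for ${ARCHIVE}" >&2
              exit 1
            fi
            PLACEHOLDER="__SHA256_$(echo "$target" | tr '[:lower:]-' '[:upper:]_')__"
            sed -i "s/${PLACEHOLDER}/${HASH}/" murk.rb
          done

          sed -i "s/__VERSION__/${VERSION}/" murk.rb
          cat murk.rb

      # NOTE(review): HOMEBREW_TAP_TOKEN should be limited to write access on
      # the tap repository only; confirm its scope in the repository settings.
      - name: Push to tap
        env:
          TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
        run: |
          set -euo pipefail
          # The token is part of the clone URL, so it is stored in the clone's
          # git configuration on this runner until the job ends.
          git clone "https://x-access-token:${TAP_TOKEN}@github.com/iicky/homebrew-murk.git" tap
          mkdir -p tap/Formula
          cp murk.rb tap/Formula/murk.rb
          cd tap
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add Formula/murk.rb
          # A re-run for an already-published tag has nothing to commit.
          if git diff --cached --quiet; then
            echo "Formula unchanged; nothing to push"
            exit 0
          fi
          git commit -m "murk ${GITHUB_REF_NAME}"
          git push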

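  # Publishes the crate to crates.io with a short-lived token obtained through
  # OIDC, so no long-lived registry secret is stored in the repository.
  publish:
    name: Publish to crates.io
    needs: build
    runs-on: ubuntu-latest
    # Replaces the workflow default for this job only:
    #   id-token: write - lets the auth step request the OIDC token
    #   contents: read  - checkout
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # `cargo publish` builds the package, which may run third-party
          # build scripts; do not leave the job token configured for git.
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
      - name: Authenticate to crates.io via OIDC
        uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4
        id: crates-auth
      - name: Publish
        env:
          # The registry token is exposed to this step only.
          CARGO_REGISTRY_TOKEN: ${{ steps.crates-auth.outputs.token }}
        shell: bash
        run: |
          # pipefail makes the pipeline report cargo's exit status, not tee's.
          set -o pipefail
          # A failure whose output contains "already uploaded" is treated as
          # success so a re-run for a published version does not fail the job.
          # NOTE(review): this depends on the exact error wording; confirm it
          # still matches the message produced by the cargo version in use.
          cargo publish 2>&1 | tee /tmp/publish.log || {
            if grep -q "already uploaded" /tmp/publish.log; then
              echo "Version already published"
              exit 0
            fi
            exit 1
          }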