nsip 0.6.2

---
name: Release

# Attested delivery: build platform binaries, completions/man-page archives,
# and the MCPB bundle; attach SLSA build provenance to every artifact; bind
# them all to a CycloneDX SBOM attestation; then fail-closed verify every
# attestation BEFORE the GitHub Release is published. A tag publishes
# nothing unattested.
#
# Dry-run: `workflow_dispatch` from any branch exercises the full
# build -> attest -> verify chain; the release job is tag-gated and skipped.

"on":
  push:
    tags:
      - "v*.*.*"
  workflow_dispatch:

permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  version:
    name: Resolve Version
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      version: ${{ steps.get_version.outputs.version }}
    steps:
      - name: Checkout repository
        # yamllint disable-line rule:line-length
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3

      - name: Get version from tag or Cargo.toml
        id: get_version
        run: |
          set -euo pipefail
          if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
            echo "version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
          else
            # Dry-run (workflow_dispatch): version from Cargo.toml, marked -dev
            v=$(grep -m1 '^version' Cargo.toml | cut -d'"' -f2)
            echo "version=${v}-dev" >> "$GITHUB_OUTPUT"
          fi

  test:
    # Tags are not guaranteed to point at CI-green commits; the release
    # publishes nothing untested.
    name: Test
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout repository
        # yamllint disable-line rule:line-length
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3

      - name: Setup Rust with caching
        uses: ./.github/actions/setup-rust-cached
        with:
          toolchain: stable
          cache-key: release-test

      - name: Run tests
        run: cargo test --all-features --locked

  audit:
    name: Cargo Audit
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout repository
        # yamllint disable-line rule:line-length
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3

      - name: Install cargo-audit
        uses: ./.github/actions/install-cargo-tool
        with:
          tool: cargo-audit

      - name: Audit dependencies for known vulnerabilities
        # RUSTSEC-2023-0071 (rsa Marvin timing sidechannel) has no upstream
        # fix and the affected code path is never executed here (HMAC-only
        # JWT signing); deny.toml ignores it by the same policy.
        run: cargo audit --deny warnings --ignore RUSTSEC-2023-0071

  build:
    name: Build (${{ matrix.platform }})
    needs: [version]
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45
    permissions:
      contents: read
      id-token: write
      attestations: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
            artifact_name: nsip
            platform: linux-amd64
          # Native ARM runner: no cross toolchain needed
          - os: ubuntu-24.04-arm
            target: aarch64-unknown-linux-gnu
            artifact_name: nsip
            platform: linux-arm64
          - os: macos-latest
            target: x86_64-apple-darwin
            artifact_name: nsip
            platform: macos-amd64
          - os: macos-latest
            target: aarch64-apple-darwin
            artifact_name: nsip
            platform: macos-arm64
          # Windows pinned: deterministic release artifacts
          - os: windows-2022
            target: x86_64-pc-windows-msvc
            artifact_name: nsip.exe
            platform: windows-amd64.exe
    steps:
      - name: Checkout repository
        # yamllint disable-line rule:line-length
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3

      - name: Setup Rust with caching
        uses: ./.github/actions/setup-rust-cached
        with:
          toolchain: stable
          targets: ${{ matrix.target }}
          cache-key: release-${{ matrix.target }}

      - name: Build release binary
        run: >-
          cargo build --release --locked
          --target ${{ matrix.target }}

      - name: Strip binary (Unix)
        if: runner.os != 'Windows'
        run: >-
          strip
          "target/${{ matrix.target }}/release/${{ matrix.artifact_name }}"

      - name: Stage named artifact
        shell: bash
        env:
          VERSION: ${{ needs.version.outputs.version }}
          PLATFORM: ${{ matrix.platform }}
        run: |
          mkdir -p dist
          cp "target/${{ matrix.target }}/release/${{ matrix.artifact_name }}" \
            "dist/nsip-${VERSION}-${PLATFORM}"

      - name: Attest build provenance
        # yamllint disable-line rule:line-length
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
        with:
          subject-path: dist/*

      - name: Upload artifact
        # yamllint disable-line rule:line-length
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          # yamllint disable-line rule:line-length
          name: nsip-${{ needs.version.outputs.version }}-${{ matrix.platform }}
          path: dist/*
          if-no-files-found: error

  extras:
    name: Completions & man pages
    needs: [version]
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: read
      id-token: write
      attestations: write
    steps:
      - name: Checkout repository
        # yamllint disable-line rule:line-length
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3

      - name: Setup Rust with caching
        uses: ./.github/actions/setup-rust-cached
        with:
          toolchain: stable
          cache-key: release-extras

      - name: Build release binary
        run: cargo build --release --locked

      - name: Generate shell completions
        run: |
          mkdir -p completions
          ./target/release/nsip completions bash \
            > completions/nsip.bash
          ./target/release/nsip completions zsh \
            > completions/_nsip
          ./target/release/nsip completions fish \
            > completions/nsip.fish
          ./target/release/nsip completions powershell \
            > completions/_nsip.ps1

      - name: Generate man pages
        run: |
          mkdir -p man
          ./target/release/nsip man-pages --out-dir man

      - name: Stage versioned archives
        env:
          VERSION: ${{ needs.version.outputs.version }}
        run: |
          mkdir -p dist
          tar czf "dist/nsip-${VERSION}-completions.tar.gz" -C completions .
          tar czf "dist/nsip-${VERSION}-man-pages.tar.gz" -C man .

      - name: Attest build provenance
        # yamllint disable-line rule:line-length
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
        with:
          subject-path: dist/*

      - name: Upload artifact
        # yamllint disable-line rule:line-length
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: nsip-${{ needs.version.outputs.version }}-extras
          path: dist/*
          if-no-files-found: error

  mcpb:
    name: Package MCPB Bundle
    needs: [version, build]
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      id-token: write
      attestations: write
    steps:
      - name: Checkout repository
        # yamllint disable-line rule:line-length
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3

      - name: Download platform binaries
        # yamllint disable-line rule:line-length
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          pattern: nsip-${{ needs.version.outputs.version }}-*
          path: binaries
          merge-multiple: true

      - name: Stage binaries for bundling
        env:
          VERSION: ${{ needs.version.outputs.version }}
        run: |
          set -euo pipefail
          mkdir -p server
          # manifest.json references unversioned server/nsip-<platform>
          # filenames; rename the versioned artifacts back to the names
          # the MCPB bundle expects.
          for platform in linux-amd64 linux-arm64 macos-amd64 \
                          macos-arm64 windows-amd64.exe; do
            mv "binaries/nsip-${VERSION}-${platform}" \
               "server/nsip-${platform}"
          done
          chmod +x server/nsip-*

      - name: Inject version into manifest
        env:
          VERSION: ${{ needs.version.outputs.version }}
        run: >-
          sed -i
          "s/\"version\": \".*\"/\"version\": \"${VERSION}\"/"
          manifest.json

      - name: Package MCPB bundle
        id: mcpb
        # yamllint disable-line rule:line-length
        uses: zircote/mcp-bundle@902cd0e159b26226a136dc12a2a226457e3bb691  # main
        with:
          upload-artifact: 'false'
          create-release-asset: 'false'

      - name: Stage bundle
        env:
          MCPB_FILE: ${{ steps.mcpb.outputs.bundle-path }}
        run: |
          mkdir -p dist
          cp "$MCPB_FILE" dist/

      - name: Attest build provenance
        # yamllint disable-line rule:line-length
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
        with:
          subject-path: dist/*

      - name: Upload artifact
        # yamllint disable-line rule:line-length
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: nsip-${{ needs.version.outputs.version }}-mcpb
          path: dist/*
          if-no-files-found: error

  sbom:
    name: SBOM (generate + attest)
    needs: [version, build, extras, mcpb]
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      id-token: write
      attestations: write
    steps:
      - name: Checkout repository
        # yamllint disable-line rule:line-length
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3

      - name: Download all artifacts
        # yamllint disable-line rule:line-length
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          path: dist
          merge-multiple: true

      - name: Generate CycloneDX SBOM
        # yamllint disable-line rule:line-length
        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610  # v0.24.0
        with:
          path: .
          format: cyclonedx-json
          # yamllint disable-line rule:line-length
          output-file: nsip-${{ needs.version.outputs.version }}-sbom.cdx.json
          upload-artifact: false
          upload-release-assets: false

      - name: Attest SBOM (binds every artifact to the SBOM)
        # yamllint disable-line rule:line-length
        uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e  # v4.1.0
        with:
          subject-path: dist/*
          # yamllint disable-line rule:line-length
          sbom-path: nsip-${{ needs.version.outputs.version }}-sbom.cdx.json

      - name: Upload SBOM artifact
        # yamllint disable-line rule:line-length
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: nsip-${{ needs.version.outputs.version }}-sbom
          # yamllint disable-line rule:line-length
          path: nsip-${{ needs.version.outputs.version }}-sbom.cdx.json
          if-no-files-found: error

  verify:
    name: Verify Attestations
    needs: [version, build, extras, mcpb, sbom]
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      attestations: read
    steps:
      - name: Download all artifacts
        # yamllint disable-line rule:line-length
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          path: dist
          merge-multiple: true

      - name: Fail-closed attestation verification
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          shopt -s nullglob
          files=(dist/*)
          # 5 platform binaries + completions + man pages + MCPB bundle +
          # SBOM. A partial set must never reach the release.
          if [ "${#files[@]}" -ne 9 ]; then
            echo "::error::expected 9 artifacts, found ${#files[@]}"
            printf '%s\n' "${files[@]}"
            exit 1
          fi
          for f in "${files[@]}"; do
            case "$f" in
              *-sbom.cdx.json) continue ;;
            esac
            echo "Verifying provenance: ${f}"
            gh attestation verify "$f" --repo "$GITHUB_REPOSITORY"
            echo "Verifying SBOM attestation: ${f}"
            gh attestation verify "$f" --repo "$GITHUB_REPOSITORY" \
              --predicate-type https://cyclonedx.org/bom
          done

  release:
    name: Create Release
    if: startsWith(github.ref, 'refs/tags/')
    needs: [version, verify, audit, test]
    runs-on: ubuntu-latest
    timeout-minutes: 15
    environment: copilot
    permissions:
      contents: write
    steps:
      - name: Checkout repository
        # yamllint disable-line rule:line-length
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
        with:
          fetch-depth: 0

      - name: Download all artifacts
        # yamllint disable-line rule:line-length
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          path: dist
          merge-multiple: true

      - name: Generate checksums
        env:
          VERSION: ${{ needs.version.outputs.version }}
        run: |
          cd dist
          sha256sum -- * > "nsip-${VERSION}-checksums.txt"

      - name: Generate changelog
        id: changelog
        # yamllint disable-line rule:line-length
        uses: orhun/git-cliff-action@f50e11560dce63f7c33227798f90b924471a88b5  # v4.5.0
        with:
          config: cliff.toml
          # Strip header AND footer: the footer carries compare-link reference
          # definitions and a generator comment meant for CHANGELOG.md, not
          # the per-release GitHub notes body.
          args: --latest --strip all

      - name: Create GitHub Release
        # yamllint disable-line rule:line-length
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda  # v3.0.0
        with:
          tag_name: ${{ github.ref }}
          name: Release ${{ needs.version.outputs.version }}
          body: ${{ steps.changelog.outputs.content }}
          draft: false
          # yamllint disable-line rule:line-length
          prerelease: ${{ contains(needs.version.outputs.version, '-alpha') || contains(needs.version.outputs.version, '-beta') || contains(needs.version.outputs.version, '-rc') }}
          files: dist/*
        env:
          # Use PAT so the release event propagates to
          # downstream workflows (homebrew)
          GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}