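# Release pipeline: CI gate -> per-target build with provenance attestation
# -> crates.io publish -> GitHub Release.
#
# NOTE(review): every `uses:` below references a mutable tag or branch.
# Pin each to a full commit SHA (form: `owner/action@<full-commit-sha>  # v4`)
# so an upstream retag cannot change what runs with release credentials.
name: Release

on:
  push:
    # Any tag starts the pipeline; the "Verify version" step in `publish`
    # is the gate that rejects tags that do not match the VERSION file.
    tags: ["*"]
  workflow_dispatch:
    inputs:
      version:
        description: 'Version to release (e.g., 0.23.5). Creates tag + release.'
        required: true
        type: string

# Least-privilege default for GITHUB_TOKEN. Each job below declares exactly
# the scopes it needs, so a job added later does not inherit write access.
permissions:
  contents: read

concurrency:
  group: release-${{ github.ref }}
  # Never cancel a release that is already running for the same ref.
  cancel-in-progress: false

jobs:
  ci:
    name: CI Gate
    uses: ./.github/workflows/ci.yml
    permissions:
      contents: read
      actions: read

  build:
    name: Build (${{ matrix.name }})
    runs-on: ${{ matrix.os }}
    needs: [ci]
    timeout-minutes: 30
    # id-token + attestations are required by attest-build-provenance only;
    # they are granted here and nowhere else.
    permissions:
      contents: read
      id-token: write
      attestations: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-latest
            name: linux-amd64
          - target: aarch64-unknown-linux-gnu
            os: ubuntu-latest
            name: linux-arm64
            cross: true
          - target: aarch64-apple-darwin
            os: macos-latest
            name: macos-arm64
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config while build scripts run.
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}
      - uses: Swatinem/rust-cache@v2
        with:
          key: ${{ matrix.target }}
      - name: Cross deps (arm64)
        if: matrix.cross
        run: |
          sudo apt-get update
          sudo apt-get install -y gcc-aarch64-linux-gnu
          mkdir -p .cargo
          echo '[target.aarch64-unknown-linux-gnu]' >> .cargo/config.toml
          echo 'linker = "aarch64-linux-gnu-gcc"' >> .cargo/config.toml
      - run: cargo build --release --target ${{ matrix.target }}
      - name: Generate SLSA provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: target/${{ matrix.target }}/release/libszal*

  publish:
    name: Publish to crates.io
    runs-on: ubuntu-latest
    needs: [ci, build]
    # This job holds the crates.io token; keep GITHUB_TOKEN read-only here.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
      - name: Verify version
        env:
          # On a manual dispatch GITHUB_REF_NAME is a branch name, so compare
          # against the requested version instead. Passed through env rather
          # than interpolated into the script so the input is never parsed
          # as shell.
          RELEASE_VERSION: ${{ inputs.version || github.ref_name }}
        run: |
          FILE_VERSION=$(tr -d '[:space:]' < VERSION)
          [ "$FILE_VERSION" = "$RELEASE_VERSION" ] || { echo "VERSION mismatch"; exit 1; }
      - run: cargo publish
        env:
          # Scoped to this single step so no other step can read the token.
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

  release:
    name: Create GitHub Release
    runs-on: ubuntu-latest
    needs: [ci, build, publish]
    # The only job allowed to write to the repository (tag + release).
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: softprops/action-gh-release@v2
        with:
          # Pushed tag on a tag event; the requested version on a dispatch.
          tag_name: ${{ inputs.version || github.ref_name }}
          # If the tag has to be created, create it on the commit this run
          # built and published rather than on the default branch head.
          target_commitish: ${{ github.sha }}
          generate_release_notes: true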