name: Release
on:
push: pull_request: types: [edited]
permissions:
contents: write pull-requests: write id-token: write
env:
GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN || secrets.GITHUB_TOKEN }}
jobs:
release-pr:
uses: powerman/workflows/.github/workflows/release-pr.yml@v0.4.4
with:
version_cmd: |
sed -i "s/^version = \".*\"/version = \"${RELEASE_PR_VERSION#v}\"/" Cargo.toml
cargo check
secrets:
TOKEN: ${{ secrets.RELEASE_TOKEN }}
build-and-upload:
needs: [release-pr]
if: ${{ needs.release-pr.outputs.result == 'released' }}
permissions:
contents: write id-token: write timeout-minutes: 30
runs-on: ubuntu-latest
strategy:
matrix:
target:
- x86_64-unknown-linux-gnu
- aarch64-unknown-linux-gnu
- x86_64-apple-darwin
- aarch64-apple-darwin
steps:
- uses: actions/checkout@v6
with:
token: ${{ env.GITHUB_TOKEN }}
ref: ${{ needs.release-pr.outputs.version }}
- uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}
- uses: taiki-e/install-action@v2
with:
tool: cargo-zigbuild
- uses: mlugg/setup-zig@v2
- name: Add rust target
run: rustup target add ${{ matrix.target }}
- name: Build binary
id: build
env:
TARGET: ${{ matrix.target }}
BINARY_NAME: ${{ github.event.repository.name }}
run: |
cargo zigbuild --release --target "$TARGET"
EXT=""
[[ "$TARGET" == *-windows-* ]] && EXT=".exe"
ASSET_DIR="$(mktemp -d)"
BIN="target/$TARGET/release/${BINARY_NAME}${EXT}"
ASSET_NAME="${BINARY_NAME}-${TARGET}${EXT}"
cp "$BIN" "$ASSET_DIR/$ASSET_NAME"
echo "release_asset_dir=$ASSET_DIR" >> "$GITHUB_OUTPUT"
- name: Install UPX
if: ${{ !contains(matrix.target, 'darwin') }}
uses: crazy-max/ghaction-upx@v4
with:
install-only: true
- name: Compress binary with UPX
if: ${{ !contains(matrix.target, 'darwin') }}
working-directory: ${{ steps.build.outputs.release_asset_dir }}
run: upx --best ./*
- name: Install cosign
uses: sigstore/cosign-installer@v4.1.2
- name: Sign assets with cosign
working-directory: ${{ steps.build.outputs.release_asset_dir }}
run: |
for file in *; do
if [[ -f "$file" && ! "$file" =~ \.(sha256|md5|sig|bundle)$ ]]; then
echo "Signing $file..."
cosign sign-blob --yes "$file" --bundle "${file}.bundle"
fi
done
- name: Upload files to the release
uses: softprops/action-gh-release@v3
with:
token: ${{ env.GITHUB_TOKEN }}
tag_name: ${{ needs.release-pr.outputs.version }}
body: ${{ needs.release-pr.outputs.changelog }}
files: ${{ steps.build.outputs.release_asset_dir }}/*
draft: true
prerelease: ${{ needs.release-pr.outputs.prerelease }}
make_latest: false
finalize:
needs: [release-pr, build-and-upload]
if: ${{ needs.release-pr.outputs.result == 'released' }}
permissions:
contents: write timeout-minutes: 5
runs-on: ubuntu-latest
steps:
- name: Publish release
uses: softprops/action-gh-release@v3
with:
token: ${{ env.GITHUB_TOKEN }}
tag_name: ${{ needs.release-pr.outputs.version }}
body: ${{ needs.release-pr.outputs.changelog }}
draft: false
prerelease: ${{ needs.release-pr.outputs.prerelease }}
make_latest: ${{ needs.release-pr.outputs.prerelease != 'true' }}
publish-crates-io:
needs: [release-pr, build-and-upload, finalize]
if: ${{ needs.release-pr.outputs.result == 'released' }}
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
ref: ${{ needs.release-pr.outputs.version }}
- name: Publish to crates.io
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
run: cargo publish