Update changelog and retrieve changes from main #2849
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Build and test on each commit. Create a release on tagged commits. | |
# | |
# Binaries on each platform are stripped. This removes debug symbols. | |
name: Build | |
on: [push] | |
jobs: | |
build-all: | |
name: ${{ matrix.os-name }}-build | |
runs-on: ${{ matrix.os }} | |
container: ${{ matrix.container }} | |
env: | |
GHC_VERSION: '9.4.7' | |
defaults: | |
run: | |
shell: bash | |
strategy: | |
matrix: | |
os: ['windows-latest', 'ubuntu-latest', 'macos-latest'] | |
include: | |
- os: ubuntu-latest | |
os-name: Linux | |
container: fossa/haskell-static-alpine:ghc-9.4.7 | |
project-file: cabal.project.ci.linux | |
ghc: '9.4.7' | |
- os: macos-latest | |
os-name: macOS | |
project-file: cabal.project.ci.macos | |
ghc: '9.4.7' | |
- os: windows-latest | |
os-name: Windows | |
project-file: cabal.project.ci.windows | |
ghc: '9.4.7' | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
lfs: true | |
fetch-depth: 2 | |
- name: Install MacOS binary dependencies | |
if: ${{ contains(matrix.os, 'macos') }} | |
run: | | |
brew install jq | |
# Set up Haskell. | |
- uses: haskell-actions/setup@v2 | |
id: setup-haskell | |
name: Setup ghc/cabal (non-alpine) | |
if: ${{ !contains(matrix.os, 'ubuntu') }} | |
with: | |
ghc-version: ${{ matrix.ghc }} | |
cabal-version: '3.8.1.0' | |
# Set up Rust. | |
- uses: actions-rs/toolchain@v1 | |
with: | |
profile: minimal | |
toolchain: stable | |
- name: Install additional Rust tooling | |
uses: taiki-e/install-action@v2 | |
with: | |
tool: nextest | |
- uses: actions-rs/install@v0.1 | |
with: | |
crate: cargo-nextest | |
version: latest | |
- uses: Swatinem/rust-cache@v2 | |
- name: Debugging information | |
run: | | |
ghc --version || echo "no ghc" | |
cabal --version || echo "no cabal" | |
ghcup --version || echo "no ghcup" | |
rustc -V || echo "no rustc" | |
cargo -V || echo "no cargo" | |
# Linux builds are run in Alpine, which builds them statically; | |
# using jemalloc reduces the performance impact of this | |
# over the default libc allocator (which performs very poorly in static builds). | |
- name: Build Rust dependencies (Linux) | |
if: ${{ matrix.os-name == 'linux' }} | |
run: cargo build --features jemalloc --release | |
# Non-Linux environments generally don't need `jemalloc` | |
# and in particular Windows doesn't support it. | |
- name: Build Rust dependencies (non-Linux) | |
if: ${{ matrix.os-name != 'linux' }} | |
run: cargo build --release | |
# Run tests in release mode to reduce the need for rebuilds. | |
- name: Test Rust dependencies | |
run: cargo nextest run --release | |
- name: Ensure git ownership check does not lead to compiler error | |
run: git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
- name: Check git status and collect information | |
# https://github.com/actions/checkout/issues/760#issuecomment-1099519159 | |
run: | | |
git status --porcelain | |
echo "parent_commit=$(git rev-parse HEAD^)" >> $GITHUB_ENV | |
# Compute cache key and save to a temporary file. | |
# | |
# We compute the cache key based on the solved install plan instead of just | |
# hashing the `.cabal` file, since there are many kinds of changes that will | |
# cause `.cabal` to change (e.g. adding new source modules). | |
- name: Compute cache key | |
id: compute-cache-key | |
env: | |
RUNNER_OS: ${{ runner.os }} | |
run: | | |
cabal --project-file=${{ matrix.project-file }} update | |
cabal --project-file=${{ matrix.project-file }} build --dry-run | |
cat dist-newstyle/cache/plan.json | jq '."install-plan"[]."id"' | sort > /tmp/cabal-cache-key | |
echo "Install plan:" | |
cat /tmp/cabal-cache-key | |
if [ "$RUNNER_OS" = "macOS" ]; then | |
PLAN_SUM=$(shasum -a256 /tmp/cabal-cache-key) | |
else | |
PLAN_SUM=$(sha256sum /tmp/cabal-cache-key) | |
fi | |
export CABAL_CACHE_KEY=$(echo $PLAN_SUM | awk '{print $1}') | |
echo "Cabal cache key: $CABAL_CACHE_KEY" | |
echo "cabal-cache-key=$CABAL_CACHE_KEY" >> $GITHUB_OUTPUT | |
# Build FOSSA CLI. | |
- uses: actions/cache@v3 | |
name: Cache cabal store | |
with: | |
path: ${{ steps.setup-haskell.outputs.cabal-store || '~/.local/state/cabal' }} | |
key: ${{ runner.os }}-${{ matrix.ghc }}-cabal-cache-${{ steps.compute-cache-key.outputs.cabal-cache-key }} | |
restore-keys: | | |
${{ runner.os }}-${{ matrix.ghc }}-cabal-cache- | |
${{ runner.os }}-${{ matrix.ghc }}- | |
${{ runner.os }}- | |
- uses: actions/cache@v3 | |
name: Cache dist-newstyle | |
with: | |
path: ${{ github.workspace }}/dist-newstyle | |
key: ${{ runner.os }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ env.parent_commit }} | |
${{ runner.os }}-${{ env.GHC_VERSION }}-dist-newstyle- | |
${{ runner.os }}-${{ env.GHC_VERSION }}- | |
${{ runner.os }}- | |
- name: Update vendored binaries | |
run: | | |
mkdir vendor-bins | |
./vendor_download.sh | |
env: | |
GITHUB_TOKEN: ${{ secrets.BASIS_ACCESS_TOKEN }} | |
- name: Build test data | |
run: | | |
make build-test-data | |
- name: Build | |
# Occasionally, we run out of memory on the build process. | |
# Since cabal uses incremental compilation, we can retry from where we left off | |
# by simply re-running cabal if we fail. | |
env: | |
RUN_CMD: cabal build --project-file=${{ matrix.project-file }} all | |
run: | | |
: # With dist-newstyle caches: | |
: # Cabal mainly knows to recompile based on changes to files. | |
: # Tagging in git doesn't reliably change a file in a fixed location that cabal/GHC can track to indicate that there's a new tag. | |
: # For our release process, we merge to master, which builds (and may store a dist-newstyle cache), then push a release tag. | |
: # During the tag build, cabal/GHC may not realize that they have to rebuild the Version.hs file because the tag is invisible to it. | |
: # This line adds a unique comment to our version source file to prompt cabal/GHC to rebuild Version.hs unconditionally. | |
echo "{- $RANDOM$RANDOM$RANDOM -}" >> src/App/Version.hs | |
cabal update | |
$RUN_CMD || $RUN_CMD | |
- name: Run unit tests | |
run: | | |
cabal test --project-file=${{ matrix.project-file }} unit-tests | |
- name: Validate diagnose commands run on the platform | |
run: | | |
cargo run --bin diagnose -- walk --trace-spans none --trace-level info | |
# Save artifacts. | |
- name: Find and move binaries (Windows) | |
if: ${{ contains(matrix.os, 'windows') }} | |
run: | | |
mkdir release | |
find . -type f -path '*/fossa/fossa.exe' -exec cp {} release \; | |
cp target/release/diagnose.exe release | |
cp target/release/millhone.exe release | |
- name: Find and move binaries (non-Windows) | |
if: ${{ !contains(matrix.os, 'windows') }} | |
run: | | |
mkdir release | |
find . -type f -path '*/fossa/fossa' -exec cp {} release \; | |
cp target/release/diagnose release | |
cp target/release/millhone release | |
- name: Strip binaries | |
run: | | |
strip release/* | |
- name: Sign and Notarize Binaries (Mac OS) | |
if: ${{ contains(matrix.os, 'macos') && startsWith(github.ref, 'refs/tags/v') }} | |
env: | |
MACOS_BUILD_CERT_BASE64: ${{ secrets.MACOS_BUILD_CERT_BASE64 }} | |
MACOS_BUILD_CERT_P12_PASSWORD: ${{ secrets.MACOS_BUILD_CERT_P12_PASSWORD }} | |
MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }} | |
APPLE_NOTARIZATION_DEV_PASS: ${{ secrets.APPLE_NOTARIZATION_DEV_PASS }} | |
APPLE_NOTARIZATION_DEV_ID: ${{ secrets.APPLE_NOTARIZATION_DEV_ID }} | |
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
run: | | |
# create variables | |
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 | |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
# import certificate and provisioning profile from secrets | |
echo -n "$MACOS_BUILD_CERT_BASE64" | base64 --decode -o $CERTIFICATE_PATH | |
# create temporary keychain | |
security create-keychain -p "$MACOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
security unlock-keychain -p "$MACOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# import certificate to keychain | |
security import $CERTIFICATE_PATH -P "$MACOS_BUILD_CERT_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security list-keychain -d user -s $KEYCHAIN_PATH | |
chmod +x release/* | |
# '--options runtime' enables the hardened runtime: https://developer.apple.com/documentation/security/hardened_runtime | |
# The hardened runtime is required for notarization. | |
codesign --options runtime -s 'FOSSA, Inc.' release/fossa | |
codesign --options runtime -s 'FOSSA, Inc.' release/diagnose | |
codesign --options runtime -s 'FOSSA, Inc.' release/millhone | |
# Perform notarization | |
zip -rj notarization-archive.zip release | |
NOTARY_RESULTS=$(xcrun notarytool submit notarization-archive.zip --apple-id "$APPLE_NOTARIZATION_DEV_ID" --password "$APPLE_NOTARIZATION_DEV_PASS" --team-id "$APPLE_TEAM_ID" --wait) | |
echo "$NOTARY_RESULTS" | |
rm notarization-archive.zip | |
# The notarization tool doesn't set $?, so examine the output. | |
if ! echo "$NOTARY_RESULTS" | grep -q "status: Accepted"; then | |
exit 1 | |
fi | |
- uses: actions/upload-artifact@v2 | |
with: | |
name: ${{ runner.os }}-binaries | |
path: release | |
create-release: | |
name: create-release | |
runs-on: ubuntu-latest | |
needs: ['build-all'] | |
permissions: | |
id-token: write | |
contents: write | |
steps: | |
- uses: actions/download-artifact@v2 | |
- name: Get version | |
id: get-version | |
run: | | |
case $GITHUB_REF in | |
refs/tags/v*) | |
# This strips the 'v' prefix from the tag. | |
echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\/v/} | |
;; | |
*) | |
echo ::set-output name=VERSION::${GITHUB_SHA} | |
;; | |
esac | |
- name: Check that version info was embedded correctly | |
if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
run: | | |
chmod +x Linux-binaries/fossa | |
echo $GITHUB_REF_NAME | |
echo $GITHUB_REF_TYPE | |
echo $GITHUB_SHA | |
echo ${GITHUB_SHA:0:12} | |
VERSION=$(echo $(Linux-binaries/fossa --version)) | |
EXPECTED="fossa-cli version ${{ steps.get-version.outputs.VERSION }} (revision ${GITHUB_SHA:0:12} compiled with ghc-9.4)" | |
echo " VERSION: $VERSION" | |
echo "EXPECTED: $EXPECTED" | |
[ "$GITHUB_REF_TYPE" = "tag" ] && echo "Ref type OK" | |
[ "$VERSION" = "$EXPECTED" ] && echo "CLI version OK" | |
- name: Install Cosign | |
if: ${{ github.ref_type == 'tag' }} | |
uses: sigstore/cosign-installer@v3.1.1 | |
- name: Sign Release (Linux) | |
if: ${{ github.ref_type == 'tag' }} | |
run: | | |
cosign version | |
cosign sign-blob --yes --bundle "Linux-binaries/fossa.bundle" "Linux-binaries/fossa" | |
cosign sign-blob --yes --bundle "Linux-binaries/diagnose.bundle" "Linux-binaries/diagnose" | |
cosign sign-blob --yes --bundle "Linux-binaries/millhone.bundle" "Linux-binaries/millhone" | |
- name: Verify Signatures | |
if: ${{ github.ref_type == 'tag' }} | |
run: | | |
cosign verify-blob --bundle "Linux-binaries/fossa.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/fossa" | |
cosign verify-blob --bundle "Linux-binaries/diagnose.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/diagnose" | |
cosign verify-blob --bundle "Linux-binaries/millhone.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/millhone" | |
# This uses names compatible with our install script. | |
# | |
# Originally, CLI >=2.x Linux releases were only packaged as zip files, but | |
# we added tar.gz to improve compatibility. Our install script depends on | |
# the unzip command, which is not installed in most Linux distributions by | |
# default. To avoid breaking compatibility with older install scripts, we | |
# release both formats but default to using tar.gz when installing. | |
- name: Bundle binaries | |
env: | |
LINUX_FOSSA_TAR_PATH: "release/fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar" | |
LINUX_FOSSA_ZIP_PATH: "release/fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip" | |
LINUX_DIAGNOSE_TAR_PATH: "release/diagnose_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar" | |
LINUX_DIAGNOSE_ZIP_PATH: "release/diagnose_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip" | |
LINUX_MILLHONE_TAR_PATH: "release/millhone_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar" | |
LINUX_MILLHONE_ZIP_PATH: "release/millhone_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip" | |
run: | | |
mkdir release | |
ls -R | |
chmod +x Linux-binaries/* | |
zip -j "$LINUX_FOSSA_ZIP_PATH" Linux-binaries/fossa | |
zip -j "$LINUX_DIAGNOSE_ZIP_PATH" Linux-binaries/diagnose | |
zip -j "$LINUX_MILLHONE_ZIP_PATH" Linux-binaries/millhone | |
tar --create --verbose --file "$LINUX_FOSSA_TAR_PATH" --directory Linux-binaries fossa | |
tar --create --verbose --file "$LINUX_DIAGNOSE_TAR_PATH" --directory Linux-binaries diagnose | |
tar --create --verbose --file "$LINUX_MILLHONE_TAR_PATH" --directory Linux-binaries millhone | |
if [ "$GITHUB_REF_TYPE" = "tag" ]; then | |
tar --append --file "$LINUX_FOSSA_TAR_PATH" --directory Linux-binaries fossa.bundle | |
tar --append --file "$LINUX_DIAGNOSE_TAR_PATH" --directory Linux-binaries diagnose.bundle | |
tar --append --file "$LINUX_MILLHONE_TAR_PATH" --directory Linux-binaries millhone.bundle | |
zip -j "$LINUX_FOSSA_ZIP_PATH" Linux-binaries/fossa.bundle | |
zip -j "$LINUX_DIAGNOSE_ZIP_PATH" Linux-binaries/diagnose.bundle | |
zip -j "$LINUX_MILLHONE_ZIP_PATH" Linux-binaries/millhone.bundle | |
fi | |
gzip "$LINUX_FOSSA_TAR_PATH" | |
gzip "$LINUX_DIAGNOSE_TAR_PATH" | |
gzip "$LINUX_MILLHONE_TAR_PATH" | |
chmod +x macOS-binaries/* | |
zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-binaries/fossa | |
zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-binaries/diagnose | |
zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-binaries/millhone | |
chmod +x Windows-binaries/* | |
zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/fossa.exe | |
zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/diagnose.exe | |
zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/millhone.exe | |
- name: Create checksums | |
# We have to run from within the release dir so that "release" isn't prepended to the relative path of the zip file. | |
run: | | |
cd release | |
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip.sha256" | |
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar.gz" > "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar.gz.sha256" | |
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip.sha256" | |
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip.sha256" | |
echo "Sanity-checking the checksums." | |
cat *.sha256 | sha256sum --check --status | |
# Uploads the generated archives (tar.gz/zip) as build artifacts to allow | |
# verifying them without needing to do an actual release. This step does not | |
# need to run for tagged release versions. | |
- name: Upload release archives | |
if: ${{ !startsWith(github.ref, 'refs/tags/v') }} | |
uses: actions/upload-artifact@v2 | |
with: | |
name: release-archives | |
path: release | |
- name: Release | |
if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
uses: softprops/action-gh-release@v1 | |
with: | |
files: release/* | |
draft: true | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |