ci: add new workflow to build and attach the phar file to a release upon new tag

[drupol]

This PR:

• is related to Integration in Nix - upload build asset (phar) to Github release? #1276 and Integration in Nix - upload build asset (phar) to Github release? n98-magerun2#1098
• Adds a new Github workflow

[drupol]

This failure in the CI is unrelated.

[ktomk]

Yes, looking into it.

ERROR: Error in file: "/home/runner/work/n98-magerun/n98-magerun/magento/www/app/code/core/Mage/Catalog/data/catalog_setup/data-install-1.6.0.0.php" - timezone (Etc/GMT+8) is not a known timezone

• Test Setup Job for test_setup.sh openmage-20.0.14 / PHP 8.2

[drupol]

Cool ! Can you tag a release now?

[ktomk]

@drupol to pkg or nix to pkg is the question /E: and we have a phar!

[drupol]

I would not use nix to package it, but yes for your development environment. We can even have a meeting today about that.

[ktomk]

@drupol that would be great. what about 13:00? This would be great for dev'ing.

[drupol]

Deal !

[drupol]

In the meantime, can you tag 2.3.1 so @fballiano can move on in NixOS/nixpkgs#212296 ?

[fballiano]

Wow, great job everybody!

[ktomk]

I don't think 2.3.1 would be stable as the build failed, also master and develop have diverged, so I took 2.3.1-alpha1 and mark it as pre-release, HTH. @drupol /cc @cmuench

[drupol]

Ok. thanks! Can you send me the invite for the meeting at 1pm ? My email can be found here: https://not-a-number.io/ ( I try to avoid spreading it everywhere)

[cmuench]

@ktomk This new process forced a phar publish. There is a new "stable" phar release now. I will remove this new process!

[cmuench]

We do not tag alpha versions.

[ktomk]

@ktomk This new process forced a phar publish. There is a new "stable" phar release now. I will remove this new process!

@cmuench: oh, that's unfortunate. I kept it on develop as I was under the impression it won't trigger, also with the non-standard tag-name, sorry for the inconvenience.

would it be possible to filter by tag pattern so that we can sandbox this at least for magerun one?

[cmuench]

@ktomk Maybe but I do not plan to change too much in this really stable publish process. Why should we change that?

[fballiano]

Why should we change that?

to have the package in NIX or if other OS/distributors decide to enforce a stricter security policy.

I started this whole thing because I wanted to add magerun to my new devenv environment for openmage (and later M2). devenv is truly amazing and it would have just being great to have magerun as a package in the environment shell.

[cmuench]

@fballiano So you trust Microsoft more than me?

[cmuench]

We publish since several years without any security issues all phar files at files.magerun.net
It's published together with a PGP .sig file to verify downloads. The phar build is stable. Means that you can build the phar file on your local machine and compare the sha256 of the file.
I do not see why we should change that an publish on Github.

[fballiano]

No man i’ve nothing to do with this thing. I do magento, i published magerun in homebrew much before you did and loved magerun since the behinning of time.

i Wanted to add it to Nix and i’ve been told that an external server is a security concern, which i can see their point you know. That’s it.

[cmuench]

I don't get it. The phar file on files.magerun.net can be extracted. So everything is open source. It's signed with my (maintainers) GPG key.
So the source is trustfully.
The only difference is that the phar is not stored on a GitHub server.
I choosed the external storage due to several outages of GitHub where people were not able to deploy. Since we moved all to a server with a CDN in front we had less problems as before.
I do not want to provide two sources of the phar file. Hope you can understand my position here.
Everyone how needs more control can clone the source and build the phar manually. Any state. The checksum should be the same due to the way we generate the phar file (without timestamp included).
I understand that the nix people want to see the publishing process. Maybe I can open the output of my private drone server if that helps.

[cmuench]

@fballiano BTW thanks for maintaining the brew integration.