-
Notifications
You must be signed in to change notification settings - Fork 0
506 lines (455 loc) · 19.6 KB
/
release.yml
File metadata and controls
506 lines (455 loc) · 19.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
name: Release
on:
workflow_dispatch:
inputs:
dry-run:
description: 'Dry run (build only, skip publish)'
type: boolean
default: false
permissions: {}
jobs:
version:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.read.outputs.VERSION }}
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Read version from Cargo.toml
id: read
run: |
VERSION=$(grep '^version = ' Cargo.toml | head -1 | sed 's/version = "\(.*\)"/\1/')
echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
echo "Release version: $VERSION"
- name: Check tag does not exist
run: |
VERSION="${{ steps.read.outputs.VERSION }}"
if git rev-parse "v${VERSION}" >/dev/null 2>&1; then
echo "::error::Tag v${VERSION} already exists. Bump the version in a PR first."
exit 1
fi
- name: Check CHANGELOG.md has release notes for version
run: |
VERSION="${{ steps.read.outputs.VERSION }}"
if [ ! -f CHANGELOG.md ]; then
echo "::error::CHANGELOG.md does not exist at the repository root."
exit 1
fi
# A release requires an explicit `## [X.Y.Z]` / `## X.Y.Z` heading
# (notes written by hand in the version-bump PR).
if grep -qE "^## \[?${VERSION}\]?( |$)" CHANGELOG.md; then
echo "Found explicit CHANGELOG heading for ${VERSION}."
exit 0
fi
echo "::error::CHANGELOG.md has no release notes for ${VERSION}."
echo "::error::Add a \`## [${VERSION}] — $(date +%Y-%m-%d)\` heading with release notes before re-running."
exit 1
build:
needs: version
strategy:
matrix:
include:
- target: aarch64-apple-darwin
runner: macos-14
archive: tar.gz
build-tool: cargo
- target: x86_64-apple-darwin
runner: macos-14
archive: tar.gz
build-tool: cargo
- target: x86_64-unknown-linux-gnu
runner: ubuntu-latest
archive: tar.gz
build-tool: cross
- target: x86_64-unknown-linux-musl
runner: ubuntu-latest
archive: tar.gz
build-tool: cross
- target: aarch64-unknown-linux-gnu
runner: ubuntu-latest
archive: tar.gz
build-tool: cross
- target: aarch64-unknown-linux-musl
runner: ubuntu-latest
archive: tar.gz
build-tool: cross
- target: x86_64-pc-windows-msvc
runner: windows-latest
archive: zip
build-tool: cargo
- target: i686-pc-windows-msvc
runner: windows-latest
archive: zip
build-tool: cargo
- target: aarch64-pc-windows-msvc
runner: windows-latest
archive: zip
build-tool: cargo
- target: aarch64-linux-android
runner: ubuntu-latest
archive: tar.gz
build-tool: cross
- target: arm-unknown-linux-gnueabihf
runner: ubuntu-latest
archive: tar.gz
build-tool: cross
- target: arm-unknown-linux-musleabihf
runner: ubuntu-latest
archive: tar.gz
build-tool: cross
- target: i686-unknown-linux-gnu
runner: ubuntu-latest
archive: tar.gz
build-tool: cross
- target: i686-unknown-linux-musl
runner: ubuntu-latest
archive: tar.gz
build-tool: cross
runs-on: ${{ matrix.runner }}
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install Rust
# rustup is pre-installed on GitHub-hosted runners. `rustup show`
# reads rust-toolchain.toml in the repo root, then installs the
# pinned channel + listed components if missing. The dtolnay action
# cannot auto-detect the channel when pinned by SHA (it normally
# parses it from the ref name), so we go through rustup directly.
run: |
rustup show
rustup target add ${{ matrix.target }}
- name: Install cross
if: matrix.build-tool == 'cross'
run: cargo install --locked --version =0.2.5 cross
- name: Build (cargo)
if: matrix.build-tool == 'cargo'
run: cargo build --release --target ${{ matrix.target }}
- name: Build (cross)
if: matrix.build-tool == 'cross'
run: cross build --release --target ${{ matrix.target }}
- name: Package (unix)
if: matrix.archive == 'tar.gz'
run: |
cd target/${{ matrix.target }}/release
tar czf ../../../socket-patch-${{ matrix.target }}.tar.gz socket-patch
cd ../../..
- name: Package (windows)
if: matrix.archive == 'zip'
shell: pwsh
run: |
Compress-Archive -Path "target/${{ matrix.target }}/release/socket-patch.exe" -DestinationPath "socket-patch-${{ matrix.target }}.zip"
- name: Upload artifact (tar.gz)
if: matrix.archive == 'tar.gz'
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: socket-patch-${{ matrix.target }}
path: socket-patch-${{ matrix.target }}.tar.gz
- name: Upload artifact (zip)
if: matrix.archive == 'zip'
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: socket-patch-${{ matrix.target }}
path: socket-patch-${{ matrix.target }}.zip
tag:
needs: [version, build]
if: ${{ !inputs.dry-run }}
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Create and push tag
run: |
TAG="v${{ needs.version.outputs.version }}"
git tag "$TAG"
git push origin "$TAG"
github-release:
needs: [version, build, tag]
if: ${{ !inputs.dry-run }}
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Download all artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
path: artifacts
merge-multiple: true
- name: Generate SHA256SUMS
run: |
cd artifacts
# Hash every release artifact (tar.gz + zip) so install.sh can verify
# the binary before extraction. Sorted output keeps the file stable.
sha256sum *.tar.gz *.zip 2>/dev/null | sort > SHA256SUMS
cat SHA256SUMS
- name: Create GitHub Release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
TAG="v${{ needs.version.outputs.version }}"
gh release create "$TAG" \
--repo "$GITHUB_REPOSITORY" \
--generate-notes \
artifacts/*
cargo-publish:
needs: [version, build, tag]
if: ${{ !inputs.dry-run }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install Rust
# rustup is pre-installed on GitHub-hosted runners. `rustup show`
# reads rust-toolchain.toml in the repo root, then installs the
# pinned channel + listed components if missing.
run: rustup show
- name: Authenticate with crates.io
id: crates-io-auth
uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
- name: Publish socket-patch-core
run: cargo publish -p socket-patch-core
env:
CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token }}
# socket-patch-guard is a standalone crate (no dependency on core/cli) that
# `socket-patch setup` adds to a user's Cargo.toml as
# `socket-patch-guard = "<major.minor>"`. It MUST be published on every
# release or cargo setup writes an unresolvable dependency and the user's
# `cargo build` fails. Its build.rs is a no-op when SOCKET_PATCH_ROOT is
# unset (the case during publish verification), so this builds cleanly.
- name: Publish socket-patch-guard
run: cargo publish -p socket-patch-guard
env:
CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token }}
- name: Wait for crates.io index update
run: sleep 30
- name: Copy README for CLI crate
run: cp README.md crates/socket-patch-cli/README.md
- name: Publish socket-patch-cli
run: cargo publish -p socket-patch-cli
env:
CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token }}
npm-publish:
needs: [version, build, tag]
if: ${{ !inputs.dry-run }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Configure git for HTTPS
run: git config --global url."https://github.com/".insteadOf "ssh://git@github.com/"
- name: Download all artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
path: artifacts
merge-multiple: true
- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '22.22.1'
registry-url: 'https://registry.npmjs.org'
package-manager-cache: false
- name: Update npm for staged publishing
run: npm install -g npm@11.15.0
- name: Stage binaries into platform packages
run: |
# Unix platforms: extract binary into each platform package directory
stage_unix() {
local artifact="$1" pkg_dir="$2"
tar xzf "artifacts/${artifact}.tar.gz" -C "${pkg_dir}/"
}
# Windows platforms: extract .exe into each platform package directory
stage_win() {
local artifact="$1" pkg_dir="$2"
unzip -o "artifacts/${artifact}.zip" -d "${pkg_dir}/"
}
stage_unix socket-patch-aarch64-apple-darwin npm/socket-patch-darwin-arm64
stage_unix socket-patch-x86_64-apple-darwin npm/socket-patch-darwin-x64
stage_unix socket-patch-x86_64-unknown-linux-gnu npm/socket-patch-linux-x64-gnu
stage_unix socket-patch-x86_64-unknown-linux-musl npm/socket-patch-linux-x64-musl
stage_unix socket-patch-aarch64-unknown-linux-gnu npm/socket-patch-linux-arm64-gnu
stage_unix socket-patch-aarch64-unknown-linux-musl npm/socket-patch-linux-arm64-musl
stage_unix socket-patch-arm-unknown-linux-gnueabihf npm/socket-patch-linux-arm-gnu
stage_unix socket-patch-arm-unknown-linux-musleabihf npm/socket-patch-linux-arm-musl
stage_unix socket-patch-i686-unknown-linux-gnu npm/socket-patch-linux-ia32-gnu
stage_unix socket-patch-i686-unknown-linux-musl npm/socket-patch-linux-ia32-musl
stage_unix socket-patch-aarch64-linux-android npm/socket-patch-android-arm64
stage_win socket-patch-x86_64-pc-windows-msvc npm/socket-patch-win32-x64
stage_win socket-patch-i686-pc-windows-msvc npm/socket-patch-win32-ia32
stage_win socket-patch-aarch64-pc-windows-msvc npm/socket-patch-win32-arm64
- name: Stage-publish platform packages
id: stage-platform
run: |
: > "${RUNNER_TEMP}/staged-packages.txt"
for pkg_dir in npm/socket-patch-*/; do
pkg_name="@socketsecurity/$(basename "$pkg_dir")"
echo "Staging ${pkg_name}..."
if npm stage publish "./${pkg_dir}" --access public; then
echo "$pkg_name" >> "${RUNNER_TEMP}/staged-packages.txt"
else
if npm view "${pkg_name}@${{ needs.version.outputs.version }}" version >/dev/null 2>&1; then
echo "Already published, skipping."
else
exit 1
fi
fi
done
- name: Copy README for npm package
run: cp README.md npm/socket-patch/README.md
- name: Stage-publish main package
run: |
pkg_name="@socketsecurity/socket-patch"
if npm stage publish ./npm/socket-patch --access public; then
echo "$pkg_name" >> "${RUNNER_TEMP}/staged-packages.txt"
else
if npm view "${pkg_name}@${{ needs.version.outputs.version }}" version >/dev/null 2>&1; then
echo "Already published, skipping."
else
exit 1
fi
fi
- name: Summarize staged versions awaiting approval
if: always()
run: |
STAGED_FILE="${RUNNER_TEMP}/staged-packages.txt"
if [ ! -s "$STAGED_FILE" ]; then
echo "No packages staged this run (all versions already published or publish step failed before staging)." >> "$GITHUB_STEP_SUMMARY"
exit 0
fi
VERSION="${{ needs.version.outputs.version }}"
{
echo "## npm staged versions awaiting approval"
echo ""
echo "Version \`${VERSION}\` is staged on npm. A maintainer must approve each package with 2FA before it becomes installable."
echo ""
echo "**Approve platform packages first**, then the main \`@socketsecurity/socket-patch\` package, so install-time \`optionalDependencies\` resolution sees the platform binaries already live."
echo ""
echo "**Approve from the web** (signs in + 2FA prompts inline):"
echo ""
echo "- Org dashboard: <https://www.npmjs.com/settings/socketsecurity/staged-packages>"
echo ""
echo "Per-package review pages:"
echo ""
while IFS= read -r pkg_name; do
[ -z "$pkg_name" ] && continue
# npmjs.com renders staged versions inline on the package page;
# the access page exposes the "Staged" tab and the approve button.
echo "- \`${pkg_name}@${VERSION}\` — <https://www.npmjs.com/package/${pkg_name}/access>"
done < "$STAGED_FILE"
echo ""
echo "**Approve from the CLI** (requires \`npm@11.15.0+\` locally, signed in to the \`socketsecurity\` org with 2FA):"
echo ""
echo '```sh'
echo "npm stage list"
echo "# then, for each stage id printed above (platform packages first, main package last):"
echo "npm stage approve <stage-id>"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
# Mirror to step log so it's also visible in the raw run output.
echo "::notice title=npm staged versions awaiting approval::Review and approve at https://www.npmjs.com/settings/socketsecurity/staged-packages"
pypi-publish:
needs: [version, build, tag]
if: ${{ !inputs.dry-run }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Download all artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
path: artifacts
merge-multiple: true
- name: Setup Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: '3.12.13'
- name: Copy README for PyPI package
run: cp README.md pypi/socket-patch/README.md
- name: Build wheels (platform socket-patch + pure-python socket-patch-hook)
run: |
VERSION="${{ needs.version.outputs.version }}"
# Builds the platform-tagged socket-patch wheels AND the pure-python
# socket-patch-hook wheel (the .pth carrier behind `socket-patch[hook]`).
python scripts/build-pypi-wheels.py --version "$VERSION" --artifacts artifacts --dist dist
# socket-patch and socket-patch-hook are two distinct PyPI projects.
# Publish each from its own dir so trusted publishing mints an OIDC
# token scoped to the right project (one upload spanning both projects
# can be rejected). Each project needs its own trusted publisher on
# PyPI; register a "pending" publisher for socket-patch-hook before the
# first release (repo + workflow `release.yml` + this environment).
mkdir -p dist-hook
mv dist/socket_patch_hook-*.whl dist-hook/
- name: Publish socket-patch to PyPI
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
with:
packages-dir: dist/
- name: Publish socket-patch-hook to PyPI
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
with:
packages-dir: dist-hook/
# Phase 2 scaffolding (CLI_CONTRACT "gem" support matrix): publish the
# `socket-patch-bundler` gem — the published form of the Bundler plugin that
# `socket-patch setup` currently wires via an in-tree `git:` reference. This
# gem is NOT yet the active mechanism (gem_setup still emits the in-tree
# plugin), so the job is **non-blocking** (`continue-on-error`) and skips the
# push when no credential is configured. A follow-up switches the generated
# Gemfile directive to `plugin "socket-patch-bundler"` and drops continue-on-
# error. Preferred hardening: RubyGems trusted publishing (OIDC), mirroring
# the crates.io / PyPI jobs above, in place of a long-lived API key.
gem-publish:
needs: [version, build, tag]
if: ${{ !inputs.dry-run }}
runs-on: ubuntu-latest
continue-on-error: true
# Scope the publish secret to a deployment environment (zizmor
# secrets-outside-env); auto-created with no protection until configured.
environment: rubygems
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
# Ruby is pre-installed on ubuntu-latest; no setup action needed.
- name: Build socket-patch-bundler gem
run: |
cd gem/socket-patch-bundler
gem build socket-patch-bundler.gemspec
- name: Publish socket-patch-bundler to RubyGems
# zizmor: ignore[use-trusted-publishing]
# Uses an API key for now; RubyGems trusted publishing (OIDC) is the
# documented future hardening (see the job comment), matching the
# crates.io / PyPI jobs. Suppressed until that publisher is registered.
env:
GEM_HOST_API_KEY: ${{ secrets.RUBYGEMS_API_KEY }}
run: |
cd gem/socket-patch-bundler
if [ -z "${GEM_HOST_API_KEY}" ]; then
echo "::notice title=gem publish skipped::RUBYGEMS_API_KEY not set; built socket-patch-bundler but did not push (Phase 2 scaffolding)."
exit 0
fi
# A re-push of an already-published version errors; the job is
# continue-on-error so that is non-fatal to the release.
gem push socket-patch-bundler-*.gem