Release #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
workflow_dispatch: | |
release: | |
types: [created] | |
permissions: {} | |
jobs: | |
build: | |
if: github.repository == 'mihaimaruseac/hindent' # Don't do this in forks | |
runs-on: ubuntu-latest | |
# Keep these in sync with a subset of Cabal-based CI matrix. This way, we | |
# are not building a new cache here, just reusing an existing one. | |
env: | |
os: ubuntu-latest | |
ghc: 9.6.3 | |
outputs: | |
hash_sdist: ${{ steps.hash_sdist.outputs.hash_sdist }} | |
hash_execs: ${{ steps.hash_execs.outputs.hash_execs }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
persist-credentials: false | |
- name: Setup Haskell Compiler (cabal) | |
id: setup-haskell | |
uses: haskell-actions/setup@91c5a796c146b3acc330865028659afb2d078774 # v2.5.2 | |
with: | |
ghc-version: ${{ env.ghc }} | |
- name: Cache dist-newstyle | |
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | |
with: | |
path: dist-newstyle | |
key: dist-newstyle-${{ env.os }}-${{ env.ghc }}-${{ hashFiles('**/*.cabal') }}-${{ hashFiles('internal/**','src/**','app/**','tests/**','benchmarks/**') }} | |
restore-keys: | | |
dist-newstyle-${{ env.os }}-${{ env.ghc }}-${{ hashFiles('**/*.cabal') }}- | |
dist-newstyle-${{ env.os }}-${{ env.ghc }}- | |
- name: Cache ~/.cabal/store | |
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | |
with: | |
path: ${{ steps.setup-haskell.outputs.cabal-store }} | |
key: cabal-store-${{ env.os }}-${{ env.ghc }}-${{ hashFiles('**/*.cabal') }} | |
restore-keys: cabal-store-${{ env.os }}-${{ env.ghc }}- | |
- name: Build executables | |
run: cabal build all:exes | |
- name: Generate source distribution | |
run: cabal sdist --output . | |
- name: Generate documentation | |
run: cabal haddock --haddock-for-hackage --enable-doc --builddir=. | |
- name: Generate subject for provenance of source distribution | |
id: hash_sdist | |
run: | | |
set -euo pipefail | |
echo "hash_sdist=$(sha256sum hindent-*.tar.gz | base64 -w0)" >> "${GITHUB_OUTPUT}" | |
# Wehn uploading we pick a fixed name since we don't yet have access to | |
# the version string in the tarball. This can be fixed with some | |
# scripting if needed, but it works for our use cases as it is. | |
# TODO(mihaimaruseac): Maybe fix to upload the path as needed | |
- name: Upload sdist as an artifact for later jobs in workflow | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
path: hindent-*.tar.gz | |
name: sdist.zip # When downloading it is a zip containing the sdist tarball | |
if-no-files-found: error | |
retention-days: 1 | |
- name: Copy all executables to root directory for ease of release | |
run: mkdir .execs && cp $(cabal list-bin all:exes) .execs | |
# TODO(mihaimaruseac): Strip executables | |
- name: Generate subject for provenance of executables | |
id: hash_execs | |
run: | | |
set -euo pipefail | |
echo "hash_execs=$(sha256sum .execs/* | base64 -w0)" >> "${GITHUB_OUTPUT}" | |
# When uploading executables we push them all to the same archive and | |
# later the action that downloads it automatically unpacks it. So, in | |
# effect this allows us to be transparent on what the executables we | |
# generate. | |
# However, on the CI run this will result in an artifact (short lived!) | |
# that has all of the executables in it. If we want to upload each | |
# executable by itself, maybe we can use automatic matrix generation[1] | |
# for this. | |
# [1]: https://frontside.com/blog/2022-12-12-dynamic-github-action-jobs/ | |
# TODO(mihaimaruseac): Maybe use automatic matrix generation here | |
- name: Upload executables as an artifact for later jobs in workflow | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
path: .execs/ | |
name: executables.zip # When downloading it is a zip with all executables | |
if-no-files-found: error | |
retention-days: 1 | |
provenance-sdist: | |
needs: [build] | |
permissions: | |
actions: read | |
id-token: write | |
contents: write | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: "${{ needs.build.outputs.hash_sdist }}" | |
upload-assets: true | |
provenance-name: source-distribution.intoto.jsonl | |
provenance-execs: | |
needs: [build] | |
permissions: | |
actions: read | |
id-token: write | |
contents: write | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: "${{ needs.build.outputs.hash_execs }}" | |
upload-assets: true | |
provenance-name: executables.intoto.jsonl | |
release: | |
needs: [build, provenance-sdist, provenance-execs] | |
runs-on: ubuntu-latest | |
if: startsWith(github.ref, 'refs/tags/') | |
steps: | |
- name: Download artifact | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: executables.zip | |
- name: Download artifact | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: sdist.zip | |
- name: Upload assets | |
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 | |
with: | |
files: ./* | |
# TODO(mihaimaruseac): Upload haddock and build report to Hackage | |
# Not doing this now because we don't want to store user/pass in GitHub | |
# secrets and there is no OIDC way to upload. |