Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Establish chain of trust from code to Linux and macOS builds by compiling and releasing using GitHub Actions #40

Merged
merged 2 commits into from
Feb 18, 2025
Merged

Establish chain of trust from code to Linux and macOS builds by compiling and releasing using GitHub Actions #40

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7ba937b
Establish chain of trust from code to Linux and macOS builds by compi…
orazioedoardo Feb 18, 2025
2e02548
Checkout to latest tag as opposed to latest commit for consistency
orazioedoardo Feb 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
116 changes: 94 additions & 22 deletions .github/workflows/ReleaseBuilds.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,55 +3,127 @@ name: Make Release Builds
on: [workflow_dispatch]

jobs:
create-new-release:
runs-on: ubuntu-22.04
timeout-minutes: 5

permissions:
contents: write

outputs:
latest_tag: ${{ steps.get-release-tag.outputs.latest_tag }}

steps:
- uses: actions/checkout@v4
with:
ref: boom

- name: Get release tag
id: get-release-tag
shell: bash
run: |
git fetch --prune --unshallow --tags

if ! latest_tag="$(git describe --tags --abbrev=0)"; then
echo "No tags in this branch!"
exit 1
fi

releases="$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/${{ github.repository }}/releases)"

if latest_release_tag="$(jq -e -r '.[0].tag_name' <<< "$releases")" && [ "${latest_release_tag}" = "${latest_tag}" ]; then
echo "A release for tag ${latest_tag} has already been created!"
exit 1
fi

echo "Setting release tag to '${latest_tag}'..."
echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT"

env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Create (empty) release
run: |
run_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
notes="Linux and macOS builds in this release were compiled and uploaded entirely by GitHub Actions following the steps in the workflow file of this repository. Together with the SHA-256 hashes of the assets being printed in the logs of the workflow run ${run_url}, this allows users to verify that said builds were produced based on the source code of the repository at a specific commit."
gh release create --notes "${notes}" "$LATEST_TAG"

env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
LATEST_TAG: ${{ steps.get-release-tag.outputs.latest_tag }}

build-macos-universal:
needs: create-new-release
runs-on: macos-13
timeout-minutes: 15

permissions:
contents: write

steps:
- uses: actions/checkout@v4
with:
ref: boom
ref: ${{ needs.create-new-release.outputs.latest_tag }}

- run: ./makeapp_osx.sh
- name: Compile macOS universal app and upload file to release
run: |
./makeapp_osx.sh
openssl sha256 BOOM-Remake-*-mac.dmg
gh release upload "$LATEST_TAG" BOOM-Remake-*-mac.dmg

- uses: actions/upload-artifact@v4
with:
name: mac-build-universal
path: BOOM-Remake-*-mac.dmg
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
LATEST_TAG: ${{ needs.create-new-release.outputs.latest_tag }}

build-linux-appimage-x86_64:
needs: create-new-release
runs-on: ubuntu-22.04
timeout-minutes: 15

permissions:
contents: write

steps:
- uses: actions/checkout@v4
with:
ref: boom
ref: ${{ needs.create-new-release.outputs.latest_tag }}

- run: |
- name: Compile Linux x86_64 app and upload file to release
run: |
sudo apt update
sudo apt install -y desktop-file-utils libsfml-dev
./makeapp_linux.sh
openssl sha256 BOOM-Remake-*-linux-x86_64.AppImage
gh release upload "$LATEST_TAG" BOOM-Remake-*-linux-x86_64.AppImage

- run: ./makeapp_linux.sh

- uses: actions/upload-artifact@v4
with:
name: linux-build-x86_64
path: BOOM-Remake-*-linux-x86_64.AppImage
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
LATEST_TAG: ${{ needs.create-new-release.outputs.latest_tag }}

build-linux-appimage-aarch64:
needs: create-new-release
runs-on: ubuntu-22.04-arm
timeout-minutes: 15

permissions:
contents: write

steps:
- uses: actions/checkout@v4
with:
ref: boom
ref: ${{ needs.create-new-release.outputs.latest_tag }}

- run: |
- name: Compile Linux aarch64 app and upload file to release
run: |
sudo apt update
sudo apt install -y desktop-file-utils libsfml-dev
./makeapp_linux.sh
openssl sha256 BOOM-Remake-*-linux-aarch64.AppImage
gh release upload "$LATEST_TAG" BOOM-Remake-*-linux-aarch64.AppImage

- run: ./makeapp_linux.sh

- uses: actions/upload-artifact@v4
with:
name: linux-build-aarch64
path: BOOM-Remake-*-linux-aarch64.AppImage
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
LATEST_TAG: ${{ needs.create-new-release.outputs.latest_tag }}