# Linux release binaries (wheel, AppImage, deb, rpm), SBOM, optional cosign bundles, # SLSA Build Level 3 provenance (slsa-github-generator generic), and a draft GitHub release. # # Pinned first-party actions (bump tag and SHA together when upgrading): # actions/checkout@v6.0.1 8e8c483db84b4bee98b60c0593521ed34d9990e8 # actions/setup-python@v6.2.0 a309ff8b426b58ec0e2a45f0f869d46889d02405 # actions/setup-node@v6.1.0 395ad3262231945c25e8478fd5baf05154b1d79f # actions/upload-artifact@v5.0.0 330a01c490aca151604b8cf639adc76d48f6c5d4 # actions/download-artifact@v5.0.0 634f93cb2916e3fdff6788551b99b062d0335ce0 # actions/cache@v4.2.0 1bd1e32a3bdc45362d1e726936510720a7c30a57 # # SLSA generator (must stay @vX.Y.Z semver per upstream): # slsa-framework/slsa-github-generator/generator_generic_slsa3.yml@v2.1.0 name: Build Linux release on: push: tags: - "*" workflow_dispatch: permissions: contents: write actions: write id-token: write concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true NODE_OPTIONS: --max-old-space-size=8192 PYTHON_VERSION: "3.14" NODE_VERSION: "24" POETRY_VERSION: "2.3.4" PNPM_VERSION: "10.33.0" COSIGN_VERSION: "3.0.6" jobs: frontend: name: Build frontend artifact uses: ./.github/workflows/frontend-build.yml permissions: contents: read with: artifact_name: meshchatx-frontend-linux-rel-${{ github.run_id }}-${{ github.run_attempt }} retention_days: 7 pnpm_version: "10.33.0" linux-release: name: Linux release assets needs: frontend runs-on: ubuntu-latest timeout-minutes: 120 outputs: hashes: ${{ steps.slsa-hashes.outputs.hashes }} permissions: contents: read actions: write env: FRONTEND_ARTIFACT_NAME: ${{ needs.frontend.outputs.artifact_name }} MESHCHATX_FRONTEND_PREBUILT: "1" steps: - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 - name: Set up Python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: python-version: ${{ env.PYTHON_VERSION }} - name: Install Poetry (PyPI pin) env: POETRY_VERSION: ${{ env.POETRY_VERSION }} run: bash scripts/ci/github-install-poetry.sh - name: Cache Poetry downloads uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 with: path: ~/.cache/pypoetry key: ${{ runner.os }}-pypoetry-${{ hashFiles('poetry.lock') }} restore-keys: | ${{ runner.os }}-pypoetry- - name: Enable pnpm (corepack) run: corepack enable && corepack prepare "pnpm@${PNPM_VERSION}" --activate - name: Set up Node uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f with: node-version: ${{ env.NODE_VERSION }} cache: pnpm cache-dependency-path: pnpm-lock.yaml - name: Linux packaging APT dependencies run: bash scripts/ci/github-apt-linux-packaging.sh - name: Install project dependencies run: bash scripts/ci/github-install-deps.sh - name: Download frontend artifact uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 with: name: ${{ env.FRONTEND_ARTIFACT_NAME }} path: meshchatx/public - name: Verify frontend artifact contents run: | set -euo pipefail test -f meshchatx/public/index.html test -d meshchatx/public/assets test -d meshchatx/public/reticulum-docs-bundled/current - name: Setup Task run: sh scripts/ci/setup-task.sh - name: Setup Trivy run: sh scripts/ci/setup-trivy.sh - name: Build release-assets run: bash scripts/ci/github-build-linux-release-assets.sh - name: SLSA subject hashes id: slsa-hashes if: startsWith(github.ref, 'refs/tags/') run: bash scripts/ci/github-slsa-hashes-release-assets.sh - name: SLSA attestations (cosign) env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} GITHUB_SERVER_URL: ${{ github.server_url }} GITHUB_REPOSITORY: ${{ github.repository }} GITHUB_SHA: ${{ github.sha }} GITHUB_REF: ${{ github.ref }} GITHUB_RUN_ID: ${{ github.run_id }} GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }} GITHUB_WORKFLOW: ${{ github.workflow }} COSIGN_VERSION: ${{ env.COSIGN_VERSION }} run: | set -eu if [ -z "${COSIGN_PRIVATE_KEY:-}" ]; then echo "Skipping cosign attestations (no COSIGN_PRIVATE_KEY)." exit 0 fi sh scripts/ci/setup-cosign.sh "${COSIGN_VERSION}" printf '%s\n' "$COSIGN_PRIVATE_KEY" > /tmp/cosign.key chmod 600 /tmp/cosign.key export COSIGN_KEY_PATH=/tmp/cosign.key sh scripts/ci/attest-release-assets.sh ./release-assets rm -f /tmp/cosign.key - name: Upload Linux release artifact uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 with: name: meshchatx-linux-release-${{ github.ref_name }}-${{ github.run_id }} path: release-assets/ if-no-files-found: error retention-days: 30 slsa-provenance-linux: name: SLSA provenance (Linux) needs: [linux-release] if: startsWith(github.ref, 'refs/tags/') permissions: id-token: write contents: read actions: read uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 with: base64-subjects: ${{ needs.linux-release.outputs.hashes }} upload-assets: false provenance-name: meshchatx-linux-${{ github.ref_name }}.intoto.jsonl draft-github-release-linux: name: Draft GitHub release (Linux assets + SLSA) needs: [linux-release, slsa-provenance-linux] if: startsWith(github.ref, 'refs/tags/') runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: write steps: - name: Download Linux release assets uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 with: name: meshchatx-linux-release-${{ github.ref_name }}-${{ github.run_id }} path: upload - name: Download SLSA provenance uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 with: name: ${{ needs.slsa-provenance-linux.outputs.provenance-name }} path: upload - name: Upload to draft release env: GH_TOKEN: ${{ github.token }} run: bash scripts/ci/github-draft-release-upload-assets.sh upload