dandri/MeshChatX
1
0
Fork 0
mirror of https://git.quad4.io/RNS-Things/MeshChatX.git synced 2026-04-27 17:15:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
47d355da153af8a17f45ae4e166a62aed581e98e
MeshChatX/.github/workflows/build-linux-release.yml
T

191 lines
7.2 KiB
YAML
Raw Blame History

# Linux release binaries (wheel, AppImage, deb, rpm), SBOM, optional cosign bundles,
# SLSA Build Level 3 provenance (slsa-github-generator generic), and a draft GitHub release.
#
# Pinned first-party actions (bump tag and SHA together when upgrading):
# actions/checkout@v6.0.1 8e8c483db84b4bee98b60c0593521ed34d9990e8
# actions/setup-python@v6.2.0 a309ff8b426b58ec0e2a45f0f869d46889d02405
# actions/setup-node@v6.1.0 395ad3262231945c25e8478fd5baf05154b1d79f
# actions/upload-artifact@v5.0.0 330a01c490aca151604b8cf639adc76d48f6c5d4
# actions/download-artifact@v5.0.0 634f93cb2916e3fdff6788551b99b062d0335ce0
#
# SLSA generator (must stay @vX.Y.Z semver per upstream):
# slsa-framework/slsa-github-generator/generator_generic_slsa3.yml@v2.1.0
name: Build Linux release
on:
push:
tags:
- "*"
workflow_dispatch:
permissions:
contents: write
actions: write
id-token: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
NODE_OPTIONS: --max-old-space-size=8192
PYTHON_VERSION: "3.14"
NODE_VERSION: "24"
POETRY_VERSION: "2.3.4"
PNPM_VERSION: "10.33.0"
COSIGN_VERSION: "3.0.6"
jobs:
frontend:
name: Build frontend artifact
uses: ./.github/workflows/frontend-build.yml
permissions:
contents: read
with:
artifact_name: meshchatx-frontend-linux-rel-${{ github.run_id }}-${{ github.run_attempt }}
retention_days: 7
pnpm_version: "10.33.0"
linux-release:
name: Linux release assets
needs: frontend
runs-on: ubuntu-latest
timeout-minutes: 120
outputs:
hashes: ${{ steps.slsa-hashes.outputs.hashes }}
permissions:
contents: read
actions: write
env:
FRONTEND_ARTIFACT_NAME: ${{ needs.frontend.outputs.artifact_name }}
MESHCHATX_FRONTEND_PREBUILT: "1"
steps:
- name: Checkout
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install Poetry (PyPI pin)
env:
POETRY_VERSION: ${{ env.POETRY_VERSION }}
run: bash scripts/ci/github-install-poetry.sh
- name: Set up Node
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
with:
node-version: ${{ env.NODE_VERSION }}
- name: Enable pnpm (corepack)
run: corepack enable && corepack prepare "pnpm@${PNPM_VERSION}" --activate
- name: Linux packaging APT dependencies
run: bash scripts/ci/github-apt-linux-packaging.sh
- name: Install project dependencies
run: bash scripts/ci/github-install-deps.sh
- name: Download frontend artifact
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
with:
name: ${{ env.FRONTEND_ARTIFACT_NAME }}
path: meshchatx/public
- name: Verify frontend artifact contents
run: |
set -euo pipefail
test -f meshchatx/public/index.html
test -d meshchatx/public/assets
test -d meshchatx/public/reticulum-docs-bundled/current
- name: Setup Task
run: sh scripts/ci/setup-task.sh
- name: Setup Trivy
run: sh scripts/ci/setup-trivy.sh
- name: Build release-assets
run: bash scripts/ci/github-build-linux-release-assets.sh
- name: SLSA subject hashes
id: slsa-hashes
if: startsWith(github.ref, 'refs/tags/')
run: bash scripts/ci/github-slsa-hashes-release-assets.sh
- name: SLSA attestations (cosign)
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_REPOSITORY: ${{ github.repository }}
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
GITHUB_RUN_ID: ${{ github.run_id }}
GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
GITHUB_WORKFLOW: ${{ github.workflow }}
COSIGN_VERSION: ${{ env.COSIGN_VERSION }}
run: |
set -eu
if [ -z "${COSIGN_PRIVATE_KEY:-}" ]; then
echo "Skipping cosign attestations (no COSIGN_PRIVATE_KEY)."
exit 0
fi
sh scripts/ci/setup-cosign.sh "${COSIGN_VERSION}"
printf '%s\n' "$COSIGN_PRIVATE_KEY" > /tmp/cosign.key
chmod 600 /tmp/cosign.key
export COSIGN_KEY_PATH=/tmp/cosign.key
sh scripts/ci/attest-release-assets.sh ./release-assets
rm -f /tmp/cosign.key
- name: Upload Linux release artifact
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
with:
name: meshchatx-linux-release-${{ github.ref_name }}-${{ github.run_id }}
path: release-assets/
if-no-files-found: error
retention-days: 30
slsa-provenance-linux:
name: SLSA provenance (Linux)
needs: [linux-release]
if: startsWith(github.ref, 'refs/tags/')
permissions:
id-token: write
contents: read
actions: read
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
with:
base64-subjects: ${{ needs.linux-release.outputs.hashes }}
upload-assets: false
provenance-name: meshchatx-linux-${{ github.ref_name }}.intoto.jsonl
draft-github-release-linux:
name: Draft GitHub release (Linux assets + SLSA)
needs: [linux-release, slsa-provenance-linux]
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: write
steps:
- name: Download Linux release assets
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
with:
name: meshchatx-linux-release-${{ github.ref_name }}-${{ github.run_id }}
path: upload
- name: Download SLSA provenance
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
with:
name: ${{ needs.slsa-provenance-linux.outputs.provenance-name }}
path: upload
- name: Upload to draft release
env:
GH_TOKEN: ${{ github.token }}
run: bash scripts/ci/github-draft-release-upload-assets.sh upload
Reference in New Issue View Git Blame Copy Permalink