Release #40
# Release guide (since v0.9.0):
# 1. Bump up the version string to `vX.Y.Z` (or `vX.Y.Z-beta.W`) in `pkg/version/version.go`.
# 2. `git commit -a -s -m vX.Y.Z`
# 3. Bump up the version string to `vX.Y.Z+dev` (or `vX.Y.Z-beta.W+dev`) in `pkg/version/version.go`.
# 4. `git commit -a -s -m vX.Y.Z+dev`
# 5. Open a PR and merge it.
# 6. Create a tag `vX.Y.Z` for the `vX.Y.Z` commit, and push the tag to the upstream: `git push upstream vX.Y.Z`
# 7. GitHub Actions automatically ships a draft release with a statically compiled binary: https://github.com/rootless-containers/rootlesskit/releases
#    If it fails, check the GitHub Actions log: https://github.com/rootless-containers/rootlesskit/actions?query=workflow%3ARelease
# 8. Add release notes to the draft release and ship the release.
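# Builds the cross-compiled binaries on every `v*` tag push, records their
# SHA256SUMS, attests build provenance for them, and creates a *draft* GitHub
# release that a maintainer publishes by hand.
name: Release
on:
  push:
    tags:
      - 'v*'
jobs:
  release:
    runs-on: ubuntu-22.04
    # The maximum access is "read" for PRs from public forked repos
    # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
    permissions:
      contents: write  # for releases
      id-token: write  # for provenances
      attestations: write  # for provenances
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags
      # (`@v4`, `@v1`) while the job holds `contents: write` and
      # `id-token: write`. Consider pinning each `uses:` to a full commit SHA,
      # e.g. `actions/checkout@<full-commit-sha>  # v4` (placeholder).
      - uses: actions/checkout@v4
        with:
          # Keep the job token out of .git/config: the checkout directory is
          # handed to `docker build` as the build context below, and the
          # release step authenticates through the GITHUB_TOKEN environment
          # variable, not through git credentials.
          persist-credentials: false
      - name: "Build binaries"
        run: DOCKER_BUILDKIT=1 docker build -o /tmp/artifact --target cross-artifact .
      # The checksums are echoed to the job log on purpose: the release note
      # points readers at this log to verify SHA256SUMS.
      - name: "SHA256SUMS"
        run: (cd /tmp/artifact; sha256sum *) | tee /tmp/SHA256SUMS
      - name: "The sha256sum of the SHA256SUMS file"
        run: sha256sum /tmp/SHA256SUMS
      # Only the repository name and the run id are interpolated into this
      # script by expression syntax; keep user-controlled contexts out of it.
      - name: "Prepare the release note"
        run: |
          # Each `run:` step starts a fresh shell, so `tag` has to be set here
          # as well; without it the download URL below is rendered with an
          # empty tag component.
          tag="${GITHUB_REF##*/}"
          shasha=$(sha256sum /tmp/SHA256SUMS | awk '{print $1}')
          cat << EOF | tee /tmp/release-note.txt
          #### Changes
          (To be documented)
          #### Install
          \`\`\`
          mkdir -p ~/bin
          curl -sSL https://github.com/${{ github.repository }}/releases/download/${tag}/rootlesskit-\$(uname -m).tar.gz | tar Cxzv ~/bin
          \`\`\`
          #### About the binaries
          The binaries were built automatically on GitHub Actions.
          See the log to verify SHA256SUMS.
          https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
          The sha256sum of the SHA256SUMS file itself is ${shasha} .
          EOF
      # The condition repeats the `on.push.tags` filter above; it only matters
      # if further triggers are ever added to this workflow.
      - uses: actions/attest-build-provenance@v1
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
        with:
          subject-path: |
            /tmp/artifact/*
            /tmp/SHA256SUMS
      # The release is created as a draft; step 8 of the release guide
      # (adding notes and publishing) stays a manual maintainer action.
      - name: "Create release"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          tag="${GITHUB_REF##*/}"
          gh release create -F /tmp/release-note.txt --draft --title "${tag}" "${tag}" /tmp/artifact/* /tmp/SHA256SUMS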