Skip to content
CI

Add Checksums and Attestation #479

Sign in to view logs

Add Checksums and Attestation

Add Checksums and Attestation #479

Workflow file for this run

.github/workflows/build.yml at d9ad49c
name: CI
on:
push:
branches:
- main
pull_request:
workflow_dispatch:
inputs:
version:
description: 'Version of the Release'
changelog:
description: 'Changelog of the Release'
skip-packaging:
description: 'Skip packaging'
type: boolean
env:
RUNNER_DEV_VERSION: "0.9.x"
RUNNER_SERVER_VERSION: "3.11.16"
jobs:
build:
permissions:
id-token: write
attestations: write
contents: read
runs-on: ubuntu-latest
strategy:
#
fail-fast: false
matrix:
include:
# go tool dist list -json to get the source
- {GOOS: android, GOARCH: 386, TARGET: i686-linux-android }
- {GOOS: android, GOARCH: amd64, TARGET: x86_64-linux-android }
- {GOOS: android, GOARCH: arm, TARGET: armv7a-linux-androideabi }
- {GOOS: android, GOARCH: arm64, TARGET: aarch64-linux-android }
- {GOOS: darwin, GOARCH: amd64 }
- {GOOS: darwin, GOARCH: arm64 }
- {GOOS: dragonfly, GOARCH: amd64 }
- {GOOS: freebsd, GOARCH: 386 }
- {GOOS: freebsd, GOARCH: amd64 }
- {GOOS: freebsd, GOARCH: arm }
- {GOOS: freebsd, GOARCH: arm64 }
- {GOOS: illumos, GOARCH: amd64 }
- {GOOS: linux, GOARCH: 386 }
- {GOOS: linux, GOARCH: amd64 }
- {GOOS: linux, GOARCH: arm }
- {GOOS: linux, GOARCH: arm, GOARM: 5 }
- {GOOS: linux, GOARCH: arm64 }
- {GOOS: linux, GOARCH: ppc64 }
- {GOOS: linux, GOARCH: ppc64le }
- {GOOS: linux, GOARCH: mips }
- {GOOS: linux, GOARCH: mipsle }
- {GOOS: linux, GOARCH: mips64 }
- {GOOS: linux, GOARCH: mips64le }
- {GOOS: linux, GOARCH: riscv64 }
- {GOOS: linux, GOARCH: s390x }
- {GOOS: linux, GOARCH: loong64 }
- {GOOS: netbsd, GOARCH: 386 }
- {GOOS: netbsd, GOARCH: amd64 }
- {GOOS: netbsd, GOARCH: arm }
- {GOOS: netbsd, GOARCH: arm64 }
- {GOOS: openbsd, GOARCH: 386, }
- {GOOS: openbsd, GOARCH: amd64, }
- {GOOS: openbsd, GOARCH: arm, }
- {GOOS: openbsd, GOARCH: arm64, }
- {GOOS: plan9, GOARCH: 386 }
- {GOOS: plan9, GOARCH: amd64 }
- {GOOS: plan9, GOARCH: arm }
- {GOOS: solaris, GOARCH: amd64 }
- {GOOS: windows, GOARCH: 386, suffix: .exe}
- {GOOS: windows, GOARCH: amd64, suffix: .exe}
- {GOOS: windows, GOARCH: arm, suffix: .exe}
- {GOOS: windows, GOARCH: arm64, suffix: .exe}
env:
CGO_ENABLED: 0 # Only android should build with cgo
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: "${{ matrix.GOVERSION || vars.GOVERSION || '^1.16.0' }}"
cache: false
- name: Setup cgo ndk
if: matrix.GOOS == 'android'
run: |
export TOOLCHAIN=$ANDROID_NDK/toolchains/llvm/prebuilt/darwin-x86_64
export TOOLCHAIN=$ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64
# Set this to your minSdkVersion.
export API=21
# Configure and build.
echo "AR=$TOOLCHAIN/bin/llvm-ar" >> $GITHUB_ENV
echo "CC=$TOOLCHAIN/bin/$TARGET$API-clang" >> $GITHUB_ENV
echo "AS=$CC" >> $GITHUB_ENV
echo "CXX=$TOOLCHAIN/bin/$TARGET$API-clang++" >> $GITHUB_ENV
echo "LD=$TOOLCHAIN/bin/ld" >> $GITHUB_ENV
echo "RANLIB=$TOOLCHAIN/bin/llvm-ranlib" >> $GITHUB_ENV
echo "STRIP=$TOOLCHAIN/bin/llvm-strip" >> $GITHUB_ENV
echo "CGO_ENABLED=1" >> $GITHUB_ENV
env:
TARGET: ${{ matrix.TARGET }}
- name: Build
run: |
go build -ldflags "-X main.version=${{ github.event.inputs.version || format('{0}-dev-{1}', env.RUNNER_DEV_VERSION, github.sha) }}" -o github-act-runner-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}${{matrix.suffix}}
mkdir output
cp github-act-runner-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}${{matrix.suffix}} output/github-act-runner${{matrix.suffix}}
env:
GOOS: ${{matrix.GOOS}}
GOARCH: ${{matrix.GOARCH}}
GOARM: ${{matrix.GOARM}}
- name: Package tar
if: ${{ github.event.inputs.skip-packaging != 'true' && matrix.GOOS != 'windows' }}
run: |
cp compat/*.sh output/
cd output
tar czf ../binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.tar.gz ./*
- name: Package zip
if: ${{ github.event.inputs.skip-packaging != 'true' && matrix.GOOS == 'windows' }}
run: |
cp compat/*.cmd output/
cd output
zip ../binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.zip ./*
- name: Create Signed Provenance
uses: actions/attest-build-provenance@v1
id: attest
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.skip-packaging != 'true' }}
with:
subject-path: binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.${{ matrix.GOOS == 'windows' && 'zip' || 'tar.gz' }}
- name: Copy Signed Provenance to well known filepath
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.skip-packaging != 'true' }}
run: |
cp "$BUNDLE_PATH" binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.sigstore.json
env:
BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path }}
- name: Create Package Checksums
if: ${{ github.event.inputs.skip-packaging != 'true' }}
run: |
sha512sum binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.${{ matrix.GOOS == 'windows' && 'zip' || 'tar.gz' }} > binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.sha512
- uses: actions/upload-artifact@v4
with:
name: binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}
path: github-act-runner-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}${{matrix.suffix}}
- uses: actions/upload-artifact@v4
if: ${{ github.event.inputs.skip-packaging != 'true' }}
with:
name: bundle-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}
path: |
binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.*
#######################################
########## publish to github ##########
#######################################
publish-to-github:
name: deploy to github
runs-on: ubuntu-latest
needs: build
if: ${{ github.event.inputs.skip-packaging != 'true' && github.event.inputs.version }}
continue-on-error: true
steps:
- uses: actions/download-artifact@v4
with:
path: "artifacts"
- uses: ncipollo/release-action@v1
with:
artifacts: "artifacts/**/*.zip,artifacts/**/*.tar.gz,artifacts/**/*.sha512,artifacts/**/*.sigstore.json"
token: ${{ secrets.GITHUB_TOKEN }}
tag: v${{ github.event.inputs.version }}
commit: ${{ github.sha }}
body: |
# Changes
${{ fromJSON(github.event.inputs.changelog) || 'No changelog provided' }}
# Using your self hosted runner
Download and extract the self-hosted runner artifact for your system, then [follow the official Documentation](https://docs.github.com/en/actions/hosting-your-own-runners/adding-self-hosted-runners) (follow the linux instruction if your system isn't listed).
If your system doesn't have bash installed and isn't windows then:
|replace|with|
---|---
|`./config.sh`|`./github-act-runner configure`|
|`./config.sh remove`|`./github-act-runner remove`|
|`./run.sh`|`./github-act-runner run`|
The runner configuration is saved in / loaded from your current working directory, while using the `github-act-runner` command directly.
#########################################
########## publish to deb repo ##########
#########################################
build-and-publish-to-deb-repo:
needs: build
runs-on: ubuntu-latest
name: build and deploy to deb repo
if: ${{ github.event.inputs.skip-packaging != 'true' }}
env:
DEPLOY_ARCHS: "amd64 i386 armel armhf arm64 ppc64 ppc64el mips mipsel mips64el riscv64 s390x loong64" # architectures from https://wiki.debian.org/SupportedArchitectures
steps:
- name: git clone
uses: actions/checkout@v4
with: {submodules: false}
- uses: actions/download-artifact@v4
with:
path: "artifacts"
- name: add cppfw repo to install myci scripts from
uses: myci-actions/add-deb-repo@e2d8b32bd968fb27d9934670a4f27857194b607d
with:
repo: deb https://gagis.hopto.org/repo/cppfw/$(lsb_release --id --short | tr '[:upper:]' '[:lower:]') $(lsb_release --codename --short) main
repo-name: cppfw
keys-asc: https://gagis.hopto.org/repo/cppfw/pubkey.gpg
- name: install debian package tools
run: |
sudo apt --quiet update
sudo apt --quiet install --assume-yes dpkg-dev debhelper devscripts myci
- name: add entry to debian/changelog
run: dch --newversion="${{ github.event.inputs.version || format('{0}-dev-{1}', env.RUNNER_DEV_VERSION, github.sha) }}" "another release"
- name: create deb package script
run: |
apt --quiet update
apt --quiet install --assume-yes dpkg-dev debhelper
for arch in $DEPLOY_ARCHS; do
dpkg-buildpackage --build=binary --no-sign --host-arch $arch
done
mkdir -p debs
cp ../*.deb debs/
shell: cp {0} script.sh
- name: create deb package
run: |
docker run -v "$PWD:$PWD" -w "$PWD" -e "DEPLOY_ARCHS=$DEPLOY_ARCHS" --rm ubuntu:noble bash script.sh
- uses: actions/upload-artifact@v4
continue-on-error: true
with:
name: debs
path: 'debs/*.deb'
- name: deploy packages to deb repo
if: ${{ github.event.inputs.version && fromJSON(env.HAVE_MYCI_REPO_SSH_KEY) }}
env:
HAVE_MYCI_REPO_SSH_KEY: ${{ toJSON(secrets.MYCI_REPO_SSH_KEY != '') }}
run: |
echo "${{ secrets.MYCI_REPO_SSH_KEY }}" > repo_key_rsa && chmod 600 repo_key_rsa
myci-deploy-apt-ssh.sh --key repo_key_rsa --server gagis.hopto.org --user chrishx --repo chrishx/deb --distro all --component main debs/*.deb
run-tests:
needs: build
runs-on: ubuntu-latest
if: ${{ github.event.inputs.skip-packaging != 'true' }}
steps:
- uses: actions/checkout@v4
- name: Prepare actions-runner
run: |
# Create a folder
mkdir actions-runner && cd actions-runner
# Download the latest runner package
curl -O -L https://github.com/ChristopherHX/runner.server/releases/download/v${{env.RUNNER_SERVER_VERSION}}/runner.server-linux-x64.tar.gz
# Extract the installer
tar xzf "runner.server-linux-x64.tar.gz"
- name: Download Artifact
uses: actions/download-artifact@v4
with:
name: bundle-linux-amd64
path: runner
- name: Unpack Artifact
run: |
tar xzf ./binary-linux-amd64.tar.gz
working-directory: runner
- name: Run Tests
run: |
./actions-runner/Runner.Server&
sleep 2
./runner/config.sh --unattended --url http://localhost:5000/runner/test --token WhichToken
./runner/run.sh&
# Check for leaks during run (#41)
sudo prlimit --pid $! --nofile=256:256
sleep 2
# Show test commands
set -x
./actions-runner/Runner.Client --server http://localhost:5000 -W ./.github/testworkflows --log-output-dir ./logs
./actions-runner/Runner.Client --server http://localhost:5000 -W ./.github/failingtestworkflows/test_container_fail_step.yml --log-output-dir ./logs && exit 1 || [[ "$?" = "1" ]]
./actions-runner/Runner.Client --server http://localhost:5000 -W ./.github/failingtestworkflows/test_host_fail_step.yml --log-output-dir ./logs && exit 1 || [[ "$?" = "1" ]]
./actions-runner/Runner.Client --server http://localhost:5000 -W ./.github/failingtestworkflows/test_unsupported_job_env.yml --log-output-dir ./logs && exit 1 || [[ "$?" = "1" ]]
./actions-runner/Runner.Client --server http://localhost:5000 -W ./.github/failingtestworkflows/test_unsupported_step_env.yml --log-output-dir ./logs && exit 1 || [[ "$?" = "1" ]]
./actions-runner/Runner.Client --server http://localhost:5000 -W ./.github/failingtestworkflows/test_unsupported_step_with.yml --log-output-dir ./logs && exit 1 || [[ "$?" = "1" ]]
./actions-runner/Runner.Client workflow_dispatch --server http://localhost:5000 -W ./.github/testworkflows/test-full-contextdata/workflow.yml --log-output-dir ./logs --var WORKSPACE=$PWD -s GITHUB_TOKEN=somevalue
# Run the cache action with debug logs
./actions-runner/Runner.Client --server http://localhost:5000 -W ./.github/testworkflows/cache-action.yml --log-output-dir ./logs -s ACTIONS_STEP_DEBUG=true
# Show debug logs of loglevel test
./actions-runner/Runner.Client --server http://localhost:5000 -W ./.github/testworkflows/loglevel.yml --log-output-dir ./logs -s ACTIONS_STEP_DEBUG=true
- name: Test if removal works
timeout-minutes: 1
run: |
export JIT_TOKEN="$(./runner/github-act-runner configure --unattended --url http://localhost:5000/runner/test --token WhichToken --print-jitconfig)"
./runner/github-act-runner remove --jitconfig "$JIT_TOKEN" --token WhichToken
./runner/github-act-runner run --jitconfig "$JIT_TOKEN" && exit 1 || [[ "$?" = "1" ]]
- name: Archive Test Results
if: ${{always()}}
run: tar czf ../logs.tar.gz .
working-directory: logs
- name: Upload Test Results
if: ${{always()}}
uses: actions/upload-artifact@v4
with:
name: test-results-linux-amd64
path: 'logs.tar.gz'