Gate release on a dispatched security audit instead of workflow_call #26
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| permissions: | |
| contents: read | |
| jobs: | |
| build-standalone: | |
| name: Build Standalone (${{ matrix.target }}) | |
| permissions: | |
| contents: read | |
| id-token: write | |
| attestations: write | |
| strategy: | |
| matrix: | |
| include: | |
| - platform: ubuntu-22.04 | |
| target: x86_64-unknown-linux-gnu | |
| artifact-name: standalone-linux-x64 | |
| - platform: macos-latest | |
| target: aarch64-apple-darwin | |
| artifact-name: standalone-mac-aarch64 | |
| - platform: windows-latest | |
| target: x86_64-pc-windows-msvc | |
| artifact-name: standalone-win-x64 | |
| runs-on: ${{ matrix.platform }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| # The bundled Node.js version is pinned in package.json's | |
| # devEngines.runtime.version (see standalone/src-tauri/build.rs, which | |
| # fails the build unless the bundled binary matches this pin). | |
| - name: Read pinned Node.js version | |
| id: node-pin | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| version=$(jq -r '.devEngines.runtime.version' package.json) | |
| if [[ ! "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo "ERROR: package.json devEngines.runtime.version is not MAJOR.MINOR.PATCH, got: '$version'" >&2 | |
| exit 1 | |
| fi | |
| echo "version=$version" >> "$GITHUB_OUTPUT" | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: ${{ steps.node-pin.outputs.version }} | |
| - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 | |
| with: | |
| version: 11.0.6 | |
| - name: Install workspace dependencies | |
| run: pnpm install --frozen-lockfile | |
| - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable | |
| with: | |
| targets: ${{ matrix.target }} | |
| - name: Rust cache | |
| uses: swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 | |
| with: | |
| workspaces: standalone/src-tauri | |
| - name: Install system dependencies (Linux) | |
| if: matrix.platform == 'ubuntu-22.04' | |
| run: | | |
| sudo apt-get update -qq | |
| sudo apt-get install -y -qq libgtk-3-dev libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf | |
| - name: Generate ephemeral Tauri updater key | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| key_path="$RUNNER_TEMP/tauri-ci-updater.key" | |
| pnpm --dir standalone exec tauri signer generate \ | |
| --ci \ | |
| --write-keys "$key_path" \ | |
| --force | |
| echo "TAURI_SIGNING_PRIVATE_KEY=$key_path" >> "$GITHUB_ENV" | |
| - name: Build Tauri app | |
| uses: tauri-apps/tauri-action@84b9d35b5fc46c1e45415bdb6144030364f7ebc5 # v0 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| projectPath: standalone | |
| tauriScript: pnpm tauri | |
| args: --target ${{ matrix.target }} | |
| - name: List bundle contents (debug) | |
| if: matrix.target == 'x86_64-pc-windows-msvc' | |
| run: find standalone/src-tauri/target/${{ matrix.target }}/release/bundle -type f | sort | |
| shell: bash | |
| - name: Copy NSIS plugin for artifact upload (Windows) | |
| if: matrix.target == 'x86_64-pc-windows-msvc' | |
| run: | | |
| mkdir -p standalone/src-tauri/target/${{ matrix.target }}/release/nsis/x64/plugins | |
| cp "$LOCALAPPDATA/tauri/NSIS/Plugins/x86-unicode/additional/nsis_tauri_utils.dll" \ | |
| standalone/src-tauri/target/${{ matrix.target }}/release/nsis/x64/plugins/ | |
| shell: bash | |
| - name: Generate artifact manifest | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| cd standalone | |
| release_dir="src-tauri/target/${{ matrix.target }}/release" | |
| manifest="artifact-manifest.sha256" | |
| { | |
| [[ -f "$release_dir/dormouse.exe" ]] && printf '%s\n' "$release_dir/dormouse.exe" | |
| if [[ -d "$release_dir/bundle" ]]; then | |
| find -L "$release_dir/bundle" -type f \( \ | |
| -name "*.exe" -o \ | |
| -name "*.msi" -o \ | |
| -name "*.dmg" -o \ | |
| -path "*.app/*" -o \ | |
| -name "*.AppImage" -o \ | |
| -path "*/nsis/*" \ | |
| fi | |
| [[ -d "$release_dir/nsis" ]] && find -L "$release_dir/nsis" -type f -print | |
| [[ -d sidecar ]] && find -L sidecar -type f -print | |
| [[ -d src-tauri/binaries ]] && find -L src-tauri/binaries -type f -print | |
| } | sort -u | while IFS= read -r file; do | |
| if command -v sha256sum >/dev/null 2>&1; then | |
| sha256sum "$file" | |
| else | |
| shasum -a 256 "$file" | |
| fi | |
| done > "$manifest" | |
| [[ -s "$manifest" ]] | |
| - name: Attest artifact manifest | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| with: | |
| subject-path: standalone/artifact-manifest.sha256 | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: ${{ matrix.artifact-name }} | |
| path: | | |
| standalone/artifact-manifest.sha256 | |
| standalone/src-tauri/target/${{ matrix.target }}/release/dormouse.exe | |
| standalone/src-tauri/target/${{ matrix.target }}/release/bundle/**/*.exe | |
| standalone/src-tauri/target/${{ matrix.target }}/release/bundle/**/*.msi | |
| standalone/src-tauri/target/${{ matrix.target }}/release/bundle/**/*.dmg | |
| standalone/src-tauri/target/${{ matrix.target }}/release/bundle/**/*.app | |
| standalone/src-tauri/target/${{ matrix.target }}/release/bundle/**/*.AppImage | |
| standalone/src-tauri/target/${{ matrix.target }}/release/bundle/nsis/** | |
| standalone/src-tauri/target/${{ matrix.target }}/release/nsis/** | |
| standalone/sidecar/** | |
| standalone/src-tauri/binaries/** | |
| build-vscode: | |
| name: Build VSCode Extension | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| attestations: write | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: 22 | |
| - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 | |
| with: | |
| version: 11.0.6 | |
| - name: Install workspace dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Test lib | |
| run: pnpm --filter dormouse-lib test | |
| - name: Build frontend for VSCode | |
| run: pnpm --filter dormouse build:frontend | |
| - name: Build extension | |
| run: pnpm --filter dormouse build | |
| - name: Package extension | |
| run: pnpm --dir vscode-ext exec vsce package --no-dependencies | |
| - name: Generate artifact manifest | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| shopt -s nullglob | |
| cd vscode-ext | |
| manifest="artifact-manifest.sha256" | |
| files=(*.vsix) | |
| { | |
| for path in "${files[@]}"; do | |
| [[ -f "$path" ]] && printf '%s\n' "$path" | |
| done | |
| } | sort -u | while IFS= read -r file; do | |
| if command -v sha256sum >/dev/null 2>&1; then | |
| sha256sum "$file" | |
| else | |
| shasum -a 256 "$file" | |
| fi | |
| done > "$manifest" | |
| [[ -s "$manifest" ]] | |
| - name: Attest artifact manifest | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| with: | |
| subject-path: vscode-ext/artifact-manifest.sha256 | |
| - name: Upload .vsix | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: vscode-extension | |
| path: | | |
| vscode-ext/*.vsix | |
| vscode-ext/artifact-manifest.sha256 | |
| security-audit: | |
| name: Security audit | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| # Dispatch the security-audit workflow and read its run status. We | |
| # cannot call security-audit.yaml via `uses:` here: a tag `push` | |
| # propagates into the reusable workflow as event_name `push`, which | |
| # claude-code-action rejects ("Unsupported event type: push"), and | |
| # GITHUB_EVENT_NAME is a default var that cannot be overridden. | |
| # Dispatching produces a genuine workflow_dispatch run — the same | |
| # supported path the nightly audit uses. | |
| actions: write | |
| steps: | |
| - name: Dispatch security audit and gate on its result | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| set -euo pipefail | |
| workflow="security-audit.yaml" | |
| tag="${GITHUB_REF#refs/tags/}" | |
| sha="${GITHUB_SHA}" | |
| # A little before dispatch, so we can distinguish our run from any | |
| # pre-existing workflow_dispatch run on the same commit. | |
| since="$(date -u -d '-30 seconds' +%Y-%m-%dT%H:%M:%SZ)" | |
| echo "Dispatching $workflow on $tag ($sha)…" | |
| gh workflow run "$workflow" --ref "$tag" | |
| # The dispatched run takes a few seconds to register. Poll for it: | |
| # same head commit, workflow_dispatch event, created after $since. | |
| run_id="" | |
| for attempt in $(seq 1 36); do | |
| sleep 5 | |
| run_id="$(gh run list \ | |
| --workflow "$workflow" \ | |
| --event workflow_dispatch \ | |
| --limit 20 \ | |
| --json databaseId,headSha,createdAt \ | |
| --jq "[.[] | select(.headSha==\"$sha\" and .createdAt >= \"$since\")] | sort_by(.createdAt) | last | .databaseId // empty")" | |
| [ -n "$run_id" ] && break | |
| echo " …waiting for dispatched run to appear (attempt $attempt/36)" | |
| done | |
| if [ -z "$run_id" ]; then | |
| echo "::error::Dispatched security-audit run never appeared." >&2 | |
| exit 1 | |
| fi | |
| echo "Watching security-audit run $run_id …" | |
| # --exit-status fails this job if the audit run failed, which | |
| # blocks publish-vscode (needs: security-audit). | |
| gh run watch "$run_id" --exit-status | |
| publish-vscode: | |
| name: Publish VSCode Extension | |
| needs: | |
| - build-standalone | |
| - build-vscode | |
| - security-audit | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: vscode-extension-publish | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: 22 | |
| - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 | |
| with: | |
| version: 11.0.6 | |
| - name: Install workspace dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Download .vsix | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: vscode-extension | |
| path: vscode-ext | |
| - name: Publish to VS Code Marketplace | |
| working-directory: vscode-ext | |
| run: | | |
| for i in 1 2 3; do | |
| pnpm exec vsce publish --packagePath *.vsix --no-dependencies && exit 0 | |
| echo "Attempt $i failed, retrying in 10s..." | |
| sleep 10 | |
| done | |
| exit 1 | |
| env: | |
| VSCE_PAT: ${{ secrets.VSCE_PAT }} | |
| - name: Publish to OpenVSX | |
| working-directory: vscode-ext | |
| run: | | |
| for i in 1 2 3; do | |
| pnpm exec ovsx publish --packagePath *.vsix --no-dependencies && exit 0 | |
| echo "Attempt $i failed, retrying in 10s..." | |
| sleep 10 | |
| done | |
| exit 1 | |
| env: | |
| OVSX_PAT: ${{ secrets.OVSX_PAT }} |