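---
# Release workflow: audit -> (publish to npm | build per-platform binaries) -> GitHub release.
# Every job re-runs the "tag is on main" guard so a tag pushed on an unreviewed
# commit cannot be released even if one job is triggered in isolation.
name: Release

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - 'v*'

# SECURITY: Limit permissions at workflow level
permissions:
  contents: read

jobs:
  # ==========================================
  # Job 1: Security Audit (gates all other jobs)
  # ==========================================
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # NOTE(review): actions/checkout keeps the job token in .git/config by default
      # (persist-credentials). The only later git call is the fetch below, which
      # needs auth only for a private repo; if the repo is public, consider
      # persist-credentials: false here and in the other two checkouts so that
      # dependency lifecycle scripts run by pnpm install cannot read the token.
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          # Full history so the merge-base check below can see origin/main.
          fetch-depth: 0
      # Abort unless the tagged commit is an ancestor of main.
      - name: Verify tag is on main
        shell: bash
        run: |
          git fetch origin main
          if ! git merge-base --is-ancestor "${{ github.sha }}" origin/main; then
            echo "::error::Tagged commit is not on main branch — aborting release"
            exit 1
          fi
      - name: Setup Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: "22"
      - name: Install pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
        with:
          version: "10.12.2"
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      # Only critical advisories fail this gate; high-severity findings do not block.
      - name: Security audit
        run: pnpm audit --audit-level=critical

  # ==========================================
  # Job 2: Publish to NPM
  # ==========================================
  publish:
    name: Publish to NPM
    needs: security-audit
    runs-on: ubuntu-latest
    # Deployment environment: any protection rules configured on it gate this job.
    environment: production
    permissions:
      contents: read
      # OIDC token for npm trusted publishing; no NODE_AUTH_TOKEN is set anywhere.
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          # Full history so the merge-base check below can see origin/main.
          fetch-depth: 0
      # Re-checked here because this job does its own checkout.
      - name: Verify tag is on main
        shell: bash
        run: |
          git fetch origin main
          if ! git merge-base --is-ancestor "${{ github.sha }}" origin/main; then
            echo "::error::Tagged commit is not on main branch — aborting publish"
            exit 1
          fi
      - name: Setup Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: "22"
          registry-url: "https://registry.npmjs.org"
      - name: Install pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
        with:
          version: "10.12.2"
      # npm 11.5.1 or later is required for trusted publishing
      # NOTE(review): npm@latest is unpinned, so the publishing toolchain can change
      # between releases; pin an explicit npm version (>= 11.5.1) once chosen.
      - name: Update npm
        run: npm install -g npm@latest
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: Run tests
        run: pnpm test
      - name: Build package
        run: pnpm run build
      # --no-git-checks disables pnpm's own branch/clean-tree checks; the
      # "Verify tag is on main" step above is what enforces the branch guarantee.
      - name: Publish to NPM
        run: pnpm publish --access public --no-git-checks

  # ==========================================
  # Job 3: Build binaries for all platforms
  # ==========================================
  build-binaries:
    name: Build Binary (${{ matrix.platform }}-${{ matrix.arch }})
    needs: security-audit
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
      # Both are required by the attest-build-provenance step below.
      attestations: write
      id-token: write
    strategy:
      matrix:
        include:
          - os: ubuntu-latest
            platform: linux
            arch: x64
          - os: macos-latest
            platform: darwin
            arch: arm64
          # node_arch selects an x64 Node.js on the macOS runner for the x64 build
          # (see the "x64 via Rosetta" setup step); the other entries leave it unset.
          - os: macos-latest
            platform: darwin
            arch: x64
            node_arch: x64
          - os: windows-latest
            platform: win32
            arch: x64
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          # Full history so the merge-base check below can see origin/main.
          fetch-depth: 0
      # Re-checked here because this job does its own checkout.
      - name: Verify tag is on main
        shell: bash
        run: |
          git fetch origin main
          if ! git merge-base --is-ancestor "${{ github.sha }}" origin/main; then
            echo "::error::Tagged commit is not on main branch — aborting build"
            exit 1
          fi
      - name: Setup Node.js
        if: ${{ !matrix.node_arch }}
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: "22"
      - name: Setup Node.js (x64 via Rosetta)
        if: ${{ matrix.node_arch }}
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: "22"
          architecture: ${{ matrix.node_arch }}
      - name: Install pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
        with:
          version: "10.12.2"
      - name: Get pnpm store directory
        shell: bash
        run: |
          echo "STORE_PATH=$(pnpm store path --silent)" >> "$GITHUB_ENV"
      - name: Setup pnpm cache
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
        with:
          path: ${{ env.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-store-
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: Build TypeScript
        run: pnpm build
      - name: Bundle CLI for SEA
        run: pnpm build:cli:bundle
      - name: Prepare SEA blob
        run: pnpm build:sea:prepare
      - name: Build binary
        run: pnpm build:sea
      # On Windows the build emits shield.exe; the Unix jobs are expected to produce
      # shield-<platform>-<arch> directly (presumably by the build:sea script — confirm).
      - name: Rename binary (Windows)
        if: matrix.platform == 'win32'
        shell: bash
        run: mv shield.exe shield-windows-${{ matrix.arch }}.exe
      # Checksum files use the "<hex>  <file>" layout (two spaces) that shasum emits
      # and that shasum/sha256sum -c expect.
      - name: Generate checksum (Unix)
        if: matrix.platform != 'win32'
        run: |
          shasum -a 256 shield-${{ matrix.platform }}-${{ matrix.arch }} > shield-${{ matrix.platform }}-${{ matrix.arch }}.sha256
          cat shield-${{ matrix.platform }}-${{ matrix.arch }}.sha256
      # Written with two spaces between hash and name to match the Unix files above.
      # NOTE(review): Out-File ends the line with the platform newline (CRLF on
      # Windows) — confirm downstream verifiers accept that.
      - name: Generate checksum (Windows)
        if: matrix.platform == 'win32'
        shell: pwsh
        run: |
          $hash = Get-FileHash -Algorithm SHA256 shield-windows-${{ matrix.arch }}.exe
          "$($hash.Hash.ToLower())  shield-windows-${{ matrix.arch }}.exe" | Out-File -Encoding utf8 shield-windows-${{ matrix.arch }}.exe.sha256
          Get-Content shield-windows-${{ matrix.arch }}.exe.sha256
      # Provenance covers everything matching shield-*: the binary and its .sha256 file.
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@e4d4f7c39adfa4c260fb5c147f0622000aa14b99
        with:
          subject-path: "shield-*"
      - name: Upload artifacts
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: binary-${{ matrix.platform }}-${{ matrix.arch }}
          path: |
            shield-${{ matrix.platform == 'win32' && 'windows' || matrix.platform }}-${{ matrix.arch }}${{ matrix.platform == 'win32' && '.exe' || '' }}
            shield-${{ matrix.platform == 'win32' && 'windows' || matrix.platform }}-${{ matrix.arch }}${{ matrix.platform == 'win32' && '.exe' || '' }}.sha256

  # ==========================================
  # Job 4: Create GitHub Release with all binaries
  # ==========================================
  create-release:
    name: Create GitHub Release
    needs: build-binaries
    runs-on: ubuntu-latest
    permissions:
      # The only job with write access: needed to create the release and upload assets.
      contents: write
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          pattern: binary-*
          # Flatten every binary-* artifact into the working directory.
          merge-multiple: true
      - name: List release files
        run: ls -la shield-*
      - name: Create Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
        with:
          files: shield-*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}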