fix: enforce alphanumeric branchprefix values (#76) #76
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - "v*.*.*" | |
| branches: | |
| - main | |
| permissions: | |
| contents: write | |
| id-token: write | |
| packages: write | |
| jobs: | |
| build-linux: | |
| name: Build Linux Executables | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.version.outputs.VERSION }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt | |
| targets: x86_64-unknown-linux-gnu,aarch64-unknown-linux-gnu | |
| - name: Install cross-compilation tools | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc-aarch64-linux-gnu | |
| - name: Set version | |
| id: version | |
| run: | | |
| if [[ "$GITHUB_REF" == refs/tags/v* ]]; then | |
| VERSION="${GITHUB_REF#refs/tags/v}" | |
| else | |
| CURRENT_VERSION=$(grep '^version' Cargo.toml | head -1 | sed 's/.*"\(.*\)"/\1/') | |
| COMMIT_SHA=${GITHUB_SHA::7} | |
| VERSION="${CURRENT_VERSION}-preview.${COMMIT_SHA}" | |
| fi | |
| echo "Setting version to: ${VERSION}" | |
| echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT | |
| sed -i "s/^version = \".*\"/version = \"${VERSION}\"/" Cargo.toml | |
| - name: Format check | |
| run: cargo fmt --all -- --check | |
| - name: Build for Linux x64 | |
| run: cargo build --release --target x86_64-unknown-linux-gnu | |
| - name: Build for Linux ARM64 | |
| env: | |
| CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc | |
| run: cargo build --release --target aarch64-unknown-linux-gnu | |
| - name: Prepare artifacts | |
| run: | | |
| cp target/x86_64-unknown-linux-gnu/release/grove grove-linux-x64 | |
| cp target/aarch64-unknown-linux-gnu/release/grove grove-linux-arm64 | |
| - name: Upload Linux executables | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: grove-linux-executables | |
| path: | | |
| grove-linux-x64 | |
| grove-linux-arm64 | |
| build-macos: | |
| name: Build and Sign macOS Executables | |
| runs-on: macos-latest | |
| needs: build-linux | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: x86_64-apple-darwin,aarch64-apple-darwin | |
| - name: Set version | |
| run: sed -i '' "s/^version = \".*\"/version = \"${{ needs.build-linux.outputs.version }}\"/" Cargo.toml | |
| - name: Build for macOS x64 | |
| run: cargo build --release --target x86_64-apple-darwin | |
| - name: Build for macOS ARM64 | |
| run: cargo build --release --target aarch64-apple-darwin | |
| - name: Prepare artifacts | |
| run: | | |
| cp target/x86_64-apple-darwin/release/grove grove-darwin-x64 | |
| cp target/aarch64-apple-darwin/release/grove grove-darwin-arm64 | |
| - name: Import Code Signing Certificate | |
| env: | |
| MACOS_CERT_P12_BASE64: ${{ secrets.MACOS_CERT_P12_BASE64 }} | |
| MACOS_CERT_P12_PASSWORD: ${{ secrets.MACOS_CERT_P12_PASSWORD }} | |
| run: | | |
| # Create a temporary keychain | |
| KEYCHAIN_PATH=$RUNNER_TEMP/signing.keychain-db | |
| KEYCHAIN_PASSWORD=$(openssl rand -base64 32) | |
| # Decode the certificate | |
| echo "$MACOS_CERT_P12_BASE64" | base64 --decode > $RUNNER_TEMP/certificate.p12 | |
| # Create and configure keychain | |
| security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
| security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| # Import certificate | |
| security import $RUNNER_TEMP/certificate.p12 -P "$MACOS_CERT_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
| security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security list-keychain -d user -s $KEYCHAIN_PATH | |
| # Clean up certificate file | |
| rm $RUNNER_TEMP/certificate.p12 | |
| - name: Sign macOS Binaries | |
| run: | | |
| # Find the signing identity | |
| IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F'"' '{print $2}') | |
| echo "Signing with identity: $IDENTITY" | |
| # Sign both binaries with JIT entitlements | |
| codesign --force --options runtime --timestamp --entitlements .github/workflows/assets/entitlements.plist --sign "$IDENTITY" grove-darwin-x64 | |
| codesign --force --options runtime --timestamp --entitlements .github/workflows/assets/entitlements.plist --sign "$IDENTITY" grove-darwin-arm64 | |
| # Verify signatures | |
| codesign --verify --verbose grove-darwin-x64 | |
| codesign --verify --verbose grove-darwin-arm64 | |
| - name: Notarize macOS Binaries | |
| env: | |
| APPLE_ID_EMAIL: ${{ secrets.APPLE_ID_EMAIL }} | |
| APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} | |
| run: | | |
| # Create zip files for notarization | |
| zip grove-darwin-x64.zip grove-darwin-x64 | |
| zip grove-darwin-arm64.zip grove-darwin-arm64 | |
| # Get team ID from signing identity | |
| TEAM_ID=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | sed -n 's/.*(\([A-Z0-9]*\)).*/\1/p') | |
| # Notarize x64 binary | |
| xcrun notarytool submit grove-darwin-x64.zip \ | |
| --apple-id "$APPLE_ID_EMAIL" \ | |
| --password "$APPLE_APP_SPECIFIC_PASSWORD" \ | |
| --team-id "$TEAM_ID" \ | |
| --wait | |
| # Notarize ARM64 binary | |
| xcrun notarytool submit grove-darwin-arm64.zip \ | |
| --apple-id "$APPLE_ID_EMAIL" \ | |
| --password "$APPLE_APP_SPECIFIC_PASSWORD" \ | |
| --team-id "$TEAM_ID" \ | |
| --wait | |
| # Clean up zip files | |
| rm grove-darwin-x64.zip grove-darwin-arm64.zip | |
| - name: Upload macOS executables | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: grove-macos-executables | |
| path: | | |
| grove-darwin-x64 | |
| grove-darwin-arm64 | |
| build-windows: | |
| name: Build Windows Executables | |
| runs-on: windows-latest | |
| needs: build-linux | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Set version | |
| shell: pwsh | |
| run: | | |
| $version = '${{ needs.build-linux.outputs.version }}' | |
| (Get-Content Cargo.toml -Raw) ` | |
| -replace '^(version = ").*(")$', "`$1$version`$2" | | |
| Set-Content Cargo.toml | |
| - name: Build for Windows x64 | |
| run: cargo build --release --target x86_64-pc-windows-msvc | |
| - name: Prepare artifacts | |
| run: | | |
| copy target\x86_64-pc-windows-msvc\release\grove.exe grove-windows-x64.exe | |
| - name: Upload Windows executables | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: grove-windows-executables | |
| path: | | |
| grove-windows-x64.exe | |
| prerelease: | |
| name: Prerelease | |
| runs-on: ubuntu-latest | |
| needs: [build-linux, build-macos, build-windows] | |
| if: github.ref == 'refs/heads/main' && !startsWith(github.ref, 'refs/tags/') | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download Linux executables | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: grove-linux-executables | |
| path: ./executables | |
| - name: Download macOS executables | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: grove-macos-executables | |
| path: ./executables | |
| - name: Download Windows executables | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: grove-windows-executables | |
| path: ./executables | |
| - name: Create GitHub Preview Release | |
| uses: softprops/action-gh-release@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: v${{ needs.build-linux.outputs.version }} | |
| name: Preview v${{ needs.build-linux.outputs.version }} | |
| body: | | |
| ## Preview Release | |
| This is an automated preview release from the `main` branch. | |
| **Commit:** ${{ github.sha }} | |
| ## Installation | |
| ```bash | |
| curl -fsSL https://i.safia.sh/captainsafia/grove/v${{ needs.build-linux.outputs.version }} | sh | |
| ``` | |
| ## Manual Downloads | |
| | Platform | Architecture | Download | | |
| |----------|--------------|----------| | |
| | Linux | x64 | `grove-linux-x64` | | |
| | Linux | ARM64 | `grove-linux-arm64` | | |
| | macOS | x64 | `grove-darwin-x64` (signed & notarized) | | |
| | macOS | ARM64 | `grove-darwin-arm64` (signed & notarized) | | |
| | Windows | x64 | `grove-windows-x64.exe` | | |
| | Windows | x64 | `grove-windows-x64.exe` | | |
| draft: false | |
| prerelease: true | |
| files: | | |
| ./executables/grove-linux-x64 | |
| ./executables/grove-linux-arm64 | |
| ./executables/grove-darwin-x64 | |
| ./executables/grove-darwin-arm64 | |
| ./executables/grove-windows-x64.exe | |
| release: | |
| name: Release | |
| runs-on: ubuntu-latest | |
| needs: [build-linux, build-macos, build-windows] | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download Linux executables | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: grove-linux-executables | |
| path: ./executables | |
| - name: Download macOS executables | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: grove-macos-executables | |
| path: ./executables | |
| - name: Download Windows executables | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: grove-windows-executables | |
| path: ./executables | |
| - name: Extract version from tag | |
| id: version | |
| run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT | |
| - name: Get previous tag | |
| id: prev_tag | |
| run: | | |
| CURRENT_TAG="${GITHUB_REF#refs/tags/}" | |
| PREV_TAG=$(git tag --list 'v*' --sort=version:refname \ | |
| | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \ | |
| | awk -v current="${CURRENT_TAG}" '$0==current{print prev; exit} {prev=$0}') | |
| echo "PREV_TAG=${PREV_TAG}" >> $GITHUB_OUTPUT | |
| - name: Generate changelog | |
| id: changelog | |
| uses: warpdotdev/oz-agent-action@v1 | |
| with: | |
| skill: generate-changelog | |
| prompt: | | |
| Generate the changelog for the release ${{ github.ref_name }} using the | |
| previous tag ${{ steps.prev_tag.outputs.PREV_TAG || 'the beginning of the repository' }}. | |
| warp_api_key: ${{ secrets.WARP_API_KEY }} | |
| - name: Create GitHub Release | |
| uses: softprops/action-gh-release@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ github.ref_name }} | |
| name: Release ${{ github.ref_name }} | |
| body: | | |
| ## Installation | |
| ```bash | |
| curl -fsSL https://i.safia.sh/captainsafia/grove/${{ github.ref_name }} | sh | |
| ``` | |
| ## Manual Downloads | |
| | Platform | Architecture | Download | | |
| |----------|--------------|----------| | |
| | Linux | x64 | `grove-linux-x64` | | |
| | Linux | ARM64 | `grove-linux-arm64` | | |
| | macOS | x64 | `grove-darwin-x64` (signed & notarized) | | |
| | macOS | ARM64 | `grove-darwin-arm64` (signed & notarized) | | |
| | Windows | x64 | `grove-windows-x64.exe` | | |
| ## Changelog | |
| View the full changelog for this release: | |
| https://github.com/${{ github.repository }}/blob/${{ github.ref_name }}/CHANGELOG.md#${{ github.ref_name }} | |
| draft: false | |
| prerelease: false | |
| files: | | |
| ./executables/grove-linux-x64 | |
| ./executables/grove-linux-arm64 | |
| ./executables/grove-darwin-x64 | |
| ./executables/grove-darwin-arm64 | |
| ./executables/grove-windows-x64.exe |