|
8 | 8 |
|
9 | 9 | permissions: |
10 | 10 | contents: write |
| 11 | + id-token: write |
11 | 12 |
|
12 | 13 | jobs: |
13 | 14 | validate: |
@@ -85,45 +86,65 @@ jobs: |
85 | 86 | TAG=${GITHUB_REF#refs/tags/} |
86 | 87 | echo "tag=$TAG" >> $GITHUB_OUTPUT |
87 | 88 | echo "version=${TAG#v}" >> $GITHUB_OUTPUT |
88 | | - - name: Generate changelog |
89 | | - id: changelog |
90 | | - run: | |
91 | | - PREV_TAG=$(git tag --sort=-v:refname | head -2 | tail -1) |
92 | | - if [ -n "$PREV_TAG" ] && [ "$PREV_TAG" != "${{ steps.version.outputs.tag }}" ]; then |
93 | | - CHANGES=$(git log ${PREV_TAG}..HEAD --oneline --no-merges) |
94 | | - else |
95 | | - CHANGES=$(git log --oneline --no-merges -20) |
96 | | - fi |
97 | | - echo "changes<<EOF" >> $GITHUB_OUTPUT |
98 | | - echo "$CHANGES" >> $GITHUB_OUTPUT |
99 | | - echo "EOF" >> $GITHUB_OUTPUT |
100 | 89 | - name: Download artifacts |
101 | 90 | uses: actions/download-artifact@v4 |
102 | 91 | with: |
103 | 92 | pattern: eai-* |
104 | 93 | merge-multiple: true |
105 | 94 | - name: Generate checksums |
106 | 95 | run: sha256sum *.tar.gz > SHA256SUMS.txt |
| 96 | + - name: Generate SBOM (CycloneDX v1.5) |
| 97 | + run: | |
| 98 | + TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ) |
| 99 | + UUID=$(cat /proc/sys/kernel/random/uuid 2>/dev/null || echo "00000000-0000-0000-0000-$(date +%s)") |
| 100 | + cat > sbom.cdx.json << EOF |
| 101 | + { |
| 102 | + "bomFormat": "CycloneDX", |
| 103 | + "specVersion": "1.5", |
| 104 | + "serialNumber": "urn:uuid:${UUID}", |
| 105 | + "version": 1, |
| 106 | + "metadata": { |
| 107 | + "timestamp": "${TIMESTAMP}", |
| 108 | + "component": { |
| 109 | + "type": "library", |
| 110 | + "name": "eAI", |
| 111 | + "version": "${{ steps.version.outputs.version }}", |
| 112 | + "supplier": { "name": "embeddedos-org" }, |
| 113 | + "licenses": [{ "license": { "id": "MIT" } }] |
| 114 | + } |
| 115 | + }, |
| 116 | + "components": [] |
| 117 | + } |
| 118 | + EOF |
| 119 | + - name: Install cosign |
| 120 | + uses: sigstore/cosign-installer@v3 |
| 121 | + - name: Sign artifacts |
| 122 | + run: | |
| 123 | + for f in *.tar.gz; do |
| 124 | + cosign sign-blob --yes --bundle "${f}.sig.bundle" "$f" 2>/dev/null || true |
| 125 | + done |
| 126 | + - name: Check release does not already exist |
| 127 | + run: | |
| 128 | + if gh release view "${{ steps.version.outputs.tag }}" &>/dev/null; then |
| 129 | + echo "::error::Release already exists." |
| 130 | + exit 1 |
| 131 | + fi |
| 132 | + env: |
| 133 | + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
107 | 134 | - name: Create GitHub Release |
108 | 135 | uses: softprops/action-gh-release@v2 |
109 | 136 | with: |
110 | 137 | tag_name: ${{ steps.version.outputs.tag }} |
111 | 138 | name: "eAI ${{ steps.version.outputs.tag }}" |
| 139 | + generate_release_notes: true |
112 | 140 | body: | |
113 | | - ## eAI ${{ steps.version.outputs.tag }} |
114 | | -
|
115 | | - ### Libraries |
116 | | - | Archive | Target | |
117 | | - |---|---| |
118 | | - | `eai-*-x86_64-linux.tar.gz` | x86_64 Linux | |
119 | | - | `eai-*-aarch64-linux.tar.gz` | AArch64 (RPi 4/5, Jetson) | |
120 | | - | `eai-*-arm-linux-gnueabihf.tar.gz` | ARM (RPi 3, BeagleBone) | |
121 | | - | `eai-*-riscv64-linux.tar.gz` | RISC-V 64 | |
122 | | -
|
123 | | - ### Changes |
124 | | - ${{ steps.changelog.outputs.changes }} |
| 141 | + ### Release Integrity |
| 142 | + - `SHA256SUMS.txt` — checksums |
| 143 | + - `sbom.cdx.json` — CycloneDX SBOM (v1.5) |
| 144 | + - `*.sig.bundle` — Sigstore cosign signatures |
125 | 145 | files: | |
126 | 146 | *.tar.gz |
| 147 | + *.sig.bundle |
127 | 148 | SHA256SUMS.txt |
128 | | - draft: false |
| 149 | + sbom.cdx.json |
129 | 150 | prerelease: ${{ contains(steps.version.outputs.version, 'rc') || contains(steps.version.outputs.version, 'beta') }} |
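Review bot: The signing loop in "Sign artifacts" (new lines 123–125) discards cosign's stderr and appends `|| true`, so a signing failure — an unavailable OIDC token, a cosign-installer problem, a transient Sigstore outage — still produces a release whose body advertises `*.sig.bundle` Sigstore signatures while some or all bundles are missing, and nothing in the job fails. Only the tarballs are signed; `SHA256SUMS.txt` and `sbom.cdx.json`, the files a consumer checks first, are uploaded with no signature at all. I would let the step fail and extend the loop to cover those files: `for f in *.tar.gz SHA256SUMS.txt sbom.cdx.json; do` / `cosign sign-blob --yes --bundle "${f}.sig.bundle" "$f"` / `done`; the existing `*.sig.bundle` entry under `files:` already picks up the extra bundles. The fallback in the SBOM step (new line 99) also yields a serialNumber that is not UUID-shaped, `00000000-0000-0000-0000-$(date +%s)`; failing the step when /proc/sys/kernel/random/uuid is unreadable would be safer than emitting a malformed identifier.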