Add cargo-dist for automated binary distribution

martinemde · martinemde · commit ee352232bc0e · 2026-01-07T12:54:19.000-08:00
Configure cross-platform release builds using cargo-dist:
- Target x86_64/aarch64 for Linux and macOS
- Generate shell and PowerShell installers
- Enable GitHub attestations for build provenance
- Separate release workflow from CI checks

The new release.yml workflow handles:
- Planning release artifacts
- Building per-platform binaries
- Generating global artifacts (installers)
- Publishing to GitHub Releases on tag push

This replaces the previous manual release workflow in ci.yml.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -53,117 +53,5 @@ jobs:
       - name: Run cargo clippy
         run: cargo clippy --all-targets --all-features
 
-  release:
-    runs-on: macos-latest
-    needs:
-      - test
-      - lints
-      - check
-    outputs:
-      new_version: ${{ steps.check_for_version_changes.outputs.new_version }}
-      changed: ${{ steps.check_for_version_changes.outputs.changed }}
-    if: github.ref == 'refs/heads/main'
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          # https://stackoverflow.com/questions/65944700/how-to-run-git-diff-in-github-actions
-          # TLDR – By default this action fetches no history.
-          # We need a bit of history to be able to check if we've recently updated the version in Cargo.toml
-          fetch-depth: 2
-      - name: Toolchain info
-        run: |
-          cargo --version --verbose
-          rustc --version
-          cargo clippy --version
-      - name: Build
-        run: cargo build --release --target aarch64-apple-darwin --target x86_64-apple-darwin
-      - name: Check for version changes in Cargo.toml
-        id: check_for_version_changes
-        run: |
-          # When there are no changes, VERSION_CHANGES will be empty
-          # Without the echo, this command would exit with a 1, causing the GitHub Action to fail
-          # Instead, we want it to succeed, but just evaluate `changed=false` in the other branch of the conditional
-          VERSION_CHANGES=$(git diff HEAD~1 HEAD Cargo.toml | grep "\+version" || echo "")
-          if [[ -n $VERSION_CHANGES ]]; then
-            NEW_VERSION=$(echo $VERSION_CHANGES | awk -F'"' '{print $2}')
-            echo "changed=true" >> $GITHUB_OUTPUT
-            echo "new_version=v$NEW_VERSION" >> $GITHUB_OUTPUT
-          else
-            echo "changed=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Create GitHub Release if current commit has updated the version in Cargo.toml
-        if: steps.check_for_version_changes.outputs.changed == 'true'
-        run: |
-          gh release create ${{steps.check_for_version_changes.outputs.new_version}} --target "${{ github.sha }}" --generate-notes
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  upload-mac-universal-bin:
-    needs: release
-    runs-on: macos-latest
-    if: ${{needs.release.outputs.new_version}}
-    steps:
-      - uses: actions/checkout@v3
-      - name: Build
-        run: cargo build --release --target aarch64-apple-darwin --target x86_64-apple-darwin
-
-      - name: Upload mac universal binary
-        run: |
-          # This combines the intel and m1 binaries into a single binary
-          lipo -create -output target/pks target/aarch64-apple-darwin/release/pks target/x86_64-apple-darwin/release/pks
-
-          # Creates artifact for homebrew. -C means run from `target` directory
-          tar -czf target/pks-mac.tar.gz -C target pks
-
-          # This tarball is a binary that is executable
-          gh release upload $NEW_VERSION target/pks-mac.tar.gz
-
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NEW_VERSION: ${{ needs.release.outputs.new_version }}
-
-  upload-linux-bin:
-    needs: release
-    if: ${{needs.release.outputs.new_version}}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Update local toolchain
-        run: |
-          cargo install cross
-      - name: Build linux binaries
-        run: |
-          cross build --release --target x86_64-unknown-linux-gnu
-          cross build --release --target aarch64-unknown-linux-gnu
-      - name: Upload linux binaries
-        run: |
-          tar -czf target/x86_64-unknown-linux-gnu.tar.gz -C target/x86_64-unknown-linux-gnu/release pks 
-          tar -czf target/aarch64-unknown-linux-gnu.tar.gz -C target/aarch64-unknown-linux-gnu/release pks 
-          gh release upload $NEW_VERSION target/x86_64-unknown-linux-gnu.tar.gz
-          gh release upload $NEW_VERSION target/aarch64-unknown-linux-gnu.tar.gz 
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NEW_VERSION: ${{ needs.release.outputs.new_version }}
-
-  generate-dotslash-files:
-    name: Generating and uploading DotSlash files
-    needs: 
-      - release
-      - upload-linux-bin
-      - upload-mac-universal-bin
-    if: success() && ${{needs.release.outputs.new_version}}
-    runs-on: ubuntu-latest
-    
-    steps:
-      - uses: facebook/dotslash-publish-release@v1
-        # This is necessary because the action uses
-        # `gh release upload` to publish the generated DotSlash file(s)
-        # as part of the release.
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          # Additional file that lives in your repo that defines
-          # how your DotSlash file(s) should be generated.
-          config: .github/workflows/dotslash-config.json
-          # Tag for the release to target.
-          tag: ${{ needs.release.outputs.new_version }}
+  # NOTE: Release builds are handled by release.yml using cargo-dist
+  # This workflow focuses on CI checks only
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,193 @@
+# Copyright 2022-2024, axodotdev
+# SPDX-License-Identifier: MIT or Apache-2.0
+#
+# CI that:
+#
+# * checks for a Git Tag that looks like a release
+# * builds artifacts with cargo-dist (archives, installers, hashes)
+# * uploads those artifacts to temporary workflow zip
+# * on success, uploads the artifacts to a GitHub Release
+#
+# Note that the GitHub Release will be created with a generated
+# temporary title/body if the Tag Body is empty. You should update
+# the Release notes before announcing it.
+
+name: Release
+
+permissions:
+  contents: write
+  # For GitHub attestations
+  id-token: write
+  attestations: write
+
+# This task will run whenever you push a tag to your repo
+# that looks like a version number.
+on:
+  push:
+    tags:
+      - 'v[0-9]+.*'
+  pull_request:
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  # Run 'cargo dist plan' to determine what tasks we need to do
+  plan:
+    runs-on: ubuntu-latest
+    outputs:
+      val: ${{ steps.plan.outputs.manifest }}
+      tag: ${{ !github.event.pull_request && github.ref_name || '' }}
+      tag-flag: ${{ !github.event.pull_request && format('--tag={0}', github.ref_name) || '' }}
+      publishing: ${{ !github.event.pull_request }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Install cargo-dist
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-dist@0.27.0
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
+      - id: plan
+        run: |
+          cargo dist plan ${{ !github.event.pull_request && format('--tag={0}', github.ref_name) || '' }} --output-format=json > plan-dist-manifest.json
+          echo "manifest=$(jq -c '.' plan-dist-manifest.json)" >> "$GITHUB_OUTPUT"
+      - name: Upload dist-manifest.json
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifacts-plan-dist-manifest
+          path: plan-dist-manifest.json
+
+  # Build and upload artifacts for each platform
+  build-local-artifacts:
+    name: build-local-artifacts (${{ matrix.targets }})
+    needs: plan
+    if: ${{ fromJson(needs.plan.outputs.val).ci.github.artifacts_matrix.include != null && (needs.plan.outputs.publishing == 'true' || fromJson(needs.plan.outputs.val).ci.github.pr_run_mode == 'upload') }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.plan.outputs.val).ci.github.artifacts_matrix.include }}
+    runs-on: ${{ matrix.runner }}
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      BUILD_MANIFEST_NAME: target/distrib/${{ join(matrix.targets, '-') }}-dist-manifest.json
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Install cargo-dist
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-dist@0.27.0
+      - name: Install cross for Linux ARM builds
+        if: ${{ contains(matrix.targets, 'aarch64-unknown-linux') }}
+        run: cargo install cross --git https://github.com/cross-rs/cross
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
+      - name: Build artifacts
+        run: |
+          cargo dist build ${{ needs.plan.outputs.tag-flag }} --print=linkage --output-format=json ${{ matrix.dist_args }} > dist-manifest.json
+          echo "dist manifest: $(cat dist-manifest.json)"
+          cp dist-manifest.json "$BUILD_MANIFEST_NAME"
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifacts-build-local-${{ join(matrix.targets, '_') }}
+          path: |
+            target/distrib/*
+
+  # Build and upload global artifacts
+  build-global-artifacts:
+    needs:
+      - plan
+      - build-local-artifacts
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Install cargo-dist
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-dist@0.27.0
+      - name: Download local artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: artifacts-*
+          path: target/distrib/
+          merge-multiple: true
+      - name: Build global artifacts
+        run: |
+          cargo dist build ${{ needs.plan.outputs.tag-flag }} --output-format=json "--artifacts=global" > dist-manifest.json
+          cat dist-manifest.json
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifacts-build-global
+          path: |
+            target/distrib/*
+
+  # Generate GitHub attestations for build provenance
+  generate-attestations:
+    needs:
+      - plan
+      - build-local-artifacts
+      - build-global-artifacts
+    if: needs.plan.outputs.publishing == 'true'
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: artifacts-*
+          path: target/distrib/
+          merge-multiple: true
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: |
+            target/distrib/*.tar.gz
+            target/distrib/*.zip
+            target/distrib/*.ps1
+            target/distrib/*.sh
+
+  # Publish to GitHub Releases
+  publish:
+    needs:
+      - plan
+      - build-local-artifacts
+      - build-global-artifacts
+      - generate-attestations
+    if: needs.plan.outputs.publishing == 'true'
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: artifacts-*
+          path: target/distrib/
+          merge-multiple: true
+      - name: Publish to GitHub Releases
+        run: |
+          gh release create ${{ needs.plan.outputs.tag }} target/distrib/* --title "${{ needs.plan.outputs.tag }}" --generate-notes
diff --git a/Cargo.toml b/Cargo.toml
@@ -56,3 +56,19 @@ rusty-hook = "^0.11.2"      # git hooks
 predicates = "3.0.2"        # kind of like rspec assertions
 pretty_assertions = "1.3.0" # Shows a more readable diff when comparing objects
 serial_test = "3.1.1"       # Run specific tests in serial
+
+# Config for 'cargo dist'
+[package.metadata.dist]
+# The preferred cargo-dist version to use (should match dist-workspace.toml)
+cargo-dist-version = "0.27.0"
+# CI backends to support
+ci = "github"
+# Target platforms
+targets = [
+    "aarch64-apple-darwin",
+    "x86_64-apple-darwin",
+    "aarch64-unknown-linux-gnu",
+    "x86_64-unknown-linux-gnu",
+]
+# Installers to generate
+installers = ["shell", "powershell"]
diff --git a/dist-workspace.toml b/dist-workspace.toml
@@ -0,0 +1,40 @@
+# cargo-dist workspace configuration
+# https://opensource.axo.dev/cargo-dist/book/reference/config.html
+
+[workspace]
+members = ["./"]
+
+[dist]
+# The preferred cargo-dist version to use in CI
+cargo-dist-version = "0.27.0"
+
+# CI backends to support
+ci = "github"
+
+# Target platforms for release builds
+targets = [
+    "aarch64-apple-darwin",
+    "x86_64-apple-darwin",
+    "aarch64-unknown-linux-gnu",
+    "x86_64-unknown-linux-gnu",
+]
+
+# Installers to generate
+installers = [
+    "shell",
+    "powershell",
+]
+
+# Enable GitHub attestations for enhanced security
+github-attestations = true
+
+# Archive format for each platform
+unix-archive = ".tar.gz"
+windows-archive = ".zip"
+
+# Release branch configuration
+pr-run-mode = "skip"
+allow-dirty = ["ci"]
+
+# Build configuration
+precise-builds = true
