Merge pull request #530 from telemt/workflow

Update release.yml

.github/workflows/release.yml

@@ -21,16 +21,13 @@ env:
 
 jobs:
   prepare:
-    name: Prepare metadata
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.meta.outputs.version }}
       prerelease: ${{ steps.meta.outputs.prerelease }}
       release_enabled: ${{ steps.meta.outputs.release_enabled }}
     steps:
-      - name: Derive version
+      - id: meta
-        id: meta
-        shell: bash
         run: |
           set -euo pipefail
 
@@ -53,67 +50,38 @@ jobs:
           echo "release_enabled=$RELEASE_ENABLED" >> "$GITHUB_OUTPUT"
 
   checks:
-    name: Checks
     runs-on: ubuntu-latest
     container:
       image: debian:trixie
     steps:
-      - name: Install system dependencies
+      - run: |
-        shell: bash
-        run: |
-          set -euo pipefail
           apt-get update
-          apt-get install -y --no-install-recommends \
+          apt-get install -y build-essential clang llvm pkg-config curl git
-            ca-certificates \
-            curl \
-            git \
-            build-essential \
-            pkg-config \
-            clang \
-            llvm \
-            python3 \
-            python3-pip
-          update-ca-certificates
 
       - uses: actions/checkout@v4
-
       - uses: dtolnay/rust-toolchain@stable
         with:
           components: rustfmt, clippy
 
-      - name: Cache cargo
+      - uses: actions/cache@v4
-        uses: actions/cache@v4
         with:
           path: |
             /github/home/.cargo/registry
             /github/home/.cargo/git
             target
-          key: checks-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
+          key: checks-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            checks-${{ runner.os }}-
 
-      - name: Cargo fetch
+      - run: cargo fetch --locked
-        shell: bash
+      - run: cargo fmt --all -- --check
-        run: cargo fetch --locked
+      - run: cargo clippy
-
+      - run: cargo test
-      - name: Format
-        shell: bash
-        run: cargo fmt --all -- --check
-
-      - name: Clippy
-        shell: bash
-        run: cargo clippy --workspace --all-targets --locked -- -D warnings
-
-      - name: Tests
-        shell: bash
-        run: cargo test --workspace --all-targets --locked
 
   build-binaries:
-    name: Build ${{ matrix.asset_name }}
     needs: [prepare, checks]
     runs-on: ubuntu-latest
     container:
       image: debian:trixie
+
     strategy:
       fail-fast: false
       matrix:
@@ -132,156 +100,80 @@ jobs:
             asset_name: telemt-aarch64-linux-musl
 
     steps:
-      - name: Install system dependencies
+      - run: |
-        shell: bash
-        run: |
-          set -euo pipefail
           apt-get update
-          apt-get install -y --no-install-recommends \
+          apt-get install -y clang llvm pkg-config curl git python3 python3-pip file tar xz-utils
-            ca-certificates \
-            curl \
-            git \
-            build-essential \
-            pkg-config \
-            clang \
-            llvm \
-            file \
-            tar \
-            xz-utils \
-            python3 \
-            python3-pip
-          update-ca-certificates
 
       - uses: actions/checkout@v4
-
       - uses: dtolnay/rust-toolchain@stable
         with:
           targets: ${{ matrix.rust_target }}
 
-      - name: Cache cargo
+      - uses: actions/cache@v4
-        uses: actions/cache@v4
         with:
           path: |
             /github/home/.cargo/registry
             /github/home/.cargo/git
             target
           key: build-${{ matrix.zig_target }}-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            build-${{ matrix.zig_target }}-
 
-      - name: Install cargo-zigbuild + Zig
+      - run: |
-        shell: bash
-        run: |
-          set -euo pipefail
           python3 -m pip install --user --break-system-packages cargo-zigbuild
           echo "/github/home/.local/bin" >> "$GITHUB_PATH"
 
-      - name: Cargo fetch
+      - run: cargo fetch --locked
-        shell: bash
-        run: cargo fetch --locked
 
-      - name: Build release
+      - run: |
-        shell: bash
-        env:
-          CARGO_PROFILE_RELEASE_LTO: "fat"
-          CARGO_PROFILE_RELEASE_CODEGEN_UNITS: "1"
-          CARGO_PROFILE_RELEASE_PANIC: "abort"
-        run: |
-          set -euo pipefail
           cargo zigbuild --release --locked --target "${{ matrix.zig_target }}"
 
-      - name: Strip binary
+      - run: |
-        shell: bash
+          BIN="target/${{ matrix.rust_target }}/release/${BINARY_NAME}"
-        run: |
+          llvm-strip "$BIN" || true
-          set -euo pipefail
-          llvm-strip "target/${{ matrix.zig_target }}/release/${BINARY_NAME}" || true
 
-      - name: Inspect binary
+      - run: |
-        shell: bash
+          BIN="target/${{ matrix.rust_target }}/release/${BINARY_NAME}"
-        run: |
+          OUT="$RUNNER_TEMP/${{ matrix.asset_name }}"
-          set -euo pipefail
+          mkdir -p "$OUT"
-          file "target/${{ matrix.zig_target }}/release/${BINARY_NAME}"
+          install -m755 "$BIN" "$OUT/${BINARY_NAME}"
 
-      - name: Package
+          tar -C "$RUNNER_TEMP" -czf "${{ matrix.asset_name }}.tar.gz" "${{ matrix.asset_name }}"
-        shell: bash
+          sha256sum "${{ matrix.asset_name }}.tar.gz" > "${{ matrix.asset_name }}.sha256"
-        run: |
-          set -euo pipefail
-
-          OUTDIR="$RUNNER_TEMP/pkg/${{ matrix.asset_name }}"
-          mkdir -p "$OUTDIR"
-
-          install -m 0755 "target/${{ matrix.zig_target }}/release/${BINARY_NAME}" "$OUTDIR/${BINARY_NAME}"
-
-          if [[ -f LICENSE ]]; then cp LICENSE "$OUTDIR/"; fi
-          if [[ -f README.md ]]; then cp README.md "$OUTDIR/"; fi
-
-          cat > "$OUTDIR/BUILD-INFO.txt" <<EOF
-          project=${GITHUB_REPOSITORY}
-          version=${{ needs.prepare.outputs.version }}
-          git_ref=${GITHUB_REF}
-          git_sha=${GITHUB_SHA}
-          rust_target=${{ matrix.rust_target }}
-          zig_target=${{ matrix.zig_target }}
-          built_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)
-          EOF
-
-          mkdir -p dist
-          tar -C "$RUNNER_TEMP/pkg" -czf "dist/${{ matrix.asset_name }}.tar.gz" "${{ matrix.asset_name }}"
-          sha256sum "dist/${{ matrix.asset_name }}.tar.gz" > "dist/${{ matrix.asset_name }}.sha256"
 
       - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.asset_name }}
           path: |
-            dist/${{ matrix.asset_name }}.tar.gz
+            ${{ matrix.asset_name }}.tar.gz
-            dist/${{ matrix.asset_name }}.sha256
+            ${{ matrix.asset_name }}.sha256
-          if-no-files-found: error
-          retention-days: 14
-
-  attest-binaries:
-    name: Attest binary archives
-    needs: build-binaries
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      attestations: write
-      id-token: write
-    steps:
-      - uses: actions/download-artifact@v4
-        with:
-          path: dist
-
-      - name: Flatten artifacts
-        shell: bash
-        run: |
-          set -euo pipefail
-          mkdir -p upload
-          find dist -type f \( -name '*.tar.gz' -o -name '*.sha256' \) -exec cp {} upload/ \;
-          ls -lah upload
-
-      - name: Attest release archives
-        uses: actions/attest-build-provenance@v3
-        with:
-          subject-path: 'upload/*.tar.gz'
 
   docker-image:
-    name: Build and push GHCR image
+    name: Docker ${{ matrix.platform }}
-    needs: [prepare, checks]
+    needs: [prepare, build-binaries]
     runs-on: ubuntu-latest
-    permissions:
+
-      contents: read
+    strategy:
-      packages: write
+      matrix:
+        include:
+          - platform: linux/amd64
+            artifact: telemt-x86_64-linux-gnu
+          - platform: linux/arm64
+            artifact: telemt-aarch64-linux-gnu
 
     steps:
       - uses: actions/checkout@v4
 
-      - name: Set up QEMU
+      - uses: actions/download-artifact@v4
-        uses: docker/setup-qemu-action@v3
+        with:
+          name: ${{ matrix.artifact }}
+          path: dist
 
-      - name: Set up Buildx
+      - run: |
-        uses: docker/setup-buildx-action@v3
+          mkdir docker-build
+          tar -xzf dist/*.tar.gz -C docker-build --strip-components=1
 
-      - name: Log in to GHCR
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Login
         if: ${{ needs.prepare.outputs.release_enabled == 'true' }}
         uses: docker/login-action@v3
         with:
@@ -289,43 +181,20 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Docker metadata
+      - uses: docker/build-push-action@v6
-        id: meta
-        uses: docker/metadata-action@v5
         with:
-          images: ghcr.io/${{ github.repository }}
+          context: ./docker-build
-          tags: |
+          platforms: ${{ matrix.platform }}
-            type=raw,value=${{ needs.prepare.outputs.version }}
-            type=raw,value=latest,enable=${{ needs.prepare.outputs.prerelease != 'true' && needs.prepare.outputs.release_enabled == 'true' }}
-          labels: |
-            org.opencontainers.image.title=telemt
-            org.opencontainers.image.description=telemt
-            org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.version=${{ needs.prepare.outputs.version }}
-            org.opencontainers.image.revision=${{ github.sha }}
-
-      - name: Build and push
-        id: build
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
           push: ${{ needs.prepare.outputs.release_enabled == 'true' }}
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: ghcr.io/${{ github.repository }}:${{ needs.prepare.outputs.version }}
-          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=telemt-${{ matrix.platform }}
-          cache-from: type=gha
+          cache-to: type=gha,mode=max,scope=telemt-${{ matrix.platform }}
-          cache-to: type=gha,mode=max
+          provenance: false
-          provenance: mode=max
+          sbom: false
-          sbom: true
-          build-args: |
-            TELEMT_VERSION=${{ needs.prepare.outputs.version }}
-            VCS_REF=${{ github.sha }}
 
   release:
-    name: Create GitHub Release
     if: ${{ needs.prepare.outputs.release_enabled == 'true' }}
-    needs: [prepare, build-binaries, attest-binaries, docker-image]
+    needs: [prepare, build-binaries]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -334,19 +203,14 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
           path: release-artifacts
+          pattern: telemt-*
 
-      - name: Flatten artifacts
+      - run: |
-        shell: bash
+          mkdir upload
-        run: |
-          set -euo pipefail
-          mkdir -p upload
           find release-artifacts -type f \( -name '*.tar.gz' -o -name '*.sha256' \) -exec cp {} upload/ \;
-          ls -lah upload
 
-      - name: Create release
+      - uses: softprops/action-gh-release@v2
-        uses: softprops/action-gh-release@v2
         with:
           files: upload/*
           generate_release_notes: true
-          draft: false
           prerelease: ${{ needs.prepare.outputs.prerelease == 'true' }}