From 75ab56f2ebd81d0fa98787b0dc566325b70aa8e7 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Wed, 31 Jul 2024 21:13:03 +0200 Subject: [PATCH 01/30] Create releases as drafts initially This is inspired by the ripgrep workflow, though it currently does it in a different way, since right now we are using actions rather than the `gh` command. Actual releases should of course become public. This can be done manually; or another job, which depends on others, could be added so it happens automatically if and after all builds succeed; or this change to creating the releases as drafts (which at this moment is mainly useful to facilitate testing without causing confusion) could be reverted if no longer needed. --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b8dae654380..404eb43447b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -46,6 +46,7 @@ jobs: tag: ${{ env.VERSION }} name: ${{ env.VERSION }} allowUpdates: true + draft: true omitBody: true omitPrereleaseDuringUpdate: true token: ${{ secrets.GITHUB_TOKEN }} From b9ded3aa2389d88b11fe953b6513724116796f79 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Wed, 31 Jul 2024 21:22:34 +0200 Subject: [PATCH 02/30] Add "Show the version" step from ripgrep workflow --- .github/workflows/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 404eb43447b..53eb4eaa898 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,6 +39,10 @@ jobs: if: env.VERSION == '' run: echo 'VERSION=${{ github.ref_name }}' >> "$GITHUB_ENV" + - name: Show the version + run: | + echo "version is: $VERSION" + - name: Create GitHub release id: release uses: ncipollo/release-action@v1 From 929c18c9719740da8de90a395827f5377cf650da Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Wed, 31 Jul 2024 22:32:36 +0200 Subject: [PATCH 03/30] Scope env vars to the job definition that needs them The variables that controlled the behavior of Rust programs and the output of `cargo` are only used in the `build-release` job, not in the `create-release` jobs, and one of them was already set in the more suitable narrower scope. This moves them to that scope, without duplication. They still apply to all steps in the build jobs. This also: - Adjusts comment wording to clarify how `CARGO` is set and used. - Quotes `1` as an environment variable value, since such values are always strings (it was being converted), but having it as a numeric YAML literal made it seem like that was not the case. - Adds spacing for clarity and for stylistic consistency across the two job definitions. --- .github/workflows/release.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 53eb4eaa898..c33499d6f37 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,11 +12,6 @@ on: tags: - 'v*' -env: - RUST_BACKTRACE: 1 - CARGO_TERM_COLOR: always - CLICOLOR: 1 - defaults: run: shell: bash @@ -27,10 +22,13 @@ jobs: # from building the release so that we only create the release once. create-release: name: create-release + runs-on: ubuntu-latest + # env: # # Set to force version number, e.g., when no tag exists. # VERSION: TEST-0.0.0 + steps: - name: Create artifacts directory run: mkdir artifacts @@ -133,10 +131,12 @@ jobs: runs-on: ${{ matrix.os }} env: - CARGO: cargo # On Linux, this will be changed to `cross` later. + CARGO: cargo # On Linux, this will be changed to `cross` in a later step. TARGET_FLAGS: --target=${{ matrix.target }} TARGET_DIR: ./target/${{ matrix.target }} - RUST_BACKTRACE: 1 # Emit backtraces on panics. + RUST_BACKTRACE: '1' # Emit backtraces on panics. + CARGO_TERM_COLOR: always + CLICOLOR: '1' steps: - name: Checkout repository From 7306b209e4b31dc1df4807b7bf50a7adaf0bb987 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Wed, 31 Jul 2024 23:16:10 +0200 Subject: [PATCH 04/30] Drop unneeded leading `./` in `$TARGET_DIR` --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c33499d6f37..709af351f3c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -133,7 +133,7 @@ jobs: env: CARGO: cargo # On Linux, this will be changed to `cross` in a later step. TARGET_FLAGS: --target=${{ matrix.target }} - TARGET_DIR: ./target/${{ matrix.target }} + TARGET_DIR: target/${{ matrix.target }} RUST_BACKTRACE: '1' # Emit backtraces on panics. CARGO_TERM_COLOR: always CLICOLOR: '1' From 663f65975272dea9d618aba39f16720b1a36868f Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 01:25:32 +0200 Subject: [PATCH 05/30] Validate version against Cargo.toml This is strongly inspired by an analogous check in the ripgrep workflow, but done differently (from how that currently does it) by parsing `Cargo.toml` using `yq`. The `yq` command supports reading TOML (just not writing it). This command is present on the `ubuntu-latest` runner. This also moves the "Show the version" step into the new step, and has that step also show the version extracted from `Cargo.toml`, so as to make errors easier to understand and also to help verify that this logic is really working. --- .github/workflows/release.yml | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 709af351f3c..cc3ce833faf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,16 +30,31 @@ jobs: # VERSION: TEST-0.0.0 steps: - - name: Create artifacts directory - run: mkdir artifacts + - name: Checkout repository + uses: actions/checkout@v4 - name: Get the release version from the tag if: env.VERSION == '' run: echo 'VERSION=${{ github.ref_name }}' >> "$GITHUB_ENV" - - name: Show the version + - name: Validate version against Cargo.toml run: | - echo "version is: $VERSION" + manifest_version="$(yq -r .package.version Cargo.toml)" + echo "version to give the release: $VERSION" + echo "version Cargo.toml declares: $manifest_version" + + case "$VERSION" in + "$manifest_version") + echo "OK: Version to give the relase agrees with top-level Cargo.toml." + ;; + *) + echo "STOPPING: Version to give the release seems mistaken." + exit 1 + ;; + esac + + - name: Create artifacts directory + run: mkdir artifacts - name: Create GitHub release id: release From 902718575f4994b9a06bbd65382bb504631117f2 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 01:37:05 +0200 Subject: [PATCH 06/30] Account for "v" prefix in version matching --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cc3ce833faf..0589ef1c7a2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -44,7 +44,7 @@ jobs: echo "version Cargo.toml declares: $manifest_version" case "$VERSION" in - "$manifest_version") + "v$manifest_version") echo "OK: Version to give the relase agrees with top-level Cargo.toml." ;; *) From 15ca68033c02b8eca54479a06883f75795136458 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 01:39:37 +0200 Subject: [PATCH 07/30] Avoid appearing not to account for "v" in version matching This way, real mismatches won't appear wrongly to be due to the "v" that is now accounted for. --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0589ef1c7a2..275a843f8bb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,7 +41,7 @@ jobs: run: | manifest_version="$(yq -r .package.version Cargo.toml)" echo "version to give the release: $VERSION" - echo "version Cargo.toml declares: $manifest_version" + echo "version Cargo.toml suggests: v$manifest_version" case "$VERSION" in "v$manifest_version") From 9041e36e0c059b1cc5dd83728bf0e07e1ef549e1 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 01:50:26 +0200 Subject: [PATCH 08/30] Allow special version names that don't match Cargo.toml This permits names that start with `TEST-` or end with `-DO-NOT-USE`, printing a different "OK" message for them. The check comes after the comparison to the version in `Cargo.toml`, which is still always looked up, for three reasons: - Although it would be very weird and probably a bad idea to put a `-DO-NOT-USE` version in `Cargo.toml`, if it were ever done accidentally or on purpose, the message indicating a match to `Cargo.toml` should still be written. - Having code paths that are only exercised for actual releases and rarely or never in testing is likely to lead to bugs. - For looking it up and reporting it initially: this information is potentially valuable even when deliberately not used. This commit also makes two other changes in that same script step: - A custom message is now printed if the version is rejected only because it didn't have the "v" prefix (which this project's version tags and GitHub release names are using). - Stylistic adjustment, mostly to match the quoting style used throughout the workflow. --- .github/workflows/release.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 275a843f8bb..66babc8bbdd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -40,15 +40,22 @@ jobs: - name: Validate version against Cargo.toml run: | manifest_version="$(yq -r .package.version Cargo.toml)" - echo "version to give the release: $VERSION" + echo "version to name the release: $VERSION" echo "version Cargo.toml suggests: v$manifest_version" case "$VERSION" in - "v$manifest_version") - echo "OK: Version to give the relase agrees with top-level Cargo.toml." + "v$manifest_version" ) + echo 'OK: Version to name the relase agrees with top-level Cargo.toml.' ;; - *) - echo "STOPPING: Version to give the release seems mistaken." + TEST-* | *-DO-NOT-USE ) + echo 'OK: Version to name the release is strange but marked as such.' + ;; + "$manifest_version" ) + echo 'STOPPING: Version to name the release is missing the leading "v".' + exit 1 + ;; + * ) + echo 'STOPPING: Version to name the release seems mistaken.' exit 1 ;; esac From 48c0c2db8f48ac6a601adb8e5fb71220fe02efe8 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 03:08:38 +0200 Subject: [PATCH 09/30] Clarify messages This is mainly to avoid the effect of specifically recommending that the release version/name (usually taken from a tag) be changed to match the version in Cargo.toml, which would not always be good advice because it may be that the version in Cargo.toml is wrong, or that both are wrong, or in testing that a specially named tag (or `VERSION` environment variable) should be used. --- .github/workflows/release.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 66babc8bbdd..a2627be6946 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,17 +45,19 @@ jobs: case "$VERSION" in "v$manifest_version" ) - echo 'OK: Version to name the relase agrees with top-level Cargo.toml.' + echo 'OK: Release name/version agrees with Cargo.toml version.' ;; TEST-* | *-DO-NOT-USE ) - echo 'OK: Version to name the release is strange but marked as such.' + echo 'OK: Release name/version is strange but marked as such.' ;; "$manifest_version" ) - echo 'STOPPING: Version to name the release is missing the leading "v".' + echo 'STOPPING: Release name/version is missing the leading "v".' exit 1 ;; * ) - echo 'STOPPING: Version to name the release seems mistaken.' + echo 'STOPPING: Release name/version and Cargo.toml version do not match.' + echo 'STOPPING: Usually this means either a wrong tag name or wrong version in Cargo.toml.' + echo 'STOPPING: If intended, prepend `TEST-` or append `-DO-NOT-USE` to the release name.' exit 1 ;; esac From 15f67d2fb817f37f9e1cc7345a1a7799e591e09c Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 04:15:12 +0200 Subject: [PATCH 10/30] Create the artifacts directory just before first use This is to keep the steps that produce that directory tree all together. --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a2627be6946..517c2860d0d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -62,9 +62,6 @@ jobs: ;; esac - - name: Create artifacts directory - run: mkdir artifacts - - name: Create GitHub release id: release uses: ncipollo/release-action@v1 @@ -77,6 +74,9 @@ jobs: omitPrereleaseDuringUpdate: true token: ${{ secrets.GITHUB_TOKEN }} + - name: Create artifacts directory + run: mkdir artifacts + - name: Save release upload URL to artifact run: echo '${{ steps.release.outputs.upload_url }}' > artifacts/release-upload-url From b84162db3cfe80c9ee1716c298ac8351de267826 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 04:54:07 +0200 Subject: [PATCH 11/30] Use a `$TARGET` env var (and some other vars) We are already using a `$CARGO` environment variable, which is mainly for convenient expansion by the shell, but `cargo` (and commands like `cross` with the same interface) pass it on to build scripts, which may use it (and if or how they do may in principle vary by feature or target). But the sitation with `$TARGET` is analogous--it would also make commands more readable, and it is also passed down to scripts by `cargo`. So this adds `$TARGET`. Doing this serves another purpose, which is to make it easier to reason about the semantics of the commands the shell is running. Using `${{ }}` interpolation should not be a security risk here, since all values are trusted. But injecting characters such as `'` could still happen by accident. Often it may not be justified, outside of reusable workflows or those running on events with elevated security risks, to route them through environment variables to ensure their contents are not interpreted specially by the shell. However, with the addition of `$TARGET`, it seems that most of that has already been done, such that clarity is overall improved rather than worsened by going the rest of the way. So this does that too, adding other environment variables in the narrowest scope that is broad enough to avoid duplication. Now all `${{ }}` interpolations are outside of script code. Note that these changes only apply to the release workflow and may not necessarily be justified in other workflows. --- .github/workflows/release.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 517c2860d0d..977165012e6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -35,7 +35,10 @@ jobs: - name: Get the release version from the tag if: env.VERSION == '' - run: echo 'VERSION=${{ github.ref_name }}' >> "$GITHUB_ENV" + run: echo "VERSION=$VERSION" >> "$GITHUB_ENV" + env: + VERSION: ${{ github.ref_name }} + - name: Validate version against Cargo.toml run: | @@ -78,7 +81,9 @@ jobs: run: mkdir artifacts - name: Save release upload URL to artifact - run: echo '${{ steps.release.outputs.upload_url }}' > artifacts/release-upload-url + run: echo "$URL" > artifacts/release-upload-url + env: + URL: ${{ steps.release.outputs.upload_url }} - name: Save version number to artifact run: echo "$VERSION" > artifacts/release-version @@ -156,8 +161,10 @@ jobs: env: CARGO: cargo # On Linux, this will be changed to `cross` in a later step. + TARGET: ${{ matrix.target }} TARGET_FLAGS: --target=${{ matrix.target }} TARGET_DIR: target/${{ matrix.target }} + FEATURE: ${{ matrix.feature }} RUST_BACKTRACE: '1' # Emit backtraces on panics. CARGO_TERM_COLOR: always CLICOLOR: '1' @@ -204,7 +211,7 @@ jobs: - name: Build release binary run: | - "$CARGO" build --verbose --release "$TARGET_FLAGS" --no-default-features --features ${{ matrix.feature }} + "$CARGO" build --verbose --release "$TARGET_FLAGS" --no-default-features --features "$FEATURE" - name: Strip release binary (x86-64 Linux, and all macOS) if: matrix.target == 'x86_64-unknown-linux-musl' || matrix.os == 'macos-latest' @@ -222,12 +229,12 @@ jobs: - name: Build archive run: | - staging='gitoxide-${{ matrix.feature }}-${{ env.VERSION }}-${{ matrix.target }}' + staging="gitoxide-$FEATURE-$VERSION-$TARGET" mkdir -p -- "$staging" cp {README.md,LICENSE-*,CHANGELOG.md} "$staging/" - if [ '${{ matrix.os }}' = 'windows-latest' ]; then + if [ "$OS" = 'windows-latest' ]; then file -- "$TARGET_DIR"/release/{ein,gix}.exe cp -- "$TARGET_DIR"/release/{ein,gix}.exe "$staging/" 7z a "$staging.zip" "$staging" @@ -238,6 +245,8 @@ jobs: tar czf "$staging.tar.gz" "$staging" echo "ASSET=$staging.tar.gz" >> "$GITHUB_ENV" fi + env: + OS: ${{ matrix.os }} - name: Upload release archive uses: actions/upload-release-asset@v1.0.2 From f7ee365c4290fe1aa0c9f481e910b872e592b3df Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 05:02:58 +0200 Subject: [PATCH 12/30] Clarify skipped "Install packages (Ubuntu)" step - Slightly reword and reformat the block comment. - Run two commands instead of using `&&`, since with `shell: bash` (inherited as the default as specified at the workflow level), the actual shell command invoked for script steps includes `-e`, so the script would still immediately fail if the first command fails. --- .github/workflows/release.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 977165012e6..a811991fe4f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -174,11 +174,13 @@ jobs: uses: actions/checkout@v4 - name: Install packages (Ubuntu) - # Because openssl doesn't work on musl by default, we resort to max-pure. And that won't need any dependency, so we can skip this.continue-on-error + # Because openssl doesn't work on musl by default, we resort to max-pure. + # And that won't need any dependency, so we can skip this or use `continue-on-error`. # Once we want to support better zlib performance, we might have to re-add it. if: matrix.os == 'ubuntu-latest-disabled' run: | - sudo apt-get update && sudo apt-get install -y --no-install-recommends xz-utils liblz4-tool musl-tools + sudo apt-get update + sudo apt-get install -y --no-install-recommends xz-utils liblz4-tool musl-tools - name: Install Rust uses: dtolnay/rust-toolchain@master From b67c0fd45cb880c88e5e6f03357989668c8bc98b Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 06:07:00 +0200 Subject: [PATCH 13/30] Fix `$VERSION` environment variable check --- .github/workflows/release.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a811991fe4f..fbd953651a5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -35,10 +35,9 @@ jobs: - name: Get the release version from the tag if: env.VERSION == '' - run: echo "VERSION=$VERSION" >> "$GITHUB_ENV" + run: echo "VERSION=$REF_NAME" >> "$GITHUB_ENV" env: - VERSION: ${{ github.ref_name }} - + REF_NAME: ${{ github.ref_name }} - name: Validate version against Cargo.toml run: | From 379f9d84a872d394107aece5b0613408a146bf3c Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 07:05:57 +0200 Subject: [PATCH 14/30] Use `gh` command to create and add to release This makes substantial changes to the release workflow, most of them straightforwardly adapted from corresponding material in the ripgrep release workflow: - The biggest change is to use `gh` (the GitHub CLI) instead of both the ncipollo/release-action and actions/upload-release-asset actions. - Use outputs instead of artifacts for the information that needs to go from the `create-release` job into the `build-release` jobs. This eliminates the need for actions/upload-artifact and actions/download-artifact. Furthermore, since `gh` doesn't require a URL to add files to an existing release, there is only one output, the version. - Split up the "Build archive" step so it doesn't need awkward conditional logic inside a single script step. Now the platform agnostic part of creating the directory and putting documentation in it is one step, followed by steps with `if:` keys for Windows and Unix. For this, the main differences from how it is currently written in the ripgrep workflow are the step titles, the uses of shell expansion rather than `${{ }}` interpolation for the environment variables, and the omission of checksum files since we are not currently generating those. This notably does not add either of the following to the workflow: - This does not set `permissions:` for the workflow. It was not set before, so the configuration, including in the upstream repo, seems not to require it. (Note that this does not imply that the configuration in the ripgrep repo doesn't require it.) - This does try to do anything explicit to take the place of specifying `omitBody: true` for ncipollo/release-action. I'm not sure what should be done for this, but the current behavior seems to produce the same result, and passing `--notes ''` to `gh` might go too far. The current ripgrep workflow has no explicit argument corresponding to this. --- .github/workflows/release.yml | 91 ++++++++++++----------------------- 1 file changed, 31 insertions(+), 60 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fbd953651a5..d66ccd95983 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -# This is largely adapted from past and recent versions of the ripgrep release workflow. +# This is largely adapted from the ripgrep release workflow. # https://github.com/BurntSushi/ripgrep/blob/master/.github/workflows/release.yml name: release @@ -65,33 +65,12 @@ jobs: esac - name: Create GitHub release - id: release - uses: ncipollo/release-action@v1 - with: - tag: ${{ env.VERSION }} - name: ${{ env.VERSION }} - allowUpdates: true - draft: true - omitBody: true - omitPrereleaseDuringUpdate: true - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Create artifacts directory - run: mkdir artifacts - - - name: Save release upload URL to artifact - run: echo "$URL" > artifacts/release-upload-url + run: gh release create "$VERSION" --title="$VERSION" --draft env: - URL: ${{ steps.release.outputs.upload_url }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Save version number to artifact - run: echo "$VERSION" > artifacts/release-version - - - name: Upload artifacts - uses: actions/upload-artifact@v4 - with: - name: artifacts - path: artifacts + outputs: + version: ${{ env.VERSION }} build-release: name: build-release @@ -199,17 +178,6 @@ jobs: echo "target flag is: $TARGET_FLAGS" echo "target dir is: $TARGET_DIR" - - name: Get release download URL - uses: actions/download-artifact@v4 - with: - name: artifacts - path: artifacts - - - name: Set release upload URL and release version - run: | - echo "UPLOAD_URL=$(< artifacts/release-upload-url)" >> "$GITHUB_ENV" - echo "VERSION=$(< artifacts/release-version)" >> "$GITHUB_ENV" - - name: Build release binary run: | "$CARGO" build --verbose --release "$TARGET_FLAGS" --no-default-features --features "$FEATURE" @@ -228,33 +196,36 @@ jobs: /target/arm-unknown-linux-gnueabihf/release/ein \ /target/arm-unknown-linux-gnueabihf/release/gix - - name: Build archive + - name: Determine version + run: echo "VERSION=$VERSION" >> "$GITHUB_ENV" + env: + VERSION: ${{ needs.create-release.outputs.version }} + + - name: Determine archive basename + run: echo "ARCHIVE=gitoxide-$FEATURE-$VERSION-$TARGET" >> "$GITHUB_ENV" + + - name: Pre-populate directory for archive run: | - staging="gitoxide-$FEATURE-$VERSION-$TARGET" - mkdir -p -- "$staging" + mkdir -- "$ARCHIVE" + cp {README.md,LICENSE-*,CHANGELOG.md} "$ARCHIVE/" - cp {README.md,LICENSE-*,CHANGELOG.md} "$staging/" + - name: Build archive (Windows) + if: matrix.os == 'windows-latest' + run: | + file -- "$TARGET_DIR"/release/{ein,gix}.exe + cp -- "$TARGET_DIR"/release/{ein,gix}.exe "$ARCHIVE/" + 7z a "$ARCHIVE.zip" "$ARCHIVE" + echo "ASSET=$ARCHIVE.zip" >> "$GITHUB_ENV" - if [ "$OS" = 'windows-latest' ]; then - file -- "$TARGET_DIR"/release/{ein,gix}.exe - cp -- "$TARGET_DIR"/release/{ein,gix}.exe "$staging/" - 7z a "$staging.zip" "$staging" - echo "ASSET=$staging.zip" >> "$GITHUB_ENV" - else - file -- "$TARGET_DIR"/release/{ein,gix} - cp -- "$TARGET_DIR"/release/{ein,gix} "$staging/" - tar czf "$staging.tar.gz" "$staging" - echo "ASSET=$staging.tar.gz" >> "$GITHUB_ENV" - fi - env: - OS: ${{ matrix.os }} + - name: Build archive (Unix) + if: matrix.os != 'windows-latest' + run: | + file -- "$TARGET_DIR"/release/{ein,gix} + cp -- "$TARGET_DIR"/release/{ein,gix} "$ARCHIVE/" + tar czf "$ARCHIVE.tar.gz" "$ARCHIVE" + echo "ASSET=$ARCHIVE.tar.gz" >> "$GITHUB_ENV" - name: Upload release archive - uses: actions/upload-release-asset@v1.0.2 + run: gh release upload "$VERSION" "$ASSET" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ env.UPLOAD_URL }} - asset_path: ${{ env.ASSET }} - asset_name: ${{ env.ASSET }} - asset_content_type: application/octet-stream From 8b73c5cf488f615a067a366aa8ed7f55c1ca3750 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 09:35:46 +0200 Subject: [PATCH 15/30] Start on skeleton of universal binary build job --- .github/workflows/release.yml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d66ccd95983..9949607d109 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -88,7 +88,7 @@ jobs: - x86_64-pc-windows-gnu - i686-pc-windows-msvc - aarch64-pc-windows-msvc - feature: + feature: &features - small - lean - max @@ -229,3 +229,21 @@ jobs: run: gh release upload "$VERSION" "$ASSET" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + build-macos-universal-binary-release: + name: build-macos-universal-binary-release + + runs-on: macos-latest + + needs: [ create-release, build-release ] + + strategy: + matrix: + feature: *features + + steps: + - name: Placeholder + run: | + echo "This job is for the feature: $FEATURE" + env: + FEATURE: ${{ matrix.feature }} From 56d1bbb364d786e82b6ef7e9bd48698d828eb466 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 09:42:19 +0200 Subject: [PATCH 16/30] Duplicate features, since GHA doesn't support anchors --- .github/workflows/release.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9949607d109..ad0f6d9a07c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -88,11 +88,7 @@ jobs: - x86_64-pc-windows-gnu - i686-pc-windows-msvc - aarch64-pc-windows-msvc - feature: &features - - small - - lean - - max - - max-pure + feature: [ small, lean, max, max-pure ] include: - target: x86_64-unknown-linux-musl os: ubuntu-latest @@ -239,7 +235,7 @@ jobs: strategy: matrix: - feature: *features + feature: [ small, lean, max, max-pure ] steps: - name: Placeholder From 3054aedeb5da4076331acb58598b342aa2a158ee Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 20:04:56 +0200 Subject: [PATCH 17/30] Write universal binary build job draft; refactor env vars This expands the stub job for making Universal 2 binaries for macOS into a full definition, downloading and extracting the two architecture-specific archives from the GitHub release. This may require further refinement. It also refactors the way environment variables are set for the preexisting jobs: - Order variables in `env:` so they may be easier to understand. - Define `VERSION` in `env:` rather than in its own step. I think this is a bit more readable, but also, it allows the new job to be stylistically consistent with the preexisting jobs. --- .github/workflows/release.yml | 50 +++++++++++++++++++++++++---------- 1 file changed, 36 insertions(+), 14 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ad0f6d9a07c..577d8646896 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -134,14 +134,15 @@ jobs: runs-on: ${{ matrix.os }} env: + RUST_BACKTRACE: '1' # Emit backtraces on panics. + CARGO_TERM_COLOR: always + CLICOLOR: '1' CARGO: cargo # On Linux, this will be changed to `cross` in a later step. + FEATURE: ${{ matrix.feature }} + VERSION: ${{ needs.create-release.outputs.version }} TARGET: ${{ matrix.target }} TARGET_FLAGS: --target=${{ matrix.target }} TARGET_DIR: target/${{ matrix.target }} - FEATURE: ${{ matrix.feature }} - RUST_BACKTRACE: '1' # Emit backtraces on panics. - CARGO_TERM_COLOR: always - CLICOLOR: '1' steps: - name: Checkout repository @@ -192,11 +193,6 @@ jobs: /target/arm-unknown-linux-gnueabihf/release/ein \ /target/arm-unknown-linux-gnueabihf/release/gix - - name: Determine version - run: echo "VERSION=$VERSION" >> "$GITHUB_ENV" - env: - VERSION: ${{ needs.create-release.outputs.version }} - - name: Determine archive basename run: echo "ARCHIVE=gitoxide-$FEATURE-$VERSION-$TARGET" >> "$GITHUB_ENV" @@ -226,8 +222,8 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - build-macos-universal-binary-release: - name: build-macos-universal-binary-release + build-macos-universal2-release: + name: build-macos-universal2-release runs-on: macos-latest @@ -237,9 +233,35 @@ jobs: matrix: feature: [ small, lean, max, max-pure ] + env: + BASH_ENV: ./helpers.sh + FEATURE: ${{ matrix.feature }} + VERSION: ${{ needs.create-release.outputs.version }} + steps: - - name: Placeholder + - name: Define helper function + run: | + name() { echo "gitoxide-$FEATURE-$VERSION-$1-apple-darwin"; } + declare -f name >> "$BASH_ENV" + + - name: Obtain single-architecture releases + run: | + gh release download "$VERSION" --pattern="$(name aarch64).tar.gz" --pattern="$(name x86_64).tar.gz" + tar xf "$(name aarch64).tar.gz" + tar xf "$(name x86_64).tar.gz" + + - name: Repack into Universal-2 release run: | - echo "This job is for the feature: $FEATURE" + cp -R -- "$(name aarch64)" "$(name universal)" + rm -- "$(name universal)"/{ein,gix} + for bin in ein gix; do + lipo -create "$(name aarch64)/$bin" "$(name x86_64)/$bin" -output "$(name universal)/$bin" + done + file "$(name universal)"/{ein,gix} + tar czf "$(name universal).tar.gz" "$(name universal)" + echo "ASSET=$(name universal).tar.gz" >> "$GITHUB_ENV" + + - name: Upload release archive + run: gh release upload "$VERSION" "$ASSET" env: - FEATURE: ${{ matrix.feature }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From f5ac2969fa9bd5a152d5f0f61fe33a620001c5a6 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 20:15:35 +0200 Subject: [PATCH 18/30] Refine universal binary build job - Add missing `GITHUB_TOKEN` for download. This is neeeded even for the download step because the release is a draft. (Even if that is changed, it may be made a draft manually during creation under some conditions, which would not usually signal a wish that the Universal 2 binary archive specifically be omitted.) - Break up into more steps. --- .github/workflows/release.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 577d8646896..728fc7af42e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -247,17 +247,28 @@ jobs: - name: Obtain single-architecture releases run: | gh release download "$VERSION" --pattern="$(name aarch64).tar.gz" --pattern="$(name x86_64).tar.gz" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Unpack single-architecture releases + run: | tar xf "$(name aarch64).tar.gz" tar xf "$(name x86_64).tar.gz" - - name: Repack into Universal-2 release + - name: Pre-populate directory for archive run: | cp -R -- "$(name aarch64)" "$(name universal)" rm -- "$(name universal)"/{ein,gix} + + - name: Create Universal 2 binaries + run: | for bin in ein gix; do lipo -create "$(name aarch64)/$bin" "$(name x86_64)/$bin" -output "$(name universal)/$bin" + file "$(name universal)/$bin" done - file "$(name universal)"/{ein,gix} + + - name: Build archive + run: | tar czf "$(name universal).tar.gz" "$(name universal)" echo "ASSET=$(name universal).tar.gz" >> "$GITHUB_ENV" From 0d8f1c4829db171feb274e661f2e88df5b0d0576 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 21:01:38 +0200 Subject: [PATCH 19/30] Apparently we must specify the repo when not checked out This adds a `REPOSITORY` environment variable in at the job level for build-macos-universal2-release and references it in the two steps that apparently need it. Although these are the same two steps that use the token, that is not added to steps that don't require it, since it is sensitive. --- .github/workflows/release.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 728fc7af42e..3013bb66a79 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -235,6 +235,7 @@ jobs: env: BASH_ENV: ./helpers.sh + REPOSITORY: ${{ github.repository }} FEATURE: ${{ matrix.feature }} VERSION: ${{ needs.create-release.outputs.version }} @@ -246,7 +247,7 @@ jobs: - name: Obtain single-architecture releases run: | - gh release download "$VERSION" --pattern="$(name aarch64).tar.gz" --pattern="$(name x86_64).tar.gz" + gh release --repo "$REPOSITORY" download "$VERSION" --pattern="$(name aarch64).tar.gz" --pattern="$(name x86_64).tar.gz" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -273,6 +274,6 @@ jobs: echo "ASSET=$(name universal).tar.gz" >> "$GITHUB_ENV" - name: Upload release archive - run: gh release upload "$VERSION" "$ASSET" + run: gh release --repo "$REPOSITORY" upload "$VERSION" "$ASSET" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 314de7a63d6cd3cb5433f6c9ddfb8095459550ce Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Thu, 1 Aug 2024 22:42:38 +0200 Subject: [PATCH 20/30] Check that macOS universal binaries are for the same features As commented, this should catch if the features lists get out of sync. (It may catch other problems too, but without this issue, the check is likely not justified. Printing the list of artifacts at the time publishing is about to occur may still be justified in that case, though.) --- .github/workflows/release.yml | 49 +++++++++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3013bb66a79..4f70e004953 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -88,6 +88,7 @@ jobs: - x86_64-pc-windows-gnu - i686-pc-windows-msvc - aarch64-pc-windows-msvc + # When changing these features, make the same change in build-macos-universal2-release. feature: [ small, lean, max, max-pure ] include: - target: x86_64-unknown-linux-musl @@ -231,6 +232,7 @@ jobs: strategy: matrix: + # These features need to be exactly the same as the features in build-release. feature: [ small, lean, max, max-pure ] env: @@ -247,7 +249,7 @@ jobs: - name: Obtain single-architecture releases run: | - gh release --repo "$REPOSITORY" download "$VERSION" --pattern="$(name aarch64).tar.gz" --pattern="$(name x86_64).tar.gz" + gh release --repo="$REPOSITORY" download "$VERSION" --pattern="$(name aarch64).tar.gz" --pattern="$(name x86_64).tar.gz" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -274,6 +276,49 @@ jobs: echo "ASSET=$(name universal).tar.gz" >> "$GITHUB_ENV" - name: Upload release archive - run: gh release --repo "$REPOSITORY" upload "$VERSION" "$ASSET" + run: gh release --repo="$REPOSITORY" upload "$VERSION" "$ASSET" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # This checks and publishes the release on GitHub. It does not upload to crates.io. + publish-release: + name: publish-release + + runs-on: ubuntu-latest + + needs: [ create-release, build-release, build-macos-universal2-release ] + + env: + REPOSITORY: ${{ github.repository }} + VERSION: ${{ needs.create-release.outputs.version }} + + steps: + - name: Discover assets + run: | + gh release --repo="$REPOSITORY" view "$VERSION" --json assets --jq '.assets.[].name' > assets.txt + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Show all asset names + run: cat assets.txt + + # The `features` array is repeated because GHA doen't support YAML anchors. + # We will check that the macOS `universal` features match the others exactly. + # In the future this and the next step may be removed, or expanded to do more validation. + - name: Extract macOS asset names by architecture + run: | + for arch in aarch64 x86_64 universal; do + grep -Fw "$arch-apple-darwin" assets.txt | sort | tee -- "$arch.txt" + done + + - name: Check macOS archive features + run: | + mask() { sed -r 's/\w+-apple-darwin/-apple-darwin/' -- "$1.txt"; } + diff -- <(mask aarch64) <(mask universal) + diff -- <(mask x86_64) <(mask universal) + + - name: Publish the release + if: false + run: gh release --repo="$REPOSITORY" edit "$VERSION" --draft=false env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 027fef58c6533a0581c5ef98706ac0a5742ccf6d Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Fri, 2 Aug 2024 00:03:41 +0200 Subject: [PATCH 21/30] Generate and upload SHA256 sums, as ripgrep does This uses the code from the ripgrep workflow to do so, with small modifications to fit the style used here, and, except for the code that is specific to Windows, occurring twice: once for most of the Unix jobs, and once for the macOS Universal 2 archive. This also makes these closely related changes: + Refactor the parts of the Universal 2 job that are similar to the other jobs so they are expressed more similarly. + Check the new checksums for the `gh release download` downloaded archives that the Universal 2 job takes its architecture-specific binaries from (to combine into an universal binary). The risk that the files would be corrupted when downloaded in this way is *extremely* low, but the presence of a checksum published for the Universal 2 archive might be interpreted to mean that downloaded archives used for the constituent binary images were verified. (As done here, this verification is not really for security, since the checksums used to do it are obtained from the same source in the same way -- which fortunately is pretty secure. It may safeguard against a very small risk of corruption. It also fails earlier if the files are not downloaded at all, in case the cause is not one that caused `gh` to exit with a failure status.) --- .github/workflows/release.yml | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4f70e004953..42a9289177b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -208,7 +208,9 @@ jobs: file -- "$TARGET_DIR"/release/{ein,gix}.exe cp -- "$TARGET_DIR"/release/{ein,gix}.exe "$ARCHIVE/" 7z a "$ARCHIVE.zip" "$ARCHIVE" + certutil -hashfile "$ARCHIVE.zip" SHA256 > "$ARCHIVE.zip.sha256" echo "ASSET=$ARCHIVE.zip" >> "$GITHUB_ENV" + echo "ASSET_SUM=$ARCHIVE.zip.sha256" >> "$GITHUB_ENV" - name: Build archive (Unix) if: matrix.os != 'windows-latest' @@ -216,10 +218,12 @@ jobs: file -- "$TARGET_DIR"/release/{ein,gix} cp -- "$TARGET_DIR"/release/{ein,gix} "$ARCHIVE/" tar czf "$ARCHIVE.tar.gz" "$ARCHIVE" + shasum --algorithm=256 "$ARCHIVE.tar.gz" > "$ARCHIVE.tar.gz.sha256" echo "ASSET=$ARCHIVE.tar.gz" >> "$GITHUB_ENV" + echo "ASSET_SUM=$ARCHIVE.tar.gz.sha256" >> "$GITHUB_ENV" - name: Upload release archive - run: gh release upload "$VERSION" "$ASSET" + run: gh release upload "$VERSION" "$ASSET" "$ASSET_SUM" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -249,38 +253,46 @@ jobs: - name: Obtain single-architecture releases run: | - gh release --repo="$REPOSITORY" download "$VERSION" --pattern="$(name aarch64).tar.gz" --pattern="$(name x86_64).tar.gz" + gh release --repo="$REPOSITORY" download "$VERSION" \ + --pattern="$(name aarch64).tar.gz" --pattern="$(name aarch64).tar.gz.sha256" \ + --pattern="$(name x86_64).tar.gz" --pattern="$(name x86_64).tar.gz.sha256" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Unpack single-architecture releases run: | + shasum --check "$(name aarch64).tar.gz.sha256" "$(name x86_64).tar.gz.sha256" tar xf "$(name aarch64).tar.gz" tar xf "$(name x86_64).tar.gz" + - name: Determine archive basename + run: echo "ARCHIVE=$(name universal)" >> "$GITHUB_ENV" + - name: Pre-populate directory for archive run: | - cp -R -- "$(name aarch64)" "$(name universal)" - rm -- "$(name universal)"/{ein,gix} + cp -R -- "$(name aarch64)" "$ARCHIVE" + rm -- "$ARCHIVE"/{ein,gix} - name: Create Universal 2 binaries run: | for bin in ein gix; do - lipo -create "$(name aarch64)/$bin" "$(name x86_64)/$bin" -output "$(name universal)/$bin" - file "$(name universal)/$bin" + lipo -create "$(name aarch64)/$bin" "$(name x86_64)/$bin" -output "$ARCHIVE/$bin" + file -- "$ARCHIVE/$bin" done - name: Build archive run: | - tar czf "$(name universal).tar.gz" "$(name universal)" - echo "ASSET=$(name universal).tar.gz" >> "$GITHUB_ENV" + tar czf "$ARCHIVE.tar.gz" "$ARCHIVE" + shasum --algorithm=256 "$ARCHIVE.tar.gz" > "$ARCHIVE.tar.gz.sha256" + echo "ASSET=$ARCHIVE.tar.gz" >> "$GITHUB_ENV" + echo "ASSET_SUM=$ARCHIVE.tar.gz.sha256" >> "$GITHUB_ENV" - name: Upload release archive - run: gh release --repo="$REPOSITORY" upload "$VERSION" "$ASSET" + run: gh release --repo="$REPOSITORY" upload "$VERSION" "$ASSET" "$ASSET_SUM" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # This checks and publishes the release on GitHub. It does not upload to crates.io. + # This checks the draft release on GitHub and publishes it. It does not upload to crates.io. publish-release: name: publish-release From 889377fa533dc83d4b4b5bcab5fdec0f14b0046d Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Fri, 2 Aug 2024 04:53:16 +0200 Subject: [PATCH 22/30] Use Unix-style checksum files even on Windows With `shasum` for Unix checksums, they look like: 407860b1605577700750b92f464068fdaa65ff5ecb7fabcd5a9ba8dac7156149 gitoxide-max-pure-v0.38.0-alpha.2-DO-NOT-USE-x86_64-unknown-linux-musl.tar.gz With `certutil` for Windows checksums, they looked like: SHA256 hash of gitoxide-max-pure-v0.38.0-alpha.2-DO-NOT-USE-x86_64-pc-windows-msvc.zip: 870a157307d8674f981278afa2161973d65a4c6956fc2810cdc901886a41da12 CertUtil: -hashfile command completed successfully. Unlike `shasum`, the `certutil` command does not verify checksums, it only generates them. As far as I know, there are no common tools that require the format to be as `certutil` outputs it. In contrast, tools commonly expect the format `shasum` outputs. Furthermore, the Git Bash environment from Git for Windows includes `shasum`, which means it is present: - On GitHub Actions runners for Windows (as for other platforms). - On the computers of most Windows users in gitoxide's user base. Even if someone does not have `shasum` or another tool that will automatically verify checksums from this format, they would at worst need to verify it manually, which I believe is typically already the case when examining output from `certutil` in the above format. Furthermore, we have not published checksums before, so for gitoxide no one is relying on checksums being published that way. --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 42a9289177b..8c6620b53ee 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -208,7 +208,7 @@ jobs: file -- "$TARGET_DIR"/release/{ein,gix}.exe cp -- "$TARGET_DIR"/release/{ein,gix}.exe "$ARCHIVE/" 7z a "$ARCHIVE.zip" "$ARCHIVE" - certutil -hashfile "$ARCHIVE.zip" SHA256 > "$ARCHIVE.zip.sha256" + shasum --algorithm=256 "$ARCHIVE.zip" > "$ARCHIVE.zip.sha256" echo "ASSET=$ARCHIVE.zip" >> "$GITHUB_ENV" echo "ASSET_SUM=$ARCHIVE.zip.sha256" >> "$GITHUB_ENV" From aae0fe2710e0ea7c2cdd39b607b8765b40ca9460 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Fri, 2 Aug 2024 05:14:50 +0200 Subject: [PATCH 23/30] Help Windows runner find its `shasum` command --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8c6620b53ee..9c8d666cee9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -208,7 +208,7 @@ jobs: file -- "$TARGET_DIR"/release/{ein,gix}.exe cp -- "$TARGET_DIR"/release/{ein,gix}.exe "$ARCHIVE/" 7z a "$ARCHIVE.zip" "$ARCHIVE" - shasum --algorithm=256 "$ARCHIVE.zip" > "$ARCHIVE.zip.sha256" + /usr/bin/core_perl/shasum --algorithm=256 "$ARCHIVE.zip" > "$ARCHIVE.zip.sha256" echo "ASSET=$ARCHIVE.zip" >> "$GITHUB_ENV" echo "ASSET_SUM=$ARCHIVE.zip.sha256" >> "$GITHUB_ENV" From f0bd79a7f75d9104d368e149ef8f640ca6c2f9ec Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Fri, 2 Aug 2024 06:01:06 +0200 Subject: [PATCH 24/30] Ensure `shasum` uses binary mode All files whose checksums are computed here are binary files, and even if `shasum` were to behave the same, it omits the `*` prefix in front of the filename that allows humans and tools to know for sure that it was binary mode unless `--binary` is passed. --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9c8d666cee9..83868e94613 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -208,7 +208,7 @@ jobs: file -- "$TARGET_DIR"/release/{ein,gix}.exe cp -- "$TARGET_DIR"/release/{ein,gix}.exe "$ARCHIVE/" 7z a "$ARCHIVE.zip" "$ARCHIVE" - /usr/bin/core_perl/shasum --algorithm=256 "$ARCHIVE.zip" > "$ARCHIVE.zip.sha256" + /usr/bin/core_perl/shasum --algorithm=256 --binary "$ARCHIVE.zip" > "$ARCHIVE.zip.sha256" echo "ASSET=$ARCHIVE.zip" >> "$GITHUB_ENV" echo "ASSET_SUM=$ARCHIVE.zip.sha256" >> "$GITHUB_ENV" @@ -218,7 +218,7 @@ jobs: file -- "$TARGET_DIR"/release/{ein,gix} cp -- "$TARGET_DIR"/release/{ein,gix} "$ARCHIVE/" tar czf "$ARCHIVE.tar.gz" "$ARCHIVE" - shasum --algorithm=256 "$ARCHIVE.tar.gz" > "$ARCHIVE.tar.gz.sha256" + shasum --algorithm=256 --binary "$ARCHIVE.tar.gz" > "$ARCHIVE.tar.gz.sha256" echo "ASSET=$ARCHIVE.tar.gz" >> "$GITHUB_ENV" echo "ASSET_SUM=$ARCHIVE.tar.gz.sha256" >> "$GITHUB_ENV" @@ -283,7 +283,7 @@ jobs: - name: Build archive run: | tar czf "$ARCHIVE.tar.gz" "$ARCHIVE" - shasum --algorithm=256 "$ARCHIVE.tar.gz" > "$ARCHIVE.tar.gz.sha256" + shasum --algorithm=256 --binary "$ARCHIVE.tar.gz" > "$ARCHIVE.tar.gz.sha256" echo "ASSET=$ARCHIVE.tar.gz" >> "$GITHUB_ENV" echo "ASSET_SUM=$ARCHIVE.tar.gz.sha256" >> "$GITHUB_ENV" From 20a498dbe75db99b3909fd594c9ce5edaa864b6d Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Fri, 2 Aug 2024 06:03:42 +0200 Subject: [PATCH 25/30] Replace single sha256 files with a combined one before publishing --- .github/workflows/release.yml | 41 +++++++++++++++++++++++++++-------- 1 file changed, 32 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 83868e94613..e38a5d97bc6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -292,23 +292,20 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # This checks the draft release on GitHub and publishes it. It does not upload to crates.io. - publish-release: - name: publish-release + check-release: + name: check-release runs-on: ubuntu-latest needs: [ create-release, build-release, build-macos-universal2-release ] - env: - REPOSITORY: ${{ github.repository }} - VERSION: ${{ needs.create-release.outputs.version }} - steps: - name: Discover assets run: | gh release --repo="$REPOSITORY" view "$VERSION" --json assets --jq '.assets.[].name' > assets.txt env: + REPOSITORY: ${{ github.repository }} + VERSION: ${{ needs.create-release.outputs.version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Show all asset names @@ -329,8 +326,34 @@ jobs: diff -- <(mask aarch64) <(mask universal) diff -- <(mask x86_64) <(mask universal) + publish-release: + name: publish-release + + runs-on: ubuntu-latest + + needs: [ create-release, check-release ] + + env: + REPOSITORY: ${{ github.repository }} + VERSION: ${{ needs.create-release.outputs.version }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + steps: + - name: Retrieve individual checksums + run: gh release --repo="$REPOSITORY" download "$VERSION" --pattern='gitoxide-*.sha256' + + - name: Concatenate checksums into one file + run: cat gitoxide-*.sha256 > hashes.sha256 + + - name: Upload the combined checksum file + run: gh release --repo="$REPOSITORY" upload "$VERSION" hashes.sha256 + + - name: Discard the individual checksum files + run: | + for sumfile in gitoxide-*.sha256; do + gh release --repo="$REPOSITORY" delete-asset "$VERSION" "$sumfile" --yes + done + - name: Publish the release if: false run: gh release --repo="$REPOSITORY" edit "$VERSION" --draft=false - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From abeaca10b59216911a25a22d434b27580865eebc Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Fri, 2 Aug 2024 06:17:37 +0200 Subject: [PATCH 26/30] Consolidate `check-release` and `publish-release` jobs To avoid setting `GITHUB_TOKEN` where not needed, this defines it in `env:` for each individual step that needs it, as elsewhere. This is more awkward than in the other jobs, since half the steps use it here, but this may be okay. --- .github/workflows/release.yml | 39 ++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e38a5d97bc6..e414766acdf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -292,23 +292,25 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - check-release: - name: check-release + publish-release: + name: publish-release runs-on: ubuntu-latest needs: [ create-release, build-release, build-macos-universal2-release ] + env: + REPOSITORY: ${{ github.repository }} + VERSION: ${{ needs.create-release.outputs.version }} + steps: - name: Discover assets run: | gh release --repo="$REPOSITORY" view "$VERSION" --json assets --jq '.assets.[].name' > assets.txt env: - REPOSITORY: ${{ github.repository }} - VERSION: ${{ needs.create-release.outputs.version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Show all asset names + - name: Show all individual asset names run: cat assets.txt # The `features` array is repeated because GHA doen't support YAML anchors. @@ -326,34 +328,33 @@ jobs: diff -- <(mask aarch64) <(mask universal) diff -- <(mask x86_64) <(mask universal) - publish-release: - name: publish-release - - runs-on: ubuntu-latest - - needs: [ create-release, check-release ] - - env: - REPOSITORY: ${{ github.repository }} - VERSION: ${{ needs.create-release.outputs.version }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Clean up local temporary macOS asset list files + run: rm {assets,aarch64,x86_64,universal}.txt - steps: - - name: Retrieve individual checksums + - name: Retrieve all individual checksums run: gh release --repo="$REPOSITORY" download "$VERSION" --pattern='gitoxide-*.sha256' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Concatenate checksums into one file run: cat gitoxide-*.sha256 > hashes.sha256 - name: Upload the combined checksum file run: gh release --repo="$REPOSITORY" upload "$VERSION" hashes.sha256 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Discard the individual checksum files + # If any step of any job fails before this, the draft still has the individual checksum files. + - name: Remove the individual checksum file assets run: | for sumfile in gitoxide-*.sha256; do gh release --repo="$REPOSITORY" delete-asset "$VERSION" "$sumfile" --yes done + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Publish the release if: false run: gh release --repo="$REPOSITORY" edit "$VERSION" --draft=false + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 00695ec49be4c4ee157fc7c801f1e7eb91e5bdc3 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Fri, 2 Aug 2024 06:25:41 +0200 Subject: [PATCH 27/30] Remove redundant job `name` keys Since they are all exactly the same as the job IDs. --- .github/workflows/release.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e414766acdf..e19512ddade 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,8 +21,6 @@ jobs: # and names the release after the version tag that was pushed. It's separate # from building the release so that we only create the release once. create-release: - name: create-release - runs-on: ubuntu-latest # env: @@ -73,8 +71,6 @@ jobs: version: ${{ env.VERSION }} build-release: - name: build-release - needs: [ create-release ] strategy: @@ -228,8 +224,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} build-macos-universal2-release: - name: build-macos-universal2-release - runs-on: macos-latest needs: [ create-release, build-release ] @@ -293,8 +287,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} publish-release: - name: publish-release - runs-on: ubuntu-latest needs: [ create-release, build-release, build-macos-universal2-release ] From 90c06973c1be7e77db851368d74038a1053d57ae Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Fri, 2 Aug 2024 07:11:14 +0200 Subject: [PATCH 28/30] Document each job definition with a specific comment --- .github/workflows/release.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e19512ddade..18996ea7156 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,9 +17,7 @@ defaults: shell: bash jobs: - # The create-release job runs purely to initialize the GitHub release itself, - # and names the release after the version tag that was pushed. It's separate - # from building the release so that we only create the release once. + # Create a draft release, initially with no binary assets attached. create-release: runs-on: ubuntu-latest @@ -70,6 +68,7 @@ jobs: outputs: version: ${{ env.VERSION }} + # Build for a particular feature and target, and attach an archive for it. build-release: needs: [ create-release ] @@ -223,6 +222,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Add a macOS universal binary archive for a feature using its built aarch64 and x86_64 assets. build-macos-universal2-release: runs-on: macos-latest @@ -286,6 +286,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Check for some problems, consolidate checksum files into one, and mark the release non-draft. publish-release: runs-on: ubuntu-latest From f5d98de2ebb3ae5d81fbe918872ab3128c29e011 Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Fri, 2 Aug 2024 07:01:46 +0200 Subject: [PATCH 29/30] Tweak commented description of relationship to ripgrep workflow This is to account for recent additions that are not present in the history of the ripgrep workflow, so if there are problems with them then people don't spend too much time trying to figure out what in the ripgrep workflow they would have come from. --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 18996ea7156..cb275ad8ec9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -# This is largely adapted from the ripgrep release workflow. +# Much of this workflow is adapted from the ripgrep release workflow. # https://github.com/BurntSushi/ripgrep/blob/master/.github/workflows/release.yml name: release From c307b72eee79cd09fa1bf380687de63491def0ec Mon Sep 17 00:00:00 2001 From: Eliah Kagan Date: Fri, 2 Aug 2024 02:28:51 +0200 Subject: [PATCH 30/30] Make workflow actually publish releases (set non-draft) --- .github/workflows/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cb275ad8ec9..0c966a26a20 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -347,7 +347,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Publish the release - if: false run: gh release --repo="$REPOSITORY" edit "$VERSION" --draft=false env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}