|
| 1 | +name: release-darwin |
| 2 | + |
| 3 | +# darwin/arm64 release on a macos-14 runner. Attaches binaries to the |
| 4 | +# existing GitHub Release created by release-go.yml (which only builds |
| 5 | +# linux). Runs after the linux release lands so the target Release |
| 6 | +# already exists. |
| 7 | +# |
| 8 | +# Why a separate workflow: |
| 9 | +# - release-go.yml runs on ubuntu-latest. CGO + kuzudb won't |
| 10 | +# cross-compile cleanly to darwin from linux. |
| 11 | +# - macos-14 runners are arm64 (M1+); cross-compile to darwin/arm64 |
| 12 | +# happens via native CC = clang. |
| 13 | +# - The two workflows publish to the same tag → same Release. |
| 14 | + |
| 15 | +on: |
| 16 | + push: |
| 17 | + tags: |
| 18 | + - 'v*.*.*' |
| 19 | + workflow_dispatch: |
| 20 | + inputs: |
| 21 | + tag: |
| 22 | + description: 'Tag to release (e.g. v0.3.0). Release must already exist.' |
| 23 | + required: true |
| 24 | + |
| 25 | +permissions: |
| 26 | + contents: write |
| 27 | + id-token: write # Sigstore keyless via GitHub OIDC |
| 28 | + attestations: write |
| 29 | + |
| 30 | +# Pass the input/ref to the shell via env vars (not inline `${{ }}` |
| 31 | +# interpolation) — Semgrep `yaml.github-actions.security.run-shell-injection` |
| 32 | +# rule. inputs.tag for workflow_dispatch; GITHUB_REF_NAME for tag pushes. |
| 33 | +env: |
| 34 | + TAG: ${{ github.event.inputs.tag || github.ref_name }} |
| 35 | + |
| 36 | +jobs: |
| 37 | + release-darwin: |
| 38 | + name: release (darwin / arm64) |
| 39 | + runs-on: macos-14 |
| 40 | + steps: |
| 41 | + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 42 | + with: |
| 43 | + fetch-depth: 0 |
| 44 | + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 |
| 45 | + with: |
| 46 | + go-version: '1.25.10' |
| 47 | + cache: true |
| 48 | + cache-dependency-path: go/go.sum |
| 49 | + |
| 50 | + - name: Build darwin/arm64 binary |
| 51 | + working-directory: go |
| 52 | + env: |
| 53 | + CGO_ENABLED: '1' |
| 54 | + GOOS: darwin |
| 55 | + GOARCH: arm64 |
| 56 | + run: | |
| 57 | + VERSION="${TAG#v}" |
| 58 | + go build \ |
| 59 | + -trimpath \ |
| 60 | + -ldflags "-s -w \ |
| 61 | + -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Version=${VERSION}' \ |
| 62 | + -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Commit=$(git rev-parse --short HEAD)' \ |
| 63 | + -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Date=$(date -u +%Y-%m-%dT%H:%M:%SZ)' \ |
| 64 | + -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Dirty=false'" \ |
| 65 | + -o codeiq ./cmd/codeiq |
| 66 | +
|
| 67 | + - name: Package archive |
| 68 | + working-directory: go |
| 69 | + run: | |
| 70 | + VERSION="${TAG#v}" |
| 71 | + ARCHIVE_DIR="codeiq_${VERSION}_darwin_arm64" |
| 72 | + mkdir -p "${ARCHIVE_DIR}" |
| 73 | + cp codeiq "${ARCHIVE_DIR}/" |
| 74 | + cp ../LICENSE "${ARCHIVE_DIR}/" 2>/dev/null || true |
| 75 | + cp ../README.md "${ARCHIVE_DIR}/" 2>/dev/null || true |
| 76 | + cp ../CHANGELOG.md "${ARCHIVE_DIR}/" 2>/dev/null || true |
| 77 | + tar czf "../${ARCHIVE_DIR}.tar.gz" "${ARCHIVE_DIR}" |
| 78 | +
|
| 79 | + - name: Install Syft (SBOM) |
| 80 | + uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 |
| 81 | + - name: Generate SBOM |
| 82 | + run: | |
| 83 | + VERSION="${TAG#v}" |
| 84 | + ARCHIVE="codeiq_${VERSION}_darwin_arm64.tar.gz" |
| 85 | + syft "$ARCHIVE" --output spdx-json="${ARCHIVE}.sbom.spdx.json" |
| 86 | +
|
| 87 | + - name: Install Cosign (signing) |
| 88 | + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 |
| 89 | + - name: Sign archive (Sigstore keyless, bundle format) |
| 90 | + run: | |
| 91 | + VERSION="${TAG#v}" |
| 92 | + ARCHIVE="codeiq_${VERSION}_darwin_arm64.tar.gz" |
| 93 | + cosign sign-blob \ |
| 94 | + --yes \ |
| 95 | + --bundle "${ARCHIVE}.cosign.bundle" \ |
| 96 | + "$ARCHIVE" |
| 97 | +
|
| 98 | + - name: Upload to GitHub Release |
| 99 | + env: |
| 100 | + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 101 | + run: | |
| 102 | + VERSION="${TAG#v}" |
| 103 | + # Retry up to 3 times to handle race with release-go.yml |
| 104 | + # creating the Release. |
| 105 | + for i in 1 2 3; do |
| 106 | + if gh release view "$TAG" >/dev/null 2>&1; then |
| 107 | + gh release upload "$TAG" \ |
| 108 | + "codeiq_${VERSION}_darwin_arm64.tar.gz" \ |
| 109 | + "codeiq_${VERSION}_darwin_arm64.tar.gz.sbom.spdx.json" \ |
| 110 | + "codeiq_${VERSION}_darwin_arm64.tar.gz.cosign.bundle" \ |
| 111 | + --clobber |
| 112 | + exit 0 |
| 113 | + fi |
| 114 | + echo "Release $TAG not yet visible, waiting 30s ($i/3)..." |
| 115 | + sleep 30 |
| 116 | + done |
| 117 | + echo "::error::Release $TAG never appeared; release-go.yml may have failed" |
| 118 | + exit 1 |
| 119 | +
|
| 120 | + - name: Attest darwin archive (build provenance) |
| 121 | + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 |
| 122 | + with: |
| 123 | + subject-path: 'codeiq_*_darwin_arm64.tar.gz' |
0 commit comments