
Nightly Builder

Nightly Builder #1591

Workflow file for this run

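---
# Builds, signs and publishes the Artichoke nightly release archives.
name: Nightly Builder

# `on` is quoted so that YAML 1.1 parsers do not read the key as a boolean.
"on":
  # Every pushed tag triggers a release named after that tag.
  push:
    tags:
      - "*"
  schedule:
    - cron: "0 0 * * *" # build nightly!
  # Manual runs supply the release tag and the release name explicitly.
  workflow_dispatch:
    inputs:
      tag:
        description: Release tag
        required: true
      name:
        description: Release name
        required: true

# Scope GITHUB_TOKEN explicitly instead of inheriting the repository default.
# The jobs create, update, publish and prune releases, which needs write
# access to repository contents; every scope not listed here is withheld.
# NOTE(review): confirm artichoke/generate_third_party needs no other scope.
permissions:
  contents: write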
jobs:
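create-release:
  # Creates the draft GitHub release and records its metadata (commit hash,
  # release id, upload URL, version) as files that are uploaded as the
  # `artifacts` workflow artifact.
  name: Create Release
  runs-on: ubuntu-latest
  steps:
    - name: Create artifacts directory
      run: mkdir artifacts

    - name: Get the release version from the tag
      id: release_version
      # The dispatch inputs and the pushed ref name are caller-supplied text.
      # They reach the script as environment variables so the shell treats
      # them as data; expanding `${{ ... }}` inside the script body would
      # paste them into the script source before bash parses it.
      env:
        DISPATCH_RELEASE_NAME: ${{ github.event.inputs.name }}
        DISPATCH_RELEASE_TAG: ${{ github.event.inputs.tag }}
      run: |
        # GITHUB_EVENT_NAME and GITHUB_REF are set by the runner.
        if [[ "$GITHUB_EVENT_NAME" == "schedule" ]]; then
          release_name="nightly-$(date '+%Y-%m-%d')"
          release_tag="$release_name"
        elif [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
          release_name="$DISPATCH_RELEASE_NAME"
          release_tag="$DISPATCH_RELEASE_TAG"
        else
          release_name="$(basename "$GITHUB_REF")"
          release_tag="$release_name"
        fi
        echo "Release name is: ${release_name}"
        echo "Release version is: ${release_tag}"
        echo "name=${release_name}" >> "$GITHUB_OUTPUT"
        echo "tag=${release_tag}" >> "$GITHUB_OUTPUT"

    - name: Clone Artichoke
      # NOTE(review): actions/* are pinned to a version tag, which can be
      # moved; the third-party actions in this job are pinned to a full commit
      # SHA. Consider pinning these the same way.
      uses: actions/checkout@v4.1.7
      with:
        repository: artichoke/artichoke
        path: artichoke
        # The later steps only read the checkout (`git rev-parse`), so the
        # token is not left behind in the clone's git config.
        persist-credentials: false

    - name: Set latest_commit
      id: latest_commit
      working-directory: artichoke
      run: |
        artichoke_head=$(git rev-parse HEAD)
        echo "Artichoke HEAD commit is: ${artichoke_head}"
        echo "commit=${artichoke_head}" >> "$GITHUB_OUTPUT"

    - name: Create GitHub release
      id: release
      uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        tag: ${{ steps.release_version.outputs.tag }}
        # The release stays a draft while assets are attached to it.
        draft: true
        prerelease: false
        name: ${{ steps.release_version.outputs.name }}
        body: artichoke/artichoke@${{ steps.latest_commit.outputs.commit }}

    # The four steps below write step outputs to files. Each value is passed
    # through `env` for the same reason as above: the release tag derives
    # from caller-supplied text and must not be spliced into the command.
    - name: Save release commit hash to artifact
      env:
        RELEASE_COMMIT: ${{ steps.latest_commit.outputs.commit }}
      run: echo "$RELEASE_COMMIT" > artifacts/release-commit-hash

    - name: Save release ID to artifact
      env:
        RELEASE_ID: ${{ steps.release.outputs.id }}
      run: echo "$RELEASE_ID" > artifacts/release-id

    - name: Save release upload URL to artifact
      env:
        RELEASE_UPLOAD_URL: ${{ steps.release.outputs.upload_url }}
      run: echo "$RELEASE_UPLOAD_URL" > artifacts/release-upload-url

    - name: Save version number to artifact
      env:
        RELEASE_TAG: ${{ steps.release_version.outputs.tag }}
      run: echo "$RELEASE_TAG" > artifacts/release-version

    - name: Upload artifacts
      uses: actions/upload-artifact@v4.4.0
      with:
        name: artifacts
        path: artifacts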
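build-release:
  # Builds Artichoke for each target in the matrix, packages the binaries,
  # GPG-signs the archive and attaches archive and signature to the draft
  # release. macOS targets additionally produce a codesigned asset.
  name: Build Release
  needs: ["create-release"]
  runs-on: ${{ matrix.os }}
  strategy:
    # One failing target does not cancel the other builds.
    fail-fast: false
    matrix:
      build:
        - linux-x64
        - linux-x64-musl
        - linux-arm64
        - macos-x64
        - macos-arm64
        - windows-x64
      include:
        - build: linux-x64
          os: ubuntu-latest
          target: x86_64-unknown-linux-gnu
        - build: linux-x64-musl
          os: ubuntu-latest
          target: x86_64-unknown-linux-musl
        - build: linux-arm64
          os: ubuntu-latest
          target: aarch64-unknown-linux-gnu
        - build: macos-x64
          os: macos-latest
          target: x86_64-apple-darwin
        - build: macos-arm64
          os: macos-latest
          target: aarch64-apple-darwin
        - build: windows-x64
          os: windows-latest
          target: x86_64-pc-windows-msvc
  env:
    RUST_BACKTRACE: 1
  steps:
    - name: Checkout repository
      # NOTE(review): actions/* and artichoke/* actions are pinned to a
      # version tag, which can be moved; the third-party actions in this job
      # are pinned to a full commit SHA. Consider pinning these the same way.
      uses: actions/checkout@v4.1.7
      with:
        # Dependency installs and `cargo build` run later in this job, so the
        # token is not left behind in the checkout's git config.
        # NOTE(review): no visible step performs an authenticated git
        # operation after checkout; confirm for the artichoke_nightly scripts.
        persist-credentials: false

    - name: Get release download URL
      uses: actions/download-artifact@v4.1.8
      with:
        name: artifacts
        path: artifacts

    - name: Set release upload URL and release version
      shell: bash
      id: release_info
      # Re-exports the files from the `artifacts` artifact as step outputs.
      # The values are read into shell variables with `cat`, so their content
      # is never parsed as script text.
      run: |
        release_upload_url="$(cat artifacts/release-upload-url)"
        release_version="$(cat artifacts/release-version)"
        release_commit="$(cat artifacts/release-commit-hash)"
        echo "Release upload url: ${release_upload_url}"
        echo "Release version: ${release_version}"
        echo "Release commit: ${release_commit}"
        echo "upload_url=${release_upload_url}" >> "$GITHUB_OUTPUT"
        echo "version=${release_version}" >> "$GITHUB_OUTPUT"
        echo "commit=${release_commit}" >> "$GITHUB_OUTPUT"

    - name: Generate THIRDPARTY license listing
      uses: artichoke/generate_third_party@v1.14.0
      with:
        artichoke_ref: ${{ steps.release_info.outputs.commit }}
        target_triple: ${{ matrix.target }}
        output_file: ${{ github.workspace }}/THIRDPARTY.txt
        github_token: ${{ secrets.GITHUB_TOKEN }}

    - name: Clone Artichoke
      uses: actions/checkout@v4.1.7
      with:
        repository: artichoke/artichoke
        path: artichoke
        # Build exactly the commit the release body advertises.
        ref: ${{ steps.release_info.outputs.commit }}
        # Fetch all history.
        #
        # The Artichoke release metadata build script calculates Ruby
        # constants like `RUBY_REVISION` by walking the git history.
        fetch-depth: 0
        # Build scripts execute inside this checkout; keep the token out of
        # its git config.
        persist-credentials: false

    - name: Setup Python
      uses: actions/setup-python@v5.2.0
      with:
        python-version-file: ".python-version"

    - name: Set Python executable path based on OS
      shell: bash
      run: |
        if [[ "$RUNNER_OS" == "Windows" ]]; then
          echo "VENV_PYTHON=venv\\Scripts\\python" >> "$GITHUB_ENV"
        else
          echo "VENV_PYTHON=venv/bin/python3" >> "$GITHUB_ENV"
        fi

    - name: Install Python dependencies
      shell: bash
      # `--require-hashes` makes pip reject any requirement whose archive
      # hash is not listed in requirements.txt. The pip/wheel upgrade on the
      # line before it is not hash-checked.
      run: |
        python3 -m venv --upgrade-deps venv
        $VENV_PYTHON -m pip install --upgrade pip wheel
        $VENV_PYTHON -m pip install --require-hashes -r requirements.txt

    - name: Set Artichoke Rust toolchain version
      shell: bash
      id: rust_toolchain
      run: |
        $VENV_PYTHON -m artichoke_nightly.rust_toolchain_version \
          --file artichoke/rust-toolchain.toml \
          --format github

    - name: Install Rust toolchain
      uses: artichoke/setup-rust/build-and-test@v1.12.1
      with:
        toolchain: ${{ steps.rust_toolchain.outputs.version }}
        target: ${{ matrix.target }}

    # ```
    # $ gpg --fingerprint --with-subkey-fingerprints codesign@artichokeruby.org
    # pub ed25519 2021-01-03 [SC]
    # C983 8F10 4021 F59E E6F6 BCBE B199 D034 7FDA 14A4
    # uid [ultimate] Code signing for Artichoke Ruby <codesign@artichokeruby.org>
    # sub cv25519 2021-01-03 [E]
    # 7719 1B6D 83B2 F4E8 5197 125B A9A3 F70E 710A 15AA
    # sub ed25519 2021-01-03 [S]
    # 1C4A 856A CF86 EC1E E841 180F AF57 A37C AC06 1452
    # ```
    #
    # NOTE(review): the signing key is imported before the package installs
    # and `cargo build` below, so it is in this runner's keyring while
    # third-party build scripts run. Importing it directly before the first
    # signing step would shorten that window; confirm nothing relies on the
    # early import (for example to fail fast on a bad key).
    - name: Import GPG key
      id: import_gpg
      uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
      with:
        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
        passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
        # Fingerprint of the signing ([S]) subkey listed above.
        fingerprint: "1C4A856ACF86EC1EE841180FAF57A37CAC061452"
        # Set the GPG key to full trust (value 4) to ensure reliable signing
        # and verification in CI. Full trust balances security and practicality
        # in automated environments, avoiding prompts or failures that can
        # occur with marginal trust, while not compromising security like
        # ultimate trust.
        trust_level: 4

    - name: List keys
      run: gpg -K

    - name: Install musl x86_64
      if: matrix.build == 'linux-x64-musl'
      # `-y` keeps the install non-interactive without depending on how the
      # runner image configures apt.
      run: |
        sudo apt-get update
        sudo apt-get install -y musl-tools

    - name: Install gcc aarch64 cross compiler
      if: matrix.build == 'linux-arm64'
      run: |
        sudo apt-get update
        sudo apt-get install -y gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu
        # https://github.com/rust-lang/rust-bindgen/issues/1229
        echo 'BINDGEN_EXTRA_CLANG_ARGS=--sysroot=/usr/aarch64-linux-gnu' >> "$GITHUB_ENV"
        # https://github.com/rust-lang/rust/issues/28924
        echo 'CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc' >> "$GITHUB_ENV"

    - name: Build release artifacts
      working-directory: artichoke
      # `matrix.target` is one of the fixed triples declared in this file.
      # NOTE(review): consider `--locked` so the release is built from the
      # committed Cargo.lock; confirm the lockfile is kept current first.
      run: cargo build --verbose --release --target ${{ matrix.target }}

    # This will codesign binaries in place which means that the tarballed
    # binaries will be codesigned as well.
    - name: Run Apple Codesigning and Notarization
      shell: bash
      id: apple_codesigning
      if: runner.os == 'macOS'
      run: |
        $VENV_PYTHON -m artichoke_nightly.macos_sign_and_notarize \
          "artichoke-nightly-${{ matrix.target }}" \
          --binary "artichoke/target/${{ matrix.target }}/release/artichoke" \
          --binary "artichoke/target/${{ matrix.target }}/release/airb" \
          --resource artichoke/LICENSE \
          --resource artichoke/README.md \
          --resource THIRDPARTY.txt \
          --dmg-icon-url "https://artichoke.github.io/logo/Artichoke-dmg.icns"
      # The Apple credentials are exposed to this step only.
      env:
        MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }}
        MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
        MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }}

    - name: GPG sign Apple DMG
      shell: bash
      id: apple_codesigning_gpg
      if: runner.os == 'macOS'
      run: |
        $VENV_PYTHON -m artichoke_nightly.gpg_sign \
          "artichoke-nightly-${{ matrix.target }}" \
          --artifact "${{ steps.apple_codesigning.outputs.asset }}"

    - name: Upload release archive
      uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
      if: runner.os == 'macOS'
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        tag: ${{ steps.release_info.outputs.version }}
        draft: true
        # Attach to the existing draft without rewriting its body, name or
        # prerelease flag.
        allowUpdates: true
        omitBodyDuringUpdate: true
        omitNameDuringUpdate: true
        omitPrereleaseDuringUpdate: true
        artifacts: ${{ steps.apple_codesigning.outputs.asset }}
        artifactContentType: ${{ steps.apple_codesigning.outputs.content_type }}

    - name: Upload release signature
      uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
      if: runner.os == 'macOS'
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        tag: ${{ steps.release_info.outputs.version }}
        draft: true
        allowUpdates: true
        omitBodyDuringUpdate: true
        omitNameDuringUpdate: true
        omitPrereleaseDuringUpdate: true
        artifacts: ${{ steps.apple_codesigning_gpg.outputs.signature }}
        artifactContentType: "text/plain"

    - name: Build archive
      shell: bash
      id: build
      # Stages binaries plus README, LICENSE and THIRDPARTY.txt, then packs a
      # zip on Windows and a gzipped tarball elsewhere.
      run: |
        staging="artichoke-nightly-${{ matrix.target }}"
        mkdir -p "$staging"/
        cp artichoke/{README.md,LICENSE} THIRDPARTY.txt "$staging/"
        if [ "${{ runner.os }}" = "Windows" ]; then
          cp "artichoke/target/${{ matrix.target }}/release/artichoke.exe" "$staging/"
          cp "artichoke/target/${{ matrix.target }}/release/airb.exe" "$staging/"
          7z a "$staging.zip" "$staging"
          echo "asset=$staging.zip" >> "$GITHUB_OUTPUT"
          echo "content_type=application/zip" >> "$GITHUB_OUTPUT"
        else
          cp "artichoke/target/${{ matrix.target }}/release/artichoke" "$staging/"
          cp "artichoke/target/${{ matrix.target }}/release/airb" "$staging/"
          tar czf "$staging.tar.gz" "$staging"
          echo "asset=$staging.tar.gz" >> "$GITHUB_OUTPUT"
          echo "content_type=application/gzip" >> "$GITHUB_OUTPUT"
        fi

    - name: GPG sign archive
      shell: bash
      id: gpg_signing
      run: |
        $VENV_PYTHON -m artichoke_nightly.gpg_sign \
          "artichoke-nightly-${{ matrix.target }}" \
          --artifact "${{ steps.build.outputs.asset }}"

    - name: Upload release archive
      uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        tag: ${{ steps.release_info.outputs.version }}
        draft: true
        allowUpdates: true
        omitBodyDuringUpdate: true
        omitNameDuringUpdate: true
        omitPrereleaseDuringUpdate: true
        artifacts: ${{ steps.build.outputs.asset }}
        artifactContentType: ${{ steps.build.outputs.content_type }}

    - name: Upload release signature
      uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        tag: ${{ steps.release_info.outputs.version }}
        draft: true
        allowUpdates: true
        omitBodyDuringUpdate: true
        omitNameDuringUpdate: true
        omitPrereleaseDuringUpdate: true
        artifacts: ${{ steps.gpg_signing.outputs.signature }}
        artifactContentType: "text/plain"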
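package-source-archive:
  # Packs the Artichoke source tree at the release commit as tar.gz and zip,
  # GPG-signs each archive and attaches archive and signature to the draft
  # release.
  name: Package Source Archive
  needs: ["create-release"]
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      archive:
        - tar.gz
        - zip
  steps:
    - name: Checkout repository
      # NOTE(review): actions/* are pinned to a version tag, which can be
      # moved; the third-party actions in this job are pinned to a full commit
      # SHA. Consider pinning these the same way.
      uses: actions/checkout@v4.1.7
      with:
        # Python dependencies are installed later in this job, so the token
        # is not left behind in the checkout's git config.
        # NOTE(review): no visible step performs an authenticated git
        # operation after checkout; confirm for the artichoke_nightly scripts.
        persist-credentials: false

    - name: Get release download URL
      uses: actions/download-artifact@v4.1.8
      with:
        name: artifacts
        path: artifacts

    - name: Set release upload URL and release version
      shell: bash
      id: release_info
      # Re-exports the files from the `artifacts` artifact as step outputs.
      run: |
        release_upload_url="$(cat artifacts/release-upload-url)"
        release_version="$(cat artifacts/release-version)"
        release_commit="$(cat artifacts/release-commit-hash)"
        echo "Release upload url: ${release_upload_url}"
        echo "Release version: ${release_version}"
        echo "Release commit: ${release_commit}"
        echo "upload_url=${release_upload_url}" >> "$GITHUB_OUTPUT"
        echo "version=${release_version}" >> "$GITHUB_OUTPUT"
        echo "commit=${release_commit}" >> "$GITHUB_OUTPUT"

    - name: Clone Artichoke
      uses: actions/checkout@v4.1.7
      with:
        repository: artichoke/artichoke
        path: artichoke
        ref: ${{ steps.release_info.outputs.commit }}
        persist-credentials: false

    - name: Setup Python
      uses: actions/setup-python@v5.2.0
      with:
        python-version-file: ".python-version"

    - name: Set Python executable path based on OS
      shell: bash
      run: |
        if [[ "$RUNNER_OS" == "Windows" ]]; then
          echo "VENV_PYTHON=venv\\Scripts\\python" >> "$GITHUB_ENV"
        else
          echo "VENV_PYTHON=venv/bin/python3" >> "$GITHUB_ENV"
        fi

    - name: Install Python dependencies
      shell: bash
      # `--require-hashes` makes pip reject any requirement whose archive
      # hash is not listed in requirements.txt. The pip/wheel upgrade on the
      # line before it is not hash-checked.
      run: |
        python3 -m venv --upgrade-deps venv
        $VENV_PYTHON -m pip install --upgrade pip wheel
        $VENV_PYTHON -m pip install --require-hashes -r requirements.txt

    # ```
    # $ gpg --fingerprint --with-subkey-fingerprints codesign@artichokeruby.org
    # pub ed25519 2021-01-03 [SC]
    # C983 8F10 4021 F59E E6F6 BCBE B199 D034 7FDA 14A4
    # uid [ultimate] Code signing for Artichoke Ruby <codesign@artichokeruby.org>
    # sub cv25519 2021-01-03 [E]
    # 7719 1B6D 83B2 F4E8 5197 125B A9A3 F70E 710A 15AA
    # sub ed25519 2021-01-03 [S]
    # 1C4A 856A CF86 EC1E E841 180F AF57 A37C AC06 1452
    # ```
    - name: Import GPG key
      id: import_gpg
      uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
      with:
        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
        passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
        # Fingerprint of the signing ([S]) subkey listed above.
        fingerprint: "1C4A856ACF86EC1EE841180FAF57A37CAC061452"
        # Set the GPG key to full trust (value 4) to ensure reliable signing
        # and verification in CI. Full trust balances security and practicality
        # in automated environments, avoiding prompts or failures that can
        # occur with marginal trust, while not compromising security like
        # ultimate trust.
        trust_level: 4

    - name: List keys
      run: gpg -K

    - name: Build source archive
      # The commit is read back from a file in the `artifacts` artifact. It
      # and the archive format reach the command as quoted environment
      # variables, so neither is expanded into the script text.
      env:
        ARCHIVE_FORMAT: ${{ matrix.archive }}
        RELEASE_COMMIT: ${{ steps.release_info.outputs.commit }}
      run: |
        git -C artichoke archive \
          --format "$ARCHIVE_FORMAT" \
          -9 \
          --output="$(pwd)/artichoke-nightly.source.${ARCHIVE_FORMAT}" \
          "$RELEASE_COMMIT"

    - name: Build archive
      shell: bash
      id: build
      # Only publishes the name and content type of the archive written by
      # the previous step; nothing is built here.
      run: |
        if [ "${{ matrix.archive }}" = "zip" ]; then
          echo "asset=artichoke-nightly.source.zip" >> "$GITHUB_OUTPUT"
          echo "content_type=application/zip" >> "$GITHUB_OUTPUT"
        else
          echo "asset=artichoke-nightly.source.tar.gz" >> "$GITHUB_OUTPUT"
          echo "content_type=application/gzip" >> "$GITHUB_OUTPUT"
        fi

    - name: GPG sign archive
      shell: bash
      id: gpg_signing
      run: |
        $VENV_PYTHON -m artichoke_nightly.gpg_sign \
          "artichoke-nightly-source-archive" \
          --artifact "${{ steps.build.outputs.asset }}"

    - name: Upload release archive
      uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        tag: ${{ steps.release_info.outputs.version }}
        draft: true
        # Attach to the existing draft without rewriting its body, name or
        # prerelease flag.
        allowUpdates: true
        omitBodyDuringUpdate: true
        omitNameDuringUpdate: true
        omitPrereleaseDuringUpdate: true
        artifacts: ${{ steps.build.outputs.asset }}
        artifactContentType: ${{ steps.build.outputs.content_type }}

    - name: Upload release signature
      uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        tag: ${{ steps.release_info.outputs.version }}
        draft: true
        allowUpdates: true
        omitBodyDuringUpdate: true
        omitNameDuringUpdate: true
        omitPrereleaseDuringUpdate: true
        artifacts: ${{ steps.gpg_signing.outputs.signature }}
        artifactContentType: "text/plain"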
finalize-release:
  # Runs once both packaging jobs have finished: flips the draft release to
  # published and, on scheduled runs, prunes older releases.
  name: Publish Release
  runs-on: ubuntu-latest
  needs:
    - build-release
    - package-source-archive
  steps:
    - name: Get release download URL
      uses: actions/download-artifact@v4.1.8
      with:
        path: artifacts
        name: artifacts

    # The tag is read back from the file in the downloaded `artifacts`
    # artifact.
    - id: publish_info
      name: Set publish_info
      run: echo "release_tag=$(cat artifacts/release-version)" >> $GITHUB_OUTPUT

    - name: Publish release
      uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
      with:
        tag: ${{ steps.publish_info.outputs.release_tag }}
        token: ${{ secrets.GITHUB_TOKEN }}
        # `draft: false` publishes the release; body, name and prerelease
        # flag are left as they are.
        draft: false
        allowUpdates: true
        omitBodyDuringUpdate: true
        omitNameDuringUpdate: true
        omitPrereleaseDuringUpdate: true

    # Release pruning runs for scheduled (nightly) runs only.
    - if: github.event_name == 'schedule'
      uses: eregon/keep-last-n-releases@c662ecf90e35b1070a4894539d8804a286e55151 # v1
      with:
        n: 7
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}