Create attested and reproducible release artifacts

swsnr · Feb 2, 2025 · 947f102 · 947f102
1 parent ed7cb10
commit 947f102
Showing 1 changed file with 50 additions and 3 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -34,18 +34,65 @@ jobs:
           name: relnotes
           path: relnotes.md
 
+  vendor-dependencies:
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo --version
+      - run: tar --version
+      - run: zstd --version
+      - run: echo "${GITHUB_SHA}"
+      # Generate a reproducible vendor bundle
+      - run: env LC_ALL=C TZ=UTC0 echo "timestamp=$(git show --quiet --date='format-local:%Y-%m-%dT%H:%M:%SZ' --format="%cd" "${GITHUB_SHA}")" >> "$GITHUB_OUTPUT"
+        id: timestamp
+      - run: cargo vendor --locked
+      - run: env LC_ALL=C tar --numeric-owner --owner 0 --group 0 --sort name --mode='go+u,go-w' --format=posix --pax-option=exthdr.name=%d/PaxHeaders/%f --pax-option=delete=atime,delete=ctime --mtime="${{ steps.timestamp.outputs.timestamp }}" -c -f vendor.tar.zst --zstd vendor
+      - uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: vendor.tar.zst
+      - uses: actions/upload-artifact@v4
+        with:
+          name: vendor.tar.zst
+          path: vendor.tar.zst
+
+  git-archive:
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: env LC_ALL=C TZ=UTC0 git archive --format tar --prefix 'turnon-${{ github.ref_name }}/' --output 'turnon-${{ github.ref_name }}.tar' "${{ github.sha }}"
+      - run: zstd 'turnon-${{ github.ref_name }}.tar'
+      - uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: 'turnon-${{ github.ref_name }}.tar.zst'
+      - uses: actions/upload-artifact@v4
+        with:
+          name: turnon-${{ github.ref_name }}.tar.zst
+          path: turnon-${{ github.ref_name }}.tar.zst
+
   create-release:
     runs-on: ubuntu-latest
-    needs: prepare-release-notes
+    needs: [prepare-release-notes, git-archive, vendor-dependencies]
     permissions:
       contents: write
     # Only create the actual release when we push to a tag.
     if: ${{ startsWith(github.ref, 'refs/tags/') }}
     steps:
       - uses: actions/download-artifact@v4
         with:
-          name: relnotes
+          path: ./artifacts
+          merge-multiple: false
       - uses: softprops/action-gh-release@v2
         with:
-          body_path: ./relnotes.md
+          body_path: ./artifacts/relnotes.md
           make_latest: true
+          files: |
+            ./artifacts/**/*.tar.*