mirror of
https://github.com/zama-ai/tfhe-rs.git
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](1af3b93b68...8e8c483db8)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
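# Common workflow to make crate release
#
# Reusable workflow (workflow_call): packages one crate, optionally generates
# SLSA provenance for the packaged file, and publishes it to crates.io.
# Job order: verify-triggering-actor -> package -> provenance, publish_release.
name: make_release_common

on:
  workflow_call:
    inputs:
      package-name:
        type: string
        required: true
      # Defaults to a dry run: the provenance job is skipped and
      # `cargo publish` receives `--dry-run` unless the caller passes false.
      dry-run:
        type: boolean
        default: true
    secrets:
      REPO_CHECKOUT_TOKEN:
        required: true
      SLACK_CHANNEL:
        required: true
      BOT_USERNAME:
        required: true
      SLACK_WEBHOOK:
        required: true
      ALLOWED_TEAM:
        required: true
      READ_ORG_TOKEN:
        required: true

# NOTE(review): workflow-level env is set for every step of the jobs below,
# so the Slack webhook is also present in the environment of the
# `cargo package` and `cargo publish` steps, which by default build the crate.
# Consider scoping the SLACK_* values to the two notification steps.
env:
  ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
  SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
  SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
  SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

# Default-deny for GITHUB_TOKEN: a job gets only the scopes it declares.
permissions: {}

# zizmor: ignore[concurrency-limits] caller workflow is responsible for the concurrency

jobs:
  # Gate: runs only for tag refs and delegates the actor check to a local
  # reusable workflow. `package` needs this job, and both later jobs need
  # `package`, so a skipped or failed gate stops the whole release.
  verify-triggering-actor:
    name: make_release_common/verify-triggering-actor
    if: startsWith(github.ref, 'refs/tags/')
    uses: ./.github/workflows/verify_triggering_actor.yml
    secrets:
      ALLOWED_TEAM: ${{ secrets.ALLOWED_TEAM }}
      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}

  # Builds the .crate file, uploads it as an artifact and exposes its
  # base64-encoded `sha256sum` line as the `hash` output.
  # No `permissions:` here, so the empty workflow-level set applies.
  package:
    name: make_release_common/package
    runs-on: ubuntu-latest
    needs: verify-triggering-actor
    outputs:
      hash: ${{ steps.hash.outputs.hash }}
    steps:
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          # Keeps the checkout token out of the local git configuration, so
          # later steps cannot read it back from the working tree.
          persist-credentials: 'false'
          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
      - name: Prepare package
        env:
          # Passed through env rather than interpolated into the script, so
          # the input value is never parsed as shell syntax.
          PACKAGE: ${{ inputs.package-name }}
        run: |
          cargo package -p "${PACKAGE}"
      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: crate-${{ inputs.package-name }}
          path: target/package/*.crate
      - name: generate hash
        id: hash
        # The digest is assigned before it is written: with errexit and
        # pipefail, a failing sha256sum (for example no .crate file) aborts
        # the step instead of publishing an empty `hash=` output that the
        # provenance job and the later comparison would both consume.
        run: |
          set -euo pipefail
          cd target/package
          digest="$(sha256sum ./*.crate | base64 -w0)"
          echo "hash=${digest}" >> "${GITHUB_OUTPUT}"


  # Generates SLSA provenance over the digest produced by `package`.
  # Skipped on dry runs.
  provenance:
    name: make_release_common/provenance
    if: ${{ !inputs.dry-run }}
    needs: package
    # NOTE(review): referenced by tag, unlike the SHA-pinned actions in this
    # file. The slsa-github-generator project documents that its reusable
    # workflows must be called by a full version tag, so confirm upstream
    # guidance before converting this to a commit SHA.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    permissions:
      actions: read # Needed to detect the GitHub Actions environment
      id-token: write # Needed to create the provenance via GitHub OIDC
      contents: write # Needed to upload assets/artifacts
    with:
      # SHA-256 hashes of the Crate package.
      base64-subjects: ${{ needs.package.outputs.hash }}


  # Publishes the crate with a token obtained through OIDC, then compares the
  # digest of the crate in target/package with the one `package` reported.
  publish_release:
    name: make_release_common/publish-release
    needs: package
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Needed for OIDC token exchange on crates.io
    steps:
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          persist-credentials: 'false'
          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}

      - name: Download artifact
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: crate-${{ inputs.package-name }}
          path: target/package

      - name: Authenticate on registry
        uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
        id: auth

      # NOTE(review): `cargo publish` packages the crate again from the
      # checkout; the downloaded artifact is not what gets uploaded. The
      # registry token is in the environment of this step only.
      - name: Publish crate.io package
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
          PACKAGE: ${{ inputs.package-name }}
          DRY_RUN: ${{ inputs.dry-run && '--dry-run' || '' }}
        run: |
          # DRY_RUN expansion cannot be double quoted when variable contains empty string otherwise cargo publish
          # would fail. This is safe since DRY_RUN is handled in the env section above.
          # shellcheck disable=SC2086
          cargo publish -p "${PACKAGE}" ${DRY_RUN}

      - name: Generate hash
        id: published_hash
        # Same fail-closed form as the hash step in `package`: an empty
        # digest on both sides would otherwise compare as equal.
        run: |
          set -euo pipefail
          cd target/package
          digest="$(sha256sum ./*.crate | base64 -w0)"
          echo "pub_hash=${digest}" >> "${GITHUB_OUTPUT}"

      # NOTE(review): this comparison runs after the upload and only sends a
      # notification (continue-on-error, no failing step), so a crate that
      # differs from the attested digest does not fail the job. Decide
      # whether a mismatch should be a hard failure.
      - name: Slack notification (hashes comparison)
        if: ${{ needs.package.outputs.hash != steps.published_hash.outputs.pub_hash }}
        continue-on-error: true
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
        env:
          SLACK_COLOR: failure
          SLACK_MESSAGE: "SLSA ${{ inputs.package-name }} - hash comparison failure: (${{ env.ACTION_RUN_URL }})"

      - name: Slack Notification
        if: ${{ failure() }}
        continue-on-error: true
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_MESSAGE: "${{ inputs.package-name }} release finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"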