Skip to content

actions/attest-build-provenance #1442

actions/attest-build-provenance

actions/attest-build-provenance #1442

Workflow file for this run

name: CI
on:
push:
branches:
- master
tags:
- "jq-*"
pull_request:
permissions:
id-token: write
contents: read
attestations: write
jobs:
linux:
strategy:
fail-fast: false
matrix:
arch:
- amd64
- arm64
- armel
- armhf
- i386
- mips
- mips64
- mips64el
- mips64r6
- mips64r6el
- mipsel
- mipsr6
- mipsr6el
- powerpc
- ppc64el
- riscv64
- s390x
include:
- arch: amd64
CC: x86_64-linux-gnu
- arch: arm64
CC: aarch64-linux-gnu
- arch: armel
CC: arm-linux-gnueabi
- arch: armhf
CC: arm-linux-gnueabihf
- arch: i386
CC: i686-linux-gnu
- arch: mips
CC: mips-linux-gnu
- arch: mips64
CC: mips64-linux-gnuabi64
- arch: mips64el
CC: mips64el-linux-gnuabi64
- arch: mips64r6
CC: mipsisa64r6-linux-gnuabi64
- arch: mips64r6el
CC: mipsisa64r6el-linux-gnuabi64
- arch: mipsel
CC: mipsel-linux-gnu
- arch: mipsr6
CC: mipsisa32r6-linux-gnu
- arch: mipsr6el
CC: mipsisa32r6el-linux-gnu
- arch: powerpc
CC: powerpc-linux-gnu
- arch: ppc64el
CC: powerpc64le-linux-gnu
- arch: riscv64
CC: riscv64-linux-gnu
- arch: s390x
CC: s390x-linux-gnu
runs-on: ubuntu-22.04
env:
AR: ${{ matrix.CC }}-ar
CHOST: ${{ matrix.CC }}
CC: ${{ matrix.CC }}-gcc
CPP: ${{ matrix.CC }}-cpp
LDFLAGS: -s
SUFFIX: linux-${{ matrix.arch }}
steps:
- name: Clone repository
uses: actions/checkout@v4
with:
submodules: true
- name: Install packages
run: |
sudo apt-get update
sudo apt-get install -y automake autoconf libtool crossbuild-essential-${{ matrix.arch }}
- name: Build
run: |
autoreconf -i
./configure \
--host=${{ matrix.CC }} \
--disable-docs \
--disable-valgrind \
--with-oniguruma=builtin \
--enable-static \
--enable-all-static \
CFLAGS="-O2 -pthread -fstack-protector-all"
make -j"$(nproc)"
file ./jq
cp ./jq jq-${{ env.SUFFIX }}
- name: Test
# Only run tests for amd64 matching the CI machine arch
if: ${{ matrix.arch == 'amd64' }}
run: |
make check VERBOSE=yes
git diff --exit-code
- name: Upload Test Logs
if: ${{ failure() }}
uses: actions/upload-artifact@v4
with:
name: test-logs-${{ env.SUFFIX }}
retention-days: 7
path: |
test-suite.log
tests/*.log
- name: attest-build-provenance
uses: actions/attest-build-provenance@v2
with:
subject-path: jq-${{ env.SUFFIX }}
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: jq-${{ env.SUFFIX }}
path: jq-${{ env.SUFFIX }}
if-no-files-found: error
retention-days: 7
macos:
strategy:
fail-fast: false
matrix:
arch:
- amd64
- arm64
include:
- arch: amd64
target: x86_64-apple-darwin
- arch: arm64
target: arm64-apple-darwin
runs-on: macos-13
env:
LDFLAGS: -dead_strip
SUFFIX: macos-${{ matrix.arch }}
steps:
- name: Clone repository
uses: actions/checkout@v4
with:
submodules: true
- name: Install packages
run: |
# brew update sometimes fails with "Fetching /usr/local/Homebrew/Library/Taps/homebrew/homebrew-cask failed!"
brew update || brew update-reset
brew install autoconf automake libtool
- name: Set CC
run: |
echo "CC=clang -target ${{ matrix.target }}$(uname -r)" >> "$GITHUB_ENV"
- name: Build
run: |
autoreconf -i
./configure \
--host="${{ matrix.target }}$(uname -r)" \
--disable-docs \
--disable-valgrind \
--with-oniguruma=builtin \
--enable-static \
--enable-all-static \
CFLAGS="-O2 -pthread -fstack-protector-all"
make -j"$(sysctl -n hw.logicalcpu)"
strip ./jq
file ./jq
cp ./jq jq-${{ env.SUFFIX }}
- name: Test
# Only run tests for amd64 matching the CI machine arch
if: ${{ matrix.arch == 'amd64' }}
run: |
make check VERBOSE=yes
git diff --exit-code
- name: Upload Test Logs
if: ${{ failure() }}
uses: actions/upload-artifact@v4
with:
name: test-logs-${{ env.SUFFIX }}
retention-days: 7
path: |
test-suite.log
tests/*.log
- name: attest-build-provenance
uses: actions/attest-build-provenance@v2
with:
subject-path: jq-${{ env.SUFFIX }}
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: jq-${{ env.SUFFIX }}
path: jq-${{ env.SUFFIX }}
if-no-files-found: error
retention-days: 7
windows:
strategy:
fail-fast: false
matrix:
arch:
- amd64
- i386
include:
- arch: amd64
msystem: UCRT64
- arch: i386
msystem: MINGW32
runs-on: windows-2022
env:
LDFLAGS: -s
SUFFIX: windows-${{ matrix.arch }}
defaults:
run:
shell: msys2 {0}
steps:
- name: Prepare git config
run: git config --system core.autocrlf false
shell: bash
- name: Clone repository
uses: actions/checkout@v4
with:
submodules: true
- uses: msys2/setup-msys2@v2
with:
update: true
msystem: ${{ matrix.msystem }}
install: >-
base-devel
git
autoconf
automake
libtool
pacboy: >-
toolchain:p
- name: Build
run: |
autoreconf -i
./configure \
--disable-docs \
--disable-valgrind \
--with-oniguruma=builtin \
--disable-shared \
--enable-static \
--enable-all-static \
CFLAGS="-O2 -pthread -fstack-protector-all"
make -j$(nproc)
file ./jq.exe
cp ./jq.exe jq-${{ env.SUFFIX }}.exe
- name: Test
run: |
make check VERBOSE=yes
git diff --exit-code
- name: Upload Test Logs
if: ${{ failure() }}
uses: actions/upload-artifact@v4
with:
name: test-logs-${{ env.SUFFIX }}
retention-days: 7
path: |
test-suite.log
tests/*.log
- name: attest-build-provenance
uses: actions/attest-build-provenance@v2
with:
subject-path: jq-${{ env.SUFFIX }}.exe
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: jq-${{ env.SUFFIX }}
path: jq-${{ env.SUFFIX }}.exe
if-no-files-found: error
retention-days: 7
dist:
runs-on: ubuntu-latest
steps:
- name: Clone repository
uses: actions/checkout@v4
with:
submodules: true
- name: Install packages
run: |
sudo apt-get update -qq
sudo apt-get install -y automake autoconf
- name: Create dist
run: |
autoreconf -i
./configure \
--disable-docs \
--disable-valgrind \
--with-oniguruma=builtin
make distcheck
make dist dist-zip
git diff --exit-code
- name: attest-build-provenance
uses: actions/attest-build-provenance@v2
with:
subject-path: |
jq-*.tar.gz
jq-*.zip
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: jq-dist
if-no-files-found: error
retention-days: 7
path: |
jq-*.tar.gz
jq-*.zip
docker:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
attestations: write
packages: write
needs: linux
steps:
- name: Clone repository
uses: actions/checkout@v4
- name: Download executables
uses: actions/download-artifact@v4
with:
pattern: jq-linux-*
merge-multiple: true
- name: Move executables
run: |
mkdir -p linux/{386,amd64,arm64,mips64le,ppc64le,riscv64,s390x}
mv jq-linux-i386 linux/386/jq
mv jq-linux-amd64 linux/amd64/jq
mv jq-linux-arm64 linux/arm64/jq
mv jq-linux-mips64el linux/mips64le/jq
mv jq-linux-ppc64el linux/ppc64le/jq
mv jq-linux-riscv64 linux/riscv64/jq
mv jq-linux-s390x linux/s390x/jq
chmod +x linux/*/jq
- name: Create Dockerfile
run: |
cat <<'EOF' >Dockerfile
FROM scratch
ARG TARGETPLATFORM
COPY AUTHORS COPYING $TARGETPLATFORM/jq /
RUN ["/jq", "--version"]
ENTRYPOINT ["/jq"]
EOF
- name: Docker metadata
uses: docker/metadata-action@v5
id: metadata
with:
images: ghcr.io/${{ github.repository }}
tags: >
${{ startsWith(github.ref, 'refs/tags/jq-')
&& format('type=match,pattern=jq-(.*),group=1,value={0}', github.ref_name)
|| 'type=sha,format=long' }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and release Docker image
id: attestation
uses: docker/build-push-action@v6
with:
context: .
push: ${{ startsWith(github.ref, 'refs/tags/jq-') }}
provenance: false
platforms: linux/386,linux/amd64,linux/arm64,linux/mips64le,linux/ppc64le,linux/riscv64,linux/s390x
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
- name: attest-build-provenance
uses: actions/attest-build-provenance@v2
with:
subject-name: ghcr.io/${{ github.repository }}
subject-digest: ${{ steps.attestation.outputs.digest }}
push-to-registry: true
release:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
environment: release
needs: [linux, macos, windows, dist, docker]
if: startsWith(github.ref, 'refs/tags/jq-')
steps:
- name: Clone repository
uses: actions/checkout@v4
- name: Download artifacts
uses: actions/download-artifact@v4
with:
merge-multiple: true
- name: Upload release
env:
TAG_NAME: ${{ github.ref_name }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cp jq-linux-amd64 jq-linux64
cp jq-macos-amd64 jq-osx-amd64
cp jq-windows-amd64.exe jq-win64.exe
sha256sum jq-* > sha256sum.txt
gh release create "$TAG_NAME" --draft --title "jq ${TAG_NAME#jq-}" --generate-notes
gh release upload "$TAG_NAME" --clobber jq-* sha256sum.txt
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.JQ_RELEASE_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.JQ_RELEASE_GPG_PASSPHRASE }}
- name: Update signatures
env:
TAG_NAME: ${{ github.ref_name }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
sig_dir="sig/v${TAG_NAME#jq-}"
mkdir -p "$sig_dir"
mv sha256sum.txt "$sig_dir"
for file in jq-*; do
gpg --detach-sign --armor --batch --output "${sig_dir}/${file#*/}.asc" "$file"
done
git add sig
git config user.name 'github-actions[bot]'
git config user.email 'github-actions[bot]@users.noreply.github.com'
title="Update signatures of ${TAG_NAME#jq-}"
git commit -m "$title"
branch="update-signatures-${TAG_NAME#jq-}"
git push origin "HEAD:refs/heads/$branch"
gh pr create --title "$title" --body "" --head "$branch"