github.com/rootless-containers/rootlesskit/v2@v2.3.4/.github/workflows/release.yaml (about)

     1  # Release guide (since v0.9.0):
     2  # 1. Bump up the version string to `vX.Y.Z` (or `vX.Y.Z-beta.W`) in `pkg/version/version.go`.
     3  # 2. `git commit -a -s -m vX.Y.Z`
     4  # 3. Bump up the version string to `vX.Y.Z+dev` (or `vX.Y.Z-beta.W`+dev) in `pkg/version/version.go`.
     5  # 4. `git commit -a -s -m vX.Y.Z+dev`
     6  # 5. Open a PR and merge it.
     7  # 6. Create a tag `v.X.Y.Z` for the `vX.Y.Z` commit, and push the tag to the upstream: `git push upstream vX.Y.Z`
     8  # 7. GitHub Actions automatically ships a draft release with a statically compiled binary: https://github.com/rootless-containers/rootlesskit/releases
     9  #    If it fails, check the GitHub Actions log: https://github.com/rootless-containers/rootlesskit/actions?query=workflow%3ARelease
    10  # 8. Add release notes to the draft release and ship the release.
    11  name: Release
    12  on:
    13    push:
    14      tags:
    15      - 'v*'
    16  
    17  jobs:
    18    release:
    19      runs-on: ubuntu-24.04
    20      # The maximum access is "read" for PRs from public forked repos
    21      # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
    22      permissions:
    23        contents: write  # for releases
    24        id-token: write  # for provenances
    25        attestations: write  # for provenances
    26      steps:
    27      - uses: actions/checkout@v4
    28      - name: "Build binaries"
    29        run: DOCKER_BUILDKIT=1 docker build -o /tmp/artifact --target cross-artifact .
    30      - name: "SHA256SUMS"
    31        run: (cd /tmp/artifact; sha256sum *) | tee /tmp/SHA256SUMS
    32      - name: "The sha256sum of the SHA256SUMS file"
    33        run: sha256sum /tmp/SHA256SUMS
    34      - name: "Prepare the release note"
    35        run: |
    36          shasha=$(sha256sum /tmp/SHA256SUMS | awk '{print $1}')
    37          cat << EOF | tee /tmp/release-note.txt
    38          #### Changes
    39          (To be documented)
    40  
    41          #### Install
    42          \`\`\`
    43          mkdir -p ~/bin
    44          curl -sSL https://github.com/${{ github.repository }}/releases/download/${tag}/rootlesskit-\$(uname -m).tar.gz | tar Cxzv ~/bin
    45          \`\`\`
    46  
    47          #### About the binaries
    48          The binaries were built automatically on GitHub Actions.
    49          See the log to verify SHA256SUMS.
    50          https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
    51          The sha256sum of the SHA256SUMS file itself is ${shasha} .
    52          EOF
    53      - uses: actions/attest-build-provenance@v2
    54        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    55        with:
    56          subject-path: |
    57            /tmp/artifact/*
    58            /tmp/SHA256SUMS
    59      - name: "Create release"
    60        env:
    61          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    62        run: |
    63          tag="${GITHUB_REF##*/}"
    64          gh release create -F /tmp/release-note.txt --draft --title "${tag}" "${tag}" /tmp/artifact/* /tmp/SHA256SUMS