-
Notifications
You must be signed in to change notification settings - Fork 0
131 lines (112 loc) · 4.54 KB
/
Copy pathrelease.yml
File metadata and controls
131 lines (112 loc) · 4.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: release
on:
push:
tags:
- "v*"
permissions:
contents: write
defaults:
run:
shell: bash
jobs:
release:
name: build + publish opclib
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: "22"
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.0
# npm runs prepare scripts respecting topological dep order; bun
# parallelises and races on nested github: peer-deps.
- name: Install dependencies
run: npm install --no-package-lock --no-save
- name: Typecheck
run: bun run typecheck
- name: Test
run: bun test
- name: Validate source
run: bun run validate --release
- name: Restore signing key
if: ${{ env.OPCLIB_SIGNING_KEY != '' }}
env:
OPCLIB_SIGNING_KEY: ${{ secrets.OPCLIB_SIGNING_KEY }}
run: |
install -m 700 -d "$RUNNER_TEMP/keys"
KEY_PATH="$RUNNER_TEMP/keys/opclib-signing.pem"
printf '%s' "$OPCLIB_SIGNING_KEY" > "$KEY_PATH"
chmod 600 "$KEY_PATH"
echo "OPCLIB_SIGN_KEY_PATH=$KEY_PATH" >> "$GITHUB_ENV"
- name: Pack release
env:
OPCLIB_SIGNING_KEY: ${{ secrets.OPCLIB_SIGNING_KEY }}
OPCLIB_KEY_ID: ${{ vars.OPCLIB_KEY_ID }}
run: |
VERSION="${GITHUB_REF_NAME#v}"
echo "Packing version ${VERSION}"
SIGN_ARGS=""
if [ -n "${OPCLIB_SIGN_KEY_PATH:-}" ] && [ -n "${OPCLIB_KEY_ID:-}" ]; then
SIGN_ARGS="--sign-key=${OPCLIB_SIGN_KEY_PATH} --key-id=${OPCLIB_KEY_ID}"
echo "Signing enabled (keyId=${OPCLIB_KEY_ID})"
else
echo "Signing disabled (no key/keyId configured)"
fi
bun tools/pack.ts --version="${VERSION}" $SIGN_ARGS
- name: Generate SHA256SUMS
run: |
VERSION="${GITHUB_REF_NAME#v}"
cd dist
sha256sum "openpcb-core-library-${VERSION}.opclib" > SHA256SUMS
cat SHA256SUMS
- name: Verify package
run: |
VERSION="${GITHUB_REF_NAME#v}"
ARTIFACT="dist/openpcb-core-library-${VERSION}.opclib"
test -f "$ARTIFACT"
VERIFY_SCRIPT="$(mktemp ./verify-opclib.XXXXXX.mjs)"
trap 'rm -f "$VERIFY_SCRIPT"' EXIT
cat > "$VERIFY_SCRIPT" <<'EOF'
import { readOpclibFromPath } from "@openpcb/opclib-pack";
import { unzipSync } from "fflate";
const artifact = process.env.ARTIFACT;
const version = process.env.VERSION;
if (!artifact || !version) throw new Error("missing env");
const pkg = await readOpclibFromPath(artifact);
const manifest = pkg.manifest;
if (manifest.library.id !== "openpcb.core") throw new Error("invalid library id");
if (manifest.library.version !== version) throw new Error("version mismatch");
if (!/^[a-f0-9]{64}$/.test(manifest.integrity.packageSha256)) throw new Error("invalid package sha");
const bytes = new Uint8Array(await Bun.file(artifact).arrayBuffer());
const entries = Object.keys(unzipSync(bytes));
const forbidden = [/^apps\//, /^packages\//, /\.kicad_sym$/, /\.kicad_mod$/, /^node_modules\//, /^\.playwright-cli\//, /^\.github\/workflows\//];
const matches = entries.filter((entry) => forbidden.some((pattern) => pattern.test(entry)));
if (matches.length > 0) throw new Error("forbidden package entries: " + matches.join(", "));
console.log("verified", manifest.library.id, manifest.library.version, entries.length, "entries");
EOF
ARTIFACT="$ARTIFACT" VERSION="$VERSION" bun "$VERIFY_SCRIPT"
- name: Publish GitHub release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
VERSION="${GITHUB_REF_NAME#v}"
ARTIFACT="dist/openpcb-core-library-${VERSION}.opclib"
SUMS="dist/SHA256SUMS"
ASSETS=("$ARTIFACT" "$SUMS")
if [ -f keys/openpcb-core.pub ]; then
ASSETS+=("keys/openpcb-core.pub")
fi
if gh release view "${GITHUB_REF_NAME}" >/dev/null 2>&1; then
gh release upload "${GITHUB_REF_NAME}" "${ASSETS[@]}" --clobber
else
gh release create "${GITHUB_REF_NAME}" \
--verify-tag \
--title "${GITHUB_REF_NAME}" \
--notes "OpenPCB Core Library ${VERSION}" \
"${ASSETS[@]}"
fi