Skip to content

ci: Fixing slsa for powerpc builds #466

ci: Fixing slsa for powerpc builds

ci: Fixing slsa for powerpc builds #466

Workflow file for this run

name: CI for meson build
on:
push:
branches: [ develop, master, release/*, feature/*, hotfix/* ]
tags: [ v* ]
pull_request:
branches: [ develop ]
jobs:
build:
name: ${{ matrix.config.name }}
runs-on: ${{ matrix.config.os }}
container: ${{ matrix.config.image }}
strategy:
fail-fast: false # so that if one config fails, other won't be cancelled automatically
matrix:
config:
- {
name: "Windows MSVC x64",
os: windows-latest,
cc: "cl.exe",
cxx: "cl.exe",
arch: "x64",
publish_release: true,
meson_opts: "-Db_vscrt=static_from_buildtype",
release_name: "win-x64",
release_extension: ".zip",
archive_command: "7z a -tzip -mmt"
}
- {
name: "Windows MSVC x86",
os: windows-latest,
cc: "cl.exe",
cxx: "cl.exe",
arch: "x64_x86",
publish_release: true,
meson_opts: "-Db_vscrt=static_from_buildtype",
release_name: "win-x86",
release_extension: ".zip",
archive_command: "7z a -tzip -mmt"
}
- {
name: "Windows GCC",
os: windows-latest,
cc: "gcc.exe",
cxx: "g++.exe",
release_name: "win-x86_64-gcc",
release_extension: ".zip",
archive_command: "7z a -tzip -mmt"
}
- {
name: "Windows Clang",
os: windows-latest,
cc: "clang.exe",
cxx: "clang++.exe",
release_name: "win-x86_64-clang",
release_extension: ".zip",
archive_command: "7z a -tzip -mmt"
}
- {
name: "Ubuntu GCC",
os: ubuntu-latest,
cc: "gcc",
cxx: "g++",
release_name: "linux-x86_64-gcc",
release_extension: ".tar.xz",
archive_command: "tar cvfJ"
}
- {
name: "Ubuntu Clang",
os: ubuntu-latest,
cc: "clang",
cxx: "clang++",
release_name: "linux-x86_64",
release_extension: ".tar.xz",
archive_command: "tar cvfJ"
}
- {
name: "MUSL Cross Compile x86_64",
os: ubuntu-latest,
cc: "",
cxx: "",
publish_release: true,
create_package: true,
meson_opts: "--cross-file=./meson_crosscompile/x86_64-linux-musl-cross.txt",
cross_compiler_arch: "x86_64",
release_name: "linux-x86_64-portable",
release_extension: ".tar.xz",
archive_command: "tar cvfJ"
}
- {
name: "MUSL Cross Compile i686",
os: ubuntu-latest,
cc: "",
cxx: "",
publish_release: true,
meson_opts: "--cross-file=./meson_crosscompile/i686-linux-musl-cross.txt",
cross_compiler_arch: "i686",
release_name: "linux-i686-portable",
release_extension: ".tar.xz",
archive_command: "tar cvfJ"
}
- {
name: "MUSL Cross Compile aarch64",
os: ubuntu-latest,
cc: "",
cxx: "",
publish_release: true,
meson_opts: "--cross-file=./meson_crosscompile/aarch64-linux-musl-cross.txt",
cross_compiler_arch: "aarch64",
release_name: "linux-aarch64-portable",
release_extension: ".tar.xz",
archive_command: "tar cvfJ"
}
- {
name: "MUSL Cross Compile armv7l",
os: ubuntu-latest,
cc: "",
cxx: "",
publish_release: true,
meson_opts: "--cross-file=./meson_crosscompile/armv7l-linux-musl-cross.txt",
cross_compiler_arch: "armv7l",
release_name: "linux-armv7l-portable",
release_extension: ".tar.xz",
archive_command: "tar cvfJ"
}
- {
name: "MUSL Cross Compile armv6",
os: ubuntu-latest,
cc: "",
cxx: "",
publish_release: true,
meson_opts: "--cross-file=./meson_crosscompile/armv6-linux-musl-cross.txt",
cross_compiler_arch: "armv6",
release_name: "linux-armv6-portable",
release_extension: ".tar.xz",
archive_command: "tar cvfJ"
}
- {
name: "MUSL Cross Compile armv5l",
os: ubuntu-latest,
cc: "",
cxx: "",
publish_release: true,
meson_opts: "--cross-file=./meson_crosscompile/armv5l-linux-musl-cross.txt",
cross_compiler_arch: "armv5l",
release_name: "linux-armv5l-portable",
release_extension: ".tar.xz",
archive_command: "tar cvfJ"
}
- {
name: "MUSL Cross Compile powerpc64",
os: ubuntu-latest,
cc: "",
cxx: "",
publish_release: true,
meson_opts: "--cross-file=./meson_crosscompile/powerpc64-linux-musl-cross.txt",
cross_compiler_arch: "powerpc64",
release_name: "linux-powerpc64-portable",
release_extension: ".tar.xz",
archive_command: "tar cvfJ"
}
- {
name: "MUSL Cross Compile powerpc64le",
os: ubuntu-latest,
cc: "",
cxx: "",
publish_release: true,
meson_opts: "--cross-file=./meson_crosscompile/powerpc64le-linux-musl-cross.txt",
cross_compiler_arch: "powerpc64le",
release_name: "linux-powerpc64le-portable",
release_extension: ".tar.xz",
archive_command: "tar cvfJ"
}
outputs: #where hashes need to be stored for slsa provenance
#NOTE: Only doing this for builds with "publish_release: true"
#format is hash-${{release_name}}
hash-win-x64: ${{ steps.hash.outputs.hash-win-x64 }}
hash-win-x86: ${{ steps.hash.outputs.hash-win-x86 }}
hash-linux-x86_64-portable: ${{ steps.hash.outputs.hash-linux-x86_64-portable }}
hash-linux-i686-portable: ${{ steps.hash.outputs.hash-linux-i686-portable }}
hash-linux-aarch64-portable: ${{ steps.hash.outputs.hash-linux-aarch64-portable }}
hash-linux-armv7l-portable: ${{ steps.hash.outputs.hash-linux-armv7l-portable }}
hash-linux-armv6-portable: ${{ steps.hash.outputs.hash-linux-armv6-portable }}
hash-linux-armv5l-portable: ${{ steps.hash.outputs.hash-linux-armv5l-portable }}
hash-linux-powerpc64-portable: ${{ steps.hash.outputs.hash-linux-powerpc64-portable }}
hash-linux-powerpc64le-portable: ${{ steps.hash.outputs.hash-linux-powerpc64le-portable }}
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
- name: Settings vars for MSVC
if: startsWith(matrix.config.name, 'Windows MSVC')
uses: ilammy/msvc-dev-cmd@v1
with:
arch: ${{ matrix.config.arch }}
- name: Setup for MUSL Cross Compilation
if: startsWith(matrix.config.name, 'MUSL Cross Compile')
run: |
sudo ./meson_crosscompile/install-muslcc.sh -a ${{ matrix.config.cross_compiler_arch }}
- name: Get latest LLVM version
if: startsWith(matrix.config.name, 'Windows Clang')
run: |
$headers = @{ Authorization = 'Bearer ${{ secrets.GITHUB_TOKEN }}' }
echo "LLVM_RELID=$((Invoke-WebRequest -Headers $headers 'https://api.github.com/repos/llvm/llvm-project/releases/latest').Content | ConvertFrom-Json | Select-Object -ExpandProperty id)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
- name: Restore LLVM from cache
if: startsWith(matrix.config.name, 'Windows Clang')
id: llvm-cache
uses: actions/cache@v4
with:
path: C:/Program Files/LLVM
key: 'llvm-llvm-project-relid-${{ env.LLVM_RELID }}'
- name: Downloading latest clang for Windows
if: ${{ steps.llvm-cache.outputs.cache-hit != 'true' && startsWith(matrix.config.name, 'Windows Clang') }}
run: |
$headers = @{ Authorization = 'Bearer ${{ secrets.GITHUB_TOKEN }}' }
Invoke-WebRequest -Headers $headers -OutFile "LLVM.exe" ((Invoke-WebRequest -Headers $headers "https://api.github.com/repos/llvm/llvm-project/releases/$($env:LLVM_RELID)").Content | ConvertFrom-Json | Select-Object -ExpandProperty assets | Where -Property name -Like "*win64.exe" | Select-Object -First 1).browser_download_url
7z x LLVM.exe -y -o"C:/Program Files/LLVM"
- name: Escape backslash in branch name
shell: bash
run: echo "BRANCH_NAME=$(echo ${{ github.ref_name }} | tr / -)" >> $GITHUB_ENV
- name: Setting release name
env:
DESTDIR: ${{ format('openSeaChest-{0}-{1}', env.BRANCH_NAME, matrix.config.release_name) }}
run: |
echo "DESTDIR=${DESTDIR}" >> $GITHUB_ENV
shell: bash
- name: Configuring and compiling with meson
env:
CC: ${{ matrix.config.cc }}
CXX: ${{ matrix.config.cxx }}
run: |
pip install meson==0.60.3 ninja
meson setup build -Dprefix=/ -Dmandir=/man -Dbindir=/ ${{ matrix.config.meson_opts }} --buildtype=release
meson install -C build
- name: Packing release
env:
ARCHIVE_EXT: ${{ matrix.config.release_extension }}
run: |
cd build
${{ matrix.config.archive_command }} "${DESTDIR}${ARCHIVE_EXT}" $DESTDIR
shell: bash
# add `GOBIN` to the `PATH` otherwise nfpm in next step can't be found
- uses: actions/setup-go@v5
if: ${{ matrix.config.create_package }}
with:
go-version: 'stable'
cache: false
- name: Create packages
if: ${{ matrix.config.create_package }}
working-directory: ${{ format('build/{0}', env.DESTDIR) }}
run: | # https://nfpm.goreleaser.com/install/
go install github.com/goreleaser/nfpm/v2/cmd/[email protected]
if [[ ${{ github.ref }} =~ ^refs/tags/v[0-9\.]+$ ]]; then
version=$(echo ${{ github.ref_name }} | tr -d 'v')
else
version=$(printf "%s-dev" $(date +'%y.%m.%d'))
fi
sed -i '/version:/ s/"[^"][^"]*"/"'"$version"'"/' ../../nfpm.yaml
nfpm package -f ../../nfpm.yaml -p deb -t ..
nfpm package -f ../../nfpm.yaml -p rpm -t ..
shell: bash
- name: Generate Hashes
if: ${{ matrix.config.publish_release }}
shell: bash
id: hash
run: |
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
# sha256sum artifact | base64 -w0
# NOTE: Using suggested method to generate sha across OS's from slsa documentation
# https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-artifacts-built-across-multiple-operating-systems
set -euo pipefail
(sha256sum -t ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }} || shasum -a 256 ${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }}) > checksum
echo "hash-${{ matrix.config.release_name }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}"
- name: Uploading artifacts
uses: actions/upload-artifact@v4
with:
name: ${{ format('{0}', matrix.config.release_name) }}
path: |
${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }}
build/*.deb
build/*.rpm
- name: Publish release
if: ${{ startsWith(github.ref, 'refs/tags/v') && matrix.config.publish_release }}
uses: softprops/action-gh-release@v2
with:
files: |
${{ format('./build/{0}{1}', env.DESTDIR, matrix.config.release_extension) }}
build/*.deb
build/*.rpm
# Generate the slsa provenance
provenance:
needs: [build]
strategy:
fail-fast: false #don't cancel other jobs if one is failing
matrix:
#NOTE: this release_name MUST match EXACTLY the name used by the build job above!
release_name: [ "win-x64",
"win-x86",
"linux-x86_64-portable",
"linux-i686-portable",
"linux-aarch64-portable",
"linux-armv7l-portable",
"linux-armv6-portable",
"linux-armv5l-portable",
"linux-powerpc64-portable",
"linux-powerpc64le-portable"
]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.build.outputs[format('hash-{0}', matrix.release_name)] }}"
# Upload provenance to a new release
upload-assets: true