dgram/.github/workflows/release.yml at main · PerryTS/dgram · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
name: Release

# One-shot release pipeline triggered by `vX.Y.Z` tag pushes:
#
#   1. `build` (matrix) — produces a per-target staticlib for every
#      supported triple (macOS x64+arm64, Linux x64+arm64, Windows x64).
#   2. `release` — creates the GitHub release and attaches every
#      target's archive with a unique per-target name.
#   3. `publish` — `npm publish --provenance --access public`.
#
# Why one workflow instead of two: events created via the workflow's
# default GITHUB_TOKEN don't fire downstream workflows (GH's safety
# rule against runaway recursion), so a separate `publish.yml` keyed
# on `release: published` would never fire when `release.yml` creates
# the release itself. Bundling everything into one workflow sidesteps
# the cascade-blocking entirely.

on:
  push:
    tags:
      - 'v*.*.*'
  workflow_dispatch:

jobs:
  build:
    name: ${{ matrix.target }}
    strategy:
      # One target's failure shouldn't cancel the others.
      fail-fast: false
      matrix:
        include:
          - target: x86_64-apple-darwin
            os: macos-latest
          - target: aarch64-apple-darwin
            os: macos-latest
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-latest
          - target: aarch64-unknown-linux-gnu
            os: ubuntu-latest
          - target: x86_64-pc-windows-msvc
            os: windows-latest
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}
      # mimalloc-sys (transitive via perry-runtime) compiles its C
      # sources for the *target* arch through cc-rs, which means
      # aarch64-linux needs a cross-compiling gcc on the runner.
      - name: Install aarch64-linux cross-toolchain
        if: matrix.target == 'aarch64-unknown-linux-gnu'
        run: sudo apt-get update && sudo apt-get install -y gcc-aarch64-linux-gnu
      - name: Build
        env:
          CC_aarch64_unknown_linux_gnu: aarch64-linux-gnu-gcc
          CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
        run: cargo build --release --target ${{ matrix.target }}
      - name: Stage artifact
        shell: bash
        run: |
          # nullglob: empty globs expand to nothing instead of leaving
          # the literal pattern (`set -e` would otherwise trip on the
          # idle-glob iteration of the `*.lib` pattern on Linux/macOS).
          shopt -s nullglob
          mkdir -p artifact/${{ matrix.target }}
          # Embed the target triple in the filename so all 5 archives
          # land on the release without colliding (action-gh-release's
          # default overwrite-by-name would otherwise leave only the
          # last-uploaded `.a`).
          for f in target/${{ matrix.target }}/release/*.a target/${{ matrix.target }}/release/*.lib; do
            base="$(basename "$f")"
            stem="${base%.*}"
            ext="${base##*.}"
            cp "$f" "artifact/${{ matrix.target }}/${stem}-${{ matrix.target }}.${ext}"
          done
      - uses: actions/upload-artifact@v4
        with:
          name: prebuilt-${{ matrix.target }}
          path: artifact/${{ matrix.target }}/

  release:
    needs: build
    runs-on: ubuntu-latest
    # softprops/action-gh-release needs `contents: write` to create
    # the release (the default GITHUB_TOKEN scope on tag-push is r-o).
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          path: prebuilt/
      - name: Attach to release
        uses: softprops/action-gh-release@v2
        with:
          files: prebuilt/**

  publish:
    needs: release
    runs-on: ubuntu-latest
    # `id-token: write` is required for `npm publish --provenance`.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "24"
          registry-url: "https://registry.npmjs.org"
      - name: Verify tag matches package.json version
        run: |
          PKG_VERSION=$(node -p "require('./package.json').version")
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          if [ "$PKG_VERSION" != "$TAG_VERSION" ]; then
            echo "::error::Release tag ($TAG_VERSION) does not match package.json version ($PKG_VERSION)"
            exit 1
          fi
      - run: npm publish --provenance --access public