Merge branch 'release' into file-encrypt-decrypt

IronCoreLabs · Apr 2, 2020 · ff3ea4e · ff3ea4e
2 parents 718a4c0 + 141c995
commit ff3ea4e
Show file tree

Hide file tree

Showing 3 changed files with 126 additions and 5 deletions.
diff --git a/.github/signing-key.asc.iron b/.github/signing-key.asc.iron
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1,17 +1,23 @@
 name: ironoxide-cli
 
-on:
-  push:
-    branches:
-      - master
-  pull_request:
+on: push
 
 jobs:
   check:
     name: Check
     runs-on: ubuntu-18.04
     steps:
       - uses: actions/checkout@v2
+      # Work around https://github.com/actions/cache/issues/133#issuecomment-599102035
+      - run: sudo chown -R $(whoami):$(id -ng) ~/.cargo/
+        name: Fix perms on .cargo so we can restore the cache.
+      - name: Restore rust cache
+        uses: actions/cache@v1
+        with:
+          key: ${{ github.workflow }}-rust-${{ hashFiles('Cargo.lock') }}
+          restore-keys: |
+            ${{ github.workflow }}-rust-
+          path: ~/.cargo
       - uses: actions-rs/toolchain@v1
         with:
           profile: minimal
@@ -35,3 +41,12 @@ jobs:
         with:
           command: fmt
           args: --all -- --check
+
+  security:
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: Rust security audit
+      uses: actions-rs/audit-check@v1
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,106 @@
+name: release
+
+on:
+  push:
+    tags:
+    - '*'
+
+jobs:
+  release:
+    runs-on: ubuntu-18.04
+    needs: build
+    steps:
+    - uses: actions/checkout@v2
+    - name: Decrypt PGP key
+      uses: IronCoreLabs/ironhide-actions/decrypt@v1
+      with:
+        keys: ${{ secrets.IRONHIDE_KEYS }}
+        input: .github/signing-key.asc.iron
+    - name: Import PGP key
+      run: gpg --batch --import .github/signing-key.asc
+    - uses: actions/create-release@v1
+      id: release
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        tag_name: ${{ github.ref }}
+        release_name: Version ${{ github.ref }}
+
+    - name: Download release artifacts from ubuntu-18.04
+      uses: actions/download-artifact@v1
+      with:
+        name: release-ubuntu-18.04
+        path: release/ubuntu-18.04
+    - name: Sign artifact for ubuntu-18.04
+      run: |
+        gpg --batch --detach-sign -a release/ubuntu-18.04/ironoxide-cli-ubuntu-18.04
+        gpg --batch --verify release/ubuntu-18.04/ironoxide-cli-ubuntu-18.04.asc release/ubuntu-18.04/ironoxide-cli-ubuntu-18.04
+    - name: Upload artifact for ubuntu-18.04
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.release.outputs.upload_url }}
+        asset_path: release/ubuntu-18.04/ironoxide-cli-ubuntu-18.04
+        asset_name: ironoxide-cli-ubuntu-18.04
+        asset_content_type: application/data
+    - name: Upload signature for ubuntu-18.04
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.release.outputs.upload_url }}
+        asset_path: release/ubuntu-18.04/ironoxide-cli-ubuntu-18.04.asc
+        asset_name: ironoxide-cli-ubuntu-18.04.asc
+        asset_content_type: application/pgp-signature
+
+    - name: Download release artifacts from macos-10.15
+      uses: actions/download-artifact@v1
+      with:
+        name: release-macos-10.15
+        path: release/macos-10.15
+    - name: Sign artifact for macos-10.15
+      run: |
+        gpg --batch --detach-sign -a release/macos-10.15/ironoxide-cli-macos-10.15
+        gpg --batch --verify release/macos-10.15/ironoxide-cli-macos-10.15.asc release/macos-10.15/ironoxide-cli-macos-10.15
+    - name: Upload artifact for macos-10.15
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.release.outputs.upload_url }}
+        asset_path: release/macos-10.15/ironoxide-cli-macos-10.15
+        asset_name: ironoxide-cli-macos-10.15
+        asset_content_type: application/data
+    - name: Upload signature for macos-10.15
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.release.outputs.upload_url }}
+        asset_path: release/macos-10.15/ironoxide-cli-macos-10.15.asc
+        asset_name: ironoxide-cli-macos-10.15.asc
+        asset_content_type: application/pgp-signature
+
+  build:
+    strategy:
+      matrix:
+        os: [ ubuntu-18.04, macos-10.15 ]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions-rs/toolchain@v1
+      with:
+        toolchain: stable
+    - uses: actions-rs/cargo@v1
+      with:
+        command: build
+        args: --release
+    - name: Package release artifacts
+      working-directory: target/release
+      run: mv ironoxide-cli ironoxide-cli-${{ matrix.os }}
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v1
+      with:
+        name: release-${{ matrix.os }}
+        path: target/release/ironoxide-cli-${{ matrix.os }}