build: bump sha3 from 0.10.8 to 0.11.0 #855
Workflow file for this run
# Release pipeline. Three events can start it:
#
#   push of a tag (X.Y.Z)
#       Full production release: build, review, publish to GitHub Releases
#       with attestation, deploy docs, and verify the install script.
#       Requires manual approval via the solx-release environment.
#
#   workflow_dispatch
#       Nightly / ad-hoc pre-release: same build & review pipeline, publishes
#       a GitHub pre-release. Individual platforms can be toggled off.
#       Requires manual approval.
#
#   pull_request carrying the ci:release label
#       Dry-run: exercises the full pipeline but skips attestation, GitHub
#       Release creation, docs deploy, and install-script check.
#       No approval needed.
name: Build and release binaries

on:
  push:
    tags:
      - "*.*.*"
  pull_request:
    types:
      - opened
      - labeled
      - synchronize
  workflow_dispatch:
    inputs:
      # `ref` and `prerelease_suffix` are free-form strings typed in by whoever
      # dispatches the run. Treat them as untrusted text: hand them to shell
      # steps through `env:` instead of expanding `${{ ... }}` inside a script.
      ref:
        description: "Git REF to use for manual pre-release. Keep it empty to use the workflow branch."
        required: false
        type: string
      prerelease_suffix:
        description: "Suffix which has been used for manual pre-release name"
        required: false
        type: string
        default: "notag"
      # Per-platform switches; every platform is built unless switched off.
      release_macos_amd64:
        description: "Release for MacOS amd64?"
        required: false
        type: boolean
        default: true
      release_macos_arm64:
        description: "Release for MacOS arm64?"
        required: false
        type: boolean
        default: true
      release_linux_amd64_gnu:
        description: "Release for Linux amd64 gnu?"
        required: false
        type: boolean
        default: true
      release_linux_arm64_gnu:
        description: "Release for Linux arm64 gnu?"
        required: false
        type: boolean
        default: true
      release_windows_amd64:
        description: "Release for Windows amd64?"
        required: false
        type: boolean
        default: true

# Workflow-level token scope is empty; every job below has to request the
# scopes it needs in its own `permissions:` block.
permissions: {}
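jobs:
  # Entry gate. Runs for every non-PR event; for pull requests it runs only
  # when the PR carries the `ci:release` label and does not come from a fork.
  # The build jobs `need` this job, so they do not start when it is skipped.
  label-check:
    if: >-
      github.event_name != 'pull_request'
      || (contains(github.event.pull_request.labels.*.name, 'ci:release')
      && !github.event.pull_request.head.repo.fork)
    permissions:
      contents: read
    runs-on: ubuntu-24.04
    steps:
      - run: 'true'

  # Extra-defensive cooldown check: `main` branch and PRs already require
  # passing this in CI, but we re-check here to guarantee we never release
  # with too-fresh dependencies.
  cooldown-check:
    name: Cargo cooldown check
    permissions:
      contents: read
    runs-on: ubuntu-24.04
    needs: [label-check]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.ref || '' }}
      - uses: ./.github/actions/cooldown-check

  # ───────────────────────────────────────────────
  # Stage 0: Build matrix & platform binaries
  # ───────────────────────────────────────────────
  # Emits the JSON build matrix consumed by the `build` job.
  prepare-matrix:
    needs: [label-check]
    permissions:
      contents: read
    runs-on: ubuntu-24.04
    outputs:
      matrix: ${{ steps.prepare-matrix.outputs.matrix }}
    steps:
      - name: Checkout source
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # No later step in this job talks to the remote, so the token is not
          # left behind in .git/config (same setting as cooldown-check).
          persist-credentials: false
          submodules: 'recursive'
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.ref || '' }}
      - name: Prepare matrix
        id: prepare-matrix
        # Context values reach the script as environment variables, so they are
        # never pasted into the shell source text.
        env:
          EVENT_NAME: ${{ github.event_name }}
          RELEASE_WINDOWS_AMD64: ${{ github.event.inputs.release_windows_amd64 }}
          RELEASE_MACOS_AMD64: ${{ github.event.inputs.release_macos_amd64 }}
          RELEASE_MACOS_ARM64: ${{ github.event.inputs.release_macos_arm64 }}
          RELEASE_LINUX_AMD64_GNU: ${{ github.event.inputs.release_linux_amd64_gnu }}
          RELEASE_LINUX_ARM64_GNU: ${{ github.event.inputs.release_linux_arm64_gnu }}
        run: |
          # Define general matrix parameters
          WINDOWS='{"name":"Windows","runner":"windows-2025","release-suffix":"windows-amd64-gnu"}'
          MACOS_AMD64='{"name":"MacOS-x86","runner":"macos-15-intel","release-suffix":"macosx-amd64"}'
          MACOS_ARM64='{"name":"MacOS-arm64","runner":"macos-15","release-suffix":"macosx-arm64"}'
          LINUX_AMD64_GNU='{"name":"Linux-AMD64-gnu","runner":"ubuntu-24.04","image":"ghcr.io/nomicfoundation/solx-ci-runner@sha256:c2b03000a1074d2cc3e6cf25a1c4fdc6eb0a61d23e63bef59205050249fa1d6e","target":"x86_64-unknown-linux-gnu","release-suffix":"linux-amd64-gnu"}'
          LINUX_ARM64_GNU='{"name":"Linux-ARM64-gnu","runner":"ubuntu-24.04-arm","image":"ghcr.io/nomicfoundation/solx-ci-runner@sha256:c2b03000a1074d2cc3e6cf25a1c4fdc6eb0a61d23e63bef59205050249fa1d6e","target":"aarch64-unknown-linux-gnu","release-suffix":"linux-arm64-gnu"}'
          # Disable platforms for non-tag builds if user requested
          if [ "${EVENT_NAME}" = 'workflow_dispatch' ] && [ "${GITHUB_REF_TYPE}" != tag ]; then
            [ "${RELEASE_WINDOWS_AMD64}" != true ] && WINDOWS=
            [ "${RELEASE_MACOS_AMD64}" != true ] && MACOS_AMD64=
            [ "${RELEASE_MACOS_ARM64}" != true ] && MACOS_ARM64=
            [ "${RELEASE_LINUX_AMD64_GNU}" != true ] && LINUX_AMD64_GNU=
            [ "${RELEASE_LINUX_ARM64_GNU}" != true ] && LINUX_ARM64_GNU=
          fi
          # Unquoted on purpose: an emptied variable must vanish from the array.
          PLATFORMS=(${WINDOWS} ${MACOS_AMD64} ${MACOS_ARM64} ${LINUX_AMD64_GNU} ${LINUX_ARM64_GNU})
          echo "matrix={ \"include\": [ $(IFS=, ; echo "${PLATFORMS[*]}") ] }" | tee -a "${GITHUB_OUTPUT}"

  # One leg per platform from the matrix above; the Linux legs run inside the
  # digest-pinned solx-ci-runner image.
  build:
    permissions:
      contents: read
      packages: read
    needs: prepare-matrix
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.prepare-matrix.outputs.matrix) }}
    runs-on: ${{ matrix.runner }}
    container:
      image: ${{ matrix.image || '' }} # Special workaround to allow matrix builds with optional container
    name: ${{ matrix.name }}
    steps:
      # NOTE(review): this checkout keeps the default persisted credentials
      # while project build scripts run. `persist-credentials: false` would be
      # safer if the submodule update below needs no authentication — confirm.
      - name: Checkout source
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: 'recursive'
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.ref || '' }}
      # This step is required to checkout submodules
      # that are disabled in .gitmodules config
      - name: Checkout submodules
        run: |
          # NOTE(review): '*' switches off git's repository-ownership check for
          # every path for this user; a list of the specific directories would
          # be narrower.
          git config --global --add safe.directory '*'
          git submodule update --force --depth=1 --recursive --checkout
      - name: Prepare Windows env
        if: runner.os == 'Windows'
        uses: ./.github/actions/prepare-msys
      - name: Setup SFW
        uses: ./.github/actions/setup-sfw
      - name: Build LLVM
        uses: ./.github/actions/build-llvm
        with:
          build-type: Release
          enable-assertions: 'false'
          enable-mlir: 'false'
      - name: Building solc
        uses: ./.github/actions/build-solc
        with:
          cmake-build-type: 'Release'
          working-dir: 'solx-solidity'
      - name: Free disk space (remove LLVM build artifacts)
        shell: bash
        run: |
          echo "Before cleanup:" && df -h .
          rm -rf target-llvm/build-final
          echo "After cleanup:" && df -h .
      - name: Build solx
        uses: ./.github/actions/build-rust
        env:
          BOOST_PREFIX: ${{ github.workspace }}/solx-solidity/boost/lib
          SOLC_PREFIX: ${{ github.workspace }}/solx-solidity/build
        with:
          exec_name: 'solx'
          target: ${{ matrix.target }}
          # NOTE(review): the suffix can carry the free-form prerelease_suffix
          # input; check that build-rust does not expand it inside a script.
          release-suffix: ${{ format('{0}-{1}', matrix.release-suffix, github.ref_type == 'tag' && format('v{0}', github.ref_name) || inputs.prerelease_suffix || 'notag') }}

  # Looks up the tag of the current `latest` release; `publish` uses it as the
  # changelog starting point.
  get-previous-release:
    needs: [label-check]
    permissions:
      contents: read
    runs-on: ubuntu-24.04
    outputs:
      tag: ${{ steps.latest_release.outputs.tag }}
    steps:
      - name: Checkout source
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # `gh` below authenticates through GH_TOKEN, not through git config.
          persist-credentials: false
          fetch-depth: 0
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.ref || '' }}
      # Gets the tag of the published release marked `latest`
      # ignoring all intermediate releases and tags for manual releases
      - name: Get latest release tag
        id: latest_release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # A failed lookup yields an empty tag instead of failing the job.
          tag=$(gh release view --json tagName --jq .tagName 2>/dev/null || echo "")
          echo "tag=${tag}" >> "${GITHUB_OUTPUT}"

  # ───────────────────────────────────────────────
  # Stage 1: Prepare — bundle all artifacts
  # ───────────────────────────────────────────────
  prepare:
    permissions:
      contents: read
      packages: read
    name: Prepare release bundle
    runs-on: ubuntu-24.04
    container:
      image: ghcr.io/nomicfoundation/solx-ci-runner@sha256:c2b03000a1074d2cc3e6cf25a1c4fdc6eb0a61d23e63bef59205050249fa1d6e
    needs: [build]
    outputs:
      release_title: ${{ steps.release.outputs.release_title }}
      version_or_sha: ${{ steps.release.outputs.version_or_sha }}
      full_sha: ${{ steps.release.outputs.full_sha }}
    steps:
      - name: Checkout source
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # The git commands in this job (rev-parse) only read the local clone.
          persist-credentials: false
          fetch-depth: 0
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.ref || '' }}
      - name: Download artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          pattern: release*
          path: releases
      - name: Identify release name
        id: release
        # prerelease_suffix is free-form user input. It is passed through the
        # environment so the shell treats it as data; expanding `${{ ... }}`
        # inside the script would let `$(...)` or quotes in it be executed.
        env:
          REF_TYPE: ${{ github.ref_type }}
          EVENT_NAME: ${{ github.event_name }}
          PRERELEASE_SUFFIX: ${{ github.event.inputs.prerelease_suffix }}
        run: |
          git config --global --add safe.directory "${GITHUB_WORKSPACE}"
          if [ "${REF_TYPE}" = 'tag' ]; then
            VERSION_OR_SHA="${GITHUB_REF#refs/tags/}"
            echo "release_title=${VERSION_OR_SHA}" >> "${GITHUB_OUTPUT}"
          else
            VERSION_OR_SHA=$(git rev-parse --short HEAD)
            echo "full_sha=$(git rev-parse HEAD)" >> "${GITHUB_OUTPUT}"
            if [ "${EVENT_NAME}" = 'pull_request' ]; then
              echo "release_title=pr-dry-run-${VERSION_OR_SHA}" >> "${GITHUB_OUTPUT}"
            else
              echo "release_title=prerelease-${VERSION_OR_SHA}-${PRERELEASE_SUFFIX}" >> "${GITHUB_OUTPUT}"
            fi
          fi
          echo "version_or_sha=${VERSION_OR_SHA}" >> "${GITHUB_OUTPUT}"
      - name: Check release version
        if: github.ref_type == 'tag'
        # On tag runs the value is the tag name, which the pusher chooses;
        # read it from the environment for the same reason as above.
        env:
          TAG: ${{ steps.release.outputs.version_or_sha }}
        run: |
          CARGO_PACKAGE_VERSION="$(${SFW_PREFIX:-} cargo pkgid --manifest-path solx/Cargo.toml | cut -d "#" -f2)"
          # All versions must be equal
          if [ "${CARGO_PACKAGE_VERSION}" != "${TAG}" ]; then
            echo "Version mismatch: TAG=${TAG}, CARGO_PACKAGE_VERSION=${CARGO_PACKAGE_VERSION}"
            echo "Please update the version in Cargo.toml and tag the commit with the same version."
            exit 1
          fi
      - name: Prepare universal macOS binary
        if: >-
          github.ref_type == 'tag'
          || github.event_name == 'pull_request'
          || (github.event_name == 'workflow_dispatch' && inputs.release_macos_amd64 && inputs.release_macos_arm64)
        env:
          MACOSX_UNIVERSAL_SUFFIX: "macosx"
          RELEASE_SUFFIX: ${{ github.ref_type == 'tag' && format('v{0}', github.ref_name) || inputs.prerelease_suffix || 'notag' }}
        run: |
          OUTDIR="./releases/release-${MACOSX_UNIVERSAL_SUFFIX}-${RELEASE_SUFFIX}/${MACOSX_UNIVERSAL_SUFFIX}-${RELEASE_SUFFIX}"
          mkdir -p "${OUTDIR}"
          OUTPUT="${OUTDIR}/solx-${MACOSX_UNIVERSAL_SUFFIX}-${RELEASE_SUFFIX}"
          # Paths are quoted so a suffix containing spaces or glob characters
          # cannot split into, or expand to, extra arguments for lipo or rm.
          SRC_AMD64="./releases/release-macosx-amd64-${RELEASE_SUFFIX}/macosx-amd64-${RELEASE_SUFFIX}/solx-macosx-amd64-${RELEASE_SUFFIX}"
          SRC_ARM64="./releases/release-macosx-arm64-${RELEASE_SUFFIX}/macosx-arm64-${RELEASE_SUFFIX}/solx-macosx-arm64-${RELEASE_SUFFIX}"
          llvm-lipo -create -output "${OUTPUT}" "${SRC_AMD64}" "${SRC_ARM64}"
          # The per-architecture binaries are dropped once merged.
          rm -f "${SRC_AMD64}" "${SRC_ARM64}"
      - name: Generate SHA256 checksums
        # These checksums are computed here, after the build artifacts were
        # downloaded, so they cover the bundle from this point on; they say
        # nothing about what happened to a binary before this step.
        run: |
          cd releases
          find . -type f -not -name '*.sha256' | sort | while read -r file; do
            sha256sum "${file}" > "${file}.sha256"
            echo "Checksum: $(cat "${file}.sha256")"
          done
      - name: Bundle release artifacts
        run: |
          TARBALL="solx-release-bundle.tar.gz"
          tar czf "${TARBALL}" -C releases .
          echo "Bundle size: $(du -h "${TARBALL}" | cut -f1)"
      - name: Upload release bundle
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: solx-release-bundle
          path: solx-release-bundle.tar.gz
          retention-days: 5

  # ───────────────────────────────────────────────
  # Stage 2: Review — validate the bundle
  # ───────────────────────────────────────────────
  review:
    permissions:
      contents: read
    name: Review release bundle
    needs: [prepare]
    if: "!cancelled() && needs.prepare.result == 'success'"
    runs-on: ubuntu-24.04
    steps:
      - name: Download release bundle
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: solx-release-bundle
      - name: Extract bundle
        run: |
          mkdir -p bundle
          tar xzf solx-release-bundle.tar.gz -C bundle
      - name: List all files (audit trail)
        run: |
          echo "=== Release bundle contents ==="
          find bundle -type f | sort
      - name: Validate binary count
        env:
          IS_TAG: ${{ github.ref_type == 'tag' }}
        run: |
          BINARY_COUNT=$(find bundle -type f -not -name '*.sha256' | wc -l)
          echo "Found ${BINARY_COUNT} binary file(s)"
          # Tag releases require all 4 platform binaries — catch partial builds
          # caused by individual matrix legs failing (fail-fast: false).
          # Non-tag builds (dispatch/PR) only need >= 1 since platforms can be
          # toggled off intentionally.
          if [ "${IS_TAG}" = "true" ]; then
            # linux-amd64-gnu, linux-arm64-gnu, windows-amd64, macosx-universal
            EXPECTED=4
            if [ "${BINARY_COUNT}" -ne "${EXPECTED}" ]; then
              echo "ERROR: Tag release expected exactly ${EXPECTED} binaries, found ${BINARY_COUNT}"
              find bundle -type f -not -name '*.sha256' | sort
              exit 1
            fi
          elif [ "${BINARY_COUNT}" -lt 1 ]; then
            echo "ERROR: Expected at least 1 binary in the release bundle"
            exit 1
          fi
      - name: Verify SHA256 checksums
        # Confirms the bundle still matches the .sha256 files packed with it.
        run: |
          cd bundle
          CHECKSUM_COUNT=$(find . -name '*.sha256' | wc -l)
          echo "Found ${CHECKSUM_COUNT} checksum file(s)"
          if [ "${CHECKSUM_COUNT}" -lt 1 ]; then
            echo "ERROR: Expected at least 1 checksum file in the release bundle"
            exit 1
          fi
          find . -name '*.sha256' -print0 | xargs -0 sha256sum --check
      - name: Display binary sizes
        run: |
          echo "=== Binary sizes ==="
          find bundle -type f -not -name '*.sha256' -exec ls -lh {} \; | awk '{print $5, $9}'

  # ───────────────────────────────────────────────
  # Stage 2.5: Notify — Slack notification before environment gate
  # ───────────────────────────────────────────────
  # Declares no `permissions:` block of its own.
  notify-deploy:
    name: Notify pre-deploy to Slack
    runs-on: ubuntu-24.04
    needs: [prepare, review, cooldown-check]
    if: >-
      !cancelled()
      && needs.prepare.result == 'success'
      && needs.review.result == 'success'
      && needs.cooldown-check.result == 'success'
      && github.event_name != 'pull_request'
    steps:
      - name: Notify pre-deploy
        # Best effort: a failed notification does not fail the job.
        continue-on-error: true
        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
        with:
          webhook: ${{ secrets.PUBLISHING_NOTIFICATIONS_SLACK_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          # The expressions below are substituted into the JSON text as-is, so
          # a release title containing a double quote would break the payload.
          payload: |
            {
              "text": "solx release — Review requested: ${{ needs.prepare.outputs.release_title }}",
              "blocks": [
                {
                  "type": "header",
                  "text": {
                    "type": "plain_text",
                    "text": "solx release — Review requested"
                  }
                },
                {
                  "type": "section",
                  "fields": [
                    {
                      "type": "mrkdwn",
                      "text": "*Release:*\n`${{ needs.prepare.outputs.release_title }}`"
                    },
                    {
                      "type": "mrkdwn",
                      "text": "*Type:*\n${{ github.ref_type == 'tag' && 'Production release' || 'Internal / nightly release' }}"
                    }
                  ]
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "*Commit:* <${{ github.event.head_commit.url || format('{0}/{1}/commit/{2}', github.server_url, github.repository, github.sha) }}|View commit>\n*Approve:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Open workflow run>"
                  }
                },
                {
                  "type": "context",
                  "elements": [
                    {
                      "type": "mrkdwn",
                      "text": "Triggered by *${{ github.actor }}* via `${{ github.event_name }}`"
                    }
                  ]
                }
              ]
            }

  # ───────────────────────────────────────────────
  # Stage 3: Publish
  # ───────────────────────────────────────────────
  # The only job with write scopes (OIDC token, attestations, contents).
  publish:
    permissions:
      id-token: write
      attestations: write
      contents: write
    name: Publish release
    needs: [prepare, review, get-previous-release, notify-deploy, cooldown-check]
    # Run as long as prepare, review, and cooldown-check succeeded — tolerate
    # get-previous-release failure so a transient GitHub API issue doesn't
    # silently skip the release.
    if: >-
      !cancelled()
      && needs.prepare.result == 'success'
      && needs.review.result == 'success'
      && needs.cooldown-check.result == 'success'
    # PR dry-runs skip the manual approval gate; tag/dispatch runs still require it.
    environment: ${{ github.event_name != 'pull_request' && 'solx-release' || '' }}
    runs-on: ubuntu-24.04
    steps:
      - name: Notify deployment approved to Slack
        if: github.event_name != 'pull_request'
        continue-on-error: true
        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
        with:
          webhook: ${{ secrets.PUBLISHING_NOTIFICATIONS_SLACK_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload: |
            {
              "text": "solx release — Deployment starting: ${{ needs.prepare.outputs.release_title }}",
              "blocks": [
                {
                  "type": "header",
                  "text": {
                    "type": "plain_text",
                    "text": "solx release — Deployment starting"
                  }
                },
                {
                  "type": "section",
                  "fields": [
                    {
                      "type": "mrkdwn",
                      "text": "*Release:*\n`${{ needs.prepare.outputs.release_title }}`"
                    },
                    {
                      "type": "mrkdwn",
                      "text": "*Type:*\n${{ github.ref_type == 'tag' && 'Production release' || 'Internal / nightly release' }}"
                    }
                  ]
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "*Run:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Open workflow run>"
                  }
                },
                {
                  "type": "context",
                  "elements": [
                    {
                      "type": "mrkdwn",
                      "text": "Triggered by *${{ github.actor }}*"
                    }
                  ]
                }
              ]
            }
      # NOTE(review): credentials stay persisted here because it is not visible
      # from this file whether the changelog action runs git against the
      # remote; set `persist-credentials: false` if it does not — confirm.
      - name: Checkout source
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.ref || '' }}
      - name: Download release bundle
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: solx-release-bundle
      - name: Extract bundle
        run: |
          mkdir -p releases
          tar xzf solx-release-bundle.tar.gz -C releases
      - name: Build changelog
        if: github.ref_type == 'tag' || github.event_name == 'pull_request'
        id: build_changelog
        uses: mikepenz/release-changelog-builder-action@2cb9befdbc05f65b8354cc9873cd506509bd0782 # v6.2.0
        with:
          fromTag: ${{ needs.get-previous-release.outputs.tag || '' }}
          toTag: ${{ github.ref_type == 'tag' && github.ref_name || github.sha }}
          mode: "COMMIT"
          configurationJson: |
            {
              "template": "# 📝 Changelog\n\n#{{CHANGELOG}}",
              "categories": [
                {
                  "title": "## ✨ Features",
                  "labels": ["feat", "feature"]
                },
                {
                  "title": "## 🐛 Fixes",
                  "labels": ["fix", "bug"]
                },
                {
                  "title": "## 📚 Documentation",
                  "labels": ["docs", "documentation"]
                },
                {
                  "title": "## 📦 Other Changes",
                  "labels": []
                }
              ],
              "label_extractor": [
                {
                  "pattern": "^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test){1}(\\([\\w\\-\\.]+\\))?(!)?: ([\\w ])+([\\s\\S]*)",
                  "on_property": "title",
                  "target": "$1"
                }
              ]
            }
      # Provenance is attested for tag releases only: pre-releases published
      # from workflow_dispatch are uploaded without an attestation.
      - name: Binaries attestation
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        if: github.ref_type == 'tag'
        with:
          subject-path: 'releases/**/**'
      - name: Publish release
        if: github.event_name != 'pull_request'
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          name: ${{ needs.prepare.outputs.release_title }}
          generate_release_notes: false
          body: ${{ steps.build_changelog.outputs.changelog }}
          tag_name: ${{ needs.prepare.outputs.version_or_sha }}
          target_commitish: ${{ needs.prepare.outputs.full_sha || github.sha }}
          prerelease: ${{ github.ref_type != 'tag' }}
          make_latest: ${{ github.ref_type == 'tag' }}
          files: releases/**/**
      - name: "DRY-RUN: publish summary"
        if: github.event_name == 'pull_request'
        env:
          RELEASE_TITLE: ${{ needs.prepare.outputs.release_title }}
          VERSION_OR_SHA: ${{ needs.prepare.outputs.version_or_sha }}
          FULL_SHA: ${{ needs.prepare.outputs.full_sha }}
          IS_TAG: ${{ github.ref_type == 'tag' }}
          CHANGELOG: ${{ steps.build_changelog.outputs.changelog }}
        run: |
          echo "============================================"
          echo " DRY-RUN: Release would be published"
          echo "============================================"
          echo ""
          echo "Release title: ${RELEASE_TITLE}"
          echo "Version / SHA: ${VERSION_OR_SHA}"
          echo "Full SHA: ${FULL_SHA}"
          echo "Is tag release: ${IS_TAG}"
          echo "Prerelease: ${{ github.ref_type != 'tag' }}"
          echo "Make latest: ${{ github.ref_type == 'tag' }}"
          echo ""
          echo "--- Changelog ---"
          echo "${CHANGELOG:-'(no changelog — not a tag release)'}"
          echo ""
          echo "--- Files that would be uploaded ---"
          find releases -type f -not -name '*.sha256' | sort
          echo ""
          echo "--- Checksums ---"
          find releases -name '*.sha256' -exec cat {} \; | sort
          echo ""
          echo "--- Skipped steps (dry-run) ---"
          echo " - actions/attest-build-provenance (attestation)"
          echo " - softprops/action-gh-release (GitHub Release creation)"
          echo ""
          echo "============================================"
          echo " DRY-RUN complete. No release was created."
          echo "============================================"
      - name: Summary
        # release_title can embed the free-form prerelease_suffix input, and
        # this job holds write scopes, so the values are read from the
        # environment and never expanded into the script text.
        env:
          RELEASE_TITLE: ${{ needs.prepare.outputs.release_title }}
          VERSION_OR_SHA: ${{ needs.prepare.outputs.version_or_sha }}
          IS_PRERELEASE: ${{ github.ref_type != 'tag' }}
          ENVIRONMENT_NAME: ${{ github.event_name != 'pull_request' && 'solx-release' || 'none (dry-run)' }}
        run: |
          {
            echo "### Release Summary"
            echo ""
            echo "| Field | Value |"
            echo "|-------|-------|"
            echo "| **Title** | \`${RELEASE_TITLE}\` |"
            echo "| **Version** | \`${VERSION_OR_SHA}\` |"
            echo "| **Prerelease** | \`${IS_PRERELEASE}\` |"
            echo "| **Environment** | \`${ENVIRONMENT_NAME}\` |"
            echo ""
            echo "**Files:**"
            echo "\`\`\`"
            find releases -type f -not -name '*.sha256' | sort
            echo "\`\`\`"
          } >> "${GITHUB_STEP_SUMMARY}"

  # Tag releases only: calls the docs deployment workflow after publishing.
  deploy-docs:
    if: github.ref_type == 'tag'
    needs: publish
    uses: ./.github/workflows/deploy-docs.yaml
    with:
      deploy: true
    permissions:
      contents: write

  # Tag releases only: fetches the install script at the released tag and runs
  # it on each listed runner.
  check-install-script:
    if: github.ref_type == 'tag'
    needs: publish
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: "MacOS x86"
            runner: macos-15-intel
          - name: "MacOS arm64"
            runner: macos-15
          - name: "Linux x86 gnu"
            runner: ubuntu-24.04
          - name: "Linux ARM64 gnu"
            runner: ubuntu-24.04-arm
    runs-on: ${{ matrix.runner }}
    name: ${{ matrix.name }}
    steps:
      - name: Download and run installation script
        # The tag name is chosen by whoever pushes the tag; it is read from the
        # environment so it cannot alter the commands below.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          curl -fsSL -o "${RUNNER_TEMP}/install-solx" \
            "https://raw.githubusercontent.com/NomicFoundation/solx/${REF_NAME}/install-solx"
          bash "${RUNNER_TEMP}/install-solx"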