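---
# Nightly Builder: builds, signs and publishes Artichoke release archives.
#
# Triggers: any tag push, a daily cron schedule, and a manual dispatch that
# takes an explicit release tag and name.
#
# Job flow:
#   create-release          draft release + metadata handed on as an artifact
#   build-release           per-target binaries, archives and signatures
#   package-source-archive  signed source archives (tar.gz and zip)
#   finalize-release        publish the draft; prune old releases on schedule
#
# Hardening already present in this file: the workflow-level token has no
# permissions and each job opts in to `contents: write`, every action is
# pinned to a full commit SHA, checkouts set `persist-credentials: false`,
# and dispatch inputs reach the shell through `env` rather than inline
# `${{ }}` templating.
name: Nightly Builder
"on":
  push:
    tags:
      - "*"
  schedule:
    - cron: "0 0 * * *" # build nightly!
  workflow_dispatch:
    inputs:
      tag:
        description: Release tag
        required: true
      name:
        description: Release name
        required: true
permissions: {}
jobs:
  create-release:
    name: Create Release
    runs-on: ubuntu-latest
    permissions:
      # Needed to create the draft release below.
      contents: write
    steps:
      - name: Create artifacts directory
        run: mkdir artifacts
      - name: Get the release version from the tag
        id: release_version
        # The event name, ref and dispatch inputs are read from the
        # environment, so their contents are never parsed as shell code.
        run: |
          if [[ "$GITHUB_EVENT_NAME" == "schedule" ]]; then
            release_name="nightly-$(date '+%Y-%m-%d')"
            release_tag="$release_name"
          elif [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
            release_name="$EVENT_INPUT_NAME"
            release_tag="$EVENT_INPUT_TAG"
          else
            # Strip only the ref prefix. `basename` would truncate a tag
            # such as `a/b` to `b`, which is not the tag that was pushed.
            release_name="${GITHUB_REF#refs/tags/}"
            release_tag="$release_name"
          fi
          echo "Release name is: ${release_name}"
          echo "Release version is: ${release_tag}"
          echo "name=${release_name}" >> "$GITHUB_OUTPUT"
          echo "tag=${release_tag}" >> "$GITHUB_OUTPUT"
        env:
          GITHUB_EVENT_NAME: ${{ github.event_name }}
          GITHUB_REF: ${{ github.ref }}
          EVENT_INPUT_NAME: ${{ github.event.inputs.name }}
          EVENT_INPUT_TAG: ${{ github.event.inputs.tag }}
      - name: Clone Artichoke
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: artichoke/artichoke
          path: artichoke
          persist-credentials: false
      - name: Set latest_commit
        id: latest_commit
        working-directory: artichoke
        # Record the exact commit once so that every downstream job builds
        # and archives the same revision.
        run: |
          artichoke_head=$(git rev-parse HEAD)
          echo "Artichoke HEAD commit is: ${artichoke_head}"
          echo "commit=${artichoke_head}" >> "$GITHUB_OUTPUT"
      - name: Create GitHub release
        id: release
        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_version.outputs.tag }}
          # Stays a draft until finalize-release flips it.
          draft: true
          prerelease: false
          name: ${{ steps.release_version.outputs.name }}
          body: artichoke/artichoke@${{ steps.latest_commit.outputs.commit }}
      # The next four steps write release metadata to files; the `artifacts`
      # upload below hands them to the later jobs.
      - name: Save release commit hash to artifact
        run: echo "$COMMIT_HASH" > artifacts/release-commit-hash
        env:
          COMMIT_HASH: ${{ steps.latest_commit.outputs.commit }}
      - name: Save release ID to artifact
        run: echo "$RELEASE_ID" > artifacts/release-id
        env:
          RELEASE_ID: ${{ steps.release.outputs.id }}
      - name: Save release upload URL to artifact
        run: echo "$RELEASE_UPLOAD_URL" > artifacts/release-upload-url
        env:
          RELEASE_UPLOAD_URL: ${{ steps.release.outputs.upload_url }}
      - name: Save version number to artifact
        run: echo "$RELEASE_VERSION" > artifacts/release-version
        env:
          RELEASE_VERSION: ${{ steps.release_version.outputs.tag }}
      - name: Upload artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: artifacts
          path: artifacts
  build-release:
    name: Build Release
    needs: ["create-release"]
    runs-on: ${{ matrix.os }}
    permissions:
      # Needed to upload archives and signatures to the draft release.
      contents: write
    strategy:
      fail-fast: false
      matrix:
        build:
          - linux-x64
          - linux-x64-musl
          - linux-arm64
          - macos-x64
          - macos-arm64
          - windows-x64
        include:
          - build: linux-x64
            os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
          - build: linux-x64-musl
            os: ubuntu-latest
            target: x86_64-unknown-linux-musl
          - build: linux-arm64
            os: ubuntu-latest
            target: aarch64-unknown-linux-gnu
          - build: macos-x64
            os: macos-latest
            target: x86_64-apple-darwin
          - build: macos-arm64
            os: macos-latest
            target: aarch64-apple-darwin
          - build: windows-x64
            os: windows-latest
            target: x86_64-pc-windows-msvc
    env:
      RUST_BACKTRACE: 1
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Get release download URL
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: artifacts
          path: artifacts
      - name: Set release upload URL and release version
        shell: bash
        id: release_info
        # Re-export the metadata files written by create-release as outputs.
        run: |
          release_upload_url="$(cat artifacts/release-upload-url)"
          release_version="$(cat artifacts/release-version)"
          release_commit="$(cat artifacts/release-commit-hash)"
          echo "Release upload url: ${release_upload_url}"
          echo "Release version: ${release_version}"
          echo "Release commit: ${release_commit}"
          echo "upload_url=${release_upload_url}" >> "$GITHUB_OUTPUT"
          echo "version=${release_version}" >> "$GITHUB_OUTPUT"
          echo "commit=${release_commit}" >> "$GITHUB_OUTPUT"
      - name: Generate THIRDPARTY license listing
        uses: artichoke/generate_third_party@4da01edc4b60228846ab2949292044fc55bfb193 # v1.15.0
        with:
          artichoke_ref: ${{ steps.release_info.outputs.commit }}
          target_triple: ${{ matrix.target }}
          output_file: ${{ github.workspace }}/THIRDPARTY.txt
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Clone Artichoke
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: artichoke/artichoke
          path: artichoke
          ref: ${{ steps.release_info.outputs.commit }}
          # Fetch all history.
          #
          # The Artichoke release metadata build script calculates Ruby
          # constants like `RUBY_REVISION` by walking the git history.
          fetch-depth: 0
          persist-credentials: false
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0
        with:
          # NOTE(review): the action is SHA-pinned but `latest` lets the uv
          # binary itself float between runs. uv later runs the signing
          # helpers, so consider pinning a reviewed uv version here.
          version: "latest"
          enable-cache: false
      - name: Set up Python
        run: uv python install
      - name: Setup virtualenv
        run: uv sync
      - name: Set Artichoke Rust toolchain version
        shell: bash
        id: rust_toolchain
        run: |
          uv run python -m artichoke_nightly.rust_toolchain_version \
            --file artichoke/rust-toolchain.toml \
            --format github
      - name: Install Rust toolchain
        uses: artichoke/setup-rust/build-and-test@68e0ebb3b406970de1cc2ca807797c9156a198a7 # v2.0.1
        with:
          toolchain: ${{ steps.rust_toolchain.outputs.version }}
          target: ${{ matrix.target }}
      - name: Install musl x86_64
        if: matrix.build == 'linux-x64-musl'
        run: |
          sudo apt update
          sudo apt install musl-tools
      - name: Install gcc aarch64 cross compiler
        if: matrix.build == 'linux-arm64'
        run: |
          sudo apt update
          sudo apt install gcc-aarch64-linux-gnu binutils-aarch64-linux-gnu
          # https://github.com/rust-lang/rust-bindgen/issues/1229
          echo 'BINDGEN_EXTRA_CLANG_ARGS=--sysroot=/usr/aarch64-linux-gnu' >> "$GITHUB_ENV"
          # https://github.com/rust-lang/rust/issues/28924
          echo 'CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc' >> "$GITHUB_ENV"
      - name: Build release artifacts
        working-directory: artichoke
        run: cargo build --verbose --release --target ${{ matrix.target }}
      # The signing key is imported only after `cargo build` has finished, so
      # build scripts and other code executed during compilation never run
      # while the private key is loaded in the runner's keyring.
      #
      # `fingerprint` below selects the signing subkey ([S]) from this
      # listing. The e-mail address was obfuscated in the captured page and
      # is shown as a placeholder.
      #
      # ```
      # $ gpg --fingerprint --with-subkey-fingerprints <code-signing-email>
      # pub ed25519 2021-01-03 [SC]
      # C983 8F10 4021 F59E E6F6 BCBE B199 D034 7FDA 14A4
      # uid [ultimate] Code signing for Artichoke Ruby <code-signing-email>
      # sub cv25519 2021-01-03 [E]
      # 7719 1B6D 83B2 F4E8 5197 125B A9A3 F70E 710A 15AA
      # sub ed25519 2021-01-03 [S]
      # 1C4A 856A CF86 EC1E E841 180F AF57 A37C AC06 1452
      # ```
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
          fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452
          # Set the GPG key to full trust (value 4) to ensure reliable signing
          # and verification in CI. Full trust balances security and
          # practicality in automated environments, avoiding prompts or
          # failures that can occur with marginal trust, while not
          # compromising security like ultimate trust.
          trust_level: 4
      - name: List keys
        run: gpg -K
      # This will codesign binaries in place which means that the tarballed
      # binaries will be codesigned as well.
      - name: Run Apple Codesigning and Notarization
        shell: bash
        id: apple_codesigning
        if: runner.os == 'macOS'
        run: |
          uv run python -m artichoke_nightly.macos_sign_and_notarize \
            "artichoke-nightly-${{ matrix.target }}" \
            --binary "artichoke/target/${{ matrix.target }}/release/artichoke" \
            --binary "artichoke/target/${{ matrix.target }}/release/airb" \
            --resource artichoke/LICENSE \
            --resource artichoke/README.md \
            --resource THIRDPARTY.txt \
            --dmg-icon-url "https://artichoke.github.io/logo/Artichoke-dmg.icns"
        # Apple signing secrets are scoped to this one step.
        env:
          MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }}
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }}
      - name: GPG sign Apple DMG
        shell: bash
        id: apple_codesigning_gpg
        if: runner.os == 'macOS'
        run: |
          uv run python -m artichoke_nightly.gpg_sign "artichoke-nightly-${{ matrix.target }}" --artifact "$ARTIFACT"
        env:
          ARTIFACT: ${{ steps.apple_codesigning.outputs.asset }}
      - name: Upload release archive
        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
        if: runner.os == 'macOS'
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.apple_codesigning.outputs.asset }}
          artifactContentType: ${{ steps.apple_codesigning.outputs.content_type }}
      - name: Upload release signature
        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
        if: runner.os == 'macOS'
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.apple_codesigning_gpg.outputs.signature }}
          artifactContentType: "text/plain"
      - name: Build archive
        shell: bash
        id: build
        # Stage the binaries with README, LICENSE and THIRDPARTY.txt, then
        # pack a zip on Windows and a gzipped tarball elsewhere.
        run: |
          staging="artichoke-nightly-${{ matrix.target }}"
          mkdir -p "$staging"/
          cp artichoke/{README.md,LICENSE} THIRDPARTY.txt "$staging/"
          if [ "${{ runner.os }}" = "Windows" ]; then
            cp "artichoke/target/${{ matrix.target }}/release/artichoke.exe" "$staging/"
            cp "artichoke/target/${{ matrix.target }}/release/airb.exe" "$staging/"
            7z a "$staging.zip" "$staging"
            echo "asset=$staging.zip" >> "$GITHUB_OUTPUT"
            echo "content_type=application/zip" >> "$GITHUB_OUTPUT"
          else
            cp "artichoke/target/${{ matrix.target }}/release/artichoke" "$staging/"
            cp "artichoke/target/${{ matrix.target }}/release/airb" "$staging/"
            tar czf "$staging.tar.gz" "$staging"
            echo "asset=$staging.tar.gz" >> "$GITHUB_OUTPUT"
            echo "content_type=application/gzip" >> "$GITHUB_OUTPUT"
          fi
      - name: GPG sign archive
        shell: bash
        id: gpg_signing
        run: |
          uv run python -m artichoke_nightly.gpg_sign "artichoke-nightly-${{ matrix.target }}" --artifact "$ARTIFACT"
        env:
          ARTIFACT: ${{ steps.build.outputs.asset }}
      - name: Upload release archive
        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.build.outputs.asset }}
          artifactContentType: ${{ steps.build.outputs.content_type }}
      - name: Upload release signature
        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.gpg_signing.outputs.signature }}
          artifactContentType: "text/plain"
  package-source-archive:
    name: Package Source Archive
    needs: ["create-release"]
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload archives and signatures to the draft release.
      contents: write
    strategy:
      fail-fast: false
      matrix:
        archive:
          - tar.gz
          - zip
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Get release download URL
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: artifacts
          path: artifacts
      - name: Set release upload URL and release version
        shell: bash
        id: release_info
        # Re-export the metadata files written by create-release as outputs.
        run: |
          release_upload_url="$(cat artifacts/release-upload-url)"
          release_version="$(cat artifacts/release-version)"
          release_commit="$(cat artifacts/release-commit-hash)"
          echo "Release upload url: ${release_upload_url}"
          echo "Release version: ${release_version}"
          echo "Release commit: ${release_commit}"
          echo "upload_url=${release_upload_url}" >> "$GITHUB_OUTPUT"
          echo "version=${release_version}" >> "$GITHUB_OUTPUT"
          echo "commit=${release_commit}" >> "$GITHUB_OUTPUT"
      - name: Clone Artichoke
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: artichoke/artichoke
          path: artichoke
          ref: ${{ steps.release_info.outputs.commit }}
          persist-credentials: false
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0
        with:
          # NOTE(review): the action is SHA-pinned but `latest` lets the uv
          # binary itself float between runs. uv later runs the signing
          # helper, so consider pinning a reviewed uv version here.
          version: "latest"
          enable-cache: false
      - name: Set up Python
        run: uv python install
      - name: Setup virtualenv
        run: uv sync
      # `fingerprint` below selects the signing subkey ([S]) from this
      # listing. The e-mail address was obfuscated in the captured page and
      # is shown as a placeholder.
      #
      # ```
      # $ gpg --fingerprint --with-subkey-fingerprints <code-signing-email>
      # pub ed25519 2021-01-03 [SC]
      # C983 8F10 4021 F59E E6F6 BCBE B199 D034 7FDA 14A4
      # uid [ultimate] Code signing for Artichoke Ruby <code-signing-email>
      # sub cv25519 2021-01-03 [E]
      # 7719 1B6D 83B2 F4E8 5197 125B A9A3 F70E 710A 15AA
      # sub ed25519 2021-01-03 [S]
      # 1C4A 856A CF86 EC1E E841 180F AF57 A37C AC06 1452
      # ```
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
          fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452
          # Set the GPG key to full trust (value 4) to ensure reliable signing
          # and verification in CI. Full trust balances security and
          # practicality in automated environments, avoiding prompts or
          # failures that can occur with marginal trust, while not
          # compromising security like ultimate trust.
          trust_level: 4
      - name: List keys
        run: gpg -K
      - name: Build source archive
        # Archive the exact commit recorded by create-release.
        run: |
          git -C artichoke archive \
            --format ${{ matrix.archive }} \
            -9 \
            --output="$(pwd)/artichoke-nightly.source.${{ matrix.archive }}" \
            "$COMMIT"
        env:
          COMMIT: ${{ steps.release_info.outputs.commit }}
      - name: Build archive
        shell: bash
        id: build
        # No packing happens here: this step only publishes the asset name
        # and content type of the archive written by the previous step.
        run: |
          if [ "${{ matrix.archive }}" = "zip" ]; then
            echo "asset=artichoke-nightly.source.zip" >> "$GITHUB_OUTPUT"
            echo "content_type=application/zip" >> "$GITHUB_OUTPUT"
          else
            echo "asset=artichoke-nightly.source.tar.gz" >> "$GITHUB_OUTPUT"
            echo "content_type=application/gzip" >> "$GITHUB_OUTPUT"
          fi
      - name: GPG sign archive
        shell: bash
        id: gpg_signing
        run: |
          uv run -m artichoke_nightly.gpg_sign "artichoke-nightly-source-archive" --artifact "$ARTIFACT"
        env:
          ARTIFACT: ${{ steps.build.outputs.asset }}
      - name: Upload release archive
        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.build.outputs.asset }}
          artifactContentType: ${{ steps.build.outputs.content_type }}
      - name: Upload release signature
        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.release_info.outputs.version }}
          draft: true
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
          artifacts: ${{ steps.gpg_signing.outputs.signature }}
          artifactContentType: "text/plain"
  finalize-release:
    name: Publish Release
    # Runs only after both packaging jobs have finished.
    needs: ["build-release", "package-source-archive"]
    runs-on: ubuntu-latest
    permissions:
      # Needed to publish the draft and to delete old releases.
      contents: write
    steps:
      - name: Get release download URL
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: artifacts
          path: artifacts
      - name: Set publish_info
        id: publish_info
        run: echo "release_tag=$(cat artifacts/release-version)" >> "$GITHUB_OUTPUT"
      - name: Publish release
        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ steps.publish_info.outputs.release_tag }}
          # Flip the draft created by create-release to published.
          draft: false
          allowUpdates: true
          omitBodyDuringUpdate: true
          omitNameDuringUpdate: true
          omitPrereleaseDuringUpdate: true
      # Prune old releases on scheduled (nightly) runs only, so tag-push and
      # manually dispatched runs never trigger a deletion.
      - uses: eregon/keep-last-n-releases@c662ecf90e35b1070a4894539d8804a286e55151 # v1
        if: github.event_name == 'schedule'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          n: 7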