Skip to content

Add attestation with sbom #26

Add attestation with sbom

Add attestation with sbom #26

Workflow file for this run

name: Rust builds
on:
push:
branches: [main]
tags:
- v*
pull_request:
branches: [main]
permissions:
contents: write
id-token: write
attestations: write
actions: read
jobs:
create-release:
needs:
- build
- nixbuild
runs-on: ubuntu-latest
if: github.ref_type == 'tag'
steps:
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
path: artifacts
- name: Rename and move artifacts
run: |
for dir in artifacts/*/
do
dir=${dir%*/} # remove the trailing "/"
for file in $dir/*
do
file=${file##*/} # remove the path before the filename
base=${file%.*} # remove the extension
ext=${file#"$base"} # remove the filename before the extension
echo "moving ${dir}/${file} to artifacts/${file%%.*}-${dir##*/}${ext}"
mv "${dir}/${file}" "artifacts/${file%%.*}-${dir##*/}${ext}"
done
rm -r "${dir}"
done
- name: release
uses: ncipollo/release-action@v1
id: create_release
with:
generateReleaseNotes: true
artifacts: "artifacts/*"
nixbuild:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v25
with:
nix_path: nixpkgs=channel:nixos-23.05
- uses: DeterminateSystems/magic-nix-cache-action@v3
- run: nix-build
- run: nix-shell --run "echo OK"
build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
rust: [stable]
target: [x86_64-unknown-linux-gnu, x86_64-pc-windows-msvc, i686-pc-windows-msvc, x86_64-apple-darwin, aarch64-apple-darwin] #x86_64-unknown-linux-musl,
package: ["time", "timer", "counter"]
include:
- os: ubuntu-latest
target: x86_64-unknown-linux-gnu
name: linux_64-bit
#- os: ubuntu-latest
# target: x86_64-unknown-linux-musl
- os: windows-latest
target: x86_64-pc-windows-msvc
name: windows_64-bit
- os: windows-latest
target: i686-pc-windows-msvc
name: windows_32-bit
- os: macos-latest
target: x86_64-apple-darwin
name: macos_64-bit
- os: macos-latest
target: aarch64-apple-darwin
name: macos_aarch64
fail-fast: false
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Rust
uses: moonrepo/setup-rust@v1
with:
cache-target: release
targets: ${{ matrix.target }}
- name: Linux Specific libs install
if: matrix.os == 'ubuntu-latest'
uses: awalsh128/cache-apt-pkgs-action@v1
with:
packages: librust-atk-dev libglib2.0-dev libgtk-3-dev
execute_install_scripts: true
- name: Configure sccache env var and set build profile to ephemeral build
run: |
echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
echo "SCCACHE_GHA_ENABLED=true" >> $GITHUB_ENV
- name: Run sccache-cache
uses: mozilla-actions/sccache-action@v0.0.4
- name: Run build
run: cargo build --target ${{ matrix.target }} --release --package ${{ matrix.package }} --bin ${{ matrix.package }}
- uses: anchore/sbom-action@v0
with:
artifact-name: "${{ matrix.package }}-${{ matrix.name }}-sbom.spdx.json"
output-file: "${{ matrix.package }}-${{ matrix.name }}-sbom.spdx.json"
- uses: actions/attest-sbom@v1
with:
subject-path: |
!target/${{ matrix.target }}/release/*.pdb
!target/${{ matrix.target }}/release/*.d
!target/${{ matrix.target }}/release/deps
!target/${{ matrix.target }}/release/build
!target/${{ matrix.target }}/release/.fingerprint
!target/${{ matrix.target }}/release/examples
!target/${{ matrix.target }}/release/incremental
!target/${{ matrix.target }}/release/.cargo-lock
target/${{ matrix.target }}/release/${{ matrix.package }}*(?<!\.d)
sbom-path: "${{ matrix.package }}-${{ matrix.name }}-sbom.spdx.json"
push-to-registry: false
- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
name: "${{ matrix.package }}-${{ matrix.name }}"
path: |
target/${{ matrix.target }}/release/${{ matrix.package }}*
!target/${{ matrix.target }}/release/deps
!target/${{ matrix.target }}/release/build
!target/${{ matrix.target }}/release/.fingerprint
!target/${{ matrix.target }}/release/examples
!target/${{ matrix.target }}/release/incremental
!target/${{ matrix.target }}/release/.cargo-lock
!target/${{ matrix.target }}/release/*.d
!target/${{ matrix.target }}/release/*.pdb