---
# Release pipeline: determinism harness -> per-OS split builds -> one merge
# job that signs and publishes.
#
# NOTE(review): every third-party action below is referenced by a mutable
# tag or branch (@v1, @v2, @stable) and several of them run with GH_PAT or
# the signing keys in scope. Pinning each `uses:` to a full commit SHA
# (`owner/repo@<full-commit-sha>  # v1`) keeps a moved tag from changing
# the code that sees those secrets.
name: Release

# Runs for any pushed tag matching v*.
# NOTE(review): whoever can push such a tag can start a publishing run with
# all release secrets; confirm a tag protection rule restricts who that is.
on:
  push:
    tags:
      - 'v*'

# Workflow-level grant for the automatic token; all three jobs inherit it.
# NOTE(review): only the `release` job is named as publishing, so the other
# two may only need `contents: read` -- confirm what anodizer-action does
# with the automatic token before narrowing this per job.
permissions:
  contents: write
  actions: read  # needed for cross-workflow artifact download

# All runs share the group `release`; an in-flight run is not cancelled.
concurrency:
  group: release
  cancel-in-progress: false

env:
  CARGO_TERM_COLOR: always

jobs:
  # Gate: the build job below declares `needs` on this job.
  determinism-check:
    name: Determinism Harness (${{ matrix.os }})
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-latest
          - macos-latest
          - windows-latest
    runs-on: ${{ matrix.os }}
    steps:
      # NOTE(review): checkout keeps the job token in the local git config
      # unless `persist-credentials: false` is set; worth setting if no
      # later step needs git auth -- confirm against what anodizer does.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # GITHUB_TOKEN is a personal access token here, not the automatic
      # token, so the `permissions` block above does not limit it.
      # NOTE(review): confirm the harness needs a PAT at all, and that the
      # PAT is fine-grained and scoped to this repository.
      - uses: tj-smith47/anodizer-action@v1
        with:
          determinism: true
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}

  # Per-OS split builds; each runner uploads its dist/ as `dist-<runner OS>`.
  build:
    name: Build (${{ matrix.os }})
    needs: determinism-check
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            targets: x86_64-unknown-linux-gnu,aarch64-unknown-linux-gnu
          - os: macos-latest
            targets: x86_64-apple-darwin,aarch64-apple-darwin
          - os: windows-latest
            targets: x86_64-pc-windows-msvc,aarch64-pc-windows-msvc
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.targets }}
      # NOTE(review): release binaries are built on top of a restored
      # cache. Confirm which runs can write a cache this key restores, or
      # build releases without the cache.
      - uses: Swatinem/rust-cache@v2
        with:
          key: release-${{ matrix.os }}
      # On Linux the anodizer binary built by CI is reused. macOS and
      # Windows have no per-platform CI artifact, so anodizer is built from
      # source there. Both variants go through the same action, which keeps
      # a single entry point for the release workflow.
      #
      # NOTE(review): on Linux the anodizer binary comes from a ci.yml run
      # chosen by `artifact-run-id: auto`. Confirm how `auto` picks the run
      # (it should be the tagged commit on a trusted ref), because that
      # binary executes with GH_PAT in its environment.
      - name: Install anodizer + build dependencies (Linux)
        if: runner.os == 'Linux'
        uses: tj-smith47/anodizer-action@v1
        with:
          from-artifact: anodizer-linux
          artifact-run-id: auto
          artifact-workflow: ci.yml
          install: zig,cargo-zigbuild,upx
          args: release --split --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
      - name: Install anodizer + build dependencies (macOS/Windows)
        if: runner.os != 'Linux'
        uses: tj-smith47/anodizer-action@v1
        with:
          from-source: true
          install-rust: false  # already installed above via rust-toolchain
          install: zig,cargo-zigbuild,upx
          args: release --split --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
      - name: Upload split artifacts
        uses: actions/upload-artifact@v4
        with:
          name: dist-${{ runner.os }}
          path: dist/

  # Merges the split outputs. This is the only job that receives the
  # signing keys and registry/store credentials.
  release:
    name: Publish Release
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: dtolnay/rust-toolchain@stable
      # Collect every dist-* artifact into dist/ first; the action's
      # `args: release --merge` step below works on that directory.
      - name: Download split artifacts
        uses: actions/download-artifact@v4
        with:
          path: dist/
          pattern: dist-*
          merge-multiple: true
      # Presence check only: fails when no context.json exists under dist/.
      # It does not compare the count with the number of build runners and
      # does not verify artifact contents before they are signed.
      - name: Verify split artifacts
        run: |
          echo "Split contexts found:"
          find dist -name context.json -type f
          COUNT=$(find dist -name context.json -type f | wc -l)
          if [ "$COUNT" -eq 0 ]; then
            echo "::error::No split context files found in dist/"
            exit 1
          fi
          echo "Found $COUNT split context(s)"
      # NOTE(review): this one step holds the GPG, APK and cosign keys plus
      # every publishing credential, and it runs the anodizer binary pulled
      # from a ci.yml artifact (`artifact-run-id: auto`). Confirm that
      # artifact can only come from a trusted run of the released commit.
      - name: Run anodizer release --merge
        uses: tj-smith47/anodizer-action@v1
        with:
          from-artifact: anodizer-linux
          artifact-run-id: auto
          artifact-workflow: ci.yml
          install: nfpm,makeself,snapcraft,rpmbuild,cosign,syft
          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
          apk-private-key: ${{ secrets.APK_PRIVATE_KEY }}
          args: release --merge
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
          CHOCOLATEY_API_KEY: ${{ secrets.CHOCOLATEY_API_KEY }}
          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
          CLOUDSMITH_TOKEN: ${{ secrets.CLOUDSMITH_TOKEN }}
      # Uploaded even when an earlier step failed (`if: always()`); missing
      # files only produce a warning.
      # NOTE(review): confirm the summary files never echo secret values,
      # since artifacts are readable by anyone with read access to the run.
      - name: Upload run summary
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: run-summary-${{ github.sha }}
          path: |
            dist/run-*/summary.json
            dist/run-*/determinism.json
          if-no-files-found: warn