Test binaries #134
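---
name: Test binaries

on:
  workflow_dispatch: {}
  # Run nightly on the main branch
  schedule:
    # Quoted so the `*` fields are always read as one plain string.
    - cron: '0 0 * * *'  # Every day at midnight UTC

# run concurrency group for the workflow
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Workflow-level default for GITHUB_TOKEN. Any job without its own
# `permissions:` block inherits every scope listed here.
# NOTE(review): prefer a read-only default (`contents: read`) at this level and
# grant write scopes only on the job that needs them.
permissions:
  contents: write
  pull-requests: write
  attestations: write
  packages: write
  id-token: write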
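jobs:
  build:
    name: Build binaries
    # Least privilege: this job compiles and uploads a workflow artifact only.
    # Checkout uses the GitHub App token, so GITHUB_TOKEN needs no write scope
    # here and must not inherit the workflow-level write permissions.
    permissions:
      contents: read
    # for list of arch `rustup target list | grep -iE 'apple|linux'`
    # TODO: Change https://github.com/actions/runner-images/issues/12520 `macos-latest` to `macos-15` when available
    strategy:
      matrix:
        include:
          - arch: x86_64-unknown-linux-gnu
            platform: ubuntu-22.04
          - arch: aarch64-unknown-linux-gnu
            platform: ubuntu-22.04-arm
          - arch: x86_64-apple-darwin
            platform: macos-latest
          - arch: aarch64-apple-darwin
            platform: macos-latest
    runs-on: ${{ matrix.platform }}
    env:
      RUSTUP_TOOLCHAIN: stable-${{ matrix.arch }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          # `audit` only records outbound connections; it does not stop them.
          # Once the expected endpoints are known, `egress-policy: block` with
          # `allowed-endpoints` is the enforcing mode.
          egress-policy: audit
      # NOTE(review): no owner/repository/permission scoping is passed, so the
      # token presumably carries the app installation's full permission set.
      # Confirm this job needs an app token rather than the default token.
      - name: Get github app token
        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        id: gh-app-token
        with:
          app-id: ${{ vars.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Checkout sources
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          token: ${{ steps.gh-app-token.outputs.token }}
          # Keep the app token out of .git/config: the following steps run
          # `cargo build`, which executes dependency build scripts, and no
          # later step in this job needs git credentials.
          persist-credentials: false
      - name: Install Rust
        uses: dtolnay/rust-toolchain@fcf085fcb4b4b8f63f96906cd713eb52181b5ea4 # stable
        with:
          toolchain: stable
          target: ${{ matrix.arch }}
      # `matrix.arch` comes from the static matrix above and `github.sha` is a
      # commit hash, so the inline expressions in the scripts below do not
      # carry externally controlled text.
      - name: Build monitor for ${{ matrix.arch }}
        run: |
          cargo build --bin openzeppelin-monitor --release --target ${{ matrix.arch }}
      - name: Pack monitor
        run: |
          tar -C ./target/${{ matrix.arch }}/release -czf \
            openzeppelin-monitor-${{ github.sha }}-${{ matrix.arch }}.tar.gz \
            openzeppelin-monitor
      - name: Upload artifact
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: openzeppelin-monitor-${{ github.sha }}-${{ matrix.arch }}
          path: |
            openzeppelin-monitor-${{ github.sha }}-${{ matrix.arch }}.tar.gz
            ./target/${{ matrix.arch }}/release/openzeppelin-monitor
          retention-days: 1

  upload-binaries:
    name: Upload binaries
    # Build-provenance attestation needs `id-token: write` and
    # `attestations: write`.
    # NOTE(review): none of the steps shown here creates a release, comments on
    # a pull request or publishes a package, so the `contents`, `pull-requests`
    # and `packages` write scopes look broader than required. Confirm, then reduce.
    permissions:
      contents: write
      pull-requests: write
      attestations: write
      packages: write
      id-token: write
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          # Audit mode logs egress only; it does not block it.
          egress-policy: audit
      - name: Get github app token
        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        id: gh-app-token
        with:
          app-id: ${{ vars.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      # NOTE(review): the steps shown work on downloaded artifacts only. If no
      # step of this job needs git credentials, set `persist-credentials: false`
      # here as well.
      - name: Checkout sources
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          token: ${{ steps.gh-app-token.outputs.token }}
      - name: Download artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          pattern: openzeppelin-monitor-*
          path: artifacts
      # Validate the artifacts path before attestation, so a missing tarball is
      # reported before any provenance statement is signed.
      # NOTE(review): this proves that at least one tarball exists, not that
      # every matrix target produced one.
      - name: Validate artifacts
        run: |-
          # Check if the artifacts exist
          if ls artifacts/*/openzeppelin-monitor-*.tar.gz >/dev/null 2>&1; then
            echo "Artifacts found"
          else
            echo "No artifacts found"
            exit 1
          fi
      # NOTE(review): the pin is an immutable commit SHA, but its label is
      # `main`, not a release tag. Pinning the SHA of a tagged release makes it
      # clear which reviewed version is in use.
      - name: Binaries attestation
        uses: actions/attest-build-provenance@d3b713ade6128010830a9be91a036ed11e065550 # main
        with:
          subject-path: artifacts/**/openzeppelin-monitor*.tar.gz
          github-token: ${{ steps.gh-app-token.outputs.token }}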