fix: Release binaries and enable nightly workflows to create binary artifacts and images (#313)

Author: tirumerla

.github/workflows/release-bins.yml

@@ -15,10 +15,11 @@ on:
         required: true
 jobs:
   build:
+    # for list of arch `rustup target list | grep -iE 'apple|linux'`
+
+    # TODO: Change https://github.com/actions/runner-images/issues/12520 `macos-latest` to `macos-15` when available
     name: Build binaries
     environment: release
-    env:
-      TAG: ${{ inputs.tag || github.event.inputs.tag }}
     outputs:
       release_tag: ${{ env.TAG }}
     strategy:
@@ -33,6 +34,9 @@ jobs:
           - arch: aarch64-apple-darwin
             platform: macos-latest
     runs-on: ${{ matrix.platform }}
+    env:
+      TAG: ${{ inputs.tag || github.event.inputs.tag }}
+      RUSTUP_TOOLCHAIN: stable-${{ matrix.arch }}
     steps:
       - name: Get github app token
         uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5  # v2.0.2
@@ -98,9 +102,9 @@ jobs:
       - name: Binaries attestation
         uses: actions/attest-build-provenance@d3b713ade6128010830a9be91a036ed11e065550  # main
         with:
-          subject-path: artifacts/**/openzeppelin-monitor
+          subject-path: artifacts/**/openzeppelin-monitor*.tar.gz
           github-token: ${{ steps.gh-app-token.outputs.token }}
-      - name: Update release please artifacts
+      - name: Update released binaries artifacts
         uses: softprops/action-gh-release@ab50eebb6488051c6788d97fa95232267c6a4e23  # main
         with:
           tag_name: ${{ env.TAG }}

.github/workflows/test-bins.yml

@@ -0,0 +1,110 @@
+---
+name: Test binaries
+on:
+  workflow_dispatch: {}
+  # Run nightly on the main branch
+  schedule:
+    - cron: 0 0 * * *  # Every day at midnight UTC
+# run concurrency group for the workflow
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+permissions:
+  contents: write
+  pull-requests: write
+  attestations: write
+  packages: write
+  id-token: write
+jobs:
+  build:
+    name: Build binaries
+    # for list of arch `rustup target list | grep -iE 'apple|linux'`
+
+    # TODO: Change https://github.com/actions/runner-images/issues/12520 `macos-latest` to `macos-15` when available
+    strategy:
+      matrix:
+        include:
+          - arch: x86_64-unknown-linux-gnu
+            platform: ubuntu-22.04
+          - arch: aarch64-unknown-linux-gnu
+            platform: ubuntu-22.04-arm
+          - arch: x86_64-apple-darwin
+            platform: macos-latest
+          - arch: aarch64-apple-darwin
+            platform: macos-latest
+    runs-on: ${{ matrix.platform }}
+    env:
+      RUSTUP_TOOLCHAIN: stable-${{ matrix.arch }}
+    steps:
+      - name: Get github app token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5  # v2.0.2
+        id: gh-app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - name: Checkout sources
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          token: ${{ steps.gh-app-token.outputs.token }}
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@fcf085fcb4b4b8f63f96906cd713eb52181b5ea4  # stable
+        with:
+          toolchain: stable
+          target: ${{ matrix.arch }}
+      - name: Build monitor for ${{ matrix.arch }}
+        run: |
+          cargo build --bin openzeppelin-monitor --release --target ${{ matrix.arch }}
+      - name: Pack monitor
+        run: |
+          tar -C ./target/${{ matrix.arch }}/release -czf \
+            openzeppelin-monitor-${{ github.sha }}-${{ matrix.arch }}.tar.gz \
+            openzeppelin-monitor
+      - name: Upload artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        with:
+          name: openzeppelin-monitor-${{ github.sha }}-${{ matrix.arch }}
+          path: |
+            openzeppelin-monitor-${{ github.sha }}-${{ matrix.arch }}.tar.gz
+            ./target/${{ matrix.arch }}/release/openzeppelin-monitor
+          retention-days: 1
+  upload-binaries:
+    name: Upload binaries
+    permissions:
+      contents: write
+      pull-requests: write
+      attestations: write
+      packages: write
+      id-token: write
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get github app token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5  # v2.0.2
+        id: gh-app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - name: Checkout sources
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          token: ${{ steps.gh-app-token.outputs.token }}
+      - name: Download artifacts
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e  # v4.2.1
+        with:
+          pattern: openzeppelin-monitor-*
+          path: artifacts
+      - name: Binaries attestation
+        uses: actions/attest-build-provenance@d3b713ade6128010830a9be91a036ed11e065550  # main
+        with:
+          subject-path: artifacts/**/openzeppelin-monitor*.tar.gz
+          github-token: ${{ steps.gh-app-token.outputs.token }}
+      # Validate the artifacts path
+      - name: Validate artifacts
+        run: |-
+          # Check if the artifacts exist
+          if ls artifacts/*/openzeppelin-monitor-*.tar.gz >/dev/null 2>&1; then
+            echo "Artifacts found"
+          else
+            echo "No artifacts found"
+            exit 1
+          fi