Merge branch 'feature_remove_api_key_from_doc' into 'main' #22
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: ["v*"] | |
| permissions: | |
| contents: read | |
| env: | |
| CARGO_TERM_COLOR: always | |
| # Change only this line when renaming (also update the [[bin]] name in Cargo.toml) | |
| BIN_NAME: okx-outcomes | |
| jobs: | |
| # Gate: a `v*` tag only releases if it points at a commit that is an | |
| # ancestor of `main`. Without this, anyone with write access (or a stolen | |
| # token) could tag an arbitrary unreviewed commit on a side branch and ship | |
| # it to every user via install.sh. `build` — and transitively `release` — | |
| # depend on this job, so a tag off `main` builds nothing. | |
| validate-ref: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Verify tag is on main | |
| run: | | |
| # checkout above used fetch-depth: 0, which already fetched every | |
| # branch (incl. main) into refs/remotes/origin/* with the job token. | |
| # A separate `git fetch` here would run without credentials | |
| # (persist-credentials: false strips them) and fail on a private repo, | |
| # so compare against the origin/main that checkout already pulled. | |
| git merge-base --is-ancestor "$GITHUB_SHA" origin/main \ | |
| || { echo "::error::release tag is not on main; refusing to build"; exit 1; } | |
| build: | |
| name: Build ${{ matrix.target }} | |
| needs: validate-ref | |
| runs-on: ${{ matrix.runner }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - target: x86_64-apple-darwin | |
| # Apple Silicon runner, cross-compiles to x86_64 (rustc ships a universal-capable SDK) | |
| runner: macos-latest | |
| archive: tar.gz | |
| - target: aarch64-apple-darwin | |
| runner: macos-latest | |
| archive: tar.gz | |
| - target: x86_64-unknown-linux-gnu | |
| runner: ubuntu-latest | |
| archive: tar.gz | |
| - target: aarch64-unknown-linux-gnu | |
| runner: ubuntu-latest | |
| archive: tar.gz | |
| cross: true | |
| # Statically linked binaries that run on Alpine / minimal Docker images. | |
| - target: x86_64-unknown-linux-musl | |
| runner: ubuntu-latest | |
| archive: tar.gz | |
| cross: true | |
| # Apple Silicon Docker + AWS Graviton Alpine containers. | |
| - target: aarch64-unknown-linux-musl | |
| runner: ubuntu-latest | |
| archive: tar.gz | |
| cross: true | |
| - target: x86_64-pc-windows-msvc | |
| runner: windows-latest | |
| archive: zip | |
| # Native Windows on ARM (newer Surface / Snapdragon laptops). | |
| - target: aarch64-pc-windows-msvc | |
| runner: windows-latest | |
| archive: zip | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master (pinned) | |
| with: | |
| toolchain: 1.91.1 | |
| targets: ${{ matrix.target }} | |
| - name: Install cross | |
| if: matrix.cross | |
| # Pin to the v0.2.5 release commit (not HEAD) and honor cross's own | |
| # Cargo.lock, so an upstream compromise can't reach the release runner. | |
| run: cargo install cross --git https://github.com/cross-rs/cross --rev f8151ae777290430cf2108efacf3976d9528500b --locked | |
| - name: Set workspace version from tag | |
| shell: bash | |
| env: | |
| REF_NAME: ${{ github.ref_name }} | |
| run: | | |
| VERSION="${REF_NAME#v}" | |
| # Allowlist check: only accept semver-style tags so a malicious tag name | |
| # cannot inject metacharacters into the sed expression below. | |
| [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?$ ]] || { echo "invalid version: $VERSION" >&2; exit 1; } | |
| # Only matches lines starting with `version = "..."`; inline versions in dependencies are left untouched. | |
| sed -i.bak -E "s/^version = \"[^\"]+\"/version = \"${VERSION}\"/" Cargo.toml | |
| rm Cargo.toml.bak | |
| # Sync Cargo.lock's workspace-member version with the bumped | |
| # Cargo.toml so the `--locked` release build below doesn't fail on a | |
| # stale lockfile. `--workspace` only touches this package's own | |
| # version; the pinned SDK rev and the locked registry deps stay | |
| # unchanged. We can't use `--offline` here: on a clean CI runner the | |
| # git dependency hasn't been fetched yet, so cargo needs network to | |
| # resolve its source. | |
| cargo update --workspace | |
| grep -E "^version" Cargo.toml | |
| - name: Build | |
| shell: bash | |
| run: | | |
| if [ "${{ matrix.cross }}" = "true" ]; then | |
| cross build --release --locked --target ${{ matrix.target }} | |
| else | |
| cargo build --release --locked --target ${{ matrix.target }} | |
| fi | |
| - name: Package (tar.gz) | |
| if: matrix.archive == 'tar.gz' | |
| shell: bash | |
| env: | |
| REPO_NAME: ${{ github.event.repository.name }} | |
| REF_NAME: ${{ github.ref_name }} | |
| run: | | |
| STAGING="${REPO_NAME}-${REF_NAME}-${{ matrix.target }}" | |
| mkdir -p "$STAGING" | |
| cp "target/${{ matrix.target }}/release/${BIN_NAME}" "$STAGING/" | |
| cp README.md LICENSE "$STAGING/" 2>/dev/null || true | |
| tar czf "${STAGING}.tar.gz" "$STAGING" | |
| echo "ASSET=${STAGING}.tar.gz" >> "$GITHUB_ENV" | |
| - name: Package (zip) | |
| if: matrix.archive == 'zip' | |
| shell: pwsh | |
| env: | |
| REPO_NAME: ${{ github.event.repository.name }} | |
| REF_NAME: ${{ github.ref_name }} | |
| run: | | |
| $staging = "$env:REPO_NAME-$env:REF_NAME-${{ matrix.target }}" | |
| New-Item -ItemType Directory -Path $staging | Out-Null | |
| Copy-Item "target/${{ matrix.target }}/release/$env:BIN_NAME.exe" $staging | |
| Copy-Item README.md, LICENSE $staging -ErrorAction SilentlyContinue | |
| Compress-Archive -Path $staging -DestinationPath "$staging.zip" | |
| "ASSET=$staging.zip" | Out-File -FilePath $env:GITHUB_ENV -Append | |
| - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: ${{ matrix.target }} | |
| path: ${{ env.ASSET }} | |
| if-no-files-found: error | |
| release: | |
| name: Publish release | |
| needs: build | |
| runs-on: ubuntu-latest | |
| # Manual approval gate before anything is published. Create a | |
| # `production-release` environment with Required reviewers under | |
| # Settings → Environments; until reviewers are configured this is a | |
| # no-op (the job runs without pausing). | |
| environment: production-release | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 | |
| with: | |
| merge-multiple: true | |
| - name: Generate checksums | |
| shell: bash | |
| run: | | |
| shopt -s nullglob | |
| files=(*.tar.gz *.zip) | |
| if [ ${#files[@]} -eq 0 ]; then | |
| echo "no artifacts found" >&2 | |
| exit 1 | |
| fi | |
| sha256sum "${files[@]}" > checksums.txt | |
| cat checksums.txt | |
| - uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 | |
| with: | |
| generate_release_notes: true | |
| files: | | |
| *.tar.gz | |
| *.zip | |
| checksums.txt |