
feat: add release sbom provenance #6

feat: add release sbom provenance


Workflow file for this run

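# Release pipeline: on every v*.*.* tag, build the Python package, the CLI
# binaries and the paper-trading container image, write a SHA256SUMS next to
# each, attest the assembled set, and create (or refresh) a draft GitHub
# Release for the tag.
name: Release Artifacts

on:
  push:
    tags:
      - "v*.*.*"

# Workflow-wide least privilege; only github-release widens this, per need.
permissions:
  contents: read

jobs:
  # Gate every build on the package being publishable, without publishing it.
  registry-readiness:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          # Nothing in this job pushes, so do not leave the token in .git/config.
          persist-credentials: false
      - uses: actions/setup-python@v6.2.0
        with:
          python-version: "3.12"
          cache: pip
      - name: Check package registry readiness without publishing
        run: scripts/registry_readiness.py

  # Wheel + sdist, with a SHA256SUMS manifest uploaded alongside them.
  python-package:
    needs: [registry-readiness]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false
      - uses: actions/setup-python@v6.2.0
        with:
          python-version: "3.12"
          cache: pip
      - name: Build wheel and sdist
        working-directory: engine
        run: |
          python -m pip install --upgrade build
          python -m build
      - name: Generate checksums
        run: python3 scripts/write_sha256s.py engine/dist/SHA256SUMS engine/dist/*
      - uses: actions/upload-artifact@v7.0.1
        with:
          name: zero-engine-python
          path: engine/dist/*

  # One CLI binary per OS. fail-fast is off so one broken leg does not cancel
  # the other; github-release still requires the whole job to succeed.
  cli-binary:
    needs: [registry-readiness]
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            artifact: zero-linux
          - os: macos-latest
            artifact: zero-macos
    runs-on: ${{ matrix.os }}
    env:
      # Bound once as an environment variable instead of being interpolated
      # into each shell line.
      ARTIFACT: ${{ matrix.artifact }}
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false
      - name: Build CLI
        working-directory: cli
        run: cargo build -p zero --profile release-small
      - name: Prepare artifact
        run: |
          mkdir -p dist
          cp cli/target/release-small/zero "dist/${ARTIFACT}"
          python3 scripts/write_sha256s.py dist/SHA256SUMS "dist/${ARTIFACT}"
      - uses: actions/upload-artifact@v7.0.1
        with:
          name: ${{ matrix.artifact }}
          path: dist/*

  # Build the paper-trading image, smoke-test it, and ship it as a tarball.
  container-smoke:
    needs: [registry-readiness]
    runs-on: ubuntu-latest
    env:
      # The tag name is text chosen by whoever pushed the tag; keep it out of
      # the shell source by binding it once here and quoting "$IMAGE" below.
      IMAGE: zero-public:${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false
      - name: Build paper image
        run: docker build -t "$IMAGE" .
      - name: Run paper demo
        run: docker run --rm "$IMAGE"
      - name: Run paper example
        run: docker run --rm "$IMAGE" python /app/examples/paper-trading/run.py
      - name: Export paper image artifact
        run: |
          mkdir -p dist
          docker save "$IMAGE" -o dist/zero-paper-image.tar
          python3 scripts/write_sha256s.py dist/SHA256SUMS dist/zero-paper-image.tar
      - uses: actions/upload-artifact@v7.0.1
        with:
          name: zero-paper-image
          path: dist/*

  # Collect every artifact, verify and attest the assembled set, then create or
  # refresh a *draft* release so a human publishes it.
  github-release:
    name: Draft GitHub Release
    needs: [python-package, cli-binary, container-smoke]
    runs-on: ubuntu-latest
    permissions:
      contents: write  # create/edit the release and upload its assets
      id-token: write  # OIDC token the attest step signs with
      attestations: write  # store the attestation on the repository
      artifact-metadata: write
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          # gh authenticates via GH_TOKEN below; git itself never pushes here.
          persist-credentials: false
      - uses: actions/download-artifact@v8.0.1
        with:
          # No name/pattern: every artifact of this run is downloaded, each
          # into its own subdirectory under release-artifacts.
          path: release-artifacts
      - name: Assemble release assets
        run: |
          scripts/assemble_release_assets.sh release-artifacts release-dist
          ls -lh release-dist
      - name: Verify release assets
        run: python3 scripts/release_verify.py release-dist
      # NOTE(review): actions/attest is the generic attestation action and also
      # requires `predicate-type` plus `predicate`/`predicate-path`; this step
      # supplies no predicate. For SLSA provenance the dedicated
      # actions/attest-build-provenance action accepts `subject-checksums` on
      # its own, and actions/attest-sbom covers an SBOM predicate — confirm
      # which of the two the "sbom provenance" intent needs. This is also the
      # only action here not pinned to an exact version; pin it like the others
      # (or to a commit SHA).
      - name: Attest release assets
        uses: actions/attest@v4
        with:
          subject-checksums: release-dist/SHA256SUMS
      - name: Create or update draft release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          notes_file=".github/RELEASE_TEMPLATE.md"
          if [[ -f "docs/releases/${GITHUB_REF_NAME}.md" ]]; then
            notes_file="docs/releases/${GITHUB_REF_NAME}.md"
          fi
          if gh release view "$GITHUB_REF_NAME" >/dev/null 2>&1; then
            # A re-run may refresh a draft, but must never --clobber the assets
            # of a release that has already been published: those are the files
            # (and checksums) users have already downloaded and verified.
            is_draft="$(gh release view "$GITHUB_REF_NAME" --json isDraft --jq '.isDraft')"
            if [[ "$is_draft" != "true" ]]; then
              echo "release $GITHUB_REF_NAME is already published; refusing to overwrite its assets" >&2
              exit 1
            fi
            gh release upload "$GITHUB_REF_NAME" release-dist/* --clobber
            gh release edit "$GITHUB_REF_NAME" --notes-file "$notes_file"
          else
            # --verify-tag refuses to create a release for a tag that does not
            # exist on the remote, so a release can never point at a local-only tag.
            gh release create "$GITHUB_REF_NAME" release-dist/* \
              --draft \
              --verify-tag \
              --title "$GITHUB_REF_NAME" \
              --notes-file "$notes_file"
          fi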