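# Release workflow: runs on every pushed tag matching "v*". It re-runs CI,
# builds self-contained CLI binaries for three runtime identifiers, checks the
# recovery script against committed golden files, then publishes a GitHub
# Release and dispatches the self-update verification workflow.
name: 🚀 Release

on:
  push:
    tags:
      - "v*"

# Least privilege: every job gets a read-only token by default. Only the
# `release` job, which creates the release, is granted write scopes below.
# NOTE(review): confirm ci.yml requests nothing beyond `contents: read`.
permissions:
  contents: read

jobs:
  test:
    uses: ./.github/workflows/ci.yml
    # NOTE(review): `inherit` hands every repository secret to the called
    # workflow; passing only the secrets ci.yml uses narrows the exposure.
    secrets: inherit

  build:
    name: 📦 Build (${{ matrix.rid }})
    needs: test
    strategy:
      matrix:
        include:
          - os: windows-latest
            rid: win-x64
          - os: ubuntu-latest
            rid: linux-x64
          - os: macos-latest
            rid: osx-arm64
    runs-on: ${{ matrix.os }}
    steps:
      # NOTE(review): actions here are referenced by mutable major-version
      # tags; pinning each to a full commit SHA keeps a retagged action from
      # changing what a release build executes.
      - name: 🛎️ Checkout
        uses: actions/checkout@v6
        with:
          # The build never pushes, so do not leave the token behind for
          # build scripts to read.
          persist-credentials: false
      - name: ⚙️ Setup .NET
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: "10.0.x"
      - name: 🏷️ Extract version from tag
        id: version
        shell: bash
        # Strips the leading "v" from the tag name (v1.2.3 -> 1.2.3).
        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
      - name: 🔨 Publish self-contained binary
        # bash on every runner (the Windows default is PowerShell) so the
        # quoted variables below expand identically on all three platforms.
        shell: bash
        # The version comes from the tag name, which anyone able to push a tag
        # controls. It is passed through the environment instead of being
        # expanded into the script text, so it cannot be parsed as shell syntax.
        env:
          RID: ${{ matrix.rid }}
          VERSION: ${{ steps.version.outputs.version }}
        run: >
          dotnet publish src/Arius.Cli/Arius.Cli.csproj
          -c Release
          -r "$RID"
          --self-contained true
          -o publish
          "-p:Version=$VERSION"
          -p:PublishSingleFile=true
          -p:IncludeNativeLibrariesForSelfExtract=true
          -p:DebugType=none
      - name: ✏️ Rename binary
        shell: bash
        env:
          RID: ${{ matrix.rid }}
        run: |
          if [[ "$RID" == win-* ]]; then
            mv publish/Arius.Cli.exe "arius-$RID.exe"
          else
            mv publish/Arius.Cli "arius-$RID"
          fi
      - name: ⬆️ Upload artifact
        uses: actions/upload-artifact@v7
        with:
          name: binary-${{ matrix.rid }}
          path: arius-${{ matrix.rid }}*

  verify-recovery-script:
    name: 🔓 Verify recovery script
    needs: test
    runs-on: ubuntu-latest
    steps:
      - name: 🛎️ Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: 🐍 Install Python cryptography package
        # NOTE(review): unpinned install; pinning an exact version (ideally
        # with hashes in a requirements file) keeps this release gate from
        # running whatever PyPI serves at tag time.
        run: pip install cryptography
      - name: 🔑 Decrypt GCM golden file and verify output
        # PASSPHRASE is the fixed test-vector passphrase for the committed
        # golden file, not a secret. Real passphrases never belong in this file.
        run: |
          GOLDEN="src/Arius.Core.Tests/Encryption/GoldenFiles/2594868716c414b39895e10299bc609a1d1602a65b8576599d149f911aa33be8"
          PASSPHRASE="wouter"
          EXPECTED="Hello, ArGCM1 golden file!"
          ACTUAL=$(python3 recover-chunk.py "$GOLDEN" "$PASSPHRASE")
          if [[ "$ACTUAL" != "$EXPECTED" ]]; then
            echo "❌ Recovery mismatch!" >&2
            echo " expected: $EXPECTED" >&2
            echo " actual: $ACTUAL" >&2
            exit 1
          fi
          echo "✅ GCM recovery script output matches expected plaintext."
      - name: 🔑 Decrypt CBC golden file and verify output
        # Same fixed test-vector passphrase as the GCM check above.
        run: |
          GOLDEN="src/Arius.Core.Tests/Encryption/GoldenFiles/680ccc692b5c2b058a0d9964ae08f9343350f8873dd900bb62742ba0a0b313de"
          PASSPHRASE="wouter"
          EXPECTED="Hello, Salted__ CBC golden file!"
          ACTUAL=$(python3 recover-chunk.py "$GOLDEN" "$PASSPHRASE")
          if [[ "$ACTUAL" != "$EXPECTED" ]]; then
            echo "❌ CBC recovery mismatch!" >&2
            echo " expected: $EXPECTED" >&2
            echo " actual: $ACTUAL" >&2
            exit 1
          fi
          echo "✅ CBC recovery script output matches expected plaintext."

  release:
    name: 🎉 Publish Release
    needs: [build, verify-recovery-script]
    runs-on: ubuntu-latest
    # The only job holding a write token: `contents: write` creates the release
    # and uploads its assets, `actions: write` is what the workflow-dispatch
    # call in the last step requires.
    permissions:
      contents: write
      actions: write
    steps:
      - name: 🛎️ Checkout
        uses: actions/checkout@v6
        with:
          # Full history so the changelog generator can see earlier tags.
          fetch-depth: 0
      - name: 🏷️ Extract version from tag
        id: version
        shell: bash
        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
      - name: 📝 Generate release notes
        # NOTE(review): third-party action running in the job that holds the
        # write token; pin it to a full commit SHA instead of the mutable tag.
        uses: orhun/git-cliff-action@v4
        with:
          config: cliff.toml
          args: --latest --strip header
        env:
          OUTPUT: CHANGELOG.md
      - name: ⬇️ Download release artifacts
        uses: actions/download-artifact@v8
        with:
          path: dist/
          pattern: binary-*
          merge-multiple: true
      - name: 🚀 Create GitHub Release
        # Tag name, repository and version are read from environment variables
        # and quoted, so a tag containing shell metacharacters stays data and
        # is never parsed as part of the script.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          gh release create "$GITHUB_REF_NAME" \
            --repo "$GITHUB_REPOSITORY" \
            --title "Arius $VERSION" \
            --notes-file CHANGELOG.md \
            dist/*
      - name: 🔄 Trigger verify-self-update workflow
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh workflow run verify-self-update.yml \
            --repo "$GITHUB_REPOSITORY" \
            --ref master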