Feat: Transaction Witnesses (#419) #380

Workflow file for this run

.github/workflows/publish.yml at 0ff1792

	name: publish

	on:
	push:
	branches: ['main']
	tags:
	- 'v..*'

	concurrency: ${{ github.ref }}

	env:
	APPLICATION_NAME: 'adder'

	jobs:
	create-draft-release:
	runs-on: ubuntu-latest
	permissions:
	contents: write
	outputs:
	RELEASE_ID: ${{ steps.create-release.outputs.result }}
	steps:
	- run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
	- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/releases/tag/v7.0.1
	id: create-release
	if: startsWith(github.ref, 'refs/tags/')
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	result-encoding: string
	script: \|
	try {
	const response = await github.rest.repos.createRelease({
	draft: true,
	generate_release_notes: true,
	name: process.env.RELEASE_TAG,
	owner: context.repo.owner,
	prerelease: false,
	repo: context.repo.repo,
	tag_name: process.env.RELEASE_TAG,
	});

	return response.data.id;
	} catch (error) {
	core.setFailed(error.message);
	}

	build-binaries:
	strategy:
	matrix:
	include:
	- runner: macos-latest
	os: darwin
	arch: arm64
	- runner: ubuntu-latest
	os: freebsd
	arch: amd64
	- runner: ubuntu-latest
	os: freebsd
	arch: arm64
	- runner: ubuntu-latest
	os: linux
	arch: amd64
	- runner: ubuntu-latest
	os: linux
	arch: arm64
	- runner: windows-latest
	os: windows
	arch: amd64
	- runner: windows-latest
	os: windows
	arch: arm64
	runs-on: ${{ matrix.runner }}
	needs: [create-draft-release]
	permissions:
	actions: write
	attestations: write
	checks: write
	contents: write
	id-token: write
	packages: write
	statuses: write
	steps:
	- name: Set RELEASE_TAG (Windows)
	if: matrix.os == 'windows'
	shell: pwsh
	run: \|
	$tagName = $env:GITHUB_REF -replace 'refs/tags/', ''
	echo "RELEASE_TAG=$tagName" \| Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
	- name: Set RELEASE_TAG
	if: matrix.os != 'windows'
	run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
	with:
	fetch-depth: '0'
	- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 https://github.com/actions/setup-go/releases/tag/v5.4.0
	with:
	go-version: 1.23.x
	- name: Build binary (Windows)
	if: matrix.os == 'windows'
	shell: pwsh
	run: \|
	$env:GOOS = "${{ matrix.os }}"
	$env:GOARCH = "${{ matrix.arch }}"
	make build
	- name: Build binary
	if: matrix.os != 'windows'
	run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} make build

	# Sign Windows build
	- name: Set up Java
	uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 https://github.com/actions/setup-java/releases/tag/v4.7.1
	if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
	with:
	java-version: 17
	distribution: 'temurin'
	- id: 'auth'
	name: Authenticate with Google Cloud
	if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
	uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10 https://github.com/google-github-actions/auth/releases/tag/v2.1.10
	with:
	credentials_json: '${{ secrets.CERTIFICATE_SA_CREDENTIALS }}'
	- name: Set up Cloud SDK
	if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
	uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4 https://github.com/google-github-actions/setup-gcloud/releases/tag/v2.1.4
	- name: Sign binary (Windows)
	if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows' }}
	shell: pwsh
	run: \|
	Write-Host "Downloading jsign.jar"
	Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar" -OutFile "jsign.jar"

	Write-Host "Verifying jsign.jar checksum"
	$expectedHash = "05ca18d4ab7b8c2183289b5378d32860f0ea0f3bdab1f1b8cae5894fb225fa8a"
	$actualHash = (Get-FileHash -Path "jsign.jar" -Algorithm SHA256).Hash.ToLower()

	if ($actualHash -ne $expectedHash) {
	Write-Error "Hash verification failed for jsign.jar"
	Write-Error "Expected: $expectedHash"
	Write-Error "Actual: $actualHash"
	exit 1
	}

	[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("${{ secrets.CERTIFICATE_CHAIN }}")) \| Out-File -FilePath "codesign-chain.pem" -Encoding utf8

	$filename = "${{ env.APPLICATION_NAME }}.exe"
	$ACCESS_TOKEN = & gcloud auth print-access-token
	Write-Host "::add-mask::$ACCESS_TOKEN"

	java -jar jsign.jar `
	--storetype ${{ secrets.CERTIFICATE_STORE_TYPE }} `
	--storepass "$ACCESS_TOKEN" `
	--keystore ${{ secrets.CERTIFICATE_KEYSTORE }} `
	--alias ${{ secrets.CERTIFICATE_KEY_NAME }} `
	--certfile "codesign-chain.pem" `
	--tsmode RFC3161 `
	--tsaurl "http://timestamp.globalsign.com/tsa/r6advanced1" `
	$filename

	$ACCESS_TOKEN = $null

	Write-Host "Signed Windows binary: $filename"
	Write-Host "Cleaning up certificate chain"
	Remove-Item -Path "codesign-chain.pem" -Force

	# Sign MacOS build

	- name: Create .app package and sign macos binary
	if: ${{ startsWith(github.ref, 'refs/tags/') && matrix.os == 'darwin' }}
	run: \|
	echo "Decoding and importing Apple certificate..."
	echo -n "${{ secrets.APPLE_CERTIFICATE }}" \| base64 --decode -o apple_certificate.p12
	security create-keychain -p "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain
	security default-keychain -s build.keychain
	security set-keychain-settings -lut 21600 build.keychain
	security unlock-keychain -p "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain
	security import apple_certificate.p12 -k build.keychain -P "${{ secrets.APPLE_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign
	security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.APPLE_KEYCHAIN_PASSWORD }}" build.keychain
	echo "Packaging ${{ env.APPLICATION_NAME }}..."
	mkdir -p ${{ env.APPLICATION_NAME }}.app/Contents/MacOS
	mkdir -p ${{ env.APPLICATION_NAME }}.app/Contents/Resources
	cp ${{ env.APPLICATION_NAME }} ${{ env.APPLICATION_NAME }}.app/Contents/MacOS/${{ env.APPLICATION_NAME }}
	chmod +x ${{ env.APPLICATION_NAME }}.app/Contents/MacOS/${{ env.APPLICATION_NAME }}
	cp .github/assets/${{ env.APPLICATION_NAME }}.icns ${{ env.APPLICATION_NAME }}.app/Contents/Resources
	export RELEASE_TAG="${{ env.RELEASE_TAG }}"
	CLEAN_VERSION="${RELEASE_TAG#v}"
	cat <<EOF > ${{ env.APPLICATION_NAME }}.app/Contents/Info.plist
	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
	<key>CFBundleExecutable</key>
	<string>${{ env.APPLICATION_NAME }}</string>
	<key>CFBundleIdentifier</key>
	<string>com.blinklabssoftware.${{ env.APPLICATION_NAME }}</string>
	<key>CFBundleName</key>
	<string>${{ env.APPLICATION_NAME }}</string>
	<key>CFBundleIconFile</key>
	<string>${{ env.APPLICATION_NAME }}</string>
	<key>CFBundleVersion</key>
	<string>${CLEAN_VERSION}</string>
	<key>CFBundleShortVersionString</key>
	<string>${CLEAN_VERSION}</string>
	</dict>
	</plist>
	EOF
	/usr/bin/codesign --force -s "Developer ID Application: Blink Labs Software (${{ secrets.APPLE_TEAM_ID }})" --options runtime ${{ env.APPLICATION_NAME }}.app -v
	xcrun notarytool store-credentials "notarytool-profile" --apple-id "${{ secrets.APPLE_ID }}" --team-id "${{ secrets.APPLE_TEAM_ID }}" --password "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}"
	ditto -c -k --keepParent "${{ env.APPLICATION_NAME }}.app" "notarization.zip"
	xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
	xcrun stapler staple "${{ env.APPLICATION_NAME }}.app"

	- name: Upload release asset (Windows)
	if: startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows'
	shell: pwsh
	run: \|
	$filename = "${{ env.APPLICATION_NAME }}-${{ env.RELEASE_TAG }}-${{ matrix.os }}-${{ matrix.arch }}.zip"
	Compress-Archive "${{ env.APPLICATION_NAME }}.exe" "$filename"
	Write-Host "Uploading file: $filename"
	# Upload file using PowerShell
	$headers = @{
	"Authorization" = "token ${{ secrets.GITHUB_TOKEN }}"
	"Content-Type" = "application/octet-stream"
	}
	$uploadUrl = "https://uploads.github.com/repos/${{ github.repository }}/releases/${{ needs.create-draft-release.outputs.RELEASE_ID }}/assets?name=$filename"
	Invoke-RestMethod -Uri $uploadUrl -Method Post -Headers $headers -InFile $filename

	- name: Upload release asset
	if: startsWith(github.ref, 'refs/tags/') && matrix.os != 'windows'
	run: \|
	_filename=${{ env.APPLICATION_NAME }}-${{ env.RELEASE_TAG }}-${{ matrix.os }}-${{ matrix.arch }}.tar.gz
	if [[ "${{ matrix.os }}" != "windows" ]]; then
	tar czf ${_filename} ${{ env.APPLICATION_NAME }}
	fi
	if [[ "${{ matrix.os }}" == "darwin" ]]; then
	_filename=${{ env.APPLICATION_NAME }}-${{ env.RELEASE_TAG }}-${{ matrix.os }}-${{ matrix.arch }}.zip
	zip -r ${_filename} ${{ env.APPLICATION_NAME }}.app
	fi
	curl \
	-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
	-H "Content-Type: application/octet-stream" \
	--data-binary @${_filename} \
	https://uploads.github.com/repos/${{ github.repository_owner }}/adder/releases/${{ needs.create-draft-release.outputs.RELEASE_ID }}/assets?name=${_filename}

	- name: Attest binary (Windows)
	if: startsWith(github.ref, 'refs/tags/') && matrix.os == 'windows'
	uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 https://github.com/actions/attest-build-provenance/releases/tag/v2.3.0
	with:
	subject-path: '${{ env.APPLICATION_NAME }}.exe'

	- name: Attest binary
	if: startsWith(github.ref, 'refs/tags/') && matrix.os != 'windows'
	uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 https://github.com/actions/attest-build-provenance/releases/tag/v2.3.0
	with:
	subject-path: '${{ env.APPLICATION_NAME }}'

	build-images:
	runs-on: ubuntu-latest
	needs: [create-draft-release]
	permissions:
	actions: write
	attestations: write
	checks: write
	contents: write
	id-token: write
	packages: write
	statuses: write
	steps:
	- run: "echo \"RELEASE_TAG=${GITHUB_REF#refs/tags/}\" >> $GITHUB_ENV"
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 https://github.com/actions/checkout/releases/tag/v4.2.2
	with:
	fetch-depth: '0'
	- name: Set up QEMU
	uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 https://github.com/docker/setup-buildx-action/releases/tag/v3.10.0
	- name: Login to Docker Hub
	uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
	with:
	username: blinklabs
	password: ${{ secrets.DOCKER_PASSWORD }} # uses token
	- name: Login to GHCR
	uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 https://github.com/docker/login-action/releases/tag/v3.4.0
	with:
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	registry: ghcr.io
	- id: meta
	uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 https://github.com/docker/metadata-action/releases/tag/v5.7.0
	with:
	images: \|
	blinklabs/adder
	ghcr.io/${{ github.repository }}
	tags: \|
	# Only version, no revision
	type=match,pattern=v(.)-(.),group=1
	# branch
	type=ref,event=branch
	# semver
	type=semver,pattern={{version}}
	- name: Build images
	id: push
	uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0 https://github.com/docker/build-push-action/releases/tag/v6.16.0
	with:
	outputs: "type=registry,push=true"
	platforms: linux/amd64,linux/arm64
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	- name: Attest Docker Hub image
	uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 https://github.com/actions/attest-build-provenance/releases/tag/v2.3.0
	with:
	subject-name: index.docker.io/blinklabs/adder
	subject-digest: ${{ steps.push.outputs.digest }}
	push-to-registry: true
	- name: Attest GHCR image
	uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 https://github.com/actions/attest-build-provenance/releases/tag/v2.3.0
	with:
	subject-name: ghcr.io/${{ github.repository }}
	subject-digest: ${{ steps.push.outputs.digest }}
	push-to-registry: true
	# Update Docker Hub from README
	- name: Docker Hub Description
	uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2 https://github.com/peter-evans/dockerhub-description/releases/tag/v4.0.2
	with:
	username: blinklabs
	password: ${{ secrets.DOCKER_PASSWORD }}
	repository: blinklabs/adder
	readme-filepath: ./README.md
	short-description: "Adder is a tool for tailing the Cardano blockchain and emitting events"

	finalize-release:
	runs-on: ubuntu-latest
	permissions:
	contents: write
	needs: [create-draft-release, build-binaries, build-images]
	steps:
	- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 https://github.com/actions/github-script/releases/tag/v7.0.1
	if: startsWith(github.ref, 'refs/tags/')
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	script: \|
	try {
	await github.rest.repos.updateRelease({
	owner: context.repo.owner,
	repo: context.repo.repo,
	release_id: ${{ needs.create-draft-release.outputs.RELEASE_ID }},
	draft: false,
	});
	} catch (error) {
	core.setFailed(error.message);
	}
	# This updates the documentation on pkg.go.dev and the latest version available via the Go module proxy
	- name: Pull new module version
	if: startsWith(github.ref, 'refs/tags/')
	uses: andrewslotin/go-proxy-pull-action@0ef95ea50ab6c03f2f095a5102bbdecad8fd7602 # v1.3.0 https://github.com/andrewslotin/go-proxy-pull-action/releases/tag/v1.3.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Feat: Transaction Witnesses (#419) #380

Workflow file

Feat: Transaction Witnesses (#419) #380

Uh oh!

Jobs

Run details

Workflow file for this run