
refactor: hoist Go module from go/ to repo root (#162) #2



Workflow file for this run

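name: release-darwin
# darwin/arm64 release on a macos-14 runner. Attaches binaries to the
# existing GitHub Release created by release-go.yml (which only builds
# linux). Runs after the linux release lands so the target Release
# already exists.
#
# Why a separate workflow:
# - release-go.yml runs on ubuntu-latest. CGO + kuzudb won't
#   cross-compile cleanly to darwin from linux.
# - macos-14 runners are arm64 (M1+); cross-compile to darwin/arm64
#   happens via native CC = clang.
# - The two workflows publish to the same tag → same Release.
#
# Trigger sources for TAG (see `env` below):
# - push of a v*.*.* tag  → GITHUB_REF_NAME is the tag.
# - workflow_dispatch     → inputs.tag, supplied by the dispatching user.
on:
  push:
    tags:
      - 'v*.*.*'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Tag to release (e.g. v0.3.0). Release must already exist.'
        required: true
permissions:
  contents: write
  id-token: write # Sigstore keyless via GitHub OIDC
  attestations: write
# Pass the input/ref to the shell via env vars (not inline `${{ }}`
# interpolation) — Semgrep `yaml.github-actions.security.run-shell-injection`
# rule. inputs.tag for workflow_dispatch; GITHUB_REF_NAME for tag pushes.
env:
  TAG: ${{ github.event.inputs.tag || github.ref_name }}
jobs:
  release-darwin:
    name: release (darwin / arm64)
    runs-on: macos-14
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Check out the commit the tag points at. Without an explicit ref,
          # a workflow_dispatch run checks out the branch it was dispatched
          # from, so the binary — and the provenance attestation below —
          # would describe a different commit than the tag it is labelled
          # with. For tag pushes this resolves to the same commit as before.
          ref: ${{ env.TAG }}
          # Full history so `git rev-parse` and tag lookups work.
          fetch-depth: 0
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: '1.25.10'
          cache: true
          # Module lives at the repo root since the go/ hoist.
          cache-dependency-path: go.sum
      - name: Build darwin/arm64 binary
        env:
          CGO_ENABLED: '1'
          GOOS: darwin
          GOARCH: arm64
        run: |
          # Strip the leading "v" so buildinfo.Version is the bare semver.
          VERSION="${TAG#v}"
          go build \
            -trimpath \
            -ldflags "-s -w \
              -X 'github.com/randomcodespace/codeiq/internal/buildinfo.Version=${VERSION}' \
              -X 'github.com/randomcodespace/codeiq/internal/buildinfo.Commit=$(git rev-parse --short HEAD)' \
              -X 'github.com/randomcodespace/codeiq/internal/buildinfo.Date=$(date -u +%Y-%m-%dT%H:%M:%SZ)' \
              -X 'github.com/randomcodespace/codeiq/internal/buildinfo.Dirty=false'" \
            -o codeiq ./cmd/codeiq
      - name: Package archive
        run: |
          VERSION="${TAG#v}"
          ARCHIVE_DIR="codeiq_${VERSION}_darwin_arm64"
          mkdir -p "${ARCHIVE_DIR}"
          cp codeiq "${ARCHIVE_DIR}/"
          # Docs are best-effort: a missing file must not fail the release.
          cp LICENSE "${ARCHIVE_DIR}/" 2>/dev/null || true
          cp README.md "${ARCHIVE_DIR}/" 2>/dev/null || true
          cp CHANGELOG.md "${ARCHIVE_DIR}/" 2>/dev/null || true
          tar czf "${ARCHIVE_DIR}.tar.gz" "${ARCHIVE_DIR}"
      - name: Install Syft (SBOM)
        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
      - name: Generate SBOM
        run: |
          VERSION="${TAG#v}"
          ARCHIVE="codeiq_${VERSION}_darwin_arm64.tar.gz"
          syft "$ARCHIVE" --output spdx-json="${ARCHIVE}.sbom.spdx.json"
      - name: Install Cosign (signing)
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
      - name: Sign archive (Sigstore keyless, bundle format)
        run: |
          VERSION="${TAG#v}"
          ARCHIVE="codeiq_${VERSION}_darwin_arm64.tar.gz"
          # Keyless signing uses the id-token permission granted above; the
          # bundle carries signature + certificate for offline verification.
          cosign sign-blob \
            --yes \
            --bundle "${ARCHIVE}.cosign.bundle" \
            "$ARCHIVE"
      - name: Upload to GitHub Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          VERSION="${TAG#v}"
          # Retry up to 3 times to handle race with release-go.yml
          # creating the Release. --clobber replaces assets of the same
          # name, so a re-run overwrites previously uploaded darwin assets.
          for i in 1 2 3; do
            if gh release view "$TAG" >/dev/null 2>&1; then
              gh release upload "$TAG" \
                "codeiq_${VERSION}_darwin_arm64.tar.gz" \
                "codeiq_${VERSION}_darwin_arm64.tar.gz.sbom.spdx.json" \
                "codeiq_${VERSION}_darwin_arm64.tar.gz.cosign.bundle" \
                --clobber
              exit 0
            fi
            echo "Release $TAG not yet visible, waiting 30s ($i/3)..."
            sleep 30
          done
          echo "::error::Release $TAG never appeared; release-go.yml may have failed"
          exit 1
      - name: Attest darwin archive (build provenance)
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          # Only the tarball is attested; the SBOM and cosign bundle are not
          # subjects of this provenance statement.
          subject-path: 'codeiq_*_darwin_arm64.tar.gz'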