diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml
index a1d1d994..70c63c01 100644
--- a/.github/workflows/homebrew.yml
+++ b/.github/workflows/homebrew.yml
@@ -23,20 +23,43 @@ jobs: exit 1 fi - update-brew: + brew_formula: needs: enforce_stable_semver - if: github.repository_owner == 'openziti' - runs-on: ubuntu-latest + if: github.repository_owner == 'openziti' || github.repository_owner == 'openziti-test-kitchen' + runs-on: ubuntu-24.04 steps: - - name: Extract Version - id: extract-version - run: | - echo "tag-name=${GITHUB_REF#refs/tags/}" | tee -a ${GITHUB_OUTPUT} - - uses: mislav/bump-homebrew-formula-action@v3.1 - if: ${{ !contains(github.ref, '-') }} + - name: Get Checksums File + shell: bash + run: | + curl -sSLf -o checksums.sha256.txt \ + https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/checksums.sha256.txt + + - name: Get Source Archive + shell: bash + run: | + curl -sSLf -o source-${{ github.ref_name }}.tar.gz \ + https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source-${{ github.ref_name }}.tar.gz + + - name: Verify Source Archive Checksum + shell: bash + run: | + shasum --algorithm 256 --ignore-missing --check checksums.sha256.txt + + - name: Extract Source Archive Checksum + id: source + shell: bash + run: | + CHECKSUM=$(grep -E '\bsource\.tar\.gz$' checksums.sha256.txt | cut -d' ' -f1) + echo "sha256=${CHECKSUM}" | tee -a "$GITHUB_OUTPUT" + + - name: Upload Release Source Archive to Homebrew + uses: mislav/bump-homebrew-formula-action@v3.2 with: formula-name: zrok - download-url: https://github.com/openziti/zrok/archive/refs/tags/${{ steps.extract-version.outputs.tag-name }}.tar.gz + formula-path: Formula/z/zrok.rb + download-url: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source-${{ github.ref_name }}.tar.gz + download-sha256: ${{ steps.source.outputs.sha256 }} + homebrew-tap: ${{ vars.ZROK_BREW_TAP || 'Homebrew/homebrew-core' }} env: COMMITTER_TOKEN: ${{ secrets.BREW_COMMITTER_TOKEN }} 
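Review bot: In the `Extract Source Archive Checksum` step the pattern `\bsource\.tar\.gz$` does not appear to match the asset this job downloads, which is named `source-${{ github.ref_name }}.tar.gz`, so `steps.source.outputs.sha256` would come out empty or the step would fail under bash's pipefail. Matching the real name as a fixed string, `CHECKSUM=$(grep -F -- "source-${GITHUB_REF_NAME}.tar.gz" checksums.sha256.txt | cut -d' ' -f1)`, and stopping when nothing was found, `[[ -n "${CHECKSUM}" ]] || exit 1`, keeps an unverified archive from reaching `download-sha256`. `--ignore-missing` in the verify step has the same blind spot: if the archive's name is absent from the checksums file, the check may pass without verifying anything, depending on the shasum implementation. The `run:` scripts here and in the `Fetch Source Archive` step of release.yml also expand `${{ github.ref_name }}` straight into shell text; reading `$GITHUB_REF_NAME` and `$GITHUB_REPOSITORY` from the environment keeps a tag name from being parsed as shell syntax.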
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 11ddbe79..410baee5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -269,6 +269,12 @@ jobs: - run: | mkdir -p ./automated-release-build + - name: Fetch Source Archive + shell: bash + run: | + curl -sSLf -o ./automated-release-build/source-${{ github.ref_name }}.tar.gz \ + https://api.github.com/repos/${{ github.repository }}/tarball/${{ github.ref_name }} + - uses: actions/download-artifact@v4 with: path: ./automated-release-build
@@ -277,7 +283,8 @@ jobs: - run: | ls -lAR ./automated-release-build/ - shasum ./automated-release-build/* > ./automated-release-build/checksums.txt + cd ./automated-release-build/ + shasum --algorithm 256 ./* | tee ./checksums.sha256.txt - uses: goreleaser/goreleaser-action@v6 with:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6be8142e..dad2d9ea 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,11 @@ ## v0.4.49 -FIX: Pre-releases are no longer uploaded to the stable Linux package repo. +FIX: Release artifacts now include a reproducible source archive. The archive's download URL is now used by the Homebrew formula when building from source instead of the archive generated on-demand by GitHub (https://github.com/openziti/zrok/issues/858). + +FIX: Pre-releases are no longer uploaded to the stable Linux package repo, and workflows that promote stable release artifacts to downstream distribution channels enforce semver stable release tags, i.e., not having a semver hyphenated prerelease suffix. + +CHANGE: The release `checksums.txt` has been renamed `checksums.sha256.txt` to reflect the use of a collision-resistant algorithm instead of `shasum`'s default algorithm, SHA-1. CHANGE: Pre-releases are uploaded to the pre-release Linux package repo and Docker Hub for testing. [RELEASING.md](./RELEASING.md) describes releaser steps and the events they trigger.
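Review bot: The `Fetch Source Archive` step requests the tarball by tag name, so the archive that gets checksummed and published is whatever `${{ github.ref_name }}` resolves to when curl runs, which is not guaranteed to be the commit that triggered this workflow. Requesting the triggering commit instead, `https://api.github.com/repos/${GITHUB_REPOSITORY}/tarball/${GITHUB_SHA}`, ties the published source to the build inputs and takes the ref name out of the URL. The request is also unauthenticated, so it is subject to the anonymous API rate limit and would fail on a private fork; sending the workflow token in an `Authorization` header avoids intermittent release failures.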
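Review bot: Piping into `tee ./checksums.sha256.txt` from inside the directory being globbed lets the output file race with the `./*` expansion: tee creates the file in a separate process, so it can occasionally end up listed with the hash of an empty or partial file, whereas the removed `>` form expanded the glob before the redirect created the file. `shasum --algorithm 256 ./* > ./checksums.sha256.txt` followed by `cat ./checksums.sha256.txt` keeps the log output and makes the listing deterministic. Anything outside this diff that still refers to `checksums.txt` (release configuration, docs, downstream verification scripts) needs the new name as well.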