From 075d7097bc0b7b2462d30ca05505854dc0e3ec16 Mon Sep 17 00:00:00 2001 From: amannocci Date: Thu, 18 Jun 2026 19:46:53 +0200 Subject: [PATCH 1/6] ci: Add artifact verification and simplify release workflow --- .github/workflows/ci.yml | 49 +++++++++++++++++++++++++++++++++++ .github/workflows/release.yml | 32 +++-------------------- 2 files changed, 53 insertions(+), 28 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eb27b13..230d7c5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -53,6 +53,15 @@ jobs: - name: Build run: uv run poe build + - uses: actions/attest@v4 + with: + subject-path: "dist/*" + + - uses: actions/upload-artifact@v7 + with: + name: terranova-${{ matrix.os }} + path: "dist/*" + test: needs: - build @@ -70,3 +79,43 @@ jobs: - name: Test run: uv run poe test + + sanitize: + needs: + - test + strategy: + matrix: + os: + - macos-15 + - macos-15-intel + - ubuntu-latest + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v6.0.2 + + - name: Install environment + uses: ./.github/workflows/env-install + + - uses: actions/download-artifact@v8 + with: + merge-multiple: true + + - name: Verify macOS amd64 binary + run: | + ./dist/terranova-*-darwin-amd64 || exit 1 + if: runner.arch == 'X64' && runner.os == 'macOS' + + - name: Verify macOS arm64 binary + run: | + ./dist/terranova-*-darwin-arm64 || exit 1 + if: runner.arch == 'ARM64' && runner.os == 'macOS' + + - name: Verify linux amd64 binary + run: | + ./dist/terranova-*-linux-amd64 || exit 1 + if: runner.arch == 'X64' && runner.os == 'Linux' + + - name: Verify linux arm64 binary + run: | + ./dist/terranova-*-linux-arm64 || exit 1 + if: runner.arch == 'ARM64' && runner.os == 'Linux' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c94017e..9eecfc2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
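Review bot: `actions/attest@v4` and `actions/upload-artifact@v7` in the new build steps are referenced by floating major tags, so the code that signs and stores the release artifacts can change underneath this workflow without any commit here; the same applies to `actions/checkout@v6.0.2` and `actions/download-artifact@v8` in the sanitize hunk below and to the `@v6` change in patch 3. For a job whose output is a provenance attestation, pin each action to a full commit SHA with the tag kept in a trailing comment, e.g. `- uses: actions/attest@<commit-sha> # v4`, and let dependency automation move the pin. `subject-path: "dist/*"` attests every file the build leaves in `dist/`; that is fine if `uv run poe build` emits only the release binaries, otherwise narrow the glob to the `terranova-*` names the sanitize job consumes.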
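Review bot: With the `os` matrix shown (`macos-15`, `macos-15-intel`, `ubuntu-latest`) no runner satisfies `runner.arch == 'ARM64' && runner.os == 'Linux'`, so the "Verify linux arm64 binary" step is skipped on every run and that artifact ships unexercised; add an arm64 Linux runner to the matrix or drop the step so the job does not suggest coverage it lacks. The remaining steps only prove that a downloaded binary starts; since the build job now publishes attestations, the check a release pipeline wants here is `gh attestation verify ./dist/<binary> -R ${{ github.repository }}` (with `GH_TOKEN: ${{ github.token }}` in the step `env`) for each binary before executing anything that was downloaded. `download-artifact` with `merge-multiple: true` and no `pattern:` pulls every artifact of the run into the directory that is then executed; `pattern: terranova-*` keeps unrelated artifacts out of it.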
@@ -19,36 +19,12 @@ concurrency: group: ${{ github.workflow }} jobs: - build: - strategy: - matrix: - os: - - macos-15 - - macos-15-intel - - ubuntu-latest - runs-on: ${{ matrix.os }} + ci: permissions: - artifact-metadata: write - attestations: write - contents: write + contents: read id-token: write - steps: - - uses: actions/checkout@v7 - - - name: Install environment - uses: ./.github/workflows/env-install - - - name: Build - run: uv run poe build - - - uses: actions/attest@v4 - with: - subject-path: "dist/*" - - - uses: actions/upload-artifact@v7 - with: - name: terranova-${{ matrix.os }} - path: "dist/*" + uses: ./.github/workflows/ci.yml + secrets: inherit release: runs-on: ubuntu-latest From c69b9812cc2491d3d3cf29bfda53f5b2a678ad23 Mon Sep 17 00:00:00 2001 From: amannocci Date: Thu, 18 Jun 2026 19:51:15 +0200 Subject: [PATCH 2/6] ci: Add id-token permission to build job --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 230d7c5..5e1c812 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,6 +35,8 @@ jobs: run: uv run poe lint build: + permissions: + id-token: write needs: - lint strategy: From d68f8ea5922d27be963170ed4b27f4072e506086 Mon Sep 17 00:00:00 2001 From: amannocci Date: Mon, 22 Jun 2026 18:24:00 +0200 Subject: [PATCH 3/6] ci: Add attestation permissions and update checkout version --- .github/workflows/ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5e1c812..99b58d6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -37,6 +37,8 @@ jobs: build: permissions: id-token: write + attestations: write + artifact-metadata: write needs: - lint strategy: 
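Review bot: The caller job `ci` grants only `contents: read` and `id-token: write`, but the `actions/attest` step it delegates to needs `attestations: write` (and, per the removed build job, `artifact-metadata: write`); GitHub documents that a called reusable workflow can only downgrade the permissions it receives, so unless those scopes are granted here the attest step is expected to fail on release even after patches 2 and 3 add them inside ci.yml. Add `attestations: write` and `artifact-metadata: write` to this `permissions:` block. `secrets: inherit` hands every repository and organization secret to the called workflow; if ci.yml only needs the default token, drop it, otherwise pass the specific secrets by name. The `release:` job's `needs:` lies outside this hunk; if it still names `build`, the workflow no longer validates now that the job is `ci`, and ci.yml must declare an `on: workflow_call` trigger for the `uses:` line to resolve.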
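Review bot: Introducing a job-level `permissions:` block on `build` with only `id-token: write` sets every scope not listed to none for that job, so the `actions/checkout` step in this job loses `contents: read` and the clone is expected to fail at least for a private repository; patch 3 extends the same block without restoring it. Add `contents: read` alongside `id-token: write` so the job's grant is explicit and complete. The `build:` job body continues outside the hunk.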
@@ -93,7 +95,7 @@ jobs: - ubuntu-latest runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@v6 - name: Install environment uses: ./.github/workflows/env-install From a62f8a8a6982ace3e3413d768ceeef8dd8d51e60 Mon Sep 17 00:00:00 2001 From: amannocci Date: Tue, 23 Jun 2026 19:33:30 +0200 Subject: [PATCH 4/6] ci: Specify artifact download path in sanitize job --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 99b58d6..eec020d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -103,6 +103,7 @@ jobs: - uses: actions/download-artifact@v8 with: merge-multiple: true + path: dist - name: Verify macOS amd64 binary run: | From 6fc7eca1304b9b41dea21f9c7e5886b374314147 Mon Sep 17 00:00:00 2001 From: amannocci Date: Tue, 23 Jun 2026 19:48:58 +0200 Subject: [PATCH 5/6] ci: Add executable permissions to binaries in sanitize job --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eec020d..15207cd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -107,20 +107,24 @@ jobs: - name: Verify macOS amd64 binary run: | + chmod +x ./dist/terranova-*-darwin-amd64 ./dist/terranova-*-darwin-amd64 || exit 1 if: runner.arch == 'X64' && runner.os == 'macOS' - name: Verify macOS arm64 binary run: | + chmod +x ./dist/terranova-*-darwin-arm64 ./dist/terranova-*-darwin-arm64 || exit 1 if: runner.arch == 'ARM64' && runner.os == 'macOS' - name: Verify linux amd64 binary run: | + chmod +x ./dist/terranova-*-linux-amd64 ./dist/terranova-*-linux-amd64 || exit 1 if: runner.arch == 'X64' && runner.os == 'Linux' - name: Verify linux arm64 binary run: | + chmod +x ./dist/terranova-*-linux-arm64 ./dist/terranova-*-linux-arm64 || exit 1 if: runner.arch == 'ARM64' && runner.os == 'Linux' From 9c72591a4ce1fda47eadd06b410e1d2f90db8391 Mon Sep 17 00:00:00 2001 
From: amannocci Date: Tue, 23 Jun 2026 20:32:49 +0200 Subject: [PATCH 6/6] ci: Verify binaries with --version flag instead of bare execution --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 15207cd..2567b9f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -108,23 +108,23 @@ jobs: - name: Verify macOS amd64 binary run: | chmod +x ./dist/terranova-*-darwin-amd64 - ./dist/terranova-*-darwin-amd64 || exit 1 + ./dist/terranova-*-darwin-amd64 --version || exit 1 if: runner.arch == 'X64' && runner.os == 'macOS' - name: Verify macOS arm64 binary run: | chmod +x ./dist/terranova-*-darwin-arm64 - ./dist/terranova-*-darwin-arm64 || exit 1 + ./dist/terranova-*-darwin-arm64 --version || exit 1 if: runner.arch == 'ARM64' && runner.os == 'macOS' - name: Verify linux amd64 binary run: | chmod +x ./dist/terranova-*-linux-amd64 - ./dist/terranova-*-linux-amd64 || exit 1 + ./dist/terranova-*-linux-amd64 --version || exit 1 if: runner.arch == 'X64' && runner.os == 'Linux' - name: Verify linux arm64 binary run: | chmod +x ./dist/terranova-*-linux-arm64 - ./dist/terranova-*-linux-arm64 || exit 1 + ./dist/terranova-*-linux-arm64 --version || exit 1 if: runner.arch == 'ARM64' && runner.os == 'Linux'
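Review bot: `|| exit 1` after each `--version` call is redundant — `run:` steps on these runners default to `bash -e`, so a non-zero exit already fails the step — and removing it leaves each of the four steps as a single command. Because the path is an unquoted glob, a `dist/` holding more than one match would execute the first file with the others passed as arguments; checking the match count or using the exact artifact name would make the step fail loudly instead. The enclosing `sanitize:` job starts outside the hunk.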