Container-Compose/.github/workflows/release.yml at main · explicitcontextualunderstanding/Container-Compose · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      version:
        description: "Release version (e.g., v1.0.0)"
        required: false
        type: string

permissions:
  contents: read # Minimum required for security scan

jobs:
  # Security gate: must pass zizmor scan before building release
  security-scan:
    name: Security Scan (zizmor)
    runs-on: ubuntu-latest
    outputs:
      critical_count: ${{ steps.zizmor.outputs.critical_count }}
      high_count: ${{ steps.zizmor.outputs.high_count }}
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: Install zizmor
        run: |
          curl -sSfL https://github.com/woodruffw/zizmor/releases/download/v1.23.1/zizmor-v1.23.1-x86_64-unknown-linux-gnu.tar.gz | tar xz
          chmod +x zizmor
          sudo mv zizmor /usr/local/bin/

      - name: Run zizmor scan
        id: zizmor
        run: |
          zizmor --format json .github/workflows/ > zizmor-results.json || true
          CRITICAL_COUNT=$(jq '[.[] | select(.severity == "critical")] | length' zizmor-results.json 2>/dev/null || echo "0")
          HIGH_COUNT=$(jq '[.[] | select(.severity == "high")] | length' zizmor-results.json 2>/dev/null || echo "0")
          echo "critical_count=$CRITICAL_COUNT" >> $GITHUB_OUTPUT
          echo "high_count=$HIGH_COUNT" >> $GITHUB_OUTPUT
          echo "zizmor findings:"
          echo "  Critical: $CRITICAL_COUNT"
          echo "  High: $HIGH_COUNT"

      - name: Block release on critical findings
        if: steps.zizmor.outputs.critical_count != '0'
        run: |
          echo "::error::CRITICAL: zizmor found ${{ steps.zizmor.outputs.critical_count }} critical security issues. Release blocked."
          echo "::error::Run 'zizmor .github/workflows/' locally to see details."
          exit 1

      - name: Warn on high findings
        if: steps.zizmor.outputs.high_count != '0'
        run: |
          echo "::warning::zizmor found ${{ steps.zizmor.outputs.high_count }} high severity issues. Review recommended."

  build-release:
    name: Build and Release
    needs: security-scan
    if: needs.security-scan.outputs.critical_count == '0'
    runs-on: macos-26
    permissions:
      contents: write
      attestations: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: Setup Swift
        uses: maartene/setup-swift@main
        with:
          swift-version: "6.2"

      - name: Build Release
        run: swift build -c release

      - name: Generate SHA256 Checksum
        id: checksum
        run: |
          shasum -a 256 .build/release/container-compose | awk '{print $1}' > .build/release/container-compose.sha256
          echo "sha256=$(cat .build/release/container-compose.sha256)" >> $GITHUB_OUTPUT
          echo "Binary SHA256: $(cat .build/release/container-compose.sha256)"

      - name: Attest Build Provenance
        uses: actions/attest-build-provenance@f504d1c46aced50f0eb9e7f117c7e8de6b07e2c7 # v1.4.3
        with:
          subject-path: ".build/release/container-compose"

      - name: Generate Verification Instructions
        run: |
          cat > .build/release/VERIFICATION.md << 'EOF'
          # Binary Verification

          ## SHA256 Checksum
          ```
          ${{ steps.checksum.outputs.sha256 }} container-compose
          ```

          ## Verify Download
          ```bash
          # macOS/Linux
          shasum -a 256 ./container-compose | grep ${{ steps.checksum.outputs.sha256 }}
          # Should output matching hash
          ```

          ## Build Reproducibility
          This binary was built with:
          - macOS 26.x
          - Xcode 26.3
          - Swift 6.2
          - Apple Silicon (arm64)

          ## Attestation
          This release includes cryptographic attestation via GitHub Actions.
          Verify attestation: `gh attestation verify container-compose --owner explicitcontextualunderstanding`

          ## Source Code
          Tagged commit: ${{ github.sha }}
          Compare: https://github.com/${{ github.repository }}/compare/${{ github.ref_name }}
          EOF

      - name: Create Release with Verification
        if: github.event_name == 'push'
        uses: softprops/action-gh-release@c1a018d8a49526b35624d8b4709e296ce22f2fd2 # v2.2.0
        with:
          name: ${{ github.ref_name }}
          draft: false
          prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') }}
          files: |
            .build/release/container-compose
            .build/release/container-compose.sha256
            .build/release/VERIFICATION.md
          body: |
            ## Verification

            **SHA256:** `${{ steps.checksum.outputs.sha256 }}`

            Verify your download:
            ```bash
            shasum -a 256 ./container-compose | grep ${{ steps.checksum.outputs.sha256 }}
            ```

            **Build Attestation:** This release includes cryptographic attestation.
            ```bash
            gh attestation verify container-compose --owner explicitcontextualunderstanding
            ```

            See VERIFICATION.md for full details.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload to Release (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch'
        run: |
          VERSION="${{ inputs.version || 'latest' }}"
          TAG="v${VERSION#v}"
          RELEASE_ID=$(gh api repos/${{ github.repository }}/releases/tags/$TAG --jq '.id' 2>/dev/null || echo "")
          if [ -z "$RELEASE_ID" ]; then
            RELEASE_ID=$(gh api repos/${{ github.repository }}/releases -X POST \
              --field tag_name="$TAG" \
              --field name="$TAG" \
              --field draft=false \
              --field body="## Verification\n\n**SHA256:** \`${{ steps.checksum.outputs.sha256 }}\`\n\nVerify your download:\n\`\`\`bash\nshasum -a 256 ./container-compose | grep ${{ steps.checksum.outputs.sha256 }}\n\`\`\`\n\nSee full verification instructions in VERIFICATION.md" \
              --jq '.id')
          fi
          gh api repos/${{ github.repository }}/releases/$RELEASE_ID/assets \
            -F "file=@.build/release/container-compose" \
            -F "name=container-compose"
          gh api repos/${{ github.repository }}/releases/$RELEASE_ID/assets \
            -F "file=@.build/release/container-compose.sha256" \
            -F "name=container-compose.sha256"
          gh api repos/${{ github.repository }}/releases/$RELEASE_ID/assets \
            -F "file=@.build/release/VERIFICATION.md" \
            -F "name=VERIFICATION.md"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}