Merge pull request #9136 from ThomasWaldmann/issue-9134-attestations2

do binary build and gh attestation based on a tag push
TW 2025-11-02 19:27:12 +01:00 committed by GitHub
commit 30fb8266a0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 8 additions and 36 deletions


@ -5,17 +5,8 @@ name: CI
on:
push:
branches: [ master ]
paths:
- '**.py'
- '**.pyx'
- '**.c'
- '**.h'
- '**.yml'
- '**.toml'
- '**.cfg'
- '**.ini'
- 'requirements.d/*'
- '!docs/**'
tags:
- '2.*'
pull_request:
branches: [ master ]
paths:
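Review bot: The new `tags:` filter `'2.*'` under `push` lets any pushed tag whose name starts with `2.` reach the binary build and attestation steps further down, so whoever can create such a tag can now produce attested binaries; a tag protection rule or ruleset covering `2.*` should accompany this change. Separately, removing the `paths` list from `push` means docs-only pushes to master now run the whole workflow while `pull_request` keeps its `paths` filter; if that asymmetry is intended, a one-line YAML comment would stop someone from re-adding the list later.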
@ -106,25 +97,6 @@ jobs:
fetch-depth: 0
fetch-tags: true
- name: Detect if commit is tagged
id: detect_tag
run: |
tag="$(git describe --exact-match --tags HEAD 2>/dev/null || true)"
# If HEAD is a merge commit, the PR head is usually the second parent (HEAD^2).
if [ -z "$tag" ] && git rev-parse -q --verify HEAD^2 >/dev/null 2>&1; then
tag="$(git describe --exact-match --tags HEAD^2 2>/dev/null || true)"
fi
echo "Found tag: ${tag}"
echo "tagged=$tag" >> "$GITHUB_OUTPUT"
- name: Check out exact tag
if: ${{ steps.detect_tag.outputs.tagged }}
uses: actions/checkout@v4
with:
ref: ${{ steps.detect_tag.outputs.tagged }}
fetch-depth: 0
fetch-tags: true
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
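Review bot: Deleting the step with `id: detect_tag` means any leftover `steps.detect_tag.outputs.tagged` expression evaluates to an empty value and silently skips its step instead of failing, so please grep the workflow for `detect_tag` to confirm the five conditions converted later in this patch are the only uses. The removed script also looked at `HEAD^2` to find a tag on a merge commit; with the `github.ref` check that replaces it, only the tag push itself builds binaries, which is worth stating in the commit message or the release docs.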
@ -240,14 +212,14 @@ jobs:
env_vars: OS, python
- name: Build Borg fat binaries (${{ matrix.binary }})
if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
if: ${{ matrix.binary && startsWith(github.ref, 'refs/tags/') }}
run: |
pip install 'pyinstaller==6.14.2'
mkdir -p dist/binary
pyinstaller --clean --distpath=dist/binary scripts/borg.exe.spec
- name: Smoke-test the built binary (${{ matrix.binary }})
if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
if: ${{ matrix.binary && startsWith(github.ref, 'refs/tags/') }}
run: |
pushd dist/binary
echo "single-file binary"
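Review bot: The condition `startsWith(github.ref, 'refs/tags/')` is now copied into five step-level `if:` lines (two of them in this hunk), which is easy to get out of sync the next time the release trigger changes. Consider evaluating it once, for example in a job-level `env:` entry that each step tests, or using `github.ref_type == 'tag'`, which states the intent more directly than a string-prefix match.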
@ -260,7 +232,7 @@ jobs:
popd
- name: Prepare binaries (${{ matrix.binary }})
if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
if: ${{ matrix.binary && startsWith(github.ref, 'refs/tags/') }}
run: |
mkdir -p artifacts
if [ -f dist/binary/borg.exe ]; then
@ -273,13 +245,13 @@ jobs:
ls -l artifacts/
- name: Attest binaries provenance (${{ matrix.binary }})
if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
if: ${{ matrix.binary && startsWith(github.ref, 'refs/tags/') }}
uses: actions/attest-build-provenance@v3
with:
subject-path: 'artifacts/*'
- name: Upload binaries (${{ matrix.binary }})
if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
if: ${{ matrix.binary && startsWith(github.ref, 'refs/tags/') }}
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.binary }}
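Review bot: `uses: actions/attest-build-provenance@v3` points at a mutable major-version tag on the very step that signs release provenance; pinning it, and `actions/upload-artifact@v4` below it, to a full commit SHA keeps a retagged action from changing what gets attested or uploaded. Please also confirm the job grants `id-token: write` and `attestations: write`, which the attest action needs; the permissions block is not visible in this hunk.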


@ -80,7 +80,7 @@ use a recent version that supports "gh attestation".
Practical example (Linux, 2.0.0b20 tag):
curl -LO https://github.com/borgbackup/borg/releases/download/2.0.0b20/borg-linux-glibc235-x86_64-gh
gh attestation verify --repo borgbackup/borg --ref 2.0.0b20 ./borg-linux-glibc235-x86_64-gh
gh attestation verify --repo borgbackup/borg --source-ref refs/tags/2.0.0b20 borg-linux-glibc235-x86_64-gh
If verification succeeds, gh prints a summary stating the subject (your file),
that it was attested by GitHub Actions, and the job/workflow reference.
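Review bot: The updated example constrains the repository and `--source-ref refs/tags/2.0.0b20` but not which workflow produced the attestation, so an attestation created by any workflow in the repository for that ref would pass. Adding `--signer-workflow` with the path of the CI workflow file to the documented command would tie verification to the release build job, and the sentence about the printed "job/workflow reference" could then tell readers what value to expect there.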