Merge pull request #1340 from mdecimus/main

CI job fixes
2025-09-12 23:14:18 +08:00 · 2025-03-24 17:54:15 +01:00 · 2025-03-24 17:54:15 +01:00 · c8891489cb
commit c8891489cb
parent 4138ef6fc9 b7d74942e2
3 changed files with 35 additions and 22 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -41,6 +41,8 @@ jobs:
    needs: [linux]
    if: github.event_name == 'push' || inputs.Docker
    steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
      - name: Log In to GitHub Container Registry
        uses: docker/login-action@v3
        with:
@ -82,6 +84,8 @@ jobs:
          echo "GHCR_DIGEST_SHA=$(cat GHCR_DIGEST_SHA)" | tee -a "${GITHUB_ENV}"
          docker buildx imagetools inspect --format '{{json .Manifest}}' index.docker.io/${{github.repository}}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/${{matrix.variant}}/bake-meta.json) | jq -r '.digest' > DOCKERHUB_DIGEST_SHA
          echo "DOCKERHUB_DIGEST_SHA=$(cat DOCKERHUB_DIGEST_SHA)" | tee -a "${GITHUB_ENV}"
+          cosign sign --yes $(jq --arg GHCR_DIGEST_SHA "$(cat GHCR_DIGEST_SHA)" -cr '.target."docker-metadata-action".tags | map(select(startswith("ghcr.io/${{github.repository}}")) | . + "@" + $GHCR_DIGEST_SHA) | join(" ")' ${{ runner.temp }}/${{matrix.variant}}/bake-meta.json)
+          cosign sign --yes $(jq --arg DOCKERHUB_DIGEST_SHA "$(cat DOCKERHUB_DIGEST_SHA)" -cr '.target."docker-metadata-action".tags | map(select(startswith("index.docker.io/${{github.repository}}")) | . + "@" + $DOCKERHUB_DIGEST_SHA) | join(" ")' ${{ runner.temp }}/${{matrix.variant}}/bake-meta.json)

      - name: Attest GHCR
        uses: actions/attest-build-provenance@v2
@ -411,16 +415,25 @@ jobs:
            archive/**/*.tar.gz
            archive/**/*.zip

+      - name: Use cosign to sign existing artifacts
+        uses: sigstore/gh-action-sigstore-python@v3.0.0
+        with:
+          inputs: |
+            archive/**/*.tar.gz
+            archive/**/*.zip
+
      - name: Release
        uses: softprops/action-gh-release@v2
        with:
          files: |
            archive/**/*.tar.gz
            archive/**/*.zip
+            archive/**/*.sigstore.json
          prerelease: ${{!startsWith(github.ref, 'refs/tags/') || null}}
          tag_name: ${{!startsWith(github.ref, 'refs/tags/') && 'nightly' || null}}
+          # TODO add instructions about using cosign to verify binary artifact
          append_body: true
          body: |
            <hr />

-            ## Check binary attestation at [here](${{ steps.attest.outputs.attestation-url }})
+            ### Check binary attestation at [here](${{ steps.attest.outputs.attestation-url }})
--- a/Dockerfile.build
+++ b/Dockerfile.build
@ -28,11 +28,6 @@ RUN \
    ln -s "/usr/local/zig-linux-$(uname -m)-${ZIG_VERSION}/zig" /usr/local/bin/zig
 # Install cargo-binstall
 RUN curl --retry 5 -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
-# Install FoundationDB
-# TODO According to https://github.com/apple/foundationdb/issues/11448#issuecomment-2417766293
-# Once FoundationDB v7.3.53 gets released, we should be able to build the aarch64-unknown-linux-gnu target.
-# The last command is for future build use, so if you are building on a native arm64 device, please use docker qemu.
-RUN curl --retry 5 -Lso /usr/lib/libfdb_c.so "$(curl --retry 5 -Ls 'https://api.github.com/repos/apple/foundationdb/releases' | jq --arg arch "$(uname -m)" -r '.[] | select(.prerelease == false) | .assets[] | select(.name | test("libfdb_c." + $arch + ".so")) | .browser_download_url' | head -n1)"
 # Install cargo-chef & sccache & cargo-zigbuild
 RUN cargo binstall --no-confirm cargo-chef sccache cargo-zigbuild

@ -56,24 +51,31 @@ ARG BUILD_ENV
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # Install toolchain and specify some env variables
 RUN \
-  rustup set profile minimal && \
-  rustup target add ${TARGET} && \
-  mkdir -p artifact && \
-  touch /env-cargo && \
-  if [ ! -z "${BUILD_ENV}" ]; then \
-      echo "export ${BUILD_ENV}" >> /env-cargo; \
-      echo "Setting up ${BUILD_ENV}"; \
-  fi
+    rustup set profile minimal && \
+    rustup target add ${TARGET} && \
+    mkdir -p artifact && \
+    touch /env-cargo && \
+    if [ ! -z "${BUILD_ENV}" ]; then \
+        echo "export ${BUILD_ENV}" >> /env-cargo; \
+        echo "Setting up ${BUILD_ENV}"; \
+    fi && \
+    if [[ "${TARGET}" == *gnu ]]; then \
+        echo "export FDB_ARCH=${TARGET%%-*}" >> /env-cargo; \
+    fi
+# Install FoundationDB
+RUN \
+    source /env-cargo && \
+    if [ ! -z "${FDB_ARCH}" ]; then \
+        curl --retry 5 -Lso /usr/lib/libfdb_c.so "$(curl --retry 5 -Ls 'https://api.github.com/repos/apple/foundationdb/releases' | jq --arg FDB_ARCH "$FDB_ARCH" -r '.[] | select(.prerelease == false) | .assets[] | select(.name | test("libfdb_c." + $FDB_ARCH + ".so")) | .browser_download_url' | head -n1)"; \
+    fi
 # Cargo-chef Cache layer
 RUN \
    --mount=type=secret,id=ACTIONS_CACHE_URL,env=ACTIONS_CACHE_URL \
    --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN,env=ACTIONS_RUNTIME_TOKEN \
    --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/usr/local/cargo/git \
-    # TODO According to https://github.com/apple/foundationdb/issues/11448#issuecomment-2417766293
-    # Once FoundationDB v7.3.53 gets released, we should be able to build the aarch64-unknown-linux-gnu target.
    source /env-cargo && \
-    if [ "${TARGET}" = "x86_64-unknown-linux-gnu" ]; then \
+    if [ ! -z "${FDB_ARCH}" ]; then \
        RUSTFLAGS="-L /usr/lib" cargo chef cook --recipe-path recipe.json --zigbuild --release --target ${TARGET} -p mail-server --no-default-features --features "foundationdb elastic s3 redis enterprise"; \
    fi
 RUN \
@ -88,16 +90,14 @@ RUN \
 COPY . .
 ENV RUSTC_WRAPPER="sccache" \
    SCCACHE_GHA_ENABLED=true
-# Build foundationdb version
+# Build FoundationDB version
 RUN \
    --mount=type=secret,id=ACTIONS_CACHE_URL,env=ACTIONS_CACHE_URL \
    --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN,env=ACTIONS_RUNTIME_TOKEN \
    --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/usr/local/cargo/git \
-    # TODO According to https://github.com/apple/foundationdb/issues/11448#issuecomment-2417766293
-    # Once FoundationDB v7.3.53 gets released, we should be able to build the aarch64-unknown-linux-gnu target.
    source /env-cargo && \
-    if [ "${TARGET}" = "x86_64-unknown-linux-gnu" ]; then \
+    if [ ! -z "${FDB_ARCH}" ]; then \
        RUSTFLAGS="-L /usr/lib" cargo zigbuild --release --target ${TARGET} -p mail-server --no-default-features --features "foundationdb elastic s3 redis enterprise"; \
        mv /app/target/${TARGET}/release/stalwart-mail /app/artifact/stalwart-mail-foundationdb; \
    fi
--- a/crates/store/Cargo.toml
+++ b/crates/store/Cargo.toml
@ -9,7 +9,7 @@ utils = { path = "../utils" }
 nlp = { path = "../nlp" }
 trc = { path = "../trc" }
 rocksdb = { version = "0.23", optional = true, features = ["multi-threaded-cf"] }
-foundationdb = { version = "0.9.0", features = ["embedded-fdb-include", "fdb-7_1"], optional = true }
+foundationdb = { version = "0.9.2", features = ["embedded-fdb-include", "fdb-7_3"], optional = true }
 rusqlite = { version = "0.32", features = ["bundled"], optional = true }
 rust-s3 = { version = "=0.35.0-alpha.2", default-features = false, features = ["tokio-rustls-tls", "no-verify-ssl"], optional = true }
 azure_core = { version = "0.21.0", optional = true }