chore: initial ci configs

Signed-off-by: Sam Gammon <[email protected]>
sgammon · Jun 7, 2024 · 77513ca · 77513ca
1 parent 82b2267
commit 77513ca
Show file tree

Hide file tree

Showing 3 changed files with 244 additions and 0 deletions.
diff --git a/.github/workflows/job.build.yml b/.github/workflows/job.build.yml
@@ -0,0 +1,154 @@
+#
+# Copyright (c) 2024 Elide Technologies, Inc.
+#
+# Licensed under the MIT license (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# https://opensource.org/license/mit/
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+# an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under the License.
+#
+
+name: Build
+
+"on":
+  workflow_dispatch:
+    inputs:
+      ## Input: Enable Release Targets
+      release:
+        description: "Release"
+        type: boolean
+        default: false
+
+      ## Input: Publish Libraries
+      publish:
+        description: "Publish"
+        type: boolean
+        default: false
+
+      ## Input: Enable Provenance
+      provenance:
+        description: "Provenance"
+        type: boolean
+        default: true
+
+      ## Input: Runner
+      runner:
+        description: "Runner"
+        type: string
+        default: ubuntu-latest
+
+  workflow_call:
+    inputs:
+      release:
+        description: "Release"
+        type: boolean
+        default: false
+      publish:
+        description: "Publish"
+        type: boolean
+        default: false
+      provenance:
+        description: "Provenance"
+        type: boolean
+        default: true
+      runner:
+        description: "Runner to use"
+        type: string
+        default: ubuntu-latest
+
+    secrets:
+      BUILDLESS_APIKEY:
+        required: false
+        description: "Buildless API Key"
+      CODECOV_TOKEN:
+        required: false
+        description: "Codecov token"
+
+env:
+  BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
+
+permissions:
+  contents: read
+
+jobs:
+  ##
+  ## Job: Build
+  ##
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [Ubuntu]
+        mode: ["Strict"]
+        machine:
+          - ${{ inputs.runner }}
+
+    name: "Build (${{ matrix.os }})"
+    runs-on: ${{ matrix.machine }}
+    continue-on-error: ${{ matrix.mode != 'Strict' }}
+
+    permissions:
+      contents: "write"
+      actions: "read"
+      id-token: "write"
+      checks: "write"
+      pull-requests: "write"
+      packages: "read"
+      security-events: "write"
+
+    defaults:
+      run:
+        shell: bash
+
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          # allowed-endpoints: []
+      - name: "Setup: Checkout"
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          submodules: false
+          persist-credentials: false
+      - name: "Setup: Bun"
+        uses: oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 # v1.2.2
+        with:
+          bun-version: latest
+      - name: "Setup: Install Dependencies"
+        run: bun install --frozen
+      - name: "Build: Library"
+        run: bun run build && cd dist && tar -czvf ../hakuna.tgz ./*
+      - name: "Artifact: Build Outputs"
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: hakuna-lib
+          path: |
+            hakuna.tgz
+            dist/**/*.*
+      - name: "Artifact: Provenance Subject"
+        id: hash
+        if: ${{ matrix.os == 'ubuntu' && inputs.provenance }}
+        run: |
+          echo "hashes=$(sha256sum ./hakuna.tgz | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  ## Report: Provenance
+  provenance:
+    name: Provenance
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    if: inputs.provenance
+    needs: [build]
+    permissions:
+      actions: "read"
+      id-token: "write"
+      contents: "write"
+    with:
+      base64-subjects: "${{ needs.gradle.outputs.hashes }}"
+      upload-assets: ${{ github.ref == 'refs/heads/stable' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'release/') || startsWith(github.ref, 'refs/tags/v') }}
diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
@@ -0,0 +1,44 @@
+#
+# Copyright (c) 2024 Elide Technologies, Inc.
+#
+# Licensed under the MIT license (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# https://opensource.org/license/mit/
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+# an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under the License.
+#
+
+name: PR
+
+"on":
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: "pr-${{ github.event.pull_request.number }}"
+  cancel-in-progress: true
+
+jobs:
+  ##
+  ## Job: Bun Build
+  ##
+  pr-build:
+    name: "Build"
+    uses: ./.github/workflows/job.build.yml
+    secrets: inherit
+    permissions:
+      contents: "write"
+      actions: "read"
+      id-token: "write"
+      checks: "write"
+      pull-requests: "write"
+      packages: "read"
+      security-events: "write"
+    with:
+      provenance: false
diff --git a/.github/workflows/on.push.yml b/.github/workflows/on.push.yml
@@ -0,0 +1,46 @@
+#
+# Copyright (c) 2024 Elide Technologies, Inc.
+#
+# Licensed under the MIT license (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# https://opensource.org/license/mit/
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+# an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under the License.
+#
+
+name: CI
+
+"on":
+  merge_group: {}
+  push:
+    branches:
+      - stable
+      - main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: "push-${{ github.ref }}"
+
+jobs:
+  ##
+  ## Job: Multi-platform Build
+  ##
+  build:
+    name: "Build"
+    uses: ./.github/workflows/job.build.yml
+    secrets: inherit
+    permissions:
+      actions: "read"
+      checks: "write"
+      contents: "write"
+      id-token: "write"
+      packages: "read"
+      pull-requests: "write"
+      security-events: "write"
+    with:
+      provenance: true