Sign artifacts

JanCBrammer · JanCBrammer · commit e301b4321ab0 · 2025-08-28T06:44:38.000Z
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.github/workflows/build_matrix.json b/.github/workflows/build_matrix.json
@@ -6,7 +6,9 @@
         "pre_build": "sudo apt update && sudo apt install -y cmake && python3 -m pip install -e INCHI-1-TEST[invariance-tests]",
         "build_exe": "cmake --build CMake_build/cli_build",
         "build_lib": "cmake --build CMake_build/libinchi_build",
-        "exe_path": "CMake_build/cli_build/bin/inchi-1"
+        "exe_path": "CMake_build/cli_build/bin/inchi-1",
+        "lib_path": "CMake_build/libinchi_build/bin/libinchi.so",
+        "main_path": "CMake_build/libinchi_build/bin/inchi_main"
     },
     {
         "os": "windows-2022",
@@ -15,7 +17,9 @@
         "pre_build": "python -m pip install -e INCHI-1-TEST[invariance-tests]",
         "build_exe": "cmake --build CMake_build/cli_build --config Release",
         "build_lib": "cmake --build CMake_build/libinchi_build --config Release",
-        "exe_path": "CMake_build/cli_build/bin/Release/inchi-1.exe"
+        "exe_path": "CMake_build/cli_build/bin/Release/inchi-1.exe",
+        "lib_path": "CMake_build/libinchi_build/bin/Release/libinchi.dll",
+        "main_path": "CMake_build/libinchi_build/bin/Release/inchi_main.exe"
 
     },
     {
@@ -25,6 +29,8 @@
         "pre_build": "python -m pip install -e INCHI-1-TEST[invariance-tests]",
         "build_exe": "cmake --build CMake_build/cli_build",
         "build_lib": "cmake --build CMake_build/libinchi_build",
-        "exe_path": "CMake_build/cli_build/bin/inchi-1"
+        "exe_path": "CMake_build/cli_build/bin/inchi-1",
+        "lib_path": "CMake_build/libinchi_build/bin/libinchi.dylib",
+        "main_path": "CMake_build/libinchi_build/bin/inchi_main"
     }
 ]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,36 +1,130 @@
-# Trigger this workflow by pushing a release tag.
-# Make sure that `HEAD` is pointing to the commit you want to release.
-# Then run `git tag -a v<version_tag> -m "Release version <version_tag> (<yyyy>-<mm>-<dd>)" && git push && git push --tags`.
-# For example `git tag -a v1.06 -m "Release version 1.06 (2020-12-20)" && git push && git push --tags`.
-name: InChI Release
+name: Release
 
 on:
+  workflow_dispatch:
   push:
+    # TODO: Remove branches trigger.
+    branches: [ release-automation ]
+    # Trigger this workflow by pushing a release tag.
+    # Make sure that `HEAD` is pointing to the commit you want to release.
+    # Then run `git tag -a v<version_tag> -m "Release version <version_tag> (<yyyy>-<mm>-<dd>)" && git push && git push --tags`.
+    # For example `git tag -a v1.06 -m "Release version 1.06 (2020-12-20)" && git push && git push --tags`.
     tags:
       - v1.*
 
 jobs:
-  release:
-    runs-on: ubuntu-latest
+  define_matrix:
+    runs-on: ubuntu-22.04
+    outputs:
+      matrix: ${{ steps.define_matrix.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Define build matrix
+        id: define_matrix
+        # The build matrix is used to interpolate commands and inputs throughout the remainder of the workflow.
+        # Since those interpolations are potentially security-sensitive, we verify the hash of the build matrix.
+        if: ${{ hashFiles('.github/workflows/build_matrix.json') == 'ae87ded543b131908cf5aed1502d0e39b2cb9374693598ef7f09c5c5a8be4e52' }}
+        run: |
+          echo "matrix=$(cat .github/workflows/build_matrix.json| jq -c .)" >> $GITHUB_OUTPUT
+
+  build_and_test:
+    needs: define_matrix
+    strategy:
+      matrix:
+        include:
+          ${{ fromJson(needs.define_matrix.outputs.matrix) }}
+    name: ${{ matrix.name }}
+    runs-on: ${{ matrix.os }}
+    env:
+      RELEASE_DIR: inchi-${{ matrix.slug }}-${{ github.sha }}
 
     permissions:
       contents: write
 
     steps:
       - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
         with:
-          fetch-depth: 0
+          python-version: '3.12'
+
+      - name: Install dependencies
+        run: ${{ matrix.pre_build }}
+
+      - name: Set up Visual Studio shell
+        if: runner.os == 'Windows'
+        uses: egor-tensin/vs-shell@9a932a62d05192eae18ca370155cf877eecc2202
+        with:
+          arch: x64
+
+      - name: Build executable
+        run: |
+          cmake -B CMake_build/cli_build -S INCHI-1-SRC/INCHI_EXE/inchi-1/src
+          ${{ matrix.build_exe }}
+
+      - name: Test executable
+        run: pytest INCHI-1-TEST/tests/test_executable --exe-path ${{ matrix.exe_path }}
+
+      - name: Build library
+        run: |
+          cmake -B CMake_build/libinchi_build -S INCHI-1-SRC/INCHI_API/demos/inchi_main/src
+          ${{ matrix.build_lib }}
 
-      - name: Checkout release
-        # `ref_name` is triggering tag.
-        run: git checkout ${{ github.ref_name }}
+      - name: Test library
+        uses: ./.github/actions/regression_tests
+        with:
+          artifact-name: regression-test-results-${{ matrix.slug }}-${{ github.sha }}
+          test-config: INCHI-1-TEST/tests/test_library/config/config_regression_${{ matrix.slug }}.py
+          shell: ${{ runner.os == 'Windows' && 'pwsh' || 'bash' }}
 
-      - name: Build release artifacts
+      - name: Collect artifacts
         run: |
-          zip -r INCHI-1-BIN.zip INCHI-1-BIN
-          zip -r INCHI-1-DOC.zip INCHI-1-DOC
-          zip -r INCHI-1-SRC.zip INCHI-1-SRC
-          zip -r INCHI-1-TEST.zip INCHI-1-TEST
+          mkdir -p ${{ env.RELEASE_DIR }}
+          cp ${{ matrix.exe_path }} ${{ env.RELEASE_DIR }}
+          cp ${{ matrix.lib_path }} ${{ env.RELEASE_DIR }}
+          cp ${{ matrix.main_path }} ${{ env.RELEASE_DIR }}
+
+      - id: upload-unsigned-artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.RELEASE_DIR }}
+          path: ${{ env.RELEASE_DIR }}
+
+      - name: Sign artifacts
+        if: runner.os == 'Windows'
+        uses: signpath/github-action-submit-signing-request@4f13d373e8f0cd8d3c0465ff4877feff27aed2ae
+        with:
+          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
+          organization-id: 656f8204-f8c5-4028-bd48-f832f5f89b31
+          project-slug: InChI
+          signing-policy-slug: test-signing
+          github-artifact-id: ${{ steps.upload-unsigned-artifacts.outputs.artifact-id }}
+          wait-for-completion: true
+          output-artifact-directory: ${{ env.RELEASE_DIR }}-signed
+
+      - uses: actions/upload-artifact@v4
+        if: runner.os == 'Windows'
+        with:
+          name: ${{ env.RELEASE_DIR }}-signed
+          path: ${{ env.RELEASE_DIR }}-signed
+
+  release:
+    needs: build_and_test
+    if: github.ref_type == 'tag'
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: release_artifacts
+          pattern: inchi-*
+
+      - name: Package artifacts
+        run: zip -r release_artifacts.zip release_artifacts
 
       - name: Create release
         shell: bash
@@ -42,4 +136,4 @@ jobs:
           --verify-tag \
           --title "${{ github.ref_name }}" \
           --notes "For details about this release have a look at the [CHANGELOG](INCHI-1-DOC/CHANGELOG.md)." \
-          INCHI-1-BIN.zip INCHI-1-DOC.zip INCHI-1-SRC.zip INCHI-1-TEST.zip
+          release_artifacts.zip
