build: switch to cross & create attestation (#6)

Co-authored-by: Rabindra Dhakal <[email protected]>

Author: Azathothas

.github/workflows/nightly.yaml

@@ -1,13 +1,18 @@
 name: soarql
-
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true
+  
 on:
   push:
     branches:
       - main
   workflow_dispatch:
 
 permissions:
+  attestations: write
   contents: write
+  id-token: write
 
 jobs:
   remove-nightly-tag:
@@ -57,30 +62,39 @@ jobs:
       - name: Install dependencies
         shell: bash
         run: |
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends \
-            --allow-unauthenticated musl-tools b3sum
+          sudo apt update -y
+          sudo apt install b3sum findutils file -y
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@nightly
         with:
           targets: ${{ matrix.build.TARGET }}
 
-      - name: Install cross-compilation tools
-        uses: taiki-e/setup-cross-toolchain-action@v1
-        with:
-          target: ${{ matrix.build.TARGET }}
-
+      - name: Install Cross
+        shell: bash
+        run: |
+          cargo install cross --git "https://github.com/cross-rs/cross" --jobs="$(($(nproc)+1))"
+          hash -r &>/dev/null
+          command -v cross &>/dev/null || { echo "cross command not found" >&2; exit 1; } 
+       
       - name: Build
-        run: RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --locked --target ${{ matrix.build.TARGET }}
+        env:
+          RUSTFLAGS: "-C target-feature=+crt-static \
+                      -C link-self-contained=yes \
+                      -C link-arg=-Wl,--build-id=none"
+        run: cross +nightly build --release --locked --target "${{ matrix.build.TARGET }}" --jobs="$(($(nproc)+1))" --verbose
 
       - name: Prepare nightly binary
+        env:
+          ARTIFACT: "nightly/soarql-${{ matrix.build.NAME }}"
         shell: bash
         run: |
           mkdir -p nightly
-          cp "target/${{ matrix.build.TARGET }}/release/soarql" nightly/soarql-${{ matrix.build.NAME }}
-          b3sum nightly/soarql-${{ matrix.build.NAME }} > nightly/soarql-${{ matrix.build.NAME }}.b3sum
-
+          cp "target/${{ matrix.build.TARGET }}/release/soarql" "${ARTIFACT}"
+          b3sum "${ARTIFACT}" > "${ARTIFACT}.b3sum"
+          realpath "${ARTIFACT}" | xargs -I "{}" bash -c \
+           'printf "\nFile: $(basename {})\n  Type: $(file -b {})\n  B3sum: $(b3sum {} | cut -d" " -f1)\n  SHA256sum: $(sha256sum {} | cut -d" " -f1)\n  Size: $(du -bh {} | cut -f1)\n"'
+          
       - name: Upload nightly binary
         uses: softprops/action-gh-release@v2
         with:
@@ -92,3 +106,12 @@ jobs:
           draft: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Attest Build Provenance
+        uses: actions/[email protected]
+        with:
+          subject-name: "soarql-${{ matrix.build.NAME }}"
+          subject-path: |
+            nightly/**
+          show-summary: true
+        continue-on-error: true