.github/workflows/publish-release-artifacts.yml - third_party/zstd - Git at Google

 name: publish-release-artifacts

 on:
   release:
     types:
       - published

 permissions: read-all

 jobs:
   publish-release-artifacts:
     permissions:
       contents: write # to fetch code and upload artifacts

     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/')

     steps:
       - name: Checkout
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

       - name: Archive
         env:
           RELEASE_SIGNING_KEY: ${{ secrets.RELEASE_SIGNING_KEY }}
           RELEASE_SIGNING_KEY_PASSPHRASE: ${{ secrets.RELEASE_SIGNING_KEY_PASSPHRASE }}
         run: |
           # compute file name
           export TAG="$(echo "$GITHUB_REF" | sed -n 's_^refs/tags/__p')"
           if [ -z "$TAG" ]; then
             echo "action must be run on a tag. GITHUB_REF is not a tag: $GITHUB_REF"
             exit 1
           fi
           # Attempt to extract "1.2.3" from "v1.2.3" to maintain artifact name backwards compat.
           # Otherwise, degrade to using full tag.
           export VERSION="$(echo "$TAG" | sed 's_^v\([0-9]\+\.[0-9]\+\.[0-9]\+\)$_\1_')"
           export ZSTD_VERSION="zstd-$VERSION"

           # archive
           git archive $TAG \
               --prefix $ZSTD_VERSION/ \
               --format tar \
               -o $ZSTD_VERSION.tar

           # Do the rest of the work in a sub-dir so we can glob everything we want to publish.
           mkdir artifacts/
           mv $ZSTD_VERSION.tar artifacts/
           cd artifacts/

           # compress
           zstd -k -19 $ZSTD_VERSION.tar
           gzip -k  -9 $ZSTD_VERSION.tar

           # we only publish the compressed tarballs
           rm $ZSTD_VERSION.tar

           # hash
           sha256sum $ZSTD_VERSION.tar.zst > $ZSTD_VERSION.tar.zst.sha256
           sha256sum $ZSTD_VERSION.tar.gz  > $ZSTD_VERSION.tar.gz.sha256

           # sign
           if [ -n "$RELEASE_SIGNING_KEY" ]; then
             export GPG_BATCH_OPTS="--batch --no-use-agent --pinentry-mode loopback --no-tty --yes"
             echo "$RELEASE_SIGNING_KEY" | gpg $GPG_BATCH_OPTS --import
             gpg $GPG_BATCH_OPTS --armor --sign --sign-with signing@zstd.net --detach-sig --passphrase "$RELEASE_SIGNING_KEY_PASSPHRASE" --output $ZSTD_VERSION.tar.zst.sig $ZSTD_VERSION.tar.zst
             gpg $GPG_BATCH_OPTS --armor --sign --sign-with signing@zstd.net --detach-sig --passphrase "$RELEASE_SIGNING_KEY_PASSPHRASE" --output $ZSTD_VERSION.tar.gz.sig  $ZSTD_VERSION.tar.gz
           fi

       - name: Publish
         uses: skx/github-action-publish-binaries@b9ca5643b2f1d7371a6cba7f35333f1461bbc703 # tag=release-2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           args: artifacts/*
	name: publish-release-artifacts

	on:
	release:
	types:
	- published

	permissions: read-all

	jobs:
	publish-release-artifacts:
	permissions:
	contents: write # to fetch code and upload artifacts

	runs-on: ubuntu-latest
	if: startsWith(github.ref, 'refs/tags/')

	steps:
	- name: Checkout
	uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

	- name: Archive
	env:
	RELEASE_SIGNING_KEY: ${{ secrets.RELEASE_SIGNING_KEY }}
	RELEASE_SIGNING_KEY_PASSPHRASE: ${{ secrets.RELEASE_SIGNING_KEY_PASSPHRASE }}
	run: \|
	# compute file name
	export TAG="$(echo "$GITHUB_REF" \| sed -n 's_^refs/tags/__p')"
	if [ -z "$TAG" ]; then
	echo "action must be run on a tag. GITHUB_REF is not a tag: $GITHUB_REF"
	exit 1
	fi
	# Attempt to extract "1.2.3" from "v1.2.3" to maintain artifact name backwards compat.
	# Otherwise, degrade to using full tag.
	export VERSION="$(echo "$TAG" \| sed 's_^v\([0-9]\+\.[0-9]\+\.[0-9]\+\)$_\1_')"
	export ZSTD_VERSION="zstd-$VERSION"

	# archive
	git archive $TAG \
	--prefix $ZSTD_VERSION/ \
	--format tar \
	-o $ZSTD_VERSION.tar

	# Do the rest of the work in a sub-dir so we can glob everything we want to publish.
	mkdir artifacts/
	mv $ZSTD_VERSION.tar artifacts/
	cd artifacts/

	# compress
	zstd -k -19 $ZSTD_VERSION.tar
	gzip -k -9 $ZSTD_VERSION.tar

	# we only publish the compressed tarballs
	rm $ZSTD_VERSION.tar

	# hash
	sha256sum $ZSTD_VERSION.tar.zst > $ZSTD_VERSION.tar.zst.sha256
	sha256sum $ZSTD_VERSION.tar.gz > $ZSTD_VERSION.tar.gz.sha256

	# sign
	if [ -n "$RELEASE_SIGNING_KEY" ]; then
	export GPG_BATCH_OPTS="--batch --no-use-agent --pinentry-mode loopback --no-tty --yes"
	echo "$RELEASE_SIGNING_KEY" \| gpg $GPG_BATCH_OPTS --import
	gpg $GPG_BATCH_OPTS --armor --sign --sign-with signing@zstd.net --detach-sig --passphrase "$RELEASE_SIGNING_KEY_PASSPHRASE" --output $ZSTD_VERSION.tar.zst.sig $ZSTD_VERSION.tar.zst
	gpg $GPG_BATCH_OPTS --armor --sign --sign-with signing@zstd.net --detach-sig --passphrase "$RELEASE_SIGNING_KEY_PASSPHRASE" --output $ZSTD_VERSION.tar.gz.sig $ZSTD_VERSION.tar.gz
	fi

	- name: Publish
	uses: skx/github-action-publish-binaries@b9ca5643b2f1d7371a6cba7f35333f1461bbc703 # tag=release-2.0
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	args: artifacts/*