name: Release

on:

push:

branches:

- main

- v*.*

tags:

- v*

env:

ELIXIR_OPTS: "--warnings-as-errors"

LANG: C.UTF-8

permissions:

contents: write

id-token: write

attestations: write

jobs:

create_draft_release:

runs-on: ubuntu-22.04

env:

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

steps:

- name: Create draft release

if: github.ref_type != 'branch'

run: |

gh release create \

--repo ${{ github.repository }} \

--title ${{ github.ref_name }} \

--notes '' \

--draft \

${{ github.ref_name }}

- uses: actions/checkout@v4

if: github.ref_type == 'branch'

with:

fetch-depth: 50

- name: Update ${{ github.ref_name }}-latest

if: github.ref_type == 'branch'

run: |

ref_name=${{ github.ref_name }}-latest

if ! gh release view $ref_name; then

gh release create \

--latest=false \

--title $ref_name \

--notes "Automated release for latest ${{ github.ref_name }}." \

$ref_name

fi

git tag $ref_name --force

git push origin $ref_name --force

build:

needs: create_draft_release

strategy:

fail-fast: true

matrix:

include:

- otp: 25

otp_version: "25.3"

- otp: 26

otp_version: "26.0"

- otp: 27

otp_version: "27.0"

build_docs: build_docs

runs-on: ubuntu-22.04

steps:

- uses: actions/checkout@v4

with:

fetch-depth: 50

- name: "Build Release"

uses: ./.github/workflows/release_pre_built

with:

otp_version: ${{ matrix.otp_version }}

otp: ${{ matrix.otp }}

build_docs: ${{ matrix.build_docs }}

- name: "Attest release .exe provenance"

uses: actions/attest-build-provenance@v1

id: attest-exe-provenance

with:

subject-path: "elixir-otp-${{ matrix.otp }}.exe"

- name: "Copy release .exe provenance"

run: cp "$ATTESTATION" elixir-otp-${{ matrix.otp }}.exe.sigstore

env:

ATTESTATION: "${{ steps.attest-exe-provenance.outputs.bundle-path }}"

- name: "Attest release .zip provenance"

uses: actions/attest-build-provenance@v1

id: attest-zip-provenance

with:

subject-path: "elixir-otp-${{ matrix.otp }}.zip"

- name: "Copy release .zip provenance"

run: cp "$ATTESTATION" elixir-otp-${{ matrix.otp }}.zip.sigstore

env:

ATTESTATION: "${{ steps.attest-zip-provenance.outputs.bundle-path }}"

- name: "Attest docs provenance"

uses: actions/attest-build-provenance@v1

id: attest-docs-provenance

if: ${{ matrix.build_docs }}

with:

subject-path: "Docs.zip"

- name: "Copy docs provenance"

if: ${{ matrix.build_docs }}

run: cp "$ATTESTATION" Docs.zip.sigstore

env:

ATTESTATION: "${{ steps.attest-docs-provenance.outputs.bundle-path }}"

- name: "Upload release artifacts"

uses: actions/upload-artifact@v4

with:

name: elixir-otp-${{ matrix.otp }}

path: elixir-otp-${{ matrix.otp }}*

- name: "Upload doc artifacts"

uses: actions/upload-artifact@v4

if: ${{ matrix.build_docs }}

with:

name: Docs

path: Docs.zip*

upload-release:

needs: build

runs-on: windows-2022

steps:

- uses: actions/download-artifact@v4

- run: |

mv elixir-otp-*/* .

mv Docs/* .

shell: bash

- name: "Sign files with Trusted Signing"

if: github.repository == 'elixir-lang/elixir'

uses: azure/trusted-signing-action@v0.5.0

with:

azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}

azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}

azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}

endpoint: https://eus.codesigning.azure.net/

trusted-signing-account-name: trusted-signing-elixir

certificate-profile-name: Elixir

files-folder: ${{ github.workspace }}

files-folder-filter: exe

file-digest: SHA256

timestamp-rfc3161: http://timestamp.acs.microsoft.com

timestamp-digest: SHA256

- name: Upload Pre-built

shell: bash

env:

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

if [ "${{ github.ref_type }}" == "branch" ]; then

tag=${{ github.ref_name }}-latest

else

tag="${{ github.ref_name }}"

fi

gh release upload \

--repo ${{ github.repository }} \

--clobber \

"$tag" \

elixir-otp-*.zip \

elixir-otp-*.zip.sha{1,256}sum \

elixir-otp-*.zip.sigstore \

elixir-otp-*.exe \

elixir-otp-*.exe.sha{1,256}sum \

elixir-otp-*.exe.sigstore \

Docs.zip \

Docs.zip.sha{1,256}sum \

Docs.zip.sigstore

upload-builds-hex-pm:

needs: build

runs-on: ubuntu-22.04

concurrency: builds-hex-pm

env:

AWS_ACCESS_KEY_ID: ${{ secrets.HEX_AWS_ACCESS_KEY_ID }}

AWS_SECRET_ACCESS_KEY: ${{ secrets.HEX_AWS_SECRET_ACCESS_KEY }}

AWS_REGION: ${{ secrets.HEX_AWS_REGION }}

AWS_S3_BUCKET: ${{ secrets.HEX_AWS_S3_BUCKET }}

FASTLY_REPO_SERVICE_ID: ${{ secrets.HEX_FASTLY_REPO_SERVICE_ID }}

FASTLY_BUILDS_SERVICE_ID: ${{ secrets.HEX_FASTLY_BUILDS_SERVICE_ID }}

FASTLY_KEY: ${{ secrets.HEX_FASTLY_KEY }}

OTP_GENERIC_VERSION: "25"

steps:

- uses: actions/download-artifact@v4

- name: Init purge keys file

run: |

touch purge_keys.txt

- name: Upload Precompiled to S3

run: |

ref_name=${{ github.ref_name }}

mv elixir-otp-*/* .

for zip in $(find . -type f -name 'elixir-otp-*.zip' | sed 's/^\.\///'); do

dest=${zip/elixir/${ref_name}}

surrogate_key=${dest/.zip$/}

aws s3 cp "${zip}" "s3://${AWS_S3_BUCKET}/builds/elixir/${dest}" \

--cache-control "public,max-age=3600" \

--metadata "{\"surrogate-key\":\"builds builds/elixir builds/elixir/${surrogate_key}\",\"surrogate-control\":\"public,max-age=604800\"}"

echo "builds/elixir/${surrogate_key}" >> purge_keys.txt

if [ "$zip" == "elixir-otp-${OTP_GENERIC_VERSION}.zip" ]; then

aws s3 cp "${zip}" "s3://${AWS_S3_BUCKET}/builds/elixir/${ref_name}.zip" \

--cache-control "public,max-age=3600" \

--metadata "{\"surrogate-key\":\"builds builds/elixir builds/elixir/${ref_name}\",\"surrogate-control\":\"public,max-age=604800\"}"

echo builds/elixir/${ref_name} >> purge_keys.txt

fi

done

- name: Upload Docs to S3

working-directory: Docs

run: |

version=$(echo ${{ github.ref_name }} | sed -e 's/^v//g')

unzip Docs.zip

for f in doc/*; do

if [ -d "$f" ]; then

app=$(echo "$f" | sed s/"doc\/"//)

tarball="${app}-${version}.tar.gz"

surrogate_key="docs/${app}-${version}"

tar -czf "${tarball}" -C "doc/${app}" .

aws s3 cp "${tarball}" "s3://${AWS_S3_BUCKET}/docs/${tarball}" \

--cache-control "public,max-age=3600" \

--metadata "{\"surrogate-key\":\"${surrogate_key}\",\"surrogate-control\":\"public,max-age=604800\"}"

echo "${surrogate_key}" >> ../purge_keys.txt

fi

done

- name: Update builds txt

run: |

date="$(date -u '+%Y-%m-%dT%H:%M:%SZ')"

ref_name=${{ github.ref_name }}

aws s3 cp "s3://${AWS_S3_BUCKET}/builds/elixir/builds.txt" builds.txt || true

touch builds.txt

for sha256_file in $(find . -name 'elixir-otp-*.zip.sha256sum' | sed 's/^\.\///'); do

otp_version=$(echo "${sha256_file}" | sed -r 's/^elixir-otp-([[:digit:]]+)\.zip\.sha256sum/otp-\1/')

build_sha256=$(cut -d ' ' -f 1 "${sha256_file}")

sed -i "/^${ref_name}-${otp_version} /d" builds.txt

echo -e "${ref_name}-${otp_version} ${{ github.sha }} ${date} ${build_sha256} \n$(cat builds.txt)" > builds.txt

if [ "${otp_version}" == "otp-${OTP_GENERIC_VERSION}" ]; then

sed -i "/^${ref_name} /d" builds.txt

echo -e "${ref_name} ${{ github.sha }} ${date} ${build_sha256} \n$(cat builds.txt)" > builds.txt

fi

done

sort -u -k1,1 -o builds.txt builds.txt

aws s3 cp builds.txt "s3://${AWS_S3_BUCKET}/builds/elixir/builds.txt" \

--cache-control "public,max-age=3600" \

--metadata '{"surrogate-key":"builds builds/elixir builds/elixir/txt","surrogate-control":"public,max-age=604800"}'

echo 'builds/elixir/txt' >> purge_keys.txt

- name: Flush cache

if: github.repository == 'elixir-lang/elixir'

run: |

function purge_key() {

curl \

-X POST \

-H "Fastly-Key: ${FASTLY_KEY}" \

-H "Accept: application/json" \

-H "Content-Length: 0" \

"https://api.fastly.com/service/$1/purge/$2"

}

function purge() {

purge_key ${FASTLY_REPO_SERVICE_ID} $1

purge_key ${FASTLY_BUILDS_SERVICE_ID} $1

sleep 2

purge_key ${FASTLY_REPO_SERVICE_ID} $1

purge_key ${FASTLY_BUILDS_SERVICE_ID} $1

sleep 2

purge_key ${FASTLY_REPO_SERVICE_ID} $1

purge_key ${FASTLY_BUILDS_SERVICE_ID} $1

}

for key in $(cat purge_keys.txt); do

purge "${key}"

done