build/build.sh

A script is included in `build/checksums.sh` to output these checksums after

#!/bin/sh

set -e

main() {

  # Use UTC time for everything.

  export TZ=UTC0

  # Set minimal locale.

  export LC_ALL=C

  # Set source date. This is honored by `asciidoctor` and other tools.

  export SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)

  if ! command -v rad > /dev/null; then

    echo "fatal: rad is not installed" ; exit 1

  fi

  if ! command -v podman > /dev/null; then

    echo "fatal: podman is not installed" ; exit 1

  fi

  if ! command -v sha256sum > /dev/null; then

    echo "fatal: sha256sum is not installed" ; exit 1

  fi

  rev="$(git rev-parse --short HEAD)"

  tempdir="$(mktemp -d)"

  gitarchive="$tempdir/heartwood-$rev.tar.gz"

  keypath="$(rad path)/keys/radicle.pub"

  version="$(build/version.sh)"

  image=radicle-build-$version

  if [ ! -f "$keypath" ]; then

    echo "fatal: no key found at $keypath" ; exit 1

  fi

  # Authenticate user for signing

  rad auth

  echo "Building Radicle $version.."

  echo "Creating archive of repository at $rev in $gitarchive.."

  git archive --format tar.gz -o "$gitarchive" HEAD

  echo "Building image ($image).."

  podman --cgroup-manager=cgroupfs build \

    --env SOURCE_DATE_EPOCH \

    --env GIT_COMMIT_TIME=$SOURCE_DATE_EPOCH \

    --env GIT_HEAD=$rev \

    --env RADICLE_VERSION=$version \

    --arch amd64 --tag $image -f ./build/Dockerfile - < $gitarchive

  echo "Creating container (radicle-build-container).."

  podman --cgroup-manager=cgroupfs create --replace --name radicle-build-container $image

  # Copy build artifacts to output folder.

  outdir=build/artifacts/

  mkdir -p $outdir

  podman cp --overwrite radicle-build-container:/builds/. $outdir

  for target in $(cat build/targets); do

    echo "Signing artifacts for $target.."

    filename="radicle-$version-$target.tar.xz"

    filepath="$outdir/$filename"

    # Output SHA256 digest of archive.

    checksum="$(cd $outdir && sha256sum $filename)"

    echo "Checksum of $filepath is $(echo "$checksum" | cut -d' ' -f1)"

    echo "$checksum" > $filepath.sha256

    # Sign archive and verify archive.

    rm -f $filepath.sig # Delete existing signature

    ssh-keygen -Y sign -n file -f $keypath $filepath

    ssh-keygen -Y check-novalidate -n file -s $filepath.sig < $filepath

  done

  # Remove build artifacts that aren't needed anymore.

  rm -f $gitarchive

  podman rm radicle-build-container > /dev/null

  podman rmi --ignore localhost/$image

}

# Run build.

echo "Running build.."

main "$@"

# Show artifact checksums.

echo

build/checksums.sh

echo

echo "Build ran successfully."

#!/bin/sh

find build/artifacts -type f -name '*.sha256' -exec cat {} +

x86_64-unknown-linux-musl

aarch64-unknown-linux-musl

x86_64-apple-darwin

aarch64-apple-darwin

#!/bin/sh

set -e

SSH_LOGIN=${SSH_LOGIN:-release}

SSH_ADDRESS=${SSH_ADDRESS:-$SSH_LOGIN@files.radicle.xyz}

SSH_KEY="$(rad path)/keys/radicle"

main() {

  version="$(build/version.sh)"

  echo "Uploading Radicle $version..."

  if [ -z "$version" ]; then

    echo "fatal: empty version number" >&2 ; exit 1

  fi

  # Create remote folder.

  ssh -i $SSH_KEY $SSH_ADDRESS mkdir -p /mnt/radicle/files/releases/$version

  # Copy files over.

  scp -i $SSH_KEY build/artifacts/radicle-$version* $SSH_ADDRESS:/mnt/radicle/files/releases/$version

  scp -i $SSH_KEY build/artifacts/radicle.json $SSH_ADDRESS:/mnt/radicle/files/releases/$version

  for target in $(cat build/targets); do

    archive=/mnt/radicle/files/releases/$version/radicle-$version-$target.tar.xz

    symlink=/mnt/radicle/files/releases/$version/radicle-$target.tar.xz

    echo "Creating symlinks for $target.."

    ssh -i $SSH_KEY $SSH_ADDRESS ln -snf $archive $symlink

    ssh -i $SSH_KEY $SSH_ADDRESS ln -snf $archive.sig $symlink.sig

    ssh -i $SSH_KEY $SSH_ADDRESS ln -snf $archive.sha256 $symlink.sha256

  done

  echo "Creating 'latest' symlink.."

  ssh -i $SSH_KEY $SSH_ADDRESS ln -snf /mnt/radicle/files/releases/$version /mnt/radicle/files/releases/latest

  echo "Done."

}

main "$@"

#!/bin/sh

if ! version="$(git describe --match='v*' --candidates=1 2>/dev/null)"; then

  echo "fatal: no version tag found by 'git describe'" >&2 ; exit 1

fi

# Remove `v` prefix from version.

version=${version#v}

echo $version

#!/bin/sh

set -e

if [ $# -ne 1 ]; then

  echo "Usage: $0 <version-number>"

  exit 1

fi

version="$1"

tag="v$version"

commit="$(git rev-parse HEAD)"

signing_key=$(git config user.signingKey)

git show "$commit"

if [ "$signing_key" != "$(rad self --ssh-key)" ]; then

  echo "The Git signing key does not match the output of 'rad self --ssh-key'."

  exit 1

fi

printf "\n"

printf "Tag the above commit with \033[35m$tag\033[0m, using \033[35m$(rad self --did)\033[0m? [y/N] "

read confirmation

rad auth

case "$confirmation" in

  [Yy]*)

    if git tag --annotate --sign "$tag" -m "Release $version" "$commit"; then

      echo "Tag $tag created and signed over $commit."

    else

      echo "Failed to create tag."

      exit 1

    fi ;;

  *)

    echo "Operation aborted."

    exit 1 ;;

esac