Skip to content

build(deps): bump github/codeql-action from 3.27.9 to 3.28.0 #4409

build(deps): bump github/codeql-action from 3.27.9 to 3.28.0

build(deps): bump github/codeql-action from 3.27.9 to 3.28.0 #4409

Workflow file for this run

# Forked from https://github.com/containerd/nerdctl/blob/v0.8.1/.github/workflows/release.yml
# Apache License 2.0
name: Release
on:
push:
branches:
- 'master'
tags:
- 'v*'
pull_request:
branches:
- 'master'
env:
GO111MODULE: on
permissions:
contents: read
jobs:
artifacts-darwin:
name: Artifacts Darwin
# The latest release of macOS is used to enable new features.
# https://github.com/lima-vm/lima/issues/2767
#
# Apparently, a binary built on a newer version of macOS can still run on
# an older release of macOS without an error.
# This is quite different from Linux and glibc.
runs-on: macos-15
timeout-minutes: 20
steps:
- name: "Show xcode and SDK version"
run: |
# Xcode version
xcodebuild -version
# macOS SDK version
xcrun --show-sdk-version || true
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 1
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: 1.23.x
- name: Make darwin artifacts
run: make artifacts-darwin
- name: "Upload artifacts"
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: artifacts-darwin
path: _artifacts/
release:
# An old release of Ubuntu is chosen for glibc compatibility
runs-on: ubuntu-20.04
needs: artifacts-darwin
timeout-minutes: 20
# The maximum access is "read" for PRs from public forked repos
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
permissions:
contents: write # for releases
id-token: write # for provenances
attestations: write # for provenances
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: artifacts-darwin
path: _artifacts/
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: 1.23.x
- name: Install gcc-x86-64-linux-gnu
run: |
sudo apt-get update
sudo apt-get install -y gcc-x86-64-linux-gnu
- name: Install gcc-aarch64-linux-gnu
run: |
sudo apt-get update
sudo apt-get install -y gcc-aarch64-linux-gnu
- name: "Compile binaries"
run: make artifacts-linux
- name: "Make misc artifacts"
run: make artifacts-misc
- name: "SHA256SUMS"
run: |
( cd _artifacts; sha256sum *.tar.gz ) | tee /tmp/SHA256SUMS
mv /tmp/SHA256SUMS _artifacts/SHA256SUMS
- name: "The sha256sum of the SHA256SUMS file"
run: (cd _artifacts; sha256sum SHA256SUMS)
- name: "Prepare the release note"
run: |
shasha=$(sha256sum _artifacts/SHA256SUMS | awk '{print $1}')
cat <<-EOF | tee /tmp/release-note.txt
(Changes to be documented)
## Usage
\`\`\`console
[macOS]$ limactl create
[macOS]$ limactl start
...
INFO[0029] READY. Run \`lima\` to open the shell.
[macOS]$ lima uname
Linux
\`\`\`
- - -
The binaries were built automatically on GitHub Actions.
The build log is available for 90 days: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
The sha256sum of the SHA256SUMS file itself is \`${shasha}\` .
- - -
Release manager: [ADD YOUR NAME HERE] (@[ADD YOUR GITHUB ID HERE])
EOF
- uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
with:
subject-path: _artifacts/*
- name: "Create release"
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
tag="${GITHUB_REF##*/}"
gh release create -F /tmp/release-note.txt --draft --title "${tag}" "${tag}" _artifacts/*