diff --git a/.github/workflows/mla_release.yml b/.github/workflows/mla_release.yml index 1cd11c78..d1e768ad 100644 --- a/.github/workflows/mla_release.yml +++ b/.github/workflows/mla_release.yml @@ -104,15 +104,6 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6 - if: matrix.container == null - with: - # Pin Rust toolchain for releases to a known-good previous stable release - # for increased stability and security. - # Rust does not provide an "old-stable" channel, so we explicitly specify the version (including its patch level). - toolchain: 1.92.0 - # For non-release builds, use 'stable'. - # toolchain: stable - uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0 if: matrix.msvc_platform - name: Set target if any @@ -142,15 +133,12 @@ jobs: if: matrix.container != null run: cargo build ${{ matrix.cargo_arg }} --manifest-path=bindings/C/Cargo.toml --target=${{ matrix.target }} - name: Build static library (outside container) - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # v1.0.1 if: matrix.container == null env: # RUSTC_BOOTSTRAP=1 allows use of -Z build-std on stable toolchain # Required because win7 targets aren't officially supported in stable RUSTC_BOOTSTRAP: "${{ contains(matrix.target, 'win7') && '1' || '' }}" - with: - command: build - args: ${{ matrix.cargo_arg }} --manifest-path=bindings/C/Cargo.toml --target=${{ matrix.target }} + run: cargo build ${{ matrix.cargo_arg }} --manifest-path=bindings/C/Cargo.toml --target=${{ matrix.target }} - name: Upload resulting 'mla' uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: 
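Review bot: Removing the actions-rs/toolchain step leaves the non-container builds (`if: matrix.container == null`) on whatever rustc the runner image happens to ship, so the 1.92.0 pin that the deleted comment justified for release builds now survives only on the container path, and the static libraries for the other matrix entries are produced by a compiler version that changes whenever the image is updated. The second hunk on this line also keeps `RUSTC_BOOTSTRAP=1` with `-Z build-std` for the win7 targets, which ties that build to unstable behaviour of an unpinned compiler. If the intent was to retire the actions-rs actions rather than the pin, a plain step keeps it: `- if: matrix.container == null` / `  run: rustup toolchain install 1.92.0 --profile minimal && rustup default 1.92.0` (a committed `rust-toolchain.toml` should achieve the same on hosted runners). The build job's earlier steps and its `matrix` definition are outside this hunk.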
@@ -159,7 +147,12 @@ jobs: release: permissions: + # Used to generate artifact attestation + attestations: write + # Used to upload release artifacts contents: write + # Use to sign the release artifacts + id-token: write # From https://github.com/cloudflare/wrangler/blob/master/.github/workflows/release.yml name: GitHub Release needs: build @@ -173,11 +166,6 @@ jobs: echo "version=${GITHUB_REF:15}" >> $GITHUB_OUTPUT - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Get Changelog Entry - id: changelog_reader - uses: mindsers/changelog-reader-action@32aa5b4c155d76c94e4ec883a223c947b2f02656 # v2.2.3 - with: - path: ./mla/CHANGELOG.md - name: Create Release id: create_release uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 
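Review bot: The `release` job now holds `contents: write`, `id-token: write` and `attestations: write` for its whole duration, although only the attest step at the end of the job (outside this hunk) needs the latter two; every earlier step, including the third-party create-release, download-artifact and upload-release-asset actions, can request an OIDC token in this repository's identity while it runs. Least privilege here is a separate `attest` job that re-downloads the artifacts and carries only `id-token: write` and `attestations: write`, leaving this job with `contents: write` alone. Minor: `# Use to sign the release artifacts` reads better as `# Used to request the OIDC token that Sigstore signs the attestation with`.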
@@ -186,9 +174,19 @@ jobs: with: tag_name: mla-${{ steps.get_version.outputs.VERSION }} release_name: mla-${{ steps.get_version.outputs.VERSION }} - body: ${{ steps.changelog_reader.outputs.changes }} draft: true - + body: | + Verification of assets + + This release assets are built by Github Runners and are attested so ( https://docs.github.com/en/actions/concepts/security/artifact-attestations ). + + To verify the provenance and transparency of assets you download, you can run `gh attestation verify --repo ANSSI-FR/MLA ` where `` is the file path to the downloaded asset. + + To do this without a github account, you can first download the trusted root with `gh attestation trusted-root > ./trusted-root.jsonl`, download the attestation at https://github.com/ANSSI-FR/MLA/attestations to `./attestation.json` and run `gh attestation verify --repo ANSSI-FR/MLA --bundle ./attestation.json --custom-trusted-root ./trusted-root.jsonl `. + + Changelog + + https://github.com/ANSSI-FR/MLA/blob/mla-${{ steps.get_version.outputs.VERSION }}/mla/CHANGELOG.md - name: Download linux-x86_64 artifact uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: 
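Review bot: The verification instructions in the new `body:` have an empty placeholder: the `gh attestation verify --repo ANSSI-FR/MLA` command is followed by an empty backtick pair where the asset path should be, and "where `` is the file path" refers to it, so a user copying the command gets a failure; if the text originally had `<path>` it was lost somewhere, and both commands should end in `<path>` with "where `<path>` is the downloaded asset". Verifying with `--repo` alone accepts a provenance produced by any workflow in the repository that can obtain an OIDC token; since the signing workflow is fixed, adding `--signer-workflow ANSSI-FR/MLA/.github/workflows/mla_release.yml` to both commands rejects attestations made by any other workflow. Wording: `This release assets are built by Github Runners and are attested so` → `These release assets are built on GitHub-hosted runners and carry a build-provenance attestation`.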
@@ -331,3 +329,30 @@ jobs: asset_content_type: application/octet-stream asset_name: mla.hpp + - name: Attest artifacts + uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 + with: + subject-path: | + ./mla-linux-x86_86/libmla.a + ./windows-i686.zip + ./windows-x86_64.zip + ./windows-i686-debug.zip + ./windows-x86_64-debug.zip + ./windows7-i686.zip + ./windows7-x86_64.zip + ./bindings/C/mla.h + ./bindings/C/mla.hpp + + publish: + name: Publish mla + needs: release + runs-on: ubuntu-24.04 + container: rust@sha256:f58923369ba295ae1f60bc49d03f2c955a5c93a0b7d49acfb2b2a65bebaf350d # v1.92.0 : Pin to known-good previous stable release for increased stability and security + environment: + name: cratesio + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Publish to crates.io + run: cargo publish --package mla + env: + CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }} diff --git a/.github/workflows/mlar_release.yml b/.github/workflows/mlar_release.yml index 5f54950a..d03035ed 100644 --- a/.github/workflows/mlar_release.yml +++ b/.github/workflows/mlar_release.yml @@ -53,15 +53,6 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6 - if: matrix.container == null - with: - # Pin Rust toolchain for releases to a known-good previous stable release - # for increased stability and security. - # Rust does not provide an "old-stable" channel, so we explicitly specify the version (including its patch level). - toolchain: 1.92.0 - # For non-release builds, use 'stable'. - # toolchain: stable - name: Set target if any # Skip rustup target add for win7 targets — rustup doesn't support these tier-3 targets if: matrix.target && !contains(matrix.target, 'win7') 
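Review bot: The new `publish` job runs `cargo publish` unattended as soon as `release` succeeds, with a long-lived `CRATES_IO_TOKEN` and no gate visible here other than whatever the `cratesio` environment is configured with; required reviewers on that environment are worth confirming, since the GitHub release itself stays a draft while the crate goes live. The job declares no `permissions:` and so inherits the workflow default; `permissions:` / `  contents: read` is all checkout needs, and `run: cargo publish --locked --package mla` makes the published build use the committed Cargo.lock instead of a freshly resolved dependency set. Separately, the subject path `./mla-linux-x86_86/libmla.a` looks like a typo for `x86_64`; it must match the `download-artifact` path used earlier in the job (outside this hunk), otherwise the attest step has nothing to attest for that asset.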
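Review bot: With the toolchain step deleted, the non-container `mlar` builds (`if: matrix.container == null`) compile with the rustc preinstalled on the runner image, so the 1.92.0 pin now exists only in the container matrix entries and the publish container, and the Windows release binaries are no longer built with a known compiler version. If the aim was to stop using the actions-rs actions rather than to drop the pin, a plain step restores it: `- if: matrix.container == null` / `  run: rustup toolchain install 1.92.0 --profile minimal && rustup default 1.92.0`. The build job's `matrix` and remaining steps are outside this hunk.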
@@ -89,15 +80,12 @@ jobs: if: matrix.container != null run: cargo build --release --all-features --package mlar --verbose ${{ matrix.cargo_build }} - name: Build (outside container) - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # v1.0.1 if: matrix.container == null env: # RUSTC_BOOTSTRAP=1 allows use of -Z build-std on stable toolchain # Required because win7 targets aren't officially supported in stable RUSTC_BOOTSTRAP: "${{ contains(matrix.target, 'win7') && '1' || '' }}" - with: - command: build - args: --release --all-features --package mlar --verbose ${{ matrix.cargo_build }} + run: cargo build --release --all-features --package mlar --verbose ${{ matrix.cargo_build }} - name: Upload resulting 'mlar' uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: @@ -106,7 +94,12 @@ jobs: release: permissions: + # Used to generate artifact attestation + attestations: write + # Used to upload release artifacts contents: write + # Use to sign the release artifacts + id-token: write # From https://github.com/cloudflare/wrangler/blob/master/.github/workflows/release.yml name: GitHub Release needs: build @@ -120,11 +113,6 @@ jobs: echo "version=${GITHUB_REF:15}" >> $GITHUB_OUTPUT - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Get Changelog Entry - id: changelog_reader - uses: mindsers/changelog-reader-action@32aa5b4c155d76c94e4ec883a223c947b2f02656 # v2.2.3 - with: - path: ./mlar/CHANGELOG.md - name: Create Release id: create_release uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 
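Review bot: `id-token: write` and `attestations: write` are granted to the entire `release` job although only the attest step at its end (outside this hunk) uses them, so every earlier step, including the third-party create-release, download and upload actions, can mint an OIDC token in this repository's identity for as long as the job runs. Moving the attestation into its own job that re-downloads the `mlar-*` artifacts confines those two permissions to the single step that signs. The comment `# Use to sign the release artifacts` should read `# Used to obtain the OIDC token Sigstore signs the attestation with`.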
@@ -133,9 +121,19 @@ jobs: with: tag_name: mlar-${{ steps.get_version.outputs.VERSION }} release_name: mlar-${{ steps.get_version.outputs.VERSION }} - body: ${{ steps.changelog_reader.outputs.changes }} draft: true - + body: | + Verification of assets + + This release assets are built by Github Runners and are attested so ( https://docs.github.com/en/actions/concepts/security/artifact-attestations ). + + To verify the provenance and transparency of assets you download, you can run `gh attestation verify --repo ANSSI-FR/MLA ` where `` is the file path to the downloaded asset. + + To do this without a github account, you can first download the trusted root with `gh attestation trusted-root > ./trusted-root.jsonl`, download the attestation at https://github.com/ANSSI-FR/MLA/attestations to `./attestation.json` and run `gh attestation verify --repo ANSSI-FR/MLA --bundle ./attestation.json --custom-trusted-root ./trusted-root.jsonl `. + + Changelog + + https://github.com/ANSSI-FR/MLA/blob/mlar-${{ steps.get_version.outputs.VERSION }}/mlar/CHANGELOG.md - name: Download Linux artifact uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: 
@@ -215,3 +213,27 @@ jobs: asset_path: ./mlar-macos/mlar asset_content_type: application/octet-stream asset_name: mlar-macos-${{ steps.get_version.outputs.VERSION }} + + - name: Attest artifacts + uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 + with: + subject-path: | + ./mlar-linux/mlar + ./mlar-windows/mlar.exe + ./mlar-windows7-i686/mlar.exe + ./mlar-windows7-x86_64/mlar.exe + ./mlar-macos/mlar + + publish: + name: Publish mlar + needs: release + runs-on: ubuntu-24.04 + container: rust@sha256:f58923369ba295ae1f60bc49d03f2c955a5c93a0b7d49acfb2b2a65bebaf350d # v1.92.0 : Pin to known-good previous stable release for increased stability and security + environment: + name: cratesio + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Publish to crates.io + run: cargo publish --package mlar + env: + CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }} diff --git a/.github/workflows/py-bindings.yml b/.github/workflows/py-bindings.yml index 75d39a4c..0151b18a 100644 --- a/.github/workflows/py-bindings.yml +++ b/.github/workflows/py-bindings.yml @@ -9,6 +9,8 @@ on: push: branches: - main + tags: + - "mla-py-bindings-v*" pull_request: permissions: @@ -20,17 +22,17 @@ jobs: strategy: matrix: platform: - - runner: ubuntu-latest + - runner: ubuntu-24.04 target: x86_64 - - runner: ubuntu-latest + - runner: ubuntu-24.04 target: x86 - - runner: ubuntu-latest + - runner: ubuntu-24.04 target: aarch64 - - runner: ubuntu-latest + - runner: ubuntu-24.04 target: armv7 - - runner: ubuntu-latest + - runner: ubuntu-24.04 target: s390x - - runner: ubuntu-latest + - runner: ubuntu-24.04 target: ppc64le steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
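Review bot: `cargo publish --package mlar` runs without `--locked`, so the publish-time build resolves dependencies afresh rather than using the committed Cargo.lock; `run: cargo publish --locked --package mlar` keeps what is published consistent with what CI built. The job has no `permissions:` block and inherits the workflow default, whereas `permissions:` / `  contents: read` is all checkout needs, leaving `CRATES_IO_TOKEN` as the only write capability in the job. Whether the `cratesio` environment requires a reviewer is not visible here; without one, pushing the tag publishes to crates.io unattended even though the GitHub release is created as a draft.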
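Review bot: Adding `tags: - "mla-py-bindings-v*"` to the push trigger means any tag matching that prefix starts a run that ends in a PyPI upload (the release job later in this file), so everyone who can create tags can publish the package; a tag ruleset restricting who may create `mla-py-bindings-v*` tags is the control that keeps this on par with the other release workflows, if it is not already in place. A comment above the pattern would make the consequence visible to the next editor: `# A matching tag triggers the PyPI publish in the release job below`.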
@@ -78,6 +80,37 @@ jobs: mypy bindings/python/tests/test_mla.py mypy bindings/python/tests/test_examples.py + musllinux: + runs-on: ${{ matrix.platform.runner }} + strategy: + matrix: + platform: + - runner: ubuntu-24.04 + target: x86_64 + - runner: ubuntu-24.04 + target: x86 + - runner: ubuntu-24.04 + target: aarch64 + - runner: ubuntu-24.04 + target: armv7 + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 + with: + python-version: 3.11 + - name: Build wheels + uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab + with: + target: ${{ matrix.platform.target }} + args: --release --out dist --find-interpreter --manifest-path bindings/python/Cargo.toml + sccache: true + manylinux: musllinux_1_2 + - name: Upload wheels + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + with: + name: wheels-musllinux-${{ matrix.platform.target }} + path: dist + windows: runs-on: ${{ matrix.platform.runner }} strategy: @@ -181,7 +214,7 @@ jobs: mypy bindings/python/tests/test_mla.py mypy bindings/python/tests/test_examples.py sdist: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build sdist 
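Review bot: `uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab` is the only action pin in this hunk without the `# vX.Y.Z` comment every other pin carries; add the version the SHA resolves to (not verifiable from here) so the pin can be audited and bumped like the rest. `sccache: true` makes the musllinux wheels depend on compiled objects restored from the shared Actions cache; for tag builds that end up on PyPI, `sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}` keeps the speed-up for CI runs while building publishable wheels from scratch. `python-version: 3.11` works only because 3.11 has no trailing zero — `python-version: "3.11"` avoids the 3.10→3.1 float trap on the next bump.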
@@ -193,4 +226,33 @@ jobs: uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: wheels-sdist - path: dist \ No newline at end of file + path: dist + + release: + name: Release py-bindings + runs-on: ubuntu-24.04 + if: ${{ startsWith(github.ref, 'refs/tags/mla-py-bindings-v') }} + environment: + name: pypi + url: https://test.pypi.org/p/mla-archive + needs: [linux, musllinux, windows, macos, sdist] + permissions: + # Use to sign the release artifacts + id-token: write + # Used to upload release artifacts + contents: write + # Used to generate artifact attestation + attestations: write + steps: + - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 + - name: Move artifacts to dist + run: | + rm -rf dist + mkdir dist + mv wheels-*/* dist +# - name: Generate artifact attestation +# uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 +# with: +# subject-path: dist/ + - name: publish + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4810913b..57ad0626 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -174,6 +174,7 @@ jobs: - name: Security audit uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3 # v1.2.0 with: + ignore: RUSTSEC-2025-0144 # As documented in README, we do not care enough for side channel attacks to update to an rc version of ml-dsa. Will update when final ml-dsa version is released. token: ${{ secrets.GITHUB_TOKEN }} clippy: @@ -209,4 +210,4 @@ jobs: run: cd mla && cargo publish --dry-run - name: Dry-run publish mlar run: cd mlar && cargo publish --dry-run - \ No newline at end of file +
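Review bot: The `pypi` environment's `url:` points at `https://test.pypi.org/p/mla-archive`, but `pypa/gh-action-pypi-publish` is invoked without `repository-url`, so by its default it uploads to production PyPI; either the url is wrong or the step is missing `with:` / `  repository-url: https://test.pypi.org/legacy/`. With the attest step commented out, `attestations: write` and `contents: write` are not used by any visible step (trusted publishing needs only `id-token: write`), so either drop them or restore the step; if the publish action's own attestations are what is intended, a comment on the disabled step saying so would explain the choice. `mv wheels-*/* dist` also assumes every downloaded artifact directory starts with `wheels-`, which matches the upload names in this file but silently skips anything else.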
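Review bot: Ignoring RUSTSEC-2025-0144 in the audit step silences it indefinitely; the comment records why but not when to revisit, so reference a tracking issue next to it, e.g. `ignore: RUSTSEC-2025-0144 # tracked in #<issue>; re-evaluate when the final ml-dsa release is out`. Whether `actions-rs/audit-check` honours an `ignore` input is not verifiable from here; putting the exception in `.cargo/audit.toml` (`[advisories]` / `ignore = ["RUSTSEC-2025-0144"]`) works regardless of the action and also applies to developers' local `cargo audit` runs.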