CI: update release procedure to separately upload artifacts

Author: Techatrix

.github/workflows/artifacts.yml

@@ -23,19 +23,31 @@ jobs:
       - name: Install APT packages
         run: |
           sudo apt-get update
-          sudo apt-get install tar 7zip
+          sudo apt-get install tar 7zip s3cmd
 
       - name: Install minisign
         run: |
           wget https://github.com/jedisct1/minisign/releases/download/0.11/minisign-0.11-linux.tar.gz
           tar -xf minisign-0.11-linux.tar.gz --directory ${HOME}
           echo "${HOME}/minisign-linux/x86_64/" >> $GITHUB_PATH
 
-      - name: Build and Publish artifacts
+      - name: Build release artifacts
         run: |
           echo "${MINISIGN_SECRET_FILE}" > minisign.key
-          zig build publish -Drelease-minisign -Doptimize=ReleaseSafe --summary all
+          zig build release -Drelease-minisign -Doptimize=ReleaseSafe --summary all
           rm -f minisign.key
         env:
-          ZLS_WORKER_API_TOKEN: ${{ secrets.ZLS_WORKER_API_TOKEN }}
           MINISIGN_SECRET_FILE: ${{ secrets.MINISIGN_SECRET_FILE }}
+
+      - name: Upload release artifacts
+        run: s3cmd --host=${R2_ACCOUNT_ID}.r2.cloudflarestorage.com --host-bucket=${R2_ACCOUNT_ID}.r2.cloudflarestorage.com put ./zig-out/artifacts/ --recursive s3://${R2_BUCKET}
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
+          R2_BUCKET: ${{ secrets.R2_BUCKET }}
+
+      - name: Publish release
+        run: zig build publish -Drelease-minisign -Doptimize=ReleaseSafe --summary new
+        env:
+          ZLS_WORKER_API_TOKEN: ${{ secrets.ZLS_WORKER_API_TOKEN }}

build.zig

@@ -451,56 +451,24 @@ fn release(b: *Build, release_artifacts: []const *Build.Step.Compile) void {
     std.debug.assert(release_artifacts.len > 0);
     for (release_artifacts) |compile| std.debug.assert(compile.version != null);
 
-    const publish_step = b.step("publish", "Publish release artifacts to releases.zigtools.org");
+    const publish_step = b.step("publish", "Publish release artifacts to releases.zigtools.org (requires curl)");
     const release_step = b.step("release", "Build all release artifacts. (requires tar and 7z)");
     const release_minisign = b.option(bool, "release-minisign", "Sign release artifacts with Minisign") orelse false;
 
-    const FileExtension = enum {
-        zip,
-        @"tar.xz",
-        @"tar.gz",
-    };
+    publish_step.dependOn(release_step);
 
-    const uri: std.Uri = if (b.graph.env_map.get("ZLS_WORKER_ENDPOINT")) |endpoint| blk: {
-        var uri = std.Uri.parse(endpoint) catch std.debug.panic("invalid URI: '{s}'", .{endpoint});
-        if (!uri.path.isEmpty()) std.debug.panic("ZLS_WORKER_ENDPOINT URI must have no path component: '{s}'", .{endpoint});
-        uri.path = .{ .raw = "/v1/zls/publish" };
-        break :blk uri;
-    } else .{
-        .scheme = "https",
-        .host = .{ .raw = "releases.zigtools.org" },
-        .path = .{ .raw = "/v1/zls/publish" },
-    };
-
-    const password = b.graph.env_map.get("ZLS_WORKER_API_TOKEN") orelse "amogus";
-
-    const publish_exe = b.addExecutable(.{
-        .name = "publish",
-        .target = b.graph.host,
-        .root_source_file = b.path("src/tools/publish_http_form.zig"),
-    });
-
-    // var publish_artifacts = b.addSystemCommand("curl")
-    var publish_artifacts = b.addRunArtifact(publish_exe);
-    publish_step.dependOn(&publish_artifacts.step);
-
-    publish_artifacts.addArgs(&.{
-        b.fmt("{}", .{uri}),
-        "--user",
-        b.fmt("admin:{s}", .{password}),
-    });
     // It is possible for the version to be something like `0.12.0-dev` when `git describe` failed.
     // Ideally we would want to report a failure about this when running one of the release/publish steps.
     // The problem is during the configure phase, it is not possible to know which top level steps gets run.
     // So instead we use rely on the release-worker to reject this version string during the make phase.
     // One possible alternative would be to use a configuration option (i.e. -Dpublish) to conditionally run an assertion.
-    publish_artifacts.addArgs(&.{
-        "--form", b.fmt("zls-version={}", .{release_artifacts[0].version.?}),
-        "--form", "compatibility=full",
-        "--form", b.fmt("zig-version={s}", .{builtin.zig_version_string}),
-        "--form", b.fmt("minimum-build-zig-version={s}", .{minimum_build_zig_version}),
-        "--form", b.fmt("minimum-runtime-zig-version={s}", .{minimum_runtime_zig_version}),
-    });
+    const released_zls_version = release_artifacts[0].version.?;
+
+    const FileExtension = enum {
+        zip,
+        @"tar.xz",
+        @"tar.gz",
+    };
 
     var compressed_artifacts: std.StringArrayHashMapUnmanaged(std.Build.LazyPath) = .empty;
 
@@ -524,6 +492,7 @@ fn release(b: *Build, release_artifacts: []const *Build.Step.Compile) void {
             });
 
             const compress_cmd = std.Build.Step.Run.create(b, "compress artifact");
+            compress_cmd.clearEnvironment();
             compress_cmd.step.max_rss = switch (extension) {
                 .zip => 160 * 1024 * 1024, // 160 MiB
                 .@"tar.xz" => 512 * 1024 * 1024, // 512 MiB
@@ -568,24 +537,77 @@ fn release(b: *Build, release_artifacts: []const *Build.Step.Compile) void {
 
         const install_tarball = b.addInstallFileWithDir(file_path, install_dir, file_name);
         release_step.dependOn(&install_tarball.step);
-        publish_artifacts.addArg("--form");
-        publish_artifacts.addPrefixedFileArg(b.fmt("{s}=@", .{file_name}), file_path);
 
         if (release_minisign) {
             const minisign_basename = b.fmt("{s}.minisig", .{file_name});
 
             const minising_cmd = b.addSystemCommand(&.{ "minisign", "-Sm" });
+            minising_cmd.clearEnvironment();
             minising_cmd.addFileArg(file_path);
             minising_cmd.addPrefixedFileArg("-s", .{ .cwd_relative = "minisign.key" });
             const minising_file_path = minising_cmd.addPrefixedOutputFileArg("-x", minisign_basename);
 
             const install_minising = b.addInstallFileWithDir(minising_file_path, install_dir, minisign_basename);
             release_step.dependOn(&install_minising.step);
-
-            publish_artifacts.addArg("--form");
-            publish_artifacts.addPrefixedFileArg(b.fmt("{s}=@", .{minisign_basename}), minising_file_path);
         }
     }
+
+    // Create JSON request data
+
+    const prepare_release = b.addRunArtifact(b.addExecutable(.{
+        .name = "prepare_release",
+        .root_module = b.createModule(.{
+            .root_source_file = b.path("src/tools/prepare_release.zig"),
+            .target = b.graph.host,
+            .optimize = .Debug,
+        }),
+    }));
+
+    prepare_release.addArgs(&.{
+        "--zls-version",
+        b.fmt("{}", .{released_zls_version}),
+        "--zig-version",
+        b.fmt("{s}", .{builtin.zig_version_string}),
+        "--minimum-build-zig-version",
+        b.fmt("{s}", .{minimum_build_zig_version}),
+        "--minimum-runtime-zig-version",
+        b.fmt("{s}", .{minimum_runtime_zig_version}),
+        "--compatibility",
+        "full",
+    });
+
+    for (compressed_artifacts.values()) |path| {
+        prepare_release.addFileArg(path);
+    }
+
+    // Send Post request to `https://releases.zigtools.org/v1/zls/publish`
+
+    const uri: std.Uri = if (b.graph.env_map.get("ZLS_WORKER_ENDPOINT")) |endpoint| blk: {
+        var uri = std.Uri.parse(endpoint) catch std.debug.panic("invalid URI: '{s}'", .{endpoint});
+        if (!uri.path.isEmpty()) std.debug.panic("ZLS_WORKER_ENDPOINT URI must have no path component: '{s}'", .{endpoint});
+        uri.path = .{ .raw = "/v1/zls/publish" };
+        break :blk uri;
+    } else .{
+        .scheme = "https",
+        .host = .{ .raw = "releases.zigtools.org" },
+        .path = .{ .raw = "/v1/zls/publish" },
+    };
+
+    const password = b.graph.env_map.get("ZLS_WORKER_API_TOKEN") orelse "amogus";
+
+    var publish_artifacts = b.addSystemCommand(&.{"curl"});
+    publish_artifacts.has_side_effects = true;
+    publish_step.dependOn(&publish_artifacts.step);
+
+    publish_artifacts.addArgs(&.{
+        b.fmt("{}", .{uri}),
+        "--fail",
+        "--show-error",
+        "--user",
+        b.fmt("admin:{s}", .{password}),
+        "--json",
+    });
+    publish_artifacts.addPrefixedFileArg("@", prepare_release.captureStdOut());
 }
 
 const Build = blk: {

src/tools/prepare_release.zig

@@ -0,0 +1,90 @@
+const std = @import("std");
+const assert = std.debug.assert;
+
+pub fn main() !void {
+    var arena_allocator: std.heap.ArenaAllocator = .init(std.heap.page_allocator);
+    const arena = arena_allocator.allocator();
+
+    const args = try std.process.argsAlloc(arena);
+    var arg_i: usize = 1;
+
+    assert(std.mem.eql(u8, "--zls-version", nextArg(args, &arg_i).?));
+    const zls_version = nextArg(args, &arg_i).?;
+    assert(std.mem.eql(u8, "--zig-version", nextArg(args, &arg_i).?));
+    const zig_version = nextArg(args, &arg_i).?;
+    assert(std.mem.eql(u8, "--minimum-build-zig-version", nextArg(args, &arg_i).?));
+    const minimum_build_zig_version = nextArg(args, &arg_i).?;
+    assert(std.mem.eql(u8, "--minimum-runtime-zig-version", nextArg(args, &arg_i).?));
+    const minimum_runtime_zig_version = nextArg(args, &arg_i).?;
+    assert(std.mem.eql(u8, "--compatibility", nextArg(args, &arg_i).?));
+    const compatibility = nextArg(args, &arg_i).?;
+
+    var output_buffer: std.ArrayListUnmanaged(u8) = .empty;
+
+    var write_stream = std.json.writeStream(output_buffer.writer(arena), .{ .whitespace = .indent_2 });
+
+    try write_stream.beginObject();
+
+    try write_stream.objectField("zlsVersion");
+    try write_stream.write(zls_version);
+
+    try write_stream.objectField("zigVersion");
+    try write_stream.write(zig_version);
+
+    try write_stream.objectField("minimumBuildZigVersion");
+    try write_stream.write(minimum_build_zig_version);
+
+    try write_stream.objectField("minimumRuntimeZigVersion");
+    try write_stream.write(minimum_runtime_zig_version);
+
+    try write_stream.objectField("compatibility");
+    try write_stream.write(compatibility);
+
+    try write_stream.objectField("artifacts");
+
+    try write_stream.beginObject();
+
+    while (nextArg(args, &arg_i)) |file_path| {
+        const file_name = std.fs.path.basename(file_path);
+
+        try write_stream.objectField(file_name);
+        try write_stream.beginObject();
+
+        var file = try std.fs.cwd().openFile(file_path, .{});
+        defer file.close();
+
+        const stat = try file.stat();
+
+        var sha256sum: std.crypto.hash.sha2.Sha256 = .init(.{});
+        var read_buffer: [16 * 1024]u8 = undefined;
+        while (true) {
+            const amt = try file.read(&read_buffer);
+            if (amt == 0) break;
+            sha256sum.update(read_buffer[0..amt]);
+        }
+        assert(sha256sum.total_len == stat.size);
+
+        const hash = sha256sum.finalResult();
+
+        try write_stream.objectField("shasum");
+        try write_stream.print("\"{}\"", .{std.fmt.fmtSliceHexLower(&hash)});
+
+        try write_stream.objectField("size");
+        try write_stream.write(sha256sum.total_len);
+
+        try write_stream.endObject();
+        try std.fs.cwd().access(file_path, .{});
+    }
+
+    try write_stream.endObject();
+
+    try write_stream.endObject();
+
+    try std.io.getStdOut().writeAll(output_buffer.items);
+}
+
+fn nextArg(args: []const [:0]const u8, i: *usize) ?[:0]const u8 {
+    if (i.* >= args.len) return null;
+    defer i.* += 1;
+    return args[i.*];
+}