Release to Chocolatey #16
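# Packages a published celq Windows release for Chocolatey: downloads the
# release zip and its SHA256SUMS, checks the digest, builds the .nupkg with a
# GPG-clearsigned VERIFICATION.txt, pushes it, and records build-provenance
# attestations. Versions containing alpha/beta/rc skip every step after the
# pre-release check.
name: Release to Chocolatey

on:
  workflow_dispatch:
  push:
    tags:
      - "v[0-9]*"

# id-token and attestations write access are needed by the two
# actions/attest-build-provenance steps; repository contents stay read-only.
permissions:
  contents: read
  id-token: write
  attestations: write

jobs:
  release-chocolatey:
    runs-on: windows-2025
    environment: chocolatey_release
    # NOTE(review): every `uses:` below references a tag (@v6, @v3). Tags can be
    # moved; pinning each action to a full commit SHA fixes the code that runs
    # with the OIDC token and, for the GPG import step, the signing key.
    #
    # Step outputs and secrets are handed to scripts through `env:` instead of
    # being expanded with ${{ }} inside `run:`, so their values are never
    # spliced into the script text that the shell parses.
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Get version from Cargo.toml
        id: get_version
        run: |
          # NOTE(review): npx downloads celq@0.2.0 from the npm registry on each
          # run; the version is pinned but no integrity hash is checked here.
          $RELEASE_VERSION = Get-Content Cargo.toml -Raw | npx -y celq@0.2.0 --from-toml --raw-output "this.package.version" | Select-Object -First 1
          # NOTE(review): this override discards the value read from Cargo.toml,
          # so any pushed tag currently releases 0.2.0. Remove after the re-release.
          $RELEASE_VERSION = "0.2.0" # temporary hard-code for re-release
          # The version ends up in a download URL and in file names; refuse
          # anything that is not a plain semver string.
          if ($RELEASE_VERSION -notmatch '^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.+-]+)?$') {
            echo "ERROR: unexpected version string: '$RELEASE_VERSION'"
            exit 1
          }
          $TAG_NAME = "v$RELEASE_VERSION"
          echo "VERSION=$RELEASE_VERSION" >> $env:GITHUB_OUTPUT
          echo "TAG=$TAG_NAME" >> $env:GITHUB_OUTPUT
          echo "Release version: $RELEASE_VERSION"
          echo "Tag: $TAG_NAME"
        shell: pwsh

      - name: Check if version is pre-release
        id: check_prerelease
        env:
          RELEASE_VERSION: ${{ steps.get_version.outputs.VERSION }}
        run: |
          $VERSION = $env:RELEASE_VERSION
          if ($VERSION -match "(alpha|beta|rc)") {
            echo "IS_PRERELEASE=true" >> $env:GITHUB_OUTPUT
            echo "Detected pre-release version: $VERSION"
          } else {
            echo "IS_PRERELEASE=false" >> $env:GITHUB_OUTPUT
            echo "Detected stable version: $VERSION"
          }
        shell: pwsh

      - name: Download release artifact
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        env:
          RELEASE_TAG: ${{ steps.get_version.outputs.TAG }}
        run: |
          $TAG = $env:RELEASE_TAG
          $URL = "https://github.com/IvanIsCoding/celq/releases/download/$TAG/celq-windows-x86_64.zip"
          echo "Downloading from: $URL"
          Invoke-WebRequest -Uri $URL -OutFile celq-windows-x86_64.zip
        shell: pwsh

      - name: Download SHA256SUMS
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        env:
          RELEASE_TAG: ${{ steps.get_version.outputs.TAG }}
        run: |
          $TAG = $env:RELEASE_TAG
          $URL = "https://github.com/IvanIsCoding/celq/releases/download/$TAG/SHA256SUMS"
          echo "Downloading SHA256SUMS from: $URL"
          Invoke-WebRequest -Uri $URL -OutFile SHA256SUMS
        shell: pwsh

      - name: Verify SHA256 checksum
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        run: |
          # NOTE(review): SHA256SUMS is fetched from the same release as the zip,
          # so this check catches a corrupted or mismatched download but not a
          # release whose assets were both replaced. Verifying a signature or an
          # attestation produced by the build would add an independent anchor.
          $ASSET = "celq-windows-x86_64.zip"
          # Match the file-name field exactly (Select-String would treat the
          # name as a regex and also accept longer names containing it).
          $ENTRIES = @(Get-Content SHA256SUMS | Where-Object { ($_.Trim() -split '\s+')[-1].TrimStart('*') -eq $ASSET })
          if ($ENTRIES.Count -ne 1) {
            echo "ERROR: expected exactly one SHA256SUMS entry for $ASSET, found $($ENTRIES.Count)"
            exit 1
          }
          $EXPECTED_HASH = ($ENTRIES[0].Trim() -split '\s+')[0].ToLower()
          if ($EXPECTED_HASH -notmatch '^[0-9a-f]{64}$') {
            echo "ERROR: SHA256SUMS entry for $ASSET is not a SHA-256 hex digest"
            exit 1
          }
          echo "Expected hash: $EXPECTED_HASH"
          # Get-FileHash returns the digest directly; no parsing of tool output.
          $ACTUAL_HASH = (Get-FileHash -Algorithm SHA256 -Path $ASSET).Hash.ToLower()
          echo "Actual hash: $ACTUAL_HASH"
          if ($ACTUAL_HASH -ne $EXPECTED_HASH) {
            echo "ERROR: Hash mismatch!"
            echo "Expected: $EXPECTED_HASH"
            echo "Got: $ACTUAL_HASH"
            exit 1
          }
          echo "✓ Hash verification passed"
        shell: pwsh

      - name: Extract and prepare Chocolatey package structure
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        run: |
          # Extract the zip
          Expand-Archive -Path celq-windows-x86_64.zip -DestinationPath extracted -Force
          # Create tools directory
          New-Item -ItemType Directory -Force -Path tools
          # Copy files
          Copy-Item extracted\celq.exe -Destination tools\
          Copy-Item LICENSE-MIT -Destination tools\LICENSE.txt
        shell: pwsh

      # NOTE(review): celq.exe was downloaded from the release, not built by this
      # job, so this attestation ties the file's digest to this packaging run
      # rather than to the build that produced the binary. Confirm that is the
      # claim consumers of VERIFICATION.txt are meant to rely on.
      - name: Generate attestation for celq.exe
        id: attest_exe
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: 'tools/celq.exe'

      - name: Template VERIFICATION.txt
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        env:
          ATTESTATION_URL: ${{ steps.attest_exe.outputs.attestation-url }}
        run: |
          # Calculate SHA256 of celq.exe (lowercase hex)
          $hash = (Get-FileHash -Algorithm SHA256 -Path tools\celq.exe).Hash.ToLower()
          # Attestation URL produced by the attest_exe step
          $attestationUrl = $env:ATTESTATION_URL
          $content = Get-Content choco\VERIFICATION.txt -Raw
          $content = $content -replace "CELQ_SHA256_EXE", $hash
          $content = $content -replace "CELQ_ATTESTATION_URL", $attestationUrl
          $content | Set-Content VERIFICATION.txt -Encoding UTF8 -NoNewline
          echo "SHA256: $hash"
          echo "Attestation URL: $attestationUrl"
        shell: pwsh

      # The signing key and passphrase are passed to a third-party action; see
      # the pinning note at the top of the job.
      - name: Import GPG key
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.CHOCO_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.CHOCO_GPG_PASSPHRASE }}

      - name: Clearsign VERIFICATION.txt
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        run: |
          gpg --clearsign --armor --output VERIFICATION.txt.asc VERIFICATION.txt
          Move-Item VERIFICATION.txt.asc tools\VERIFICATION.txt -Force
        shell: pwsh

      - name: Template nuspec file
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        env:
          RELEASE_VERSION: ${{ steps.get_version.outputs.VERSION }}
        run: |
          $content = Get-Content choco\celq.nuspec -Raw
          $content = $content -replace "CELQ_VERSION_PLACEHOLDER", $env:RELEASE_VERSION
          $content | Set-Content celq.nuspec -Encoding UTF8
        shell: pwsh

      - name: Create Chocolatey package
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        run: choco pack celq.nuspec

      # The API key reaches cmd through the environment, so it is not written
      # into the generated script file. It is still expanded onto choco's
      # command line at run time.
      - name: Publish to Chocolatey
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        env:
          RELEASE_VERSION: ${{ steps.get_version.outputs.VERSION }}
          CHOCO_API_KEY: ${{ secrets.CHOCO_API_KEY }}
        run: choco push celq.%RELEASE_VERSION%.nupkg -s https://push.chocolatey.org/ --api-key=%CHOCO_API_KEY%
        shell: cmd

      # NOTE(review): this runs after the push, so a failure here leaves a
      # published package without an attestation.
      - name: Generate attestation for Chocolatey package
        if: steps.check_prerelease.outputs.IS_PRERELEASE == 'false'
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: 'celq.${{ steps.get_version.outputs.VERSION }}.nupkg'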