ci: experiment with a binary release build (#828)

.cargo/config.toml

@@ -0,0 +1,2 @@
+[target.'cfg(all(target_env = "msvc", target_os = "windows"))']
+rustflags = ["-C", "target-feature=+crt-static"]

.github/workflows/release-binaries.yml

@@ -0,0 +1,97 @@
+name: zizmor binary releases for GitHub 🐙
+
+on:
+  release:
+    types: [published]
+
+permissions: {}
+
+jobs:
+  build:
+    name: Build for ${{ matrix.target }} on ${{ matrix.runner }}
+    runs-on: ${{ matrix.runner }}
+
+    strategy:
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            target: x86_64-unknown-linux-gnu
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-gnu
+          - runner: macos-latest
+            target: x86_64-apple-darwin
+          - runner: macos-latest
+            target: aarch64-apple-darwin
+          - runner: windows-latest
+            target: x86_64-pc-windows-msvc
+          - runner: windows-latest
+            target: i686-pc-windows-msvc
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Rust toolchain and target information
+        run: |
+          rustup show
+
+      - name: Install Rust target for ${{ matrix.target }}
+        run: rustup target add "${TARGET}"
+        env:
+          TARGET: ${{ matrix.target }}
+        shell: bash
+
+      - name: Build release
+        run: cargo build --release --target "${TARGET}"
+        env:
+          TARGET: ${{ matrix.target }}
+        shell: bash
+
+      - name: Archive release
+        id: archive-release
+        run: |
+          ./support/archive-release.sh
+        env:
+          TARGET: ${{ matrix.target }}
+        shell: bash
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: artifacts-${{ matrix.target }}
+          path: ${{ steps.archive-release.outputs.filename }}
+          if-no-files-found: error
+
+  release:
+    name: Release binaries
+    runs-on: ubuntu-latest
+    needs: build
+
+    permissions:
+      id-token: write # for attestations
+      attestations: write # for attestations
+      contents: write # for release artifacts
+
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          pattern: artifacts-*
+          path: distrib/
+          merge-multiple: true
+
+      - name: List artifacts
+        run: ls -l distrib/
+
+      - name: Attest to artifacts
+        uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
+        with:
+          subject-path: "distrib/*"
+
+      - name: Upload to release
+        run: |
+          gh release upload "${GITHUB_REF_NAME}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash

support/archive-release.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Turns a target-specific release build into an appropriately
+# named archive for distribution via a GitHub release.
+#
+# Expects to be run from the root of the repository.
+
+set -eo pipefail
+
+if [[ -z "${TARGET}" ]]; then
+  >&2 echo "Error: TARGET environment variable not set"
+  exit 1
+fi
+
+TARGET_DIR="./target"
+RELEASE_DIR="${TARGET_DIR}/${TARGET}/release"
+
+if [[ ! -d "${RELEASE_DIR}" ]]; then
+  >&2 echo "Error: missing target release directory?"
+  exit 1
+fi
+
+ARCHIVE_DIR="${TARGET_DIR}/archive/zizmor-${TARGET}"
+mkdir -p "${ARCHIVE_DIR}"
+cp "${RELEASE_DIR}/zizmor" "${ARCHIVE_DIR}/zizmor"
+
+if [[ "${TARGET}" == *"windows"* ]]; then
+  ARCHIVE_FILE="${TARGET_DIR}/archive/zizmor-${TARGET}.zip"
+  7z a "${ARCHIVE_FILE}" "${ARCHIVE_DIR}"/*
+else
+  ARCHIVE_FILE="${TARGET_DIR}/archive/zizmor-${TARGET}.tar.gz"
+  tar -C "${ARCHIVE_DIR}" -czf "${ARCHIVE_FILE}" .
+fi
+
+if [[ -z "${GITHUB_OUTPUT}" ]]; then
+  echo "${ARCHIVE_FILE}"
+else
+  echo "filename=${ARCHIVE_FILE}" >> "${GITHUB_OUTPUT}"
+fi