Merge pull request #1340 from mdecimus/main

mdecimus · web-flow · commit c8891489cbd5 · 2025-03-24T17:54:15.000+01:00
CI job fixes
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -41,6 +41,8 @@ jobs:
     needs: [linux]
     if: github.event_name == 'push' || inputs.Docker
     steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
       - name: Log In to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -82,6 +84,8 @@ jobs:
           echo "GHCR_DIGEST_SHA=$(cat GHCR_DIGEST_SHA)" | tee -a "${GITHUB_ENV}"
           docker buildx imagetools inspect --format '{{json .Manifest}}' index.docker.io/${{github.repository}}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/${{matrix.variant}}/bake-meta.json) | jq -r '.digest' > DOCKERHUB_DIGEST_SHA
           echo "DOCKERHUB_DIGEST_SHA=$(cat DOCKERHUB_DIGEST_SHA)" | tee -a "${GITHUB_ENV}"
+          cosign sign --yes $(jq --arg GHCR_DIGEST_SHA "$(cat GHCR_DIGEST_SHA)" -cr '.target."docker-metadata-action".tags | map(select(startswith("ghcr.io/${{github.repository}}")) | . + "@" + $GHCR_DIGEST_SHA) | join(" ")' ${{ runner.temp }}/${{matrix.variant}}/bake-meta.json)
+          cosign sign --yes $(jq --arg DOCKERHUB_DIGEST_SHA "$(cat DOCKERHUB_DIGEST_SHA)" -cr '.target."docker-metadata-action".tags | map(select(startswith("index.docker.io/${{github.repository}}")) | . + "@" + $DOCKERHUB_DIGEST_SHA) | join(" ")' ${{ runner.temp }}/${{matrix.variant}}/bake-meta.json)
 
       - name: Attest GHCR
         uses: actions/attest-build-provenance@v2
@@ -411,16 +415,25 @@ jobs:
             archive/**/*.tar.gz
             archive/**/*.zip
 
+      - name: Use cosign to sign existing artifacts
+        uses: sigstore/gh-action-sigstore-python@v3.0.0
+        with:
+          inputs: |
+            archive/**/*.tar.gz
+            archive/**/*.zip
+
       - name: Release
         uses: softprops/action-gh-release@v2
         with:
           files: |
             archive/**/*.tar.gz
             archive/**/*.zip
+            archive/**/*.sigstore.json
           prerelease: ${{!startsWith(github.ref, 'refs/tags/') || null}}
           tag_name: ${{!startsWith(github.ref, 'refs/tags/') && 'nightly' || null}}
+          # TODO add instructions about using cosign to verify binary artifact
           append_body: true
           body: |
             <hr />
 
-            ## Check binary attestation at [here](${{ steps.attest.outputs.attestation-url }})
+            ### Check binary attestation at [here](${{ steps.attest.outputs.attestation-url }})
diff --git a/Dockerfile.build b/Dockerfile.build
@@ -28,11 +28,6 @@ RUN \
     ln -s "/usr/local/zig-linux-$(uname -m)-${ZIG_VERSION}/zig" /usr/local/bin/zig
 # Install cargo-binstall
 RUN curl --retry 5 -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
-# Install FoundationDB
-# TODO According to https://github.com/apple/foundationdb/issues/11448#issuecomment-2417766293
-# Once FoundationDB v7.3.53 gets released, we should be able to build the aarch64-unknown-linux-gnu target.
-# The last command is for future build use, so if you are building on a native arm64 device, please use docker qemu.
-RUN curl --retry 5 -Lso /usr/lib/libfdb_c.so "$(curl --retry 5 -Ls 'https://api.github.com/repos/apple/foundationdb/releases' | jq --arg arch "$(uname -m)" -r '.[] | select(.prerelease == false) | .assets[] | select(.name | test("libfdb_c." + $arch + ".so")) | .browser_download_url' | head -n1)"
 # Install cargo-chef & sccache & cargo-zigbuild
 RUN cargo binstall --no-confirm cargo-chef sccache cargo-zigbuild
 
@@ -56,24 +51,31 @@ ARG BUILD_ENV
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # Install toolchain and specify some env variables
 RUN \
-  rustup set profile minimal && \
-  rustup target add ${TARGET} && \
-  mkdir -p artifact && \
-  touch /env-cargo && \
-  if [ ! -z "${BUILD_ENV}" ]; then \
-      echo "export ${BUILD_ENV}" >> /env-cargo; \
-      echo "Setting up ${BUILD_ENV}"; \
-  fi
+    rustup set profile minimal && \
+    rustup target add ${TARGET} && \
+    mkdir -p artifact && \
+    touch /env-cargo && \
+    if [ ! -z "${BUILD_ENV}" ]; then \
+        echo "export ${BUILD_ENV}" >> /env-cargo; \
+        echo "Setting up ${BUILD_ENV}"; \
+    fi && \
+    if [[ "${TARGET}" == *gnu ]]; then \
+        echo "export FDB_ARCH=${TARGET%%-*}" >> /env-cargo; \
+    fi
+# Install FoundationDB
+RUN \
+    source /env-cargo && \
+    if [ ! -z "${FDB_ARCH}" ]; then \
+        curl --retry 5 -Lso /usr/lib/libfdb_c.so "$(curl --retry 5 -Ls 'https://api.github.com/repos/apple/foundationdb/releases' | jq --arg FDB_ARCH "$FDB_ARCH" -r '.[] | select(.prerelease == false) | .assets[] | select(.name | test("libfdb_c." + $FDB_ARCH + ".so")) | .browser_download_url' | head -n1)"; \
+    fi
 # Cargo-chef Cache layer
 RUN \
     --mount=type=secret,id=ACTIONS_CACHE_URL,env=ACTIONS_CACHE_URL \
     --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN,env=ACTIONS_RUNTIME_TOKEN \
     --mount=type=cache,target=/usr/local/cargo/registry \
     --mount=type=cache,target=/usr/local/cargo/git \
-    # TODO According to https://github.com/apple/foundationdb/issues/11448#issuecomment-2417766293
-    # Once FoundationDB v7.3.53 gets released, we should be able to build the aarch64-unknown-linux-gnu target.
     source /env-cargo && \
-    if [ "${TARGET}" = "x86_64-unknown-linux-gnu" ]; then \
+    if [ ! -z "${FDB_ARCH}" ]; then \
         RUSTFLAGS="-L /usr/lib" cargo chef cook --recipe-path recipe.json --zigbuild --release --target ${TARGET} -p mail-server --no-default-features --features "foundationdb elastic s3 redis enterprise"; \
     fi
 RUN \
@@ -88,16 +90,14 @@ RUN \
 COPY . .
 ENV RUSTC_WRAPPER="sccache" \
     SCCACHE_GHA_ENABLED=true
-# Build foundationdb version
+# Build FoundationDB version
 RUN \
     --mount=type=secret,id=ACTIONS_CACHE_URL,env=ACTIONS_CACHE_URL \
     --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN,env=ACTIONS_RUNTIME_TOKEN \
     --mount=type=cache,target=/usr/local/cargo/registry \
     --mount=type=cache,target=/usr/local/cargo/git \
-    # TODO According to https://github.com/apple/foundationdb/issues/11448#issuecomment-2417766293
-    # Once FoundationDB v7.3.53 gets released, we should be able to build the aarch64-unknown-linux-gnu target.
     source /env-cargo && \
-    if [ "${TARGET}" = "x86_64-unknown-linux-gnu" ]; then \
+    if [ ! -z "${FDB_ARCH}" ]; then \
         RUSTFLAGS="-L /usr/lib" cargo zigbuild --release --target ${TARGET} -p mail-server --no-default-features --features "foundationdb elastic s3 redis enterprise"; \
         mv /app/target/${TARGET}/release/stalwart-mail /app/artifact/stalwart-mail-foundationdb; \
     fi
diff --git a/crates/store/Cargo.toml b/crates/store/Cargo.toml
@@ -9,7 +9,7 @@ utils = { path = "../utils" }
 nlp = { path = "../nlp" }
 trc = { path = "../trc" }
 rocksdb = { version = "0.23", optional = true, features = ["multi-threaded-cf"] }
-foundationdb = { version = "0.9.0", features = ["embedded-fdb-include", "fdb-7_1"], optional = true }
+foundationdb = { version = "0.9.2", features = ["embedded-fdb-include", "fdb-7_3"], optional = true }
 rusqlite = { version = "0.32", features = ["bundled"], optional = true }
 rust-s3 = { version = "=0.35.0-alpha.2", default-features = false, features = ["tokio-rustls-tls", "no-verify-ssl"], optional = true }
 azure_core = { version = "0.21.0", optional = true }
