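# Invoking this pipeline requires additional permissions, so must be invoked
# in a way to pass those permissions on, e.g.:
#
#   build-assets:
#     permissions:
#       contents: read
#       id-token: write
#       attestations: write
#     uses: ./.github/workflows/build-assets.yml
#
# Reusable workflow (`workflow_call`): it builds `pie.phar`, then wraps that
# PHAR into a static executable per OS/arch using the static-php-cli `spc`
# tool, attesting provenance for both outputs on non-PR runs.
#
# NOTE(review): every `uses:` below is pinned to a mutable tag (e.g. `@v2`,
# `@v6`). Since this job produces signed provenance, consider pinning each
# action to a full commit SHA so the attested build cannot silently change
# when a tag is moved.

name: "Build the PIE assets"

on:
  workflow_call:

# Default for all jobs; the jobs below widen this only where attestation
# needs it.
permissions:
  contents: read

jobs:
  build-phar:
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
        operating-system:
          - ubuntu-latest
        php-versions:
          - '8.1'
    permissions:
      # id-token:write is required for build provenance attestation.
      id-token: write
      # attestations:write is required for build provenance attestation.
      attestations: write
    steps:
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          coverage: none
          tools: composer, box:4.7.x
          # The matrix key is `php-versions`; the previous expression read
          # `matrix.php-version`, which does not exist and expanded to an
          # empty string, so the matrix value was never applied.
          php-version: "${{ matrix.php-versions }}"
      - uses: actions/checkout@v6
        with:
          # Full history is needed so `git describe` below can see tags.
          fetch-depth: 0
      # Fixes `git describe` picking the wrong tag - see https://github.com/php/pie/issues/307
      - run: git fetch --tags --force
      # Ensure some kind of previous tag exists, otherwise box fails
      - run: git describe --tags HEAD || git tag 0.0.0
      - uses: ramsey/composer-install@v3
      - name: Build PHAR
        run: box compile
      - name: Check the PHAR executes
        run: php pie.phar --version
      - name: Generate build provenance attestation
        # It does not make sense to do this for PR builds, nor do contributors
        # have permission to do. We can't write attestations to `php/pie` in an
        # unprivileged context, otherwise anyone could send a PR with malicious
        # code, which would store attestation that `php/pie` built the PHAR, and
        # it would look genuine. So this should NOT run for PR builds.
        # In a reusable workflow `github.event_name` is the *caller's* event,
        # so this guard depends on how the calling workflow is triggered.
        if: github.event_name != 'pull_request'
        uses: actions/attest@v4
        with:
          subject-path: '${{ github.workspace }}/pie.phar'
      - uses: actions/upload-artifact@v7
        with:
          # Artifact name is keyed on the commit so build-executable below
          # downloads the PHAR from this exact run.
          name: pie-${{ github.sha }}.phar
          path: pie.phar

  build-executable:
    needs:
      - build-phar
    runs-on: ${{ matrix.operating-system }}
    strategy:
      # Keep building the other targets if one OS fails.
      fail-fast: false
      matrix:
        operating-system:
          - ubuntu-24.04
          - ubuntu-24.04-arm
          - macos-15-intel
          - macos-26
          - windows-2025
    permissions:
      # id-token:write is required for build provenance attestation.
      id-token: write
      # attestations:write is required for build provenance attestation.
      attestations: write
    steps:
      - uses: actions/checkout@v6

      # NOTE(review): both download steps fetch an unpinned *nightly* `spc`
      # binary and execute it with no checksum or signature check, and the
      # resulting executable is then attested as built by `php/pie`. Pinning
      # a specific spc release and verifying its digest before `chmod +x`
      # would make the provenance reflect a reproducible toolchain.
      - name: Download SPC (non-Windows)
        if: runner.os != 'Windows'
        run: |
          # @todo find a better way to do this :/
          # Source URL: https://static-php.dev/en/guide/manual-build.html#build-locally-using-spc-binary-recommended
          # `matrix.operating-system` is fixed in this file, so interpolating
          # it into the shell here cannot carry attacker-controlled input.
          case "${{ matrix.operating-system }}" in
            ubuntu-24.04)
              curl -fsSL -o spc https://dl.static-php.dev/static-php-cli/spc-bin/nightly/spc-linux-x86_64
              ;;

            ubuntu-24.04-arm)
              curl -fsSL -o spc https://dl.static-php.dev/static-php-cli/spc-bin/nightly/spc-linux-aarch64
              ;;

            macos-15-intel)
              curl -fsSL -o spc https://dl.static-php.dev/static-php-cli/spc-bin/nightly/spc-macos-x86_64
              ;;

            macos-26)
              curl -fsSL -o spc https://dl.static-php.dev/static-php-cli/spc-bin/nightly/spc-macos-aarch64
              ;;

            *)
              echo "unsupported operating system: ${{ matrix.operating-system }}"
              exit 1
              ;;
          esac
          chmod +x spc
          # Export for later steps; quoted so an unusual GITHUB_ENV path
          # cannot be word-split.
          echo "SPC_BINARY=./spc" >> "$GITHUB_ENV"
          echo "PIE_BINARY_OUTPUT=pie-${{ runner.os }}-${{ runner.arch }}" >> "$GITHUB_ENV"
      - name: Download SPC (Windows)
        if: runner.os == 'Windows'
        # Runs under the Windows default shell (pwsh), hence `$env:GITHUB_ENV`.
        run: |
          curl.exe -fsSL -o spc.exe https://dl.static-php.dev/static-php-cli/spc-bin/nightly/spc-windows-x64.exe
          chmod +x spc.exe
          echo "SPC_BINARY=.\spc.exe" >> $env:GITHUB_ENV
          echo "PIE_BINARY_OUTPUT=pie-${{ runner.os }}-${{ runner.arch }}.exe" >> $env:GITHUB_ENV

      - name: Check SPC version
        run: ${{ env.SPC_BINARY }} --version

      - name: Grab the pie.phar from artifacts
        uses: actions/download-artifact@v8
        with:
          name: pie-${{ github.sha }}.phar

      - name: Build for ${{ runner.os }} ${{ runner.arch }} on ${{ matrix.operating-system }}
        run: ${{ env.SPC_BINARY }} craft resources/spc/craft.yml
        env:
          # Presumably lets spc fetch sources from GitHub without hitting
          # anonymous rate limits — confirm against the spc docs.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Bundle pie.phar into executable PIE binary
        run: ${{ env.SPC_BINARY }} micro:combine pie.phar --output=${{ env.PIE_BINARY_OUTPUT }}

      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          coverage: none
          tools: composer
          php-version: "7.4"
      - name: Quick validation that the binary runs
        run: ./${{ env.PIE_BINARY_OUTPUT }} show --all

      - name: Generate build provenance attestation
        # It does not make sense to do this for PR builds, nor do contributors
        # have permission to do. We can't write attestations to `php/pie` in an
        # unprivileged context, otherwise anyone could send a PR with malicious
        # code, which would store attestation that `php/pie` built the binaries,
        # and it would look genuine. So this should NOT run for PR builds.
        # In a reusable workflow `github.event_name` is the *caller's* event,
        # so this guard depends on how the calling workflow is triggered.
        if: github.event_name != 'pull_request'
        uses: actions/attest@v4
        with:
          subject-path: '${{ github.workspace }}/${{ env.PIE_BINARY_OUTPUT }}'

      - uses: actions/upload-artifact@v7
        with:
          name: pie-${{ github.sha }}-${{ runner.os }}-${{ runner.arch }}.bin
          path: ${{ env.PIE_BINARY_OUTPUT }}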