name: build on: workflow_call: inputs: crate: required: true type: string bin: required: false type: string git: required: false type: string ref: required: false type: string path: required: false type: string toolchain: required: false type: string default: stable locked: required: false type: boolean default: false secrets: private_key: required: true jobs: build: name: ${{inputs.crate}} runs-on: ubuntu-latest permissions: contents: write timeout-minutes: 45 steps: - uses: actions/checkout@v4 - uses: actions/checkout@v4 with: repository: ${{inputs.git}} ref: ${{inputs.ref}} path: ${{inputs.crate}} if: inputs.git - uses: dtolnay/rust-toolchain@master with: toolchain: ${{inputs.toolchain}} - run: cargo install --force ${{inputs.git && format('--path={0}', inputs.path || '.') || inputs.crate}} --bin ${{inputs.bin || inputs.crate}} ${{inputs.locked && '--locked' || ''}} working-directory: ${{inputs.git && inputs.crate || '.'}} - id: which run: echo "which=$(which ${{inputs.bin || inputs.crate}})" >> $GITHUB_OUTPUT - id: version run: echo "version=$(cargo install --list | grep -o '^${{inputs.crate}} \([^ :]\)\+')" >> $GITHUB_OUTPUT - run: echo "$PRIVATE_KEY" | gpg --import env: PRIVATE_KEY: ${{secrets.private_key}} - run: gpg --output ${{inputs.bin || inputs.crate}}.sig --detach-sig ${{steps.which.outputs.which}} - run: gpg --output signing-key.gpg --dearmor signing-key.asc - run: gpg --no-default-keyring --keyring ./signing-key.gpg --verify ${{inputs.bin || inputs.crate}}.sig ${{steps.which.outputs.which}} - run: git tag -d ${{inputs.crate}} || true - run: git tag ${{inputs.crate}} - run: git push origin tag ${{inputs.crate}} --force - uses: softprops/action-gh-release@v2 with: tag_name: ${{inputs.crate}} target_commitish: ${{github.ref}} files: | ${{steps.which.outputs.which}} ${{inputs.bin || inputs.crate}}.sig fail_on_unmatched_files: true body: ${{steps.version.outputs.version}}