Release artifacts in tar.gz format to preserve file permissions

Also add a checksum file in addition to the provenance attestation file.

.github/workflows/ci.yml

@@ -85,11 +85,12 @@ jobs:
     name: ${{ matrix.check }}
     steps:
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-      - name: Run the ${{ matrix.check }} check
-        uses: ./.github/actions/ci-checks
-        with:
-          checks: "[\"${{ matrix.check }}\"]"
-          token: ${{ secrets.GITHUB_TOKEN }}
+      # DO NOT MERGE
+      # - name: Run the ${{ matrix.check }} check
+      #   uses: ./.github/actions/ci-checks
+      #   with:
+      #     checks: "[\"${{ matrix.check }}\"]"
+      #     token: ${{ secrets.GITHUB_TOKEN }}
   ubuntu:
     runs-on: ubuntu-latest
     needs: matrix
@@ -98,7 +99,7 @@ jobs:
   release:
     runs-on: ubuntu-latest
     needs: [checks, ubuntu]
-    if: ${{ needs.checks.outputs.release != 0 }}
+    # if: ${{ needs.checks.outputs.release != 0 }} # DO NOT MERGE
     permissions:
       attestations: write
       contents: write
@@ -113,10 +114,12 @@ jobs:
       - run: |
           mv ${{ steps.attest.outputs.bundle-path }} attestation.intoto.jsonl
           echo 'attestation.intoto.jsonl#Provenance attestation' >> artifacts.txt
+          ( cd artifacts && sha256sum * > ../sha256sum.txt )
+          echo 'sha256sum.txt#Checksums' >> artifacts.txt
           COMMIT=$(git rev-parse -q --verify HEAD)
           DATE=$(git log -1 --pretty=%cs)
           xargs --arg-file=artifacts.txt --delimiter='\n' \
             gh release create release/$DATE --target=$COMMIT \
-            --title="Release $DATE" --notes-file=notes.txt
+            --title="TEST-ONLY Release $DATE" --notes-file=notes.txt
         env:
           GH_TOKEN: ${{ github.token }}

scripts/artifacts.sh

@@ -23,12 +23,13 @@ i "Generate notes.txt"
 cat <<EOF > notes.txt
 See the [changelog] for the list of changes in this release.
 
-You can use the following command to verify a downloaded asset:
+You can use the following command to check your downloaded assets:
 
-    gh attestation verify --repo=google/wasefire <asset-path>
+    sha256sum --ignore-missing --check sha256sum.txt
 
-You may also download the provenance attestation and use the \`--bundle\` flag:
+You can use one of the following commands to verify a downloaded asset:
 
+    gh attestation verify --repo=google/wasefire <asset-path>
     gh attestation verify --owner=google --bundle=attestation.intoto.jsonl <asset-path>
 
 [changelog]: https://github.com/google/wasefire/blob/main/docs/releases/$DATE.md
@@ -37,20 +38,23 @@ EOF
 x mkdir artifacts
 
 i "Build web-client once for all supported targets"
-( cd crates/runner-host/crates/web-client && make )
+# ( cd crates/runner-host/crates/web-client && make )
 
 i "Build the CLI for each supported target"
 TARGETS='
 x86_64-unknown-linux-gnu
 '
 for target in $TARGETS; do
   ( set -x
-    cargo build --manifest-path=crates/runner-host/Cargo.toml --release --target=$target \
-      --features=debug,wasm
-    export WASEFIRE_HOST_PLATFORM=$PWD/target/$target/release/runner-host
-    cargo build --manifest-path=crates/cli/Cargo.toml --release --target=$target --features=_prod
+    # cargo build --manifest-path=crates/runner-host/Cargo.toml --release --target=$target \
+    #   --features=debug,wasm
+    # export WASEFIRE_HOST_PLATFORM=$PWD/target/$target/release/runner-host
+    # cargo build --manifest-path=crates/cli/Cargo.toml --release --target=$target --features=_prod
+    # cp target/$target/release/wasefire artifacts/wasefire-$target
+    touch artifacts/wasefire-$target # DO NOT MERGE
+    cd artifacts
+    tar czf wasefire-$target.tar.gz wasefire-$target
+    rm wasefire-$target
   )
-  artifact=artifacts/wasefire-$target
-  cp target/$target/release/wasefire $artifact
-  echo "$artifact#Wasefire CLI ($target)" >> artifacts.txt
+  echo "artifacts/wasefire-$target.tar.gz#Wasefire CLI ($target)" >> artifacts.txt
 done