Add GHA to upload draft release assets

[hamishmack]

Automate generating release binaries for musl/mac/win on every tag to cardano-node repository (similar to how our docker containers work).

[hamishmack]

An example of workflow running is here https://github.com/input-output-hk/cardano-node/actions/runs/4933488682

[jbgi]

This looks good, but I don't understand why the release binaries don't appear on the release page : https://github.com/input-output-hk/cardano-node/releases/tag/hkm/test-tag-8

[jbgi]

This looks good, but I don't understand why the release binaries don't appear on the release page : https://github.com/input-output-hk/cardano-node/releases/tag/hkm/test-tag-8

never mind, it works but the release was deleted (creating it as draft should avoid being in a hurry to delete it).

[jbgi]

Wondering though, do we need to upload the artifacts to the build (as double-zip, so not very practical)? Could we just upload to the GH release?

[angerman]

Wondering though, do we need to upload the artifacts to the build (as double-zip, so not very practical)? Could we just upload to the GH release?

I think we should do just release.

I'll discuss a few security concerns with @disassembler tomorrow.

• do we trust GH runners? Should we have shared runners?
• do we trust the release action? Should we fork it, audit it?
• do we want additional backups on S3?
• do we want to instantiate only on the runners and force realization from a trusted store?

[jbgi]

also need to remove unofficial nix cache.

[jbgi]

* do we want to instantiate only on the runners and force realization from a trusted store?

we could use something like nix --builders "" --max-jobs 0 to enforce that the binaries come from our trusted cache.