280 lines
10 KiB
YAML
280 lines
10 KiB
YAML
name: Build
|
|
|
|
on:
|
|
workflow_run:
|
|
workflows: ["test"]
|
|
branches: [main]
|
|
types:
|
|
- completed
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: "build"
|
|
cancel-in-progress: false
|
|
|
|
env:
|
|
COSIGN_VERSION: 'v2.4.0'
|
|
MAGEARGS: -d build/magefiles -w .
|
|
|
|
jobs:
|
|
check_release:
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
|
runs-on: ubuntu-22.04
|
|
outputs:
|
|
release_created: ${{ steps.release_please.outputs.release_created }}
|
|
release_tag: ${{ steps.release_please.outputs.tag_name }}
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v1
|
|
with:
|
|
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
|
- name: Run release please
|
|
uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4
|
|
id: release_please
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
build:
|
|
needs: check_release
|
|
permissions:
|
|
contents: write
|
|
# if: ${{ !startsWith( 'doc') }}
|
|
runs-on: ubuntu-22.04
|
|
strategy:
|
|
matrix:
|
|
platform:
|
|
- linux/amd64
|
|
- linux/arm/v6
|
|
- linux/arm/v7
|
|
- linux/arm64
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v1
|
|
with:
|
|
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
|
- name: Set up environment
|
|
run: |
|
|
platform=${{ matrix.platform }}
|
|
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
|
|
- name: Set app version for release
|
|
if: ${{ needs.check_release.outputs.release_created }}
|
|
run: |
|
|
echo "APPVERSION=${{ needs.check_release.outputs.release_tag }}" >> $GITHUB_ENV
|
|
- name: Checkout source
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Setup Go
|
|
id: setup_go
|
|
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
|
|
with:
|
|
go-version-file: 'go.mod'
|
|
- name: Install Mage
|
|
uses: magefile/mage-action@6a5dcb5fe61f43d7c08a98bc3cf9bc63c308c08e # v3
|
|
with:
|
|
install-only: true
|
|
- name: Build with Mage
|
|
run: mage ${MAGEARGS} build:ci
|
|
env:
|
|
TARGETPLATFORM: ${{ matrix.platform }}
|
|
- name: Package with Mage
|
|
run: mage ${MAGEARGS} package:ci
|
|
env:
|
|
TARGETPLATFORM: ${{ matrix.platform }}
|
|
- name: Install cosign
|
|
id: cosign_install
|
|
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3
|
|
with:
|
|
cosign-release: ${{ env.COSIGN_VERSION }}
|
|
- name: Sign artifacts with cosign
|
|
id: cosign_sign
|
|
shell: bash
|
|
run: |
|
|
shopt -s nullglob
|
|
echo Need to sign dist/pkg/*.{rpm,deb,zst} # fyne-cross/dist/linux-*/*.tar.xz
|
|
for artifact in dist/pkg/*.{rpm,deb,zst}; do
|
|
echo Signing ${artifact}
|
|
cosign --verbose=true sign-blob --yes --key cosign.key --output-signature=${artifact}.sig ${artifact}
|
|
done
|
|
env:
|
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }}
|
|
- name: Upload build artifacts
|
|
id: upload_artifacts
|
|
if: ${{ ! needs.check_release.outputs.release_created }}
|
|
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
|
|
with:
|
|
name: build-${{ env.PLATFORM_PAIR }}-${{ github.sha }}
|
|
path: |
|
|
dist/pkg
|
|
- name: Upload release artifacts
|
|
id: upload_release
|
|
if: ${{ needs.check_release.outputs.release_created }}
|
|
run: |
|
|
gh release upload ${{ needs.check_release.outputs.release_tag }} dist/pkg/*.{rpm,deb,zst,sig}
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
build_container:
|
|
needs: check_release
|
|
permissions:
|
|
contents: write
|
|
packages: write
|
|
runs-on: ubuntu-22.04
|
|
# NOTE: Ubuntu does not provide a container for armv6, so we can't build for that :(
|
|
strategy:
|
|
matrix:
|
|
platform:
|
|
- linux/amd64
|
|
- linux/arm/v7
|
|
- linux/arm/v6
|
|
- linux/arm64
|
|
env:
|
|
REGISTRY: ghcr.io
|
|
IMAGE: ${{ github.repository }}
|
|
steps:
|
|
- name: Checkout repo
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Set up environment
|
|
run: |
|
|
echo "APPVERSION=$(git describe --tags --always --dirty)" >> $GITHUB_ENV
|
|
platform=${{ matrix.platform }}
|
|
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
|
|
- name: Set app version for release
|
|
if: ${{ needs.check_release.outputs.release_created }}
|
|
run: echo "APPVERSION=${{ needs.check_release.outputs.release_tag }}" >> $GITHUB_ENV
|
|
- name: Get Docker metadata
|
|
id: docker_metadata
|
|
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
|
|
with:
|
|
images: |
|
|
${{ env.REGISTRY }}/${{ env.IMAGE }}
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=ref,event=pr
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=raw,value=${{ env.APPVERSION }}
|
|
env:
|
|
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3
|
|
- name: Log in to the Container registry
|
|
id: registry_login
|
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Build container image
|
|
id: build_image
|
|
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v5
|
|
with:
|
|
context: .
|
|
labels: ${{ steps.docker_metadata.outputs.labels }}
|
|
annotations: ${{ steps.docker_metadata.outputs.annotations }}
|
|
platforms: ${{ matrix.platform }}
|
|
outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE }},push-by-digest=true,name-canonical=true,push=true
|
|
- name: Export digest
|
|
run: |
|
|
mkdir -p /tmp/digests
|
|
digest="${{ steps.build_image.outputs.digest }}"
|
|
touch "/tmp/digests/${digest#sha256:}"
|
|
- name: Upload digest
|
|
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
|
|
with:
|
|
name: digests-${{ env.PLATFORM_PAIR }}
|
|
path: /tmp/digests/*
|
|
if-no-files-found: error
|
|
retention-days: 1
|
|
|
|
merge:
|
|
runs-on: ubuntu-22.04
|
|
needs:
|
|
- check_release
|
|
- build_container
|
|
permissions:
|
|
contents: write
|
|
packages: write
|
|
env:
|
|
REGISTRY: ghcr.io
|
|
IMAGE: ${{ github.repository }}
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v1
|
|
with:
|
|
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
|
- name: Checkout repo
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Set up environment
|
|
run: |
|
|
echo "APPVERSION=$(git describe --tags --always --dirty)" >> $GITHUB_ENV
|
|
- name: Set app version for release
|
|
if: ${{ needs.check_release.outputs.release_created }}
|
|
run: echo "APPVERSION=${{ needs.check_release.outputs.release_tag }}" >> $GITHUB_ENV
|
|
- name: Download digests
|
|
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
|
|
with:
|
|
path: /tmp/digests
|
|
pattern: digests-*
|
|
merge-multiple: true
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3
|
|
- name: Get Docker metadata
|
|
id: docker_metadata
|
|
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
|
|
with:
|
|
images: |
|
|
${{ env.REGISTRY }}/${{ env.IMAGE }}
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=ref,event=pr
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=raw,value=${{ env.APPVERSION }}
|
|
- name: Log in to the Container registry
|
|
id: registry_login
|
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Create manifest list and push
|
|
working-directory: /tmp/digests
|
|
run: |
|
|
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
|
|
$(printf '${{ env.REGISTRY }}/${{ env.IMAGE }}@sha256:%s ' *)
|
|
- name: Inspect image
|
|
run: |
|
|
docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ steps.docker_metadata.outputs.version }}
|
|
- name: Check and install cosign
|
|
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3
|
|
with:
|
|
cosign-release: ${{ env.COSIGN_VERSION }}
|
|
- name: Sign image with a key
|
|
env:
|
|
TAGS: ${{ steps.docker_metadata.outputs.tags }}
|
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }}
|
|
run: |
|
|
images=""
|
|
for digest in /tmp/digests/*; do
|
|
for tag in ${TAGS}; do
|
|
images+="${tag}@sha256:$(basename $digest) "
|
|
done
|
|
done
|
|
cosign --verbose=true sign --yes --key cosign.key \
|
|
-a "repo=${{ github.repository }}" \
|
|
-a "ref=${{ github.ref }}" \
|
|
${images}
|