Skip to content

Build

Build #531

Workflow file for this run

name: Build
on:
workflow_run:
workflows: ["test"]
branches: [main]
types:
- completed
workflow_dispatch:
permissions:
contents: read
concurrency:
group: "build"
cancel-in-progress: true
env:
MAGEARGS: -d build/magefiles -w .
jobs:
check_release:
permissions:
contents: write
pull-requests: write
if: ${{ github.event.workflow_run.conclusion == 'success' }}
runs-on: ubuntu-22.04
outputs:
release_created: ${{ steps.release_please.outputs.release_created }}
release_tag: ${{ steps.release_please.outputs.tag_name }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
- name: Run release please
uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4
id: release_please
with:
token: ${{ secrets.GITHUB_TOKEN }}
build:
needs: check_release
permissions:
contents: write
# if: ${{ !startsWith( 'doc') }}
runs-on: ubuntu-22.04
strategy:
matrix:
platform:
- linux/amd64
- linux/arm/v6
- linux/arm/v7
- linux/arm64
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: block
disable-sudo: false
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
azure.archive.ubuntu.com:80
esm.ubuntu.com:443
fyne.io:443
github.com:443
go.dev:443
go.googlesource.com:443
golang.org:443
gopkg.in:443
motd.ubuntu.com:443
objects.githubusercontent.com:443
packages.microsoft.com:443
pkg.go.dev:443
ports.ubuntu.com:80
production.cloudflare.docker.com:443
proxy.golang.org:443
raw.githubusercontent.com:443
registry-1.docker.io:443
rekor.sigstore.dev:443
storage.googleapis.com:443
sum.golang.org:443
uploads.github.com:443
- name: Set up environment
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
- name: Set app version for release
if: ${{ needs.check_release.outputs.release_created }}
run: |
echo "APPVERSION=${{ needs.check_release.outputs.release_tag }}" >> $GITHUB_ENV
- name: Checkout source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- name: Setup Go
id: setup_go
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
with:
go-version-file: "go.mod"
- name: Install Mage
uses: magefile/mage-action@6a5dcb5fe61f43d7c08a98bc3cf9bc63c308c08e # v3
with:
install-only: true
- name: Build with Mage
run: mage ${MAGEARGS} build:ci
env:
TARGETPLATFORM: ${{ matrix.platform }}
- name: Package with Mage
run: mage ${MAGEARGS} package:ci
env:
TARGETPLATFORM: ${{ matrix.platform }}
- name: Install cosign
id: cosign_install
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3
- name: Sign artifacts with cosign
id: cosign_sign
shell: bash
run: |
shopt -s nullglob
echo Need to sign dist/pkg/*.{rpm,deb,zst} # fyne-cross/dist/linux-*/*.tar.xz
for artifact in dist/pkg/*.{rpm,deb,zst}; do
echo Signing ${artifact}
cosign --verbose=true sign-blob --yes --key cosign.key --output-signature=${artifact}.sig ${artifact}
done
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Upload build artifacts
id: upload_artifacts
if: ${{ ! needs.check_release.outputs.release_created }}
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
with:
name: build-${{ env.PLATFORM_PAIR }}-${{ github.sha }}
path: |
dist/pkg
- name: Upload release artifacts
id: upload_release
if: ${{ needs.check_release.outputs.release_created }}
run: |
gh release upload ${{ needs.check_release.outputs.release_tag }} dist/pkg/*.{rpm,deb,zst,sig}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
build_container:
needs: check_release
permissions:
contents: write
packages: write
runs-on: ubuntu-22.04
# NOTE: Ubuntu does not provide a container for armv6, so we can't build for that :(
strategy:
matrix:
platform:
- linux/amd64
- linux/arm/v7
- linux/arm/v6
- linux/arm64
env:
REGISTRY: ghcr.io
IMAGE: ${{ github.repository }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
dl-cdn.alpinelinux.org:443
ghcr.io:443
github.com:443
production.cloudflare.docker.com:443
proxy.golang.org:443
registry-1.docker.io:443
storage.googleapis.com:443
sum.golang.org:443
- name: Checkout repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- name: Set up environment
run: |
echo "APPVERSION=$(git describe --tags --always --dirty)" >> $GITHUB_ENV
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
- name: Set app version for release
if: ${{ needs.check_release.outputs.release_created }}
run: echo "APPVERSION=${{ needs.check_release.outputs.release_tag }}" >> $GITHUB_ENV
- name: Get Docker metadata
id: docker_metadata
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
with:
images: |
${{ env.REGISTRY }}/${{ env.IMAGE }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=${{ env.APPVERSION }}
type=edge
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
- name: Log in to the Container registry
id: registry_login
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build container image
id: build_image
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v5
with:
context: .
labels: ${{ steps.docker_metadata.outputs.labels }}
annotations: ${{ steps.docker_metadata.outputs.annotations }}
platforms: ${{ matrix.platform }}
outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE }},push-by-digest=true,name-canonical=true,push=true
- name: Export digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.build_image.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
merge:
runs-on: ubuntu-22.04
needs:
- check_release
- build_container
permissions:
contents: read
packages: write
env:
REGISTRY: ghcr.io
IMAGE: ${{ github.repository }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
ghcr.io:443
github.com:443
objects.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
production.cloudflare.docker.com:443
raw.githubusercontent.com:443
registry-1.docker.io:443
rekor.sigstore.dev:443
- name: Checkout repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
- name: Set up environment
run: |
echo "APPVERSION=$(git describe --tags --always --dirty)" >> $GITHUB_ENV
- name: Set app version for release
if: ${{ needs.check_release.outputs.release_created }}
run: echo "APPVERSION=${{ needs.check_release.outputs.release_tag }}" >> $GITHUB_ENV
- name: Download digests
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
- name: Get Docker metadata
id: docker_metadata
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
with:
images: |
${{ env.REGISTRY }}/${{ env.IMAGE }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=${{ env.APPVERSION }}
- name: Log in to the Container registry
id: registry_login
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Create manifest list and push
working-directory: /tmp/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.REGISTRY }}/${{ env.IMAGE }}@sha256:%s ' *)
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ steps.docker_metadata.outputs.version }}
- name: Check and install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3
- name: Sign image with a key
env:
TAGS: ${{ steps.docker_metadata.outputs.tags }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: |
images=""
for digest in /tmp/digests/*; do
for tag in ${TAGS}; do
images+="${tag}@sha256:$(basename $digest) "
done
done
cosign --verbose=true sign --yes --key cosign.key \
-a "repo=${{ github.repository }}" \
-a "ref=${{ github.ref }}" \
${images}