Build #145
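name: Build

# Release/build pipeline. It runs after the "test" workflow completes on main
# (or when started by hand), lets release-please decide whether a release is
# due, builds and cosign-signs per-arch packages with mage, and builds, pushes
# and cosign-signs a container image on ghcr.io.
#
# Every `uses:` is pinned to a full commit SHA with the tag in a trailing
# comment; keep that pattern when bumping an action.
on:
  workflow_run:
    workflows: ["test"]
    branches: [main]
    types:
      - completed
  workflow_dispatch:

# Read-only by default; jobs that need more ask for it explicitly.
permissions:
  contents: read

env:
  # Quoted so YAML keeps it a string (a value like 1.20 would otherwise load as
  # the float 1.2).
  GO_VERSION: "1.22"
  MAGEARGS: -v -d build/magefiles -w .

jobs:
  check_release:
    permissions:
      contents: write
      pull-requests: write
    # A manual dispatch carries no workflow_run payload, so gating only on
    # `workflow_run.conclusion` would skip this job — and, through `needs`,
    # every other job — on every workflow_dispatch run.
    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release_please.outputs.release_created }}
      release_tag: ${{ steps.release_please.outputs.tag_name }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Run release please
        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4
        id: release_please
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

  build:
    needs: check_release
    permissions:
      contents: write # needed by `gh release upload`
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch: [amd64, arm, arm64]
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Set app version for release
        # Job outputs are strings; compare explicitly instead of relying on
        # expression truthiness.
        if: ${{ needs.check_release.outputs.release_created == 'true' }}
        env:
          # Passed through env rather than interpolated into the script so the
          # value can never be parsed as shell.
          RELEASE_TAG: ${{ needs.check_release.outputs.release_tag }}
        run: echo "APPVERSION=${RELEASE_TAG}" >> "$GITHUB_ENV"
      - name: Checkout source
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        id: setup_go
        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install Mage
        uses: magefile/mage-action@6a5dcb5fe61f43d7c08a98bc3cf9bc63c308c08e # v3
        with:
          install-only: true
      - name: Build with Mage
        # MAGEARGS is deliberately unquoted: it holds several arguments.
        run: mage ${MAGEARGS} build:ci
        env:
          TARGETARCH: ${{ matrix.arch }}
      - name: Package with Mage
        run: mage ${MAGEARGS} package:ci
        env:
          TARGETARCH: ${{ matrix.arch }}
      - name: Install cosign
        id: cosign_install
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3
        with:
          cosign-release: 'v2.2.2'
      - name: Sign artifacts with cosign
        id: cosign_sign
        shell: bash
        env:
          TARGETARCH: ${{ matrix.arch }}
          # Unlocks the `cosign.key` private key checked out from the repo.
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }}
        run: |
          shopt -s nullglob
          artifacts=(dist/pkg/*.{rpm,deb,zst} "fyne-cross/dist/linux-${TARGETARCH}"/*.tar.xz)
          echo "Need to sign: ${artifacts[*]}"
          for artifact in "${artifacts[@]}"; do
            echo "Signing ${artifact}"
            cosign --verbose=true sign-blob --yes --key cosign.key \
              --output-signature="${artifact}.sig" "${artifact}"
          done
      - name: Upload build artifacts
        id: upload_artifacts
        if: ${{ needs.check_release.outputs.release_created != 'true' }}
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
        with:
          name: build-${{ matrix.arch }}-${{ github.sha }}
          path: |
            dist/pkg
            fyne-cross/dist/linux-${{ matrix.arch }}
      - name: Upload release artifacts
        id: upload_release
        if: ${{ needs.check_release.outputs.release_created == 'true' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ needs.check_release.outputs.release_tag }}
          TARGETARCH: ${{ matrix.arch }}
        run: |
          # nullglob keeps an unmatched pattern from being passed to gh literally
          shopt -s nullglob
          gh release upload "${RELEASE_TAG}" dist/pkg/*.{rpm,deb,zst,sig}
          gh release upload "${RELEASE_TAG}" "fyne-cross/dist/linux-${TARGETARCH}"/*-"${TARGETARCH}".tar.xz{,.sig}

  build_container:
    needs: check_release
    permissions:
      # NOTE(review): none of the steps shown here writes to the repository, so
      # `contents: read` may be enough — confirm against the rest of the job.
      contents: write
      packages: write # push to ghcr.io
    # Aligned with the other jobs; this job was the only one on ubuntu-20.04.
    runs-on: ubuntu-latest
    env:
      REGISTRY: ghcr.io
      IMAGE: ${{ github.repository }}
      # All platforms go through ONE buildx invocation so the pushed tags point
      # at a multi-arch manifest list. Building each platform in a matrix leg
      # with `push: true` and identical tags makes every leg overwrite the
      # previous one, leaving single-arch images behind each tag.
      PLATFORMS: linux/amd64,linux/arm/v7,linux/arm64
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Checkout repo
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
        with:
          fetch-depth: 0
      - name: Set up environment
        run: |
          echo "APPVERSION=$(git describe --tags --always --dirty)" >> "$GITHUB_ENV"
      - name: Set app version for release
        if: ${{ needs.check_release.outputs.release_created == 'true' }}
        env:
          RELEASE_TAG: ${{ needs.check_release.outputs.release_tag }}
        run: echo "APPVERSION=${RELEASE_TAG}" >> "$GITHUB_ENV"
      - name: Set up QEMU
        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
      - name: Log in to the Container registry
        id: registry_login
        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Get Docker metadata
        id: docker_metadata
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
        with:
          images: |
            ${{ env.REGISTRY }}/${{ env.IMAGE }}
          tags: |
            type=raw,value=latest
            type=edge
            type=sha
            type=ref,event=branch
            type=ref,event=pr
            type=schedule
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
            type=raw,value=${{ env.APPVERSION }}
      - name: Build container image
        id: build_image
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
        with:
          context: .
          push: true
          tags: ${{ steps.docker_metadata.outputs.tags }}
          labels: ${{ steps.docker_metadata.outputs.labels }}
          platforms: ${{ env.PLATFORMS }}
          # `with:` inputs are not run through a shell, so `${GO_VERSION}` would
          # have reached the Dockerfile as that literal text.
          build-args: |
            GO_VERSION=${{ env.GO_VERSION }}
      - name: Check and install cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3
        with:
          cosign-release: 'v2.2.2'
      - name: Sign image with a key
        env:
          DIGEST: ${{ steps.build_image.outputs.digest }}
          TAGS: ${{ steps.docker_metadata.outputs.tags }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }}
          # Annotation values go through env, not `${{ }}` inside the script.
          REPO: ${{ github.repository }}
          REF: ${{ github.ref }}
        run: |
          images=()
          # TAGS is newline-separated; unquoted expansion splits it into words.
          for tag in ${TAGS}; do
            images+=("${tag}@${DIGEST}")
          done
          # --recursive also signs each per-platform manifest under the index.
          cosign --verbose=true sign --yes --recursive --key cosign.key \
            -a "repo=${REPO}" \
            -a "ref=${REF}" \
            "${images[@]}"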