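# Build, package, sign and publish artifacts after the "test" workflow has
# succeeded on main. workflow_run executes in the default-branch context with
# full access to repository secrets, so triggers and permissions stay tight.
name: Build
on:
  workflow_run:
    workflows: ["test"]
    branches: [main]
    types:
      - completed

# Least privilege by default; each job declares only what it needs.
permissions:
  contents: read

env:
  # Quoted so the YAML loader keeps it a string (an unquoted 1.20 would become 1.2).
  GO_VERSION: "1.22"
  MAGEARGS: "-v -d build/magefiles -w ."

jobs:
  # Runs release-please; its outputs decide whether the other jobs publish a
  # release or just keep build artifacts.
  check_release:
    permissions:
      contents: write        # create the tag / release
      pull-requests: write   # open or update the release PR
    # Only proceed when the upstream test run actually passed.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release_please.outputs.release_created }}
      release_tag: ${{ steps.release_please.outputs.tag_name }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Run release please
        # NOTE(review): mutable major tag; pin to a commit SHA (as harden-runner is)
        # so a compromised or force-moved tag cannot change what runs here.
        uses: googleapis/release-please-action@v4
        id: release_please
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

  # Cross-builds, packages and signs the native artifacts for each arch.
  build:
    needs: check_release
    permissions:
      contents: write   # gh release upload
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch: [amd64, arm, arm64]
    env:
      # Matrix and job-output values are handed to scripts through env rather
      # than being expanded inside `run:`, so they are never interpreted as shell.
      ARCH: ${{ matrix.arch }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Checkout source
        # NOTE(review): under workflow_run this checks out the default-branch HEAD,
        # which can be newer than the commit the test run validated
        # (github.event.workflow_run.head_sha). Confirm that is intended.
        # NOTE(review): mutable tag; prefer a commit SHA pin.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup Go
        id: setup_go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install Mage
        uses: magefile/mage-action@v3
        with:
          install-only: true
      - name: Build with Mage
        run: mage ${MAGEARGS} build:ci "${ARCH}"
      - name: Package with Mage
        run: mage ${MAGEARGS} package:ci "${ARCH}"
      - name: Install cosign
        id: cosign_install
        uses: sigstore/[email protected]
        with:
          cosign-release: 'v2.2.2'
      - name: Sign artifacts with cosign
        id: cosign_sign
        shell: bash
        # cosign.key is read from the checked-out tree, i.e. the (password-encrypted)
        # private signing key is committed to the repository and COSIGN_PWD is the
        # only thing protecting it. Consider keyless (OIDC, id-token: write) signing
        # or keeping the key material in a secret instead of in git.
        run: |
          shopt -s nullglob
          echo Need to sign dist/*.{rpm,deb,zst} fyne-cross/dist/linux-${ARCH}/*.tar.xz
          for artifact in dist/*.{rpm,deb,zst} fyne-cross/dist/linux-${ARCH}/*.tar.xz; do
            echo "Signing ${artifact}"
            cosign --verbose=true sign-blob --yes --key cosign.key --output-signature="${artifact}.sig" "${artifact}"
          done
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }}
      - name: Upload build artifacts
        id: upload_artifacts
        # No release this run: keep the build output as a workflow artifact only.
        if: ${{ ! needs.check_release.outputs.release_created }}
        uses: actions/upload-artifact@v4
        with:
          name: build-${{ matrix.arch }}-${{ github.sha }}
          path: |
            dist
            fyne-cross/dist/linux-${{ matrix.arch }}
      - name: Upload release artifacts
        id: upload_release
        if: ${{ needs.check_release.outputs.release_created }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ needs.check_release.outputs.release_tag }}
        run: |
          gh release upload "${RELEASE_TAG}" dist/*.{rpm,deb,zst,sig}
          gh release upload "${RELEASE_TAG}" fyne-cross/dist/linux-${ARCH}/*

  # Builds, pushes and signs the container image on ghcr.io.
  build_container:
    needs: check_release
    permissions:
      # Only reads the repo (checkout); pushing the image and its signature
      # needs packages: write, not contents: write.
      contents: read
      packages: write
    # NOTE(review): the other jobs run on ubuntu-latest; confirm 20.04 is still wanted.
    runs-on: ubuntu-20.04
    # strategy:
    #   matrix:
    #     platform:
    #       - linux/amd64
    #       - linux/arm/v7
    #       - linux/arm64
    env:
      REGISTRY: ghcr.io
      IMAGE: ${{ github.repository }}
    steps:
      # Same runner hardening as the other jobs (this job was the only one without it).
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
        with:
          config: ${{ vars.PERMISSIONS_CONFIG }}
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so `git describe --tags` can find the latest tag
      - name: Set up environment
        run: |
          echo "APPVERSION=$(git describe --tags --abbrev=0)-$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
          # platform=${{ matrix.platform }}
          # echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      - name: Set app version for release
        if: ${{ needs.check_release.outputs.release_created }}
        env:
          RELEASE_TAG: ${{ needs.check_release.outputs.release_tag }}
        run: echo "APPVERSION=${RELEASE_TAG}" >> "$GITHUB_ENV"
      # - name: Set up QEMU
      #   uses: docker/setup-qemu-action@v3
      - name: Log in to the Container registry
        id: registry_login
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Get Docker metadata
        id: docker_metadata
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.REGISTRY }}/${{ env.IMAGE }}
          # NOTE(review): `latest` is (re)pushed on every successful main build, not
          # only on releases; under workflow_run github.ref is presumably the default
          # branch, so the semver patterns below are unlikely to match and the release
          # version reaches the registry through the APPVERSION raw tag. Confirm.
          tags: |
            type=raw,value=latest
            type=edge
            type=sha
            type=ref,event=branch
            type=ref,event=pr
            type=schedule
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
            type=raw,value=${{ env.APPVERSION }}
      - name: Build container image
        id: build_image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.docker_metadata.outputs.tags }}
          labels: ${{ steps.docker_metadata.outputs.labels }}
      - name: Check and install cosign
        uses: sigstore/[email protected]
        # if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        with:
          cosign-release: 'v2.2.2'
      - name: Sign image with a key
        # if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        # Signs every pushed tag by digest, so the signature binds the exact image
        # content. Same caveat as the artifact signing: cosign.key comes from the repo.
        env:
          DIGEST: ${{ steps.build_image.outputs.digest }}
          TAGS: ${{ steps.docker_metadata.outputs.tags }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }}
          REPO: ${{ github.repository }}
          REF: ${{ github.ref }}
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          cosign --verbose=true sign --yes --key cosign.key \
            -a "repo=${REPO}" \
            -a "ref=${REF}" \
            ${images}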