Skip to content

Build

Build #91

Workflow file for this run

name: Build
on:
workflow_run:
workflows: ["test"]
branches: [main]
types:
- completed
permissions:
contents: read
env:
GO_VERSION: 1.22
MAGEARGS: "-v -d build/magefiles -w ."
jobs:
check_release:
permissions:
contents: write
pull-requests: write
if: ${{ github.event.workflow_run.conclusion == 'success' }}
runs-on: ubuntu-latest
outputs:
release_created: ${{ steps.release_please.outputs.release_created }}
release_tag: ${{ steps.release_please.outputs.tag_name }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Run release please
uses: googleapis/release-please-action@v4
id: release_please
with:
token: ${{ secrets.GITHUB_TOKEN }}
build:
needs: check_release
permissions:
contents: write
runs-on: ubuntu-latest
strategy:
matrix:
arch: [amd64,arm,arm64]
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Checkout source
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Go
id: setup_go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Install Mage
uses: magefile/mage-action@v3
with:
install-only: true
- name: Build with Mage
run: mage ${MAGEARGS} build:ci ${{ matrix.arch }}
- name: Package with Mage
run: mage ${MAGEARGS} package:ci ${{ matrix.arch }}
- name: Install cosign
id: cosign_install
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.2'
- name: Sign artifacts with cosign
id: cosign_sign
shell: bash
run: |
shopt -s nullglob
echo Need to sign dist/*.{rpm,deb,zst} fyne-cross/dist/linux-${{ matrix.arch }}/*.tar.xz
for artifact in dist/*.{rpm,deb,zst} fyne-cross/dist/linux-${{ matrix.arch }}/*.tar.xz; do
echo Signing ${artifact}
cosign --verbose=true sign-blob --yes --key cosign.key --output-signature=${artifact}.sig ${artifact}
done
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }}
- name: Upload build artifacts
id: upload_artifacts
if: ${{ ! needs.check_release.outputs.release_created }}
uses: actions/upload-artifact@v4
with:
name: build-${{ matrix.arch }}-${{ github.sha }}
path: |
dist
fyne-cross/dist/linux-${{ matrix.arch }}
- name: Upload release artifacts
id: upload_release
if: ${{ needs.check_release.outputs.release_created }}
run: |
gh release upload ${{ needs.check_release.outputs.release_tag }} dist/*.{rpm,deb,zst,sig}
gh release upload ${{ needs.check_release.outputs.release_tag }} fyne-cross/dist/linux-${{ matrix.arch }}/*
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
build_container:
needs: check_release
permissions:
contents: write
packages: write
runs-on: ubuntu-20.04
# strategy:
# matrix:
# platform:
# - linux/amd64
# - linux/arm/v7
# - linux/arm64
env:
REGISTRY: ghcr.io
IMAGE: ${{ github.repository }}
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
config: ${{ vars.PERMISSIONS_CONFIG }}
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up environment
run: |
echo "APPVERSION=$(git describe --tags --abbrev=0)-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
# platform=${{ matrix.platform }}
# echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
- name: Set app version for release
if: ${{ needs.check_release.outputs.release_created }}
run: echo "APPVERSION=${{ needs.check_release.outputs.release_tag }}" >> $GITHUB_ENV
# - name: Set up QEMU
# uses: docker/setup-qemu-action@v3
- name: Log in to the Container registry
id: registry_login
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get Docker metadata
id: docker_metadata
uses: docker/metadata-action@v5
with:
images: |
${{ env.REGISTRY }}/${{ env.IMAGE }}
tags: |
type=raw,value=latest
type=edge
type=sha
type=ref,event=branch
type=ref,event=pr
type=schedule
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
type=raw,value=${{ env.APPVERSION }}
- name: Build container image
id: build_image
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ steps.docker_metadata.outputs.tags }}
labels: ${{ steps.docker_metadata.outputs.labels }}
- name: Check and install cosign
uses: sigstore/[email protected]
# if: github.event_name == 'push' && github.ref == 'refs/heads/main'
with:
cosign-release: 'v2.2.2'
- name: Sign image with a key
# if: github.event_name == 'push' && github.ref == 'refs/heads/main'
env:
DIGEST: ${{ steps.build_image.outputs.digest }}
TAGS: ${{ steps.docker_metadata.outputs.tags }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign --verbose=true sign --yes --key cosign.key \
-a "repo=${{ github.repository }}" \
-a "ref=${{ github.ref }}" \
${images}