Build #94
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| workflow_run: | |
| workflows: ["test"] | |
| branches: [main] | |
| types: | |
| - completed | |
| permissions: | |
| contents: read | |
| env: | |
| GO_VERSION: 1.22 | |
| MAGEARGS: "-v -d build/magefiles -w ." | |
| jobs: | |
| check_release: | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| if: ${{ github.event.workflow_run.conclusion == 'success' }} | |
| runs-on: ubuntu-latest | |
| outputs: | |
| release_created: ${{ steps.release_please.outputs.release_created }} | |
| release_tag: ${{ steps.release_please.outputs.tag_name }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1 | |
| with: | |
| egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
| - name: Run release please | |
| uses: googleapis/release-please-action@v4 | |
| id: release_please | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| build: | |
| needs: check_release | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| arch: [amd64,arm,arm64] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v1 | |
| with: | |
| egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
| - name: Checkout source | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Go | |
| id: setup_go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install Mage | |
| uses: magefile/mage-action@v3 | |
| with: | |
| install-only: true | |
| - name: Build with Mage | |
| run: mage ${MAGEARGS} build:ci ${{ matrix.arch }} | |
| - name: Package with Mage | |
| run: mage ${MAGEARGS} package:ci ${{ matrix.arch }} | |
| - name: Install cosign | |
| id: cosign_install | |
| uses: sigstore/[email protected] | |
| with: | |
| cosign-release: 'v2.2.2' | |
| - name: Sign artifacts with cosign | |
| id: cosign_sign | |
| shell: bash | |
| run: | | |
| shopt -s nullglob | |
| echo Need to sign dist/*.{rpm,deb,zst} fyne-cross/dist/linux-${{ matrix.arch }}/*.tar.xz | |
| for artifact in dist/*.{rpm,deb,zst} fyne-cross/dist/linux-${{ matrix.arch }}/*.tar.xz; do | |
| echo Signing ${artifact} | |
| cosign --verbose=true sign-blob --yes --key cosign.key --output-signature=${artifact}.sig ${artifact} | |
| done | |
| env: | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }} | |
| - name: Upload build artifacts | |
| id: upload_artifacts | |
| if: ${{ ! needs.check_release.outputs.release_created }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-${{ matrix.arch }}-${{ github.sha }} | |
| path: | | |
| dist | |
| fyne-cross/dist/linux-${{ matrix.arch }} | |
| - name: Upload release artifacts | |
| id: upload_release | |
| if: ${{ needs.check_release.outputs.release_created }} | |
| run: | | |
| gh release upload ${{ needs.check_release.outputs.release_tag }} dist/*.{rpm,deb,zst,sig} | |
| gh release upload ${{ needs.check_release.outputs.release_tag }} fyne-cross/dist/linux-${{ matrix.arch }}/* | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| build_container: | |
| needs: check_release | |
| permissions: | |
| contents: write | |
| packages: write | |
| runs-on: ubuntu-20.04 | |
| # strategy: | |
| # matrix: | |
| # platform: | |
| # - linux/amd64 | |
| # - linux/arm/v7 | |
| # - linux/arm64 | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE: ${{ github.repository }} | |
| steps: | |
| - uses: GitHubSecurityLab/actions-permissions/monitor@v1 | |
| with: | |
| config: ${{ vars.PERMISSIONS_CONFIG }} | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up environment | |
| run: | | |
| echo "APPVERSION=$(git describe --tags --abbrev=0)-$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
| # platform=${{ matrix.platform }} | |
| # echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
| - name: Set app version for release | |
| if: ${{ needs.check_release.outputs.release_created }} | |
| run: echo "APPVERSION=${{ needs.check_release.outputs.release_tag }}" >> $GITHUB_ENV | |
| # - name: Set up QEMU | |
| # uses: docker/setup-qemu-action@v3 | |
| - name: Log in to the Container registry | |
| id: registry_login | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Get Docker metadata | |
| id: docker_metadata | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ${{ env.REGISTRY }}/${{ env.IMAGE }} | |
| tags: | | |
| type=raw,value=latest | |
| type=edge | |
| type=sha | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=schedule | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} | |
| type=raw,value=${{ env.APPVERSION }} | |
| - name: Build container image | |
| id: build_image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ steps.docker_metadata.outputs.tags }} | |
| labels: ${{ steps.docker_metadata.outputs.labels }} | |
| - name: Check and install cosign | |
| uses: sigstore/[email protected] | |
| # if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| with: | |
| cosign-release: 'v2.2.2' | |
| - name: Sign image with a key | |
| # if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| env: | |
| DIGEST: ${{ steps.build_image.outputs.digest }} | |
| TAGS: ${{ steps.docker_metadata.outputs.tags }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PWD }} | |
| run: | | |
| images="" | |
| for tag in ${TAGS}; do | |
| images+="${tag}@${DIGEST} " | |
| done | |
| cosign --verbose=true sign --yes --key cosign.key \ | |
| -a "repo=${{ github.repository }}" \ | |
| -a "ref=${{ github.ref }}" \ | |
| ${images} |