mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
8eb738e66a
To avoid burning Azure credits, we move the runners back down to the free tier. Now that caching is properly set up, this should incur only a minor increase in CI time.
129 lines
5.0 KiB
YAML
129 lines
5.0 KiB
YAML
name: Publish
|
|
run-name: Triggered by ${{ github.actor }}
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
release_name:
|
|
description: "Existing release name to publish"
|
|
required: true
|
|
release:
|
|
types:
|
|
- published
|
|
|
|
concurrency:
|
|
group: "publish-production-${{ github.event_name }}-${{ github.workflow }}-${{ github.ref }}"
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
publish-docker-images:
|
|
if: >-
|
|
${{
|
|
startsWith(inputs.release_name || github.event.release.name, 'gateway') ||
|
|
startsWith(inputs.release_name || github.event.release.name, 'headless-client')
|
|
}}
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
# Needed to upload artifacts to a release
|
|
packages: write
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Set variables
|
|
id: set-variables
|
|
env:
|
|
release_name: ${{ inputs.release_name || github.event.release.name }}
|
|
GH_TOKEN: ${{ github.token }}
|
|
run: |
|
|
set -xe
|
|
|
|
if [[ "$release_name" =~ gateway* ]]; then
|
|
ARTIFACT=gateway
|
|
VERSION=${release_name#gateway-}
|
|
elif [[ "$release_name" =~ headless* ]]; then
|
|
ARTIFACT=client
|
|
VERSION=${release_name#headless-client-}
|
|
else
|
|
echo "Shouldn't have gotten here. Exiting."
|
|
exit 1
|
|
fi
|
|
|
|
MAJOR_VERSION="${VERSION%%.*}"
|
|
MAJOR_MINOR_VERSION="${VERSION%.*}"
|
|
|
|
sha=$(gh release view "${release_name}" --json targetCommitish -q '.targetCommitish')
|
|
|
|
# shellcheck disable=SC2129 # individual env exports are cleaner
|
|
echo "artifact=$ARTIFACT" >> "$GITHUB_OUTPUT"
|
|
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
|
|
echo "major_version=$MAJOR_VERSION" >> "$GITHUB_OUTPUT"
|
|
echo "major_minor_version=$MAJOR_MINOR_VERSION" >> "$GITHUB_OUTPUT"
|
|
echo "sha=$sha" >> "$GITHUB_OUTPUT"
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
|
|
- name: Pull and push
|
|
run: |
|
|
set -xe
|
|
|
|
SOURCE_TAG=ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:${{ steps.set-variables.outputs.sha }}
|
|
|
|
docker buildx imagetools create \
|
|
-t ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:${{ steps.set-variables.outputs.version }} \
|
|
-t ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:${{ steps.set-variables.outputs.version }}-${{ steps.set-variables.outputs.sha }} \
|
|
-t ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:${{ steps.set-variables.outputs.major_version }} \
|
|
-t ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:${{ steps.set-variables.outputs.major_minor_version }} \
|
|
-t ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:latest \
|
|
$SOURCE_TAG
|
|
|
|
create-publish-pr:
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
# TODO: This hack is needed because the macOS client isn't tagged as `apple-client`.
|
|
- tag_prefix: gateway
|
|
component: gateway
|
|
- tag_prefix: gui-client
|
|
component: gui-client
|
|
- tag_prefix: headless-client
|
|
component: headless-client
|
|
- tag_prefix: macos-client
|
|
component: apple-client
|
|
- tag_prefix: android-client
|
|
component: android-client
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
token: ${{ secrets.RELEASE_PR_BOT_GITHUB_TOKEN }}
|
|
- if: ${{ startsWith(inputs.release_name || github.event.release.name, matrix.tag_prefix) }}
|
|
run: |
|
|
set -x
|
|
|
|
# Extract version from release name
|
|
version=${{ inputs.release_name || github.event.release.name }}
|
|
version=${version#${{ matrix.tag_prefix }}-}
|
|
|
|
# Configure gpg
|
|
echo "$RELEASE_PR_BOT_GPG_KEY" | gpg --import --batch
|
|
GPG_KEY_ID=$(gpg --list-secret-keys --with-colons github-bot@firezone.dev 2> /dev/null | grep '^sec:' | cut --delimiter ':' --fields 5)
|
|
|
|
# Configure git
|
|
git config --local user.email "github-bot@firezone.dev"
|
|
git config --local user.name "Firezone Bot"
|
|
git config --local user.signingkey "$GPG_KEY_ID"
|
|
git config --local commit.gpgsign true
|
|
|
|
echo "use-agent" >> ~/.gnupg/gpg.conf
|
|
echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
|
|
|
|
# Create the PR
|
|
scripts/create-publish-pr.sh ${{ matrix.component }} "$version"
|
|
shell: bash
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.RELEASE_PR_BOT_GITHUB_TOKEN }}
|
|
RELEASE_PR_BOT_GPG_KEY: "${{ secrets.RELEASE_PR_BOT_GPG_KEY }}"
|