mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-03-21 21:41:48 +00:00
8faa01230a
Bumps [hashicorp/tfc-workflows-github](https://github.com/hashicorp/tfc-workflows-github) from 1.0.4 to 1.1.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/hashicorp/tfc-workflows-github/releases">hashicorp/tfc-workflows-github's releases</a>.</em></p> <blockquote> <h2>v1.1.1</h2> <ul> <li>Adds new <code>actions/workspace-output</code> action to fetch the latest state version output(s) for a given Terraform Cloud Workspace.</li> <li>Bug fixes and enhancements from <a href="https://github.com/hashicorp/tfc-workflows-tooling/releases/tag/v1.1.1">tfc-workflows-tooling@v1.1.1</a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/hashicorp/tfc-workflows-github/blob/main/CHANGELOG.md">hashicorp/tfc-workflows-github's changelog</a>.</em></p> <blockquote> <h1>v1.1.1</h1> <ul> <li>Adds new <code>actions/workspace-output</code> action to fetch the latest state version output(s) for a given Terraform Cloud Workspace.</li> <li>Bug fixes and enhancements from <a href="https://github.com/hashicorp/tfc-workflows-tooling/releases/tag/v1.1.1">tfc-workflows-tooling@v1.1.1</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="4e91ea58dd"><code>4e91ea5</code></a> Prepare release v1.1.1 (<a href="https://redirect.github.com/hashicorp/tfc-workflows-github/issues/29">#29</a>)</li> <li><a href="3eea78a1c7"><code>3eea78a</code></a> docs: update <code>create-run</code> and <code>upload-configuration</code> actions (<a href="https://redirect.github.com/hashicorp/tfc-workflows-github/issues/28">#28</a>)</li> <li><a href="2f37261b9e"><code>2f37261</code></a> Merge pull request <a href="https://redirect.github.com/hashicorp/tfc-workflows-github/issues/27">#27</a> from gerbyzation/patch-1</li> <li><a href="30f19c0c06"><code>30f19c0</code></a> reword</li> <li><a href="b38fd77d30"><code>b38fd77</code></a> Update action.yml</li> <li>See full diff in <a href="https://github.com/hashicorp/tfc-workflows-github/compare/v1.0.4...v1.1.1">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
349 lines
12 KiB
YAML
349 lines
12 KiB
YAML
name: Continuous Delivery
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
env:
|
|
# mark:automatic-version
|
|
VERSION: "1.20231001.0"
|
|
|
|
jobs:
|
|
ci:
|
|
uses: ./.github/workflows/ci.yml
|
|
secrets: inherit
|
|
|
|
deploy-staging:
|
|
runs-on: ubuntu-22.04
|
|
# if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
|
permissions:
|
|
contents: write
|
|
# Cancel old workflow runs if new code is pushed
|
|
concurrency:
|
|
group: "staging-deploy-${{ github.workflow }}-${{ github.ref }}"
|
|
cancel-in-progress: false
|
|
needs:
|
|
- ci
|
|
env:
|
|
TF_CLOUD_ORGANIZATION: "firezone"
|
|
TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
|
|
TF_WORKSPACE: "staging"
|
|
steps:
|
|
- name: Get Terraform Version
|
|
run: |
|
|
TERRAFORM_VERSION=$(cat .tool-versions | grep terraform | awk '{ print $NF; }')
|
|
echo "TERRAFORM_VERSION=${TERRAFORM_VERSION}" >> $GITHUB_ENV
|
|
- uses: hashicorp/setup-terraform@v3
|
|
with:
|
|
terraform_version: ${{ env.TERRAFORM_VERSION }}
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ github.event.workflow_run.head_branch }}
|
|
- name: Upload Configuration
|
|
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@v1.1.1
|
|
id: apply-upload
|
|
with:
|
|
workspace: ${{ env.TF_WORKSPACE }}
|
|
# Subdirectory is set in the project settings:
|
|
# https://app.terraform.io/app/firezone/workspaces/staging/settings/general
|
|
directory: "./"
|
|
- name: Create Plan Run
|
|
uses: hashicorp/tfc-workflows-github/actions/create-run@v1.1.1
|
|
id: apply-run
|
|
env:
|
|
TF_VAR_image_tag: '"${{ env.VERSION }}-${{ github.sha }}"'
|
|
with:
|
|
workspace: ${{ env.TF_WORKSPACE }}
|
|
configuration_version:
|
|
${{ steps.apply-upload.outputs.configuration_version_id }}
|
|
- name: Apply
|
|
uses: hashicorp/tfc-workflows-github/actions/apply-run@v1.1.1
|
|
if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
|
|
id: apply
|
|
with:
|
|
run: ${{ steps.apply-run.outputs.run_id }}
|
|
comment: "Apply Run from GitHub Actions CI ${{ github.sha }}"
|
|
- name: Report Status
|
|
if: failure()
|
|
uses: rtCamp/action-slack-notify@v2
|
|
env:
|
|
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
|
|
SLACK_USERNAME: "GitHub Actions"
|
|
SLACK_COLOR: "#ff0000"
|
|
MSG_MINIMAL: "ref,actions url"
|
|
SLACK_TITLE: "Deployment Failed"
|
|
SLACK_MESSAGE:
|
|
"Automatic deployment to ${{ env.TF_WORKSPACE }} failed"
|
|
with:
|
|
status: ${{ job.status }}
|
|
notify_when: "failure"
|
|
|
|
update-release-draft:
|
|
needs: deploy-staging
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
# write permission is required to create a github release
|
|
contents: write
|
|
# autolabeler
|
|
pull-requests: write
|
|
concurrency:
|
|
group: "staging-draft-release-${{ github.workflow }}-${{ github.ref }}"
|
|
cancel-in-progress: true
|
|
steps:
|
|
- uses: release-drafter/release-drafter@v5
|
|
id: update-release-draft
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
with:
|
|
prerelease: true
|
|
version: ${{ env.VERSION }}
|
|
- name: Delete stale artifacts
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
set -xe
|
|
|
|
gh release view ${{ steps.update-release-draft.outputs.tag_name }} \
|
|
--repo ${{ github.repository }} \
|
|
--json assets \
|
|
--jq '.assets[] | .name' \
|
|
| xargs -I{} gh release delete-asset ${{ steps.update-release-draft.outputs.tag_name }} {} --repo ${{ github.repository }} --yes
|
|
outputs:
|
|
name: ${{ steps.update-release-draft.outputs.name }}
|
|
tag_name: ${{ steps.update-release-draft.outputs.tag_name }}
|
|
upload_url: ${{ steps.update-release-draft.outputs.upload_url }}
|
|
|
|
build-push-linux-release-artifacts:
|
|
permissions:
|
|
id-token: write
|
|
contents: write
|
|
needs: update-release-draft
|
|
runs-on: ubuntu-22.04
|
|
defaults:
|
|
run:
|
|
working-directory: ./rust
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
arch:
|
|
- target: x86_64-unknown-linux-musl
|
|
shortname: x64
|
|
platform: linux/amd64
|
|
- target: aarch64-unknown-linux-musl # E.g. AWS Graviton
|
|
shortname: arm64
|
|
platform: linux/arm64
|
|
- target: armv7-unknown-linux-musleabihf # E.g. Raspberry Pi
|
|
platform: linux/arm/v7
|
|
shortname: arm
|
|
# Requires ring v0.17 which a number of our dependencies don't yet support
|
|
# - target: mips64-unknown-linux-muslabi64 # E.g. UniFi Routers
|
|
# platform: linux/mips64le
|
|
name:
|
|
- package: firezone-linux-client
|
|
artifact: client
|
|
- package: firezone-relay
|
|
artifact: relay
|
|
- package: firezone-gateway
|
|
artifact: gateway
|
|
env:
|
|
BINARY_DEST_PATH: ${{ matrix.name.artifact }}-${{ matrix.arch.shortname }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-rust
|
|
with:
|
|
targets: aarch64-unknown-linux-musl armv7-unknown-linux-musleabihf
|
|
- uses: taiki-e/install-action@v2
|
|
with:
|
|
tool: cross
|
|
- name: Build release binaries
|
|
run: |
|
|
set -xe
|
|
|
|
cross build --release -p ${{ matrix.name.package }} --target ${{ matrix.arch.target }}
|
|
|
|
# Used for release artifact
|
|
cp target/${{ matrix.arch.target }}/release/${{ matrix.name.package }} $BINARY_DEST_PATH
|
|
|
|
# Used for Docker images
|
|
cp target/${{ matrix.arch.target }}/release/${{ matrix.name.package }} ${{ matrix.name.package }}
|
|
sha256sum $BINARY_DEST_PATH > $BINARY_DEST_PATH.sha256sum.txt
|
|
|
|
ls -la $BINARY_DEST_PATH
|
|
ls -la $BINARY_DEST_PATH.sha256sum.txt
|
|
- name: Upload Release Assets
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
set -xe
|
|
|
|
gh release upload ${{ needs.update-release-draft.outputs.tag_name }} \
|
|
${{ env.BINARY_DEST_PATH }} \
|
|
${{ env.BINARY_DEST_PATH }}.sha256sum.txt \
|
|
--clobber \
|
|
--repo ${{ github.repository }}
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v3
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
# We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
|
|
# supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
|
|
# We should for any updates on buildx and on the setup-buildx-action itself.
|
|
driver-opts: |
|
|
image=moby/buildkit:v0.12.0
|
|
- uses: ./.github/actions/gcp-docker-login
|
|
id: login
|
|
with:
|
|
project: firezone-staging
|
|
- name: Build Version Tags
|
|
run: |
|
|
set -xe
|
|
MAJOR_VERSION="${VERSION%%.*}"
|
|
MAJOR_MINOR_VERSION="${VERSION%.*}"
|
|
|
|
echo "MAJOR_VERSION=${MAJOR_VERSION}" >> $GITHUB_ENV
|
|
echo "MAJOR_MINOR_VERSION=${MAJOR_MINOR_VERSION}" >> $GITHUB_ENV
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images:
|
|
${{ steps.login.outputs.registry }}/firezone/${{matrix.name.artifact }}
|
|
tags: |
|
|
type=raw,value=${{ github.sha }}
|
|
type=raw,value=${{ env.VERSION }}
|
|
type=raw,value=${{ env.MAJOR_VERSION }}
|
|
type=raw,value=${{ env.MAJOR_MINOR_VERSION }}
|
|
- name: Build and push release Docker images by digest
|
|
id: build
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
platforms: ${{ matrix.arch.platform }}
|
|
build-args: |
|
|
PACKAGE=${{ matrix.name.package }}
|
|
TARGET=${{ matrix.arch.target }}
|
|
context: rust
|
|
cache-from: |
|
|
type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.name.artifact }}:main
|
|
cache-to: |
|
|
type=registry,ref=${{ steps.login.outputs.registry }}/cache/${{ matrix.name.artifact }}:main,mode=max
|
|
target: release
|
|
outputs:
|
|
type=image,name=${{ steps.login.outputs.registry }}/firezone/${{matrix.name.artifact}},push-by-digest=true,name-canonical=true,push=true
|
|
- name: Export digest
|
|
run: |
|
|
mkdir -p /tmp/digests/${{ matrix.name.artifact }}
|
|
digest="${{ steps.build.outputs.digest }}"
|
|
touch "/tmp/digests/${{ matrix.name.artifact }}/${digest#sha256:}"
|
|
- name: Upload digest
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: digests
|
|
path: /tmp/digests/*
|
|
if-no-files-found: error
|
|
retention-days: 1
|
|
|
|
# Build for Windows
|
|
build-push-windows-release-artifacts:
|
|
permissions:
|
|
id-token: write
|
|
contents: write
|
|
needs: update-release-draft
|
|
runs-on: windows-2019
|
|
defaults:
|
|
run:
|
|
working-directory: ./rust
|
|
strategy:
|
|
fail-fast: false
|
|
# The matrix is 1x1 to match the style of build-push-linux-release-artifacts
|
|
# In the future we could try to cross-compile aarch64-windows here.
|
|
matrix:
|
|
name:
|
|
- package: firezone-windows-client
|
|
artifact: windows-client
|
|
env:
|
|
BINARY_DEST_PATH: ${{ matrix.name.artifact }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-rust
|
|
with:
|
|
targets: x86_64-pc-windows-msvc
|
|
- name: Build release binaries
|
|
run: |
|
|
cargo install tauri-cli
|
|
|
|
# Tauri build already defaults to '--release'
|
|
cargo tauri build
|
|
|
|
# Used for release artifact
|
|
cp target/release/${{ matrix.name.package }}.exe "${{ env.BINARY_DEST_PATH }}-x64.exe"
|
|
|
|
pwd
|
|
ls *.exe
|
|
|
|
# There's an MSI and NSIS installer here but their names include the version so I'll try those later.
|
|
|
|
|
|
- name: Upload Release Assets
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
# TODO: Calculate sha256sum for this binary and attach to release
|
|
gh release upload ${{ needs.update-release-draft.outputs.tag_name }} `
|
|
${{ env.BINARY_DEST_PATH }}-x64.exe `
|
|
--clobber `
|
|
--repo ${{ github.repository }}
|
|
|
|
merge-release-artifacts:
|
|
permissions:
|
|
id-token: write
|
|
needs: build-push-linux-release-artifacts
|
|
runs-on: ubuntu-22.04
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- image_name: relay
|
|
- image_name: gateway
|
|
- image_name: client
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/gcp-docker-login
|
|
id: login
|
|
with:
|
|
project: firezone-staging
|
|
- name: Download digests
|
|
uses: actions/download-artifact@v3
|
|
with:
|
|
name: digests
|
|
path: /tmp/digests
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Build Version Tags
|
|
run: |
|
|
set -xe
|
|
MAJOR_VERSION="${VERSION%%.*}"
|
|
MAJOR_MINOR_VERSION="${VERSION%.*}"
|
|
|
|
echo "MAJOR_VERSION=${MAJOR_VERSION}" >> $GITHUB_ENV
|
|
echo "MAJOR_MINOR_VERSION=${MAJOR_MINOR_VERSION}" >> $GITHUB_ENV
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images:
|
|
${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}
|
|
tags: |
|
|
type=raw,value=${{ github.sha }}
|
|
type=raw,value=${{ env.VERSION }}
|
|
type=raw,value=${{ env.MAJOR_VERSION }}
|
|
type=raw,value=${{ env.MAJOR_MINOR_VERSION }}
|
|
- name: Create manifest list and push
|
|
working-directory: /tmp/digests/${{ matrix.image_name }}
|
|
run: |
|
|
tags=$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON")
|
|
sources=$(printf '${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}@sha256:%s ' *)
|
|
echo "$sources"
|
|
docker buildx imagetools create $tags $sources
|
|
docker buildx imagetools inspect "${{ steps.login.outputs.registry }}/firezone/${{ matrix.image_name }}"
|