
Bump alpine from 3.23 to 3.24 #176




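name: Build

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  schedule:
    # Weekly rebuild. The tag-version step is skipped on scheduled runs, so
    # nothing is pushed or released; the build still exercises whatever the
    # base image currently resolves to.
    - cron: '0 6 * * 5'  # Every Friday at 06:00 UTC
  push:
    branches:
      - '**'
    paths-ignore:
      - '**/*.md'
      - '**/*.png'
    tags:
      - 'v*'
  pull_request:
    branches:
      - 'main'

env:
  NET_SOLUTION: GostGen/GostGen.slnx
  NET_PROJECT: GostGen/source/GostGen.csproj
  NET_PUBLISH_DIR: GostGen/publish/
  NET_PUBLISH_ARGS: "--verbosity normal --configuration Release -p:DebugType=embedded -p:PublishSingleFile=true --self-contained"
  DOCKER_REGISTRY: ghcr.io
  DOCKER_FULL_IMAGE_NAME: ghcr.io/chrschu90/mullvad-proxy-gateway  # Make sure to use lowercase only
  DOCKER_PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    # These permissions apply to every step of the job, including the
    # checkout/build/test steps that execute project code. Moving the
    # push/sign/release steps into a separate job would let the build and
    # test steps run with a read-only token.
    permissions:
      packages: write  # Docker push image to GHCR
      id-token: write  # GHCR auth and Cosign OIDC signing/verification
      contents: write  # Create/update GitHub Releases
    steps:
      # Third-party actions below are referenced by mutable version tags.
      # Pinning each `uses:` to a full commit SHA gives a stronger
      # supply-chain guarantee; Dependabot can keep SHA pins current.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0  # full history so tags can be resolved
          fetch-tags: true

      - name: .NET Setup
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: |
            10.0.x

      # Only runs for version tags; on every other event its outputs are
      # empty, which the `is_valid == 'true'` guards below rely on.
      - name: Get Version from Tag
        uses: ChrSchu90/GitTagSemanticVersion@v1.1
        if: startsWith(github.event.ref, 'refs/tags/v')
        id: tagver

      - name: .NET Restore
        run: dotnet restore ${{ env.NET_SOLUTION }}

      - name: .NET Build
        run: dotnet build ${{ env.NET_SOLUTION }} --verbosity normal --no-restore --configuration Release

      - name: .NET Test
        run: dotnet test --solution ${{ env.NET_SOLUTION }} --verbosity normal --no-restore --configuration Release

      # The tag-derived version is handed to the shell through `env:` rather
      # than interpolated into the script, so its value is never parsed as
      # shell syntax. -p:Version is only added when a version is present.
      - name: .NET Publish amd64
        env:
          VERSION: ${{ steps.tagver.outputs.version }}
        run: |
          version_arg=()
          if [ -n "${VERSION}" ]; then version_arg=("-p:Version=${VERSION}"); fi
          dotnet publish ${{ env.NET_PROJECT }} -r linux-musl-x64 ${{ env.NET_PUBLISH_ARGS }} "${version_arg[@]}" -o ${{ env.NET_PUBLISH_DIR }}linux/amd64

      - name: .NET Publish arm64
        env:
          VERSION: ${{ steps.tagver.outputs.version }}
        run: |
          version_arg=()
          if [ -n "${VERSION}" ]; then version_arg=("-p:Version=${VERSION}"); fi
          dotnet publish ${{ env.NET_PROJECT }} -r linux-musl-arm64 ${{ env.NET_PUBLISH_ARGS }} "${version_arg[@]}" -o ${{ env.NET_PUBLISH_DIR }}linux/arm64

      - name: .NET Publish armv7
        env:
          VERSION: ${{ steps.tagver.outputs.version }}
        run: |
          version_arg=()
          if [ -n "${VERSION}" ]; then version_arg=("-p:Version=${VERSION}"); fi
          dotnet publish ${{ env.NET_PROJECT }} -r linux-musl-arm ${{ env.NET_PUBLISH_ARGS }} "${version_arg[@]}" -o ${{ env.NET_PUBLISH_DIR }}linux/armv7

      - name: Docker QEMU Setup
        uses: docker/setup-qemu-action@v4

      - name: Docker Buildx Setup
        uses: docker/setup-buildx-action@v4

      - name: Cosign Setup
        uses: sigstore/cosign-installer@v4.1.2

      # Registry login only happens for tag builds; CI builds never push.
      - name: Docker Login
        uses: docker/login-action@v4
        if: ${{ steps.tagver.outputs.is_valid == 'true' }}
        with:
          registry: ${{ env.DOCKER_REGISTRY }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker tags/labels
        uses: docker/metadata-action@v6
        id: dockermeta
        with:
          images: ${{ env.DOCKER_FULL_IMAGE_NAME }}
          tags: |
            # Specific stable patch version (fully pinned)
            type=raw,value=${{ steps.tagver.outputs.version }},enable=${{ steps.tagver.outputs.is_release == 'true' }}
            # Latest stable release in major + minor version
            type=raw,value=${{ steps.tagver.outputs.major }}.${{ steps.tagver.outputs.minor }},enable=${{ steps.tagver.outputs.is_release == 'true' }}
            # Latest stable release in major version
            type=raw,value=${{ steps.tagver.outputs.major }},enable=${{ steps.tagver.outputs.is_release == 'true' }}
            # latest – Most recent stable release
            type=raw,value=latest,enable=${{ steps.tagver.outputs.is_release == 'true' }}
            # Specific preview build (fully pinned)
            type=raw,value=${{ steps.tagver.outputs.version }}-${{ steps.tagver.outputs.suffix }},enable=${{ steps.tagver.outputs.is_prerelease == 'true' }}
            # Latest preview for major + minor + patch version
            type=raw,value=${{ steps.tagver.outputs.version }}-preview,enable=${{ steps.tagver.outputs.is_prerelease == 'true' || steps.tagver.outputs.is_release == 'true' }}
            # Latest preview for major + minor version
            type=raw,value=${{ steps.tagver.outputs.major }}.${{ steps.tagver.outputs.minor }}-preview,enable=${{ steps.tagver.outputs.is_prerelease == 'true' || steps.tagver.outputs.is_release == 'true' }}
            # Latest preview for major version
            type=raw,value=${{ steps.tagver.outputs.major }}-preview,enable=${{ steps.tagver.outputs.is_prerelease == 'true' || steps.tagver.outputs.is_release == 'true' }}
            # Latest preview build
            type=raw,value=preview,enable=${{ steps.tagver.outputs.is_prerelease == 'true' || steps.tagver.outputs.is_release == 'true' }}
            # Test build
            type=raw,value=ci,enable=${{ steps.tagver.outputs.is_valid != 'true' }}

      # `push` is false for non-tag runs, so CI builds are built but never
      # leave the runner.
      - name: Docker build/push
        uses: docker/build-push-action@v7
        if: ${{ steps.dockermeta.outcome == 'success' }}
        id: docker_build
        with:
          context: .
          push: ${{ steps.tagver.outputs.is_valid == 'true' }}
          platforms: ${{ env.DOCKER_PLATFORMS }}
          tags: ${{ steps.dockermeta.outputs.tags }}
          labels: ${{ steps.dockermeta.outputs.labels }}
          annotations: ${{ steps.dockermeta.outputs.annotations }}
          # cache-from: type=gha
          # cache-to: type=gha,mode=max

      # Keyless (OIDC) signing of the pushed image by digest, so the
      # signature is bound to the exact content rather than a movable tag.
      - name: Sign Docker Image
        if: ${{ steps.tagver.outputs.is_valid == 'true' }}
        id: docker_sign
        shell: bash
        env:
          IMAGE_DIGEST: ${{ steps.docker_build.outputs.digest }}
          IMAGE_REF: ${{ env.DOCKER_FULL_IMAGE_NAME }}@${{ steps.docker_build.outputs.digest }}
        run: |
          # Fail fast instead of retrying against a malformed "name@" reference.
          if [ -z "${IMAGE_DIGEST}" ]; then
            echo "signed=false" >> "$GITHUB_OUTPUT"
            echo "::error::No image digest from the build step; nothing to sign"
            exit 1
          fi
          echo "::notice::Signing image: ${IMAGE_REF}"
          # Exponential backoff (2s, 4s, ... 32s) to ride out transient
          # Fulcio/Rekor or registry errors.
          for i in {1..5}; do
            if cosign sign --yes "${IMAGE_REF}"; then
              echo "Signed: ${IMAGE_REF}"
              echo "signed=true" >> "$GITHUB_OUTPUT"
              exit 0
            fi
            echo "Signing attempt ${i} failed, retrying..."
            sleep $((2 ** i))
          done
          echo "signed=false" >> "$GITHUB_OUTPUT"
          echo "::error::Failed to sign image ${IMAGE_REF}"
          exit 1

      # Round-trip check that the signature just produced verifies against
      # this repository's workflow identity and the GitHub OIDC issuer.
      - name: Verify Docker Image
        if: ${{ steps.tagver.outputs.is_valid == 'true' }}
        id: docker_verify
        shell: bash
        env:
          IMAGE_DIGEST: ${{ steps.docker_build.outputs.digest }}
          IMAGE_REF: ${{ env.DOCKER_FULL_IMAGE_NAME }}@${{ steps.docker_build.outputs.digest }}
          # NOTE(review): the identity regexp assumes this workflow file is
          # named build.yml — confirm, or verification fails after a rename.
          COSIGN_IDENTITY: ^https://github.com/${{ github.repository }}/\.github/workflows/build\.yml@refs/tags/v.*$
          COSIGN_ISSUER: https://token.actions.githubusercontent.com
        run: |
          if [ -z "${IMAGE_DIGEST}" ]; then
            echo "verified=false" >> "$GITHUB_OUTPUT"
            echo "::error::No image digest from the build step; nothing to verify"
            exit 1
          fi
          echo "::notice::Verifying image: ${IMAGE_REF}"
          for i in {1..5}; do
            if cosign verify \
                 --certificate-identity-regexp "${COSIGN_IDENTITY}" \
                 --certificate-oidc-issuer "${COSIGN_ISSUER}" \
                 "${IMAGE_REF}"; then
              echo "Image verified: ${IMAGE_REF}"
              echo "verified=true" >> "$GITHUB_OUTPUT"
              exit 0
            fi
            echo "Verification attempt ${i} failed, retrying..."
            sleep $((2 ** i))
          done
          echo "verified=false" >> "$GITHUB_OUTPUT"
          echo "::error::Image verification failed for ${IMAGE_REF}"
          exit 1

      - name: Create Release
        uses: softprops/action-gh-release@v3
        if: ${{ steps.tagver.outputs.is_valid == 'true' }}
        with:
          tag_name: ${{ steps.tagver.outputs.version_tag }}
          prerelease: ${{ steps.tagver.outputs.is_prerelease == 'true' }}
          make_latest: ${{ steps.tagver.outputs.is_release == 'true' }}
          generate_release_notes: true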