---
name: Release

# Triggers
#
# Push of a v[MAJOR].[MINOR].[PATCH] tag:
#   Full stable release. Builds both arch binaries, assembles
#   rootfs.tar.gz + manifest.json + SHA256SUMS, publishes a GitHub Release
#   at that tag and marks it latest. The 'v*' filter below is only a coarse
#   match; the classify job enforces the exact version pattern.
#
# Push to dev:
#   Moving prerelease at the "dev-latest" tag. The tag is force-recreated to
#   point at the new HEAD and the release is updated in place with new
#   assets. This is what feeders on the dev channel resolve via
#   airplanes_webconfig_resolve_dev_latest_tag.
#
# workflow_dispatch:
#   Manual rebuild of dev-latest (rare; for re-pushing assets when something
#   goes wrong).
on:
  push:
    tags:
      - 'v*'
    branches:
      - dev
  workflow_dispatch: {}

# Read-only token by default; a job that needs more declares its own
# permissions block.
permissions:
  contents: read
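jobs:
  # Maps the triggering event onto a release kind ("stable" or "dev") and
  # the release tag that the build and publish jobs use.
  classify:
    name: classify release type
    runs-on: ubuntu-24.04
    timeout-minutes: 2
    outputs:
      kind: ${{ steps.k.outputs.kind }}
      tag: ${{ steps.k.outputs.tag }}
    steps:
      - id: k
        # Ref names are chosen by whoever pushes, so they reach the script
        # only as environment variables and are never expanded into the
        # script text itself.
        env:
          EVENT: ${{ github.event_name }}
          REF: ${{ github.ref }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [[ "$EVENT" == "push" && "$REF" == refs/tags/* ]]; then
            # The 'v*' trigger filter is broad; accept only strict
            # vMAJOR.MINOR.PATCH without leading zeros.
            if ! [[ "$REF_NAME" =~ ^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$ ]]; then
              echo "::error::Tag '$REF_NAME' does not match v[MAJOR].[MINOR].[PATCH]"
              exit 1
            fi
            echo "kind=stable" >> "$GITHUB_OUTPUT"
            echo "tag=$REF_NAME" >> "$GITHUB_OUTPUT"
          elif [[ "$EVENT" == "push" && "$REF" == "refs/heads/dev" ]]; then
            echo "kind=dev" >> "$GITHUB_OUTPUT"
            echo "tag=dev-latest" >> "$GITHUB_OUTPUT"
          elif [[ "$EVENT" == "workflow_dispatch" && "$REF" == "refs/heads/dev" ]]; then
            # A manual run can be started from any branch or tag. Only a run
            # on dev may rebuild dev-latest; any other ref falls through to
            # the error below, so code from another ref is never published
            # to the dev channel.
            echo "kind=dev" >> "$GITHUB_OUTPUT"
            echo "tag=dev-latest" >> "$GITHUB_OUTPUT"
          else
            echo "::error::Unsupported trigger: event=$EVENT ref=$REF"
            exit 1
          fi

  # Builds the release assets. This job declares no permissions of its own,
  # so it runs with the workflow-level read-only token.
  build:
    name: cross-compile + package release assets
    needs: [classify]
    runs-on: ubuntu-24.04
    timeout-minutes: 15
    steps:
      # Actions are pinned to full commit SHAs; the trailing comment names
      # the release tag each pin is meant to correspond to.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # This job runs a script from the repository, so the token is not
          # left behind in the checkout's git config.
          persist-credentials: false
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
      - name: resolve commit sha
        id: sha
        # github.sha resolves to the tag-object SHA on annotated tag pushes,
        # which would not equal `git rev-parse HEAD` at runtime. Capture the
        # commit SHA explicitly so the manifest and ldflags both agree with
        # the cloned source HEAD.
        run: echo "commit=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
      - name: assemble release (binaries + rootfs.tar.gz + manifest + SHA256SUMS)
        # Job outputs are passed through env and quoted in the command line
        # rather than being expanded into the script text.
        env:
          TAG: ${{ needs.classify.outputs.tag }}
          KIND: ${{ needs.classify.outputs.kind }}
          COMMIT_SHA: ${{ steps.sha.outputs.commit }}
        run: |
          bash scripts/lib/build-release.sh \
            --version "$TAG" \
            --kind "$KIND" \
            --commit-sha "$COMMIT_SHA" \
            --output "$RUNNER_TEMP/release"
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: release-assets
          path: |
            ${{ runner.temp }}/release/airplanes-webconfig-arm64
            ${{ runner.temp }}/release/airplanes-webconfig-armhf
            ${{ runner.temp }}/release/rootfs.tar.gz
            ${{ runner.temp }}/release/manifest.json
            ${{ runner.temp }}/release/SHA256SUMS
          retention-days: 7

  # Publishes the built assets. This is the only job with a write token.
  publish:
    name: publish GitHub Release
    needs: [classify, build]
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    permissions:
      contents: write
    # Two updates against the same target must not interleave: a slow older
    # run could overwrite a newer release's assets, leaving devices on an
    # older binary while the tag points at the newer commit. For dev pushes
    # the older in-flight run is cancelled. For stable tags
    # cancel-in-progress is false, so an overlapping run for the same tag
    # waits for the in-flight one to finish; it is queued, not failed.
    concurrency:
      group: publish-${{ needs.classify.outputs.tag }}
      cancel-in-progress: ${{ needs.classify.outputs.kind == 'dev' }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # The dev path runs `git tag -f` and `git push --force` to move
          # dev-latest. Persist the default GITHUB_TOKEN credentials so git
          # has push auth without re-encoding the token in a remote URL.
          # The write token is then readable by every later step in this
          # job, so the steps below only hash and upload the downloaded
          # assets and never execute them.
          persist-credentials: true
          fetch-depth: 0
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: release-assets
          path: dist/
      - name: Verify SHA256SUMS
        # Catches corruption between the build and publish jobs. The
        # checksum file travels in the same artifact as the binaries, so
        # this is an integrity check only, not proof of origin, and a file
        # missing from SHA256SUMS is not checked at all.
        working-directory: dist
        run: sha256sum -c SHA256SUMS
      - name: Stable release (tag push)
        if: needs.classify.outputs.kind == 'stable'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ needs.classify.outputs.tag }}
        run: |
          # NOTE(review): when a release already exists for this tag,
          # --clobber replaces its assets. That also applies to an already
          # published release if the tag is pushed again, so limiting who
          # can create or move v* tags protects published stable assets.
          if gh release view "$TAG" >/dev/null 2>&1; then
            gh release upload "$TAG" --clobber \
              dist/airplanes-webconfig-arm64 \
              dist/airplanes-webconfig-armhf \
              dist/rootfs.tar.gz \
              dist/manifest.json \
              dist/SHA256SUMS
            gh release edit "$TAG" --draft=false --latest
          else
            gh release create "$TAG" --title "$TAG" --generate-notes --latest \
              dist/airplanes-webconfig-arm64 \
              dist/airplanes-webconfig-armhf \
              dist/rootfs.tar.gz \
              dist/manifest.json \
              dist/SHA256SUMS
          fi
      - name: Dev release (moving dev-latest)
        if: needs.classify.outputs.kind == 'dev'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: dev-latest
          SHA: ${{ github.sha }}
        run: |
          # Force-move dev-latest to point at the current commit and
          # rebuild the release in place. Concurrency: cancel-in-progress on
          # dev means an older run cannot land after this one. The release
          # is marked prerelease so the repo home page still shows the
          # latest stable tag as "Latest".
          if gh release view "$TAG" >/dev/null 2>&1; then
            gh release delete "$TAG" --yes --cleanup-tag
          fi
          git tag -f "$TAG" "$SHA"
          git push origin "refs/tags/$TAG" --force
          gh release create "$TAG" \
            --title "dev-latest (${SHA:0:8})" \
            --notes "Moving prerelease for the dev channel. Commit: $SHA" \
            --prerelease \
            dist/airplanes-webconfig-arm64 \
            dist/airplanes-webconfig-armhf \
            dist/rootfs.tar.gz \
            dist/manifest.json \
            dist/SHA256SUMS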