feat(pkg): proxy IRMA /statusevents SSE endpoint #261
| name: Delivery | |
| # | |
| # Pipeline overview | |
| # ================= | |
| # | |
| # Release-plz and Docker delivery are combined in one workflow because | |
| # GITHUB_TOKEN-created tags do not trigger new workflow runs. This means a | |
| # versioned Docker image must be built in the same run that release-plz | |
| # creates the release, using its job outputs to pass the version through. | |
| # | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| jobs: | |
| # --------------------------------------------------------------------------- | |
| # Release-plz: tag, publish crates, create GitHub releases | |
| # --------------------------------------------------------------------------- | |
| release-plz-release: | |
| name: Release-plz release | |
| if: github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: read | |
| id-token: write | |
| outputs: | |
| releases_created: ${{ steps.release-plz.outputs.releases_created }} | |
| pg_pkg_version: ${{ steps.parse.outputs.pg_pkg_version }} | |
| pg_core_version: ${{ steps.parse.outputs.pg_core_version }} | |
| pg_ffi_version: ${{ steps.parse.outputs.pg_ffi_version }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Install Rust toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Run release-plz | |
| id: release-plz | |
| uses: release-plz/action@v0.5 | |
| with: | |
| command: release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Parse released versions | |
| id: parse | |
| if: steps.release-plz.outputs.releases_created == 'true' | |
| run: | | |
| RELEASES='${{ steps.release-plz.outputs.releases }}' | |
| PG_PKG_VERSION=$(echo "$RELEASES" | jq -r '.[] | select(.package_name == "pg-pkg") | .version // empty') | |
| PG_CORE_VERSION=$(echo "$RELEASES" | jq -r '.[] | select(.package_name == "pg-core") | .version // empty') | |
| echo "pg_pkg_version=$PG_PKG_VERSION" >> "$GITHUB_OUTPUT" | |
| echo "pg_core_version=$PG_CORE_VERSION" >> "$GITHUB_OUTPUT" | |
| PG_FFI_VERSION=$(echo "$RELEASES" | jq -r '.[] | select(.package_name == "pg-ffi") | .version // empty') | |
| echo "pg_ffi_version=$PG_FFI_VERSION" >> "$GITHUB_OUTPUT" | |
| # Create a PR with the new versions and changelog, preparing the next release. | |
| release-plz-pr: | |
| name: Release-plz PR | |
| needs: release-plz-release | |
| if: github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| concurrency: | |
| group: release-plz-${{ github.ref }} | |
| cancel-in-progress: false | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Install Rust toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Run release-plz | |
| uses: release-plz/action@v0.5 | |
| with: | |
| command: release-pr | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # --------------------------------------------------------------------------- | |
| # Docker: build, scan, and publish multi-arch image for pg-pkg | |
| # --------------------------------------------------------------------------- | |
| # Build each platform on its native runner and push by digest (no tag yet). | |
| build: | |
| name: Build (${{ matrix.name }}) | |
| runs-on: ${{ matrix.runner }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - platform: linux/amd64 | |
| runner: ubuntu-24.04 | |
| name: amd64 | |
| - platform: linux/arm64 | |
| runner: ubuntu-24.04-arm | |
| name: arm64 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v4 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push by digest | |
| id: build | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| platforms: ${{ matrix.platform }} | |
| build-args: CARGO_PROFILE=edge | |
| outputs: type=image,name=ghcr.io/${{ github.repository }},push-by-digest=true,name-canonical=true,push=true | |
| cache-from: type=gha,scope=build-${{ matrix.name }} | |
| cache-to: type=gha,mode=max,scope=build-${{ matrix.name }} | |
| - name: Export digest | |
| run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.build.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| - name: Upload digest | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: digest-${{ matrix.name }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| # Security scan the amd64 image. | |
| scan-docker: | |
| name: Scan Docker image | |
| needs: build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: read | |
| security-events: write | |
| steps: | |
| - name: Download amd64 digest | |
| uses: actions/download-artifact@v8 | |
| with: | |
| name: digest-amd64 | |
| path: /tmp/digests | |
| - name: Resolve image reference | |
| id: ref | |
| run: | | |
| DIGEST=$(ls /tmp/digests | head -1) | |
| echo "image=ghcr.io/${{ github.repository }}@sha256:${DIGEST}" >> "$GITHUB_OUTPUT" | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v4 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Scan image | |
| uses: anchore/scan-action@v6 | |
| id: scan | |
| with: | |
| image: ${{ steps.ref.outputs.image }} | |
| only-fixed: true | |
| fail-build: true | |
| severity-cutoff: critical | |
| output-format: sarif | |
| - name: Upload Anchore scan SARIF report | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: ${{ !cancelled() }} | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| # Merge platform digests into a single multi-platform manifest and apply tags. | |
| # - push to main (no release) → ghcr.io/.../postguard:edge | |
| # - push to main (release) → ghcr.io/.../postguard:edge + postguard:0.3.1 | |
| # - pull request → ghcr.io/.../postguard:pr-123 | |
| finalize-docker: | |
| name: Finalize Docker manifest | |
| needs: [build, scan-docker, release-plz-release] | |
| if: always() && needs.build.result == 'success' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Download digests | |
| uses: actions/download-artifact@v8 | |
| with: | |
| path: /tmp/digests | |
| pattern: digest-* | |
| merge-multiple: true | |
| - name: Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| tags: | | |
| type=edge,branch=main | |
| type=ref,event=pr | |
| type=raw,value=${{ needs.release-plz-release.outputs.pg_pkg_version }},enable=${{ needs.release-plz-release.outputs.pg_pkg_version != '' }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Log in to GHCR | |
| uses: docker/login-action@v4 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create and push manifest | |
| working-directory: /tmp/digests | |
| run: | | |
| docker buildx imagetools create \ | |
| $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
| $(printf 'ghcr.io/${{ github.repository }}@sha256:%s ' *) | |
| # --------------------------------------------------------------------------- | |
| # pg-ffi: build native libraries for all platforms | |
| # --------------------------------------------------------------------------- | |
| # Build pg-ffi native libraries and upload as GitHub release assets. | |
| build-ffi: | |
| name: Build pg-ffi (${{ matrix.name }}) | |
| needs: release-plz-release | |
| if: needs.release-plz-release.outputs.pg_ffi_version != '' | |
| runs-on: ${{ matrix.runner }} | |
| permissions: | |
| contents: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - target: x86_64-unknown-linux-gnu | |
| runner: ubuntu-24.04 | |
| name: linux-x64 | |
| lib: libpg_ffi.so | |
| - target: aarch64-unknown-linux-gnu | |
| runner: ubuntu-24.04-arm | |
| name: linux-arm64 | |
| lib: libpg_ffi.so | |
| - target: aarch64-apple-darwin | |
| runner: macos-latest | |
| name: osx-arm64 | |
| lib: libpg_ffi.dylib | |
| - target: x86_64-apple-darwin | |
| runner: macos-latest | |
| name: osx-x64 | |
| lib: libpg_ffi.dylib | |
| - target: x86_64-pc-windows-msvc | |
| runner: windows-latest | |
| name: win-x64 | |
| lib: pg_ffi.dll | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Install Rust toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: ${{ matrix.target }} | |
| - name: Build pg-ffi | |
| run: cargo build --release --target ${{ matrix.target }} -p pg-ffi | |
| - name: Package artifact (unix) | |
| if: runner.os != 'Windows' | |
| run: | | |
| mkdir -p staging | |
| cp target/${{ matrix.target }}/release/${{ matrix.lib }} staging/ | |
| cd staging && tar czf ../pg-ffi-${{ matrix.name }}.tar.gz * | |
| - name: Package artifact (windows) | |
| if: runner.os == 'Windows' | |
| run: | | |
| mkdir staging | |
| cp target/${{ matrix.target }}/release/${{ matrix.lib }} staging/ | |
| Compress-Archive -Path staging/* -DestinationPath pg-ffi-${{ matrix.name }}.zip | |
| - name: Upload to GitHub release | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| TAG="pg-ffi-v${{ needs.release-plz-release.outputs.pg_ffi_version }}" | |
| gh release upload "$TAG" pg-ffi-${{ matrix.name }}.* --clobber | |
| # --------------------------------------------------------------------------- | |
| # npm: publish pg-wasm to npmjs | |
| # --------------------------------------------------------------------------- | |
| # pg-wasm is excluded from the workspace because pg-core's "web" feature | |
| # uses compile_error! on non-wasm32 targets, making cargo package fail. | |
| # pg-wasm's npm version is kept in sync with pg-core: when pg-core is | |
| # released, pg-wasm is published at the same version. | |
| publish-wasm: | |
| name: Publish pg-wasm to npm | |
| needs: release-plz-release | |
| if: needs.release-plz-release.outputs.pg_core_version != '' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Install Rust toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Install wasm-pack | |
| run: cargo install wasm-pack | |
| - name: Build pg-wasm (bundler) | |
| run: wasm-pack build --release -d pkg/bundler --out-name index --scope e4a --target bundler ./pg-wasm | |
| - name: Build pg-wasm (web) | |
| run: wasm-pack build --release -d pkg/web --out-name index --scope e4a --target web ./pg-wasm | |
| - name: Assemble package | |
| working-directory: pg-wasm/pkg | |
| run: | | |
| # Clean up wasm-pack generated files from subdirectories | |
| rm -f bundler/package.json bundler/.gitignore bundler/README.md | |
| rm -f web/package.json web/.gitignore web/README.md | |
| # Write the combined package.json using node to ensure valid JSON | |
| node -e " | |
| const pkg = { | |
| name: '@e4a/pg-wasm', | |
| type: 'module', | |
| collaborators: [ | |
| 'Leon Botros <l.botros@cs.ru.nl>', | |
| 'Bas Westerbaan <bas@westerbaan.name>' | |
| ], | |
| description: 'PostGuard WebAssembly bindings for the browser', | |
| version: '0.0.0', | |
| license: 'MIT', | |
| repository: { | |
| type: 'git', | |
| url: 'https://github.com/encryption4all/postguard/tree/main/pg-wasm' | |
| }, | |
| exports: { | |
| '.': { types: './bundler/index.d.ts', import: './bundler/index.js' }, | |
| './web': { types: './web/index.d.ts', import: './web/index.js' } | |
| }, | |
| main: './bundler/index.js', | |
| types: './bundler/index.d.ts', | |
| sideEffects: ['./bundler/index.js', './snippets/*'], | |
| keywords: ['ibe', 'encryption', 'ecc'] | |
| }; | |
| require('fs').writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n'); | |
| " | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '24' | |
| registry-url: 'https://registry.npmjs.org' | |
| - name: Set version and publish | |
| working-directory: pg-wasm/pkg | |
| run: | | |
| npm version "${{ needs.release-plz-release.outputs.pg_core_version }}" --no-git-tag-version | |
| npm publish --provenance --access public | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
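Review bot: The `finalize-docker` gate `if: always() && needs.build.result == 'success'` never looks at `needs.scan-docker.result`, so when the Anchore step fails the build on a critical finding (`fail-build: true`, `severity-cutoff: critical`) the manifest is still created and the `edge` / version tags are pushed, which makes the scan job advisory rather than a release gate. `always()` is presumably there so the job still runs when `release-plz-release` is skipped on pull requests; that intent is kept while closing the gap with `if: always() && needs.build.result == 'success' && needs.scan-docker.result == 'success'`. Separately, the `Parse released versions` step interpolates `${{ steps.release-plz.outputs.releases }}` directly into a single-quoted shell string, so any quote in that JSON breaks the quoting and becomes shell; the usual hardening is to pass it through `env: RELEASES: ${{ steps.release-plz.outputs.releases }}` on the step and reference `"$RELEASES"` in the script, and the same pattern applies to the `digest`, `TAG` and `npm version` interpolations in the later jobs. Also worth noting that third-party actions are pinned to mutable tags (`@v6`, `@stable`) rather than commit SHAs, which is a supply-chain choice to make deliberately for a workflow that holds `packages: write`, `contents: write` and the npm publishing token.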