release #37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Creates a GitHub Release. | |
| # Workflow is manually run. | |
| # Preselect branch or tag before running this workflow. | |
| name: release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| nightly: | |
| description: "Mark as nightly build" | |
| required: true | |
| default: true | |
| type: boolean | |
| permissions: | |
| contents: write | |
| id-token: write | |
| packages: write | |
| jobs: | |
| setup: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Disable release on nightly repository | |
| if: ${{ !inputs.nightly }} | |
| run: | | |
| if [ "$GITHUB_REPOSITORY" == "openbao/openbao-nightly" ]; then | |
| echo "Refusing to run non-nightly release on nightly repo" 1>&2 | |
| exit 1 | |
| fi | |
| - name: Disable nightly on primary repository | |
| if: inputs.nightly | |
| run: | | |
| if [ "$GITHUB_REPOSITORY" != "openbao/openbao-nightly" ]; then | |
| echo "Refusing to run nightly release on non-nightly repo" 1>&2 | |
| exit 1 | |
| fi | |
| build-ui: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - setup | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4.1.7 | |
| with: | |
| fetch-depth: 0 # Required by GoRelease | |
| - name: Configure nightly build | |
| if: inputs.nightly | |
| run: | | |
| # Locally remove previous nightly tags so they do not interfere | |
| # with nightly tag computation. Also add the upstream. | |
| git remote add upstream https://github.com/openbao/openbao | |
| git fetch --all | |
| for tag in $(git tag); do | |
| if [[ "$tag" == *nightly* ]]; then | |
| echo "Deleting $tag" | |
| git tag --delete "$tag" | |
| fi | |
| done | |
| # Then create a nightly tag for this commit. Because this uses the | |
| # time of commit, it is stable across different runners. | |
| nightly_tag="$(bash ./scripts/nightly_tag.sh)" | |
| git tag "$nightly_tag" | |
| - name: Node setup | |
| uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 | |
| with: | |
| node-version-file: "./ui/package.json" | |
| - name: Yarn setup | |
| id: install-yarn | |
| run: | | |
| npm install -g yarn | |
| - name: UI Cache Setup | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| http/web_ui/ | |
| key: ${{ github.ref }}-ui | |
| # Before executing binary builds, build the UI. | |
| - name: Install UI dependencies | |
| id: ui-dependencies | |
| working-directory: ./ui | |
| run: | | |
| yarn install --frozen-lockfile | |
| npm rebuild node-sass | |
| - name: Build UI | |
| id: ui-build | |
| run: | | |
| make static-dist | |
| release: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - setup | |
| - build-ui | |
| env: | |
| DOCKER_CLI_EXPERIMENTAL: "enabled" | |
| strategy: | |
| matrix: | |
| release_os: | |
| - linux | |
| - hsm | |
| - darwin | |
| - freebsd | |
| - illumos | |
| - netbsd | |
| - openbsd | |
| - windows | |
| steps: | |
| - name: "Check free space on runner" | |
| run: | | |
| df -h . | |
| - name: Checkout | |
| uses: actions/checkout@v4.1.7 | |
| with: | |
| fetch-depth: 0 # Required by GoRelease | |
| - name: Configure nightly build | |
| if: inputs.nightly | |
| run: | | |
| # Locally remove previous nightly tags so they do not interfere | |
| # with nightly tag computation. Also add the upstream. | |
| git remote add upstream https://github.com/openbao/openbao | |
| git fetch --all | |
| for tag in $(git tag); do | |
| if [[ "$tag" == *nightly* ]]; then | |
| echo "Deleting $tag" | |
| git tag --delete "$tag" | |
| fi | |
| done | |
| # Then create a nightly tag for this commit. Because this uses the | |
| # time of commit, it is stable across different runners. | |
| nightly_tag="$(bash ./scripts/nightly_tag.sh)" | |
| git tag "$nightly_tag" | |
| - name: Golang Setup | |
| uses: ./.github/actions/set-up-go | |
| - name: go-check | |
| run: go version | |
| - name: UI Cache Setup | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| http/web_ui/ | |
| key: ${{ github.ref }}-ui | |
| # Supports syft/sbom generation | |
| - uses: anchore/sbom-action/download-syft@v0 | |
| # Supports Buildx | |
| - name: Qemu Setup | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Buildx Setup | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Cosign Install | |
| uses: sigstore/cosign-installer@v3 | |
| - name: GPG Import | |
| id: gpg-import | |
| uses: crazy-max/ghaction-import-gpg@v6 | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.GPG_PASSWORD }} | |
| - name: "Docker Login: ghcr.io" | |
| if: startsWith(github.ref, 'refs/tags/') || inputs.nightly | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: "Docker Login: docker.io" | |
| if: startsWith(github.ref, 'refs/tags/') || inputs.nightly | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_TOKEN }} | |
| - name: "Docker Login: quay.io" | |
| if: startsWith(github.ref, 'refs/tags/') || inputs.nightly | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USERNAME }} | |
| password: ${{ secrets.QUAY_TOKEN }} | |
| # Needed for nPFM | |
| - name: Create GPG Signing Key File | |
| if: startsWith(github.ref, 'refs/tags/') || inputs.nightly | |
| run: | | |
| GPG_KEY_FILE=/tmp/signing-key.gpg | |
| echo "${{ secrets.GPG_PRIVATE_KEY_BASE64 }}" | base64 -di > "${GPG_KEY_FILE}" | |
| echo "GPG_KEY_FILE=${GPG_KEY_FILE}" >> "${GITHUB_ENV}" | |
| env: | |
| GPG_TTY: /dev/ttys000 # Set the GPG_TTY to avoid issues with pinentry | |
| - name: Install GoReleaser | |
| if: startsWith(github.ref, 'refs/tags/') || inputs.nightly | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| install-only: true | |
| # TODO: remove version pinning when Goreleaser 2.8 is released | |
| version: v2.5.1 | |
| - name: "GoReleaser: Release" | |
| if: startsWith(github.ref, 'refs/tags/') || inputs.nightly | |
| run: | | |
| if [[ ! -f "goreleaser.${{ matrix.release_os }}.yaml" ]]; then | |
| yq e '.builds[0].goos |= ["${{ matrix.release_os }}"] | .checksum.name_template |= "checksums-${{ matrix.release_os }}.txt"' "goreleaser.other.yaml" | goreleaser release --clean --timeout=60m --verbose --parallelism 2 -f - | |
| else | |
| goreleaser release --clean --timeout=60m --verbose --parallelism 2 -f "goreleaser.${{ matrix.release_os }}.yaml" | |
| fi | |
| env: | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GPG_FINGERPRINT: ${{ steps.gpg-import.outputs.fingerprint }} | |
| GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }} | |
| GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} | |
| NFPM_DEFAULT_PASSPHRASE: ${{ secrets.GPG_PASSWORD }} | |
| NIGHTLY_RELEASE: ${{ inputs.nightly }} | |
| - name: Remove GPG Signing Key File | |
| if: always() | |
| run: | | |
| if [ -n "${GPG_KEY_FILE}" ]; then | |
| rm -rf "${GPG_KEY_FILE}" | |
| fi |