Merge pull request #3422 from openziti/prep-v1.6.10-release #62
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| push: | |
| tags: | |
| - 'v*.*.*' | |
| workflow_dispatch: | |
| env: | |
| GOFLAGS: "-tags=pkcs11 -trimpath" | |
| GOX_OUTPUT: "release/{{.Arch}}/{{.OS}}/{{.Dir}}" | |
| GOX_TEST_OUTPUT: "test/{{.Arch}}/{{.OS}}/bin/{{.Dir}}" | |
| gh_ci_key: ${{ secrets.GH_CI_KEY }} | |
| BUILD_NUMBER: ${{ format('{0}-{1}-{2}', github.run_id, github.run_number, github.run_attempt) }} | |
| ZITI_BASE_VERSION: ${{ vars.ZITI_BASE_VERSION || null }} | |
| jobs: | |
| mac-os-build: | |
| name: Build Mac OS binaries | |
| # allow fors to opt-out of time-consuming macOS builds | |
| if: vars.ZITI_SKIP_MACOS_BUILD != 'true' | |
| runs-on: macos-latest | |
| steps: | |
| - name: Git Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Go | |
| uses: ./.github/actions/setup-go | |
| - name: Install Ziti CI | |
| uses: openziti/ziti-ci@v1 | |
| - name: Build and Test | |
| shell: bash | |
| run: | | |
| set -o xtrace | |
| go install github.com/mitchellh/gox@latest | |
| $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=amd64 -output=$GOX_OUTPUT ./ziti/ | |
| $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=arm64 -output=$GOX_OUTPUT ./ziti/ | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: darwin-release-${{ github.run_id }} | |
| path: release/ | |
| retention-days: 5 | |
| windows-build: | |
| name: Build Windows binaries | |
| # allow fors to opt-out of time-consuming Windows builds | |
| if: vars.ZITI_SKIP_WINDOWS_BUILD != 'true' | |
| runs-on: windows-2022 | |
| steps: | |
| - name: Git Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Go | |
| uses: ./.github/actions/setup-go | |
| - name: Install Ziti CI | |
| uses: openziti/ziti-ci@v1 | |
| - name: Build and Test | |
| shell: bash | |
| run: | | |
| set -o xtrace | |
| go install github.com/mitchellh/gox@latest | |
| $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=windows -arch=amd64 -output=$GOX_OUTPUT ./ziti/ | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: windows-release-${{ github.run_id }} | |
| path: release/ | |
| retention-days: 5 | |
| linux-build: | |
| name: Build Linux binaries | |
| runs-on: ubuntu-22.04 # pin oldest available Docker host for ABI compatibility | |
| container: ${{ vars.ZITI_BUILDER_IMAGE || 'openziti/ziti-builder:v2' }} # pin v2 (Ubuntu Focal) for glibc compatibility while leveraging Actions's Node.js | |
| steps: | |
| - name: Git Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Go | |
| uses: ./.github/actions/setup-go | |
| - name: Install Ziti CI | |
| uses: openziti/ziti-ci@v1 | |
| with: | |
| ziti-ci-version: latest | |
| - name: Build and Test | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ziti_ci_gpg_key: ${{ secrets.ZITI_CI_GPG_KEY }} | |
| ziti_ci_gpg_key_id: ${{ secrets.ZITI_CI_GPG_KEY_ID }} | |
| shell: bash | |
| run: | | |
| set -o xtrace | |
| $(go env GOPATH)/bin/ziti-ci configure-git | |
| go install github.com/mitchellh/gox@latest | |
| $(go env GOPATH)/bin/ziti-ci -t go-build-flags | |
| $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./ziti/ | |
| CC=arm-linux-gnueabihf-gcc \ | |
| $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./ziti/ | |
| CC=aarch64-linux-gnu-gcc \ | |
| $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm64 -output=$GOX_OUTPUT ./ziti/ | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: linux-release-${{ github.run_id }} | |
| path: release/ | |
| retention-days: 5 | |
| tests: | |
| name: Run Unit and Integration Tests | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Git Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Go | |
| uses: ./.github/actions/setup-go | |
| - name: Install Ziti CI | |
| uses: openziti/ziti-ci@v1 | |
| - name: Run Go Quickstart Test | |
| timeout-minutes: 5 | |
| shell: bash | |
| run: | | |
| go test -v -tags "quickstart automated" ./ziti/cmd/edge/...; | |
| - name: Run Unit and Integration Tests | |
| if: ${{ vars.ZITI_SKIP_INTEGRATION_TESTS != 'true' }} | |
| timeout-minutes: 10 | |
| shell: bash | |
| run: | | |
| go test ./... --tags apitests | |
| publish: | |
| name: Publish Binaries | |
| # !cancelled() overrides default behavior, allowing this job to proceed if needed jobs failed, unless "if" | |
| # expression specifies a required outcome | |
| if: ${{ | |
| !cancelled() | |
| && (needs.mac-os-build.result == 'success' || needs.mac-os-build.result == 'skipped') | |
| && (needs.windows-build.result == 'success' || needs.windows-build.result == 'skipped') | |
| && (needs.linux-build.result == 'success') | |
| && (needs.tests.result == 'success') | |
| }} | |
| # ensure required job outcomes are specified in "if" expression | |
| needs: [ tests, linux-build, mac-os-build, windows-build ] | |
| permissions: | |
| contents: write # need write to create the release | |
| id-token: write # need write to get OIDC token for generating attestations | |
| attestations: write # need write to create attestations | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| ZITI_VERSION: ${{ steps.get_version.outputs.ZITI_VERSION }} | |
| steps: | |
| - name: Git Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Go | |
| uses: ./.github/actions/setup-go | |
| - name: Install Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.13' | |
| - name: Install Ziti CI | |
| uses: openziti/ziti-ci@v1 | |
| with: | |
| ziti-ci-version: latest | |
| - name: Download linux release artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: linux-release-${{ github.run_id }} | |
| path: release/ | |
| - name: Download darwin release artifact | |
| if: needs.mac-os-build.result == 'success' | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: darwin-release-${{ github.run_id }} | |
| path: release/ | |
| - name: Download windows release artifact | |
| if: needs.windows-build.result == 'success' | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: windows-release-${{ github.run_id }} | |
| path: release/ | |
| - name: Fetch Source Archive | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| set -o xtrace | |
| gh api \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| /repos/${{ github.repository }}/tarball/${{ github.ref_name }} \ | |
| > ./release/source-${{ github.ref_name }}.tar.gz | |
| - name: Fetch SBOM from Dependency Graph API | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| # jq fails the step if not valid JSON | |
| set -o pipefail | |
| set -o xtrace | |
| gh api \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| /repos/${{ github.repository }}/dependency-graph/sbom \ | |
| | jq . | tee ./release/sbom-${{ github.ref_name }}.spdx.json | |
| - name: List Release Artifacts | |
| shell: bash | |
| run: | | |
| ls -lAhR release/ | |
| - name: Publish GitHub Release | |
| # forks need to run this step with their own GPG key because ziti-ci creates the GH release | |
| if: env.ziti_ci_gpg_key_id != null && startsWith(github.ref, 'refs/tags/v') | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ziti_ci_gpg_key: ${{ secrets.ZITI_CI_GPG_KEY }} | |
| ziti_ci_gpg_key_id: ${{ secrets.ZITI_CI_GPG_KEY_ID }} | |
| shell: bash | |
| run: | | |
| set -o xtrace | |
| $(go env GOPATH)/bin/ziti-ci configure-git | |
| # dry run to build release tarball we'll use to double-check the internal version matches the tag | |
| $(go env GOPATH)/bin/ziti-ci publish-to-github --use-current-tag --prerelease --archive-base "" --dry-run | |
| # extract the release tarball and verify the internal version matches the tag | |
| tar xfzv ./release/ziti-linux-amd64-* -C /tmp | |
| $(go env GOPATH)/bin/ziti-ci verify-current-version --use-current-tag "$(/tmp/ziti version)" | |
| $(go env GOPATH)/bin/ziti-ci publish-to-github --use-current-tag --prerelease --archive-base "" | |
| - name: Attest Build Provenance | |
| uses: actions/attest-build-provenance@v2 | |
| with: | |
| subject-checksums: ./release/attestation-subjects.sha256.txt | |
| # only ziti-ci computed version for release branches and {version}-{run_id} for non-release branches | |
| - name: Compute the Ziti Version String used for Linux Packages and Container Image Tags | |
| id: get_version | |
| shell: bash | |
| run: | | |
| # drop the leading 'v', if any | |
| ZITI_VERSION=${GITHUB_REF_NAME#v} | |
| echo ZITI_VERSION="${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT | |
| call-publish-docker-images: | |
| # - !cancelled() allows evaluating further conditional expressions even if | |
| # needed jobs were skipped | |
| if: ${{ !cancelled() && needs.publish.result == 'success' }} | |
| name: Publish Release Docker Images | |
| needs: publish | |
| uses: ./.github/workflows/publish-docker-images.yml | |
| secrets: inherit | |
| with: | |
| ziti-tag: ${{ needs.publish.outputs.ZITI_VERSION }} | |
| # call on release tags to publish linux packages to "release" package repos in Artifactory | |
| call-publish-linux-packages: | |
| # - !cancelled() allows evaluating further conditional expressions even if | |
| # needed jobs were skipped | |
| if: ${{ !cancelled() && needs.publish.result == 'success' }} | |
| name: Publish Linux Packages | |
| needs: publish | |
| uses: ./.github/workflows/publish-linux-packages.yml | |
| secrets: inherit | |
| with: | |
| ziti-version: ${{ needs.publish.outputs.ZITI_VERSION }} | |
| repository-dispatch: | |
| if: ${{ !cancelled() && needs.publish.result == 'success' }} | |
| needs: | |
| - publish | |
| - call-publish-docker-images | |
| name: Repository Dispatch Event | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Send repository_dispatch event | |
| env: | |
| # this token has fine-grained permission to send repository_dispatch events to the downstream private repo | |
| GH_TOKEN: ${{ secrets.GH_FGPAT_NF_REPO_DISPATCH }} | |
| shell: bash | |
| run: | | |
| set -o pipefail | |
| set -o xtrace | |
| gh api \ | |
| --method POST \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| /repos/netfoundry/ziti-fips/dispatches \ | |
| -f "event_type=ziti_release" \ | |
| -F "client_payload[version]=${{ needs.publish.outputs.ZITI_VERSION }}" \ | |
| -F "client_payload[run_id]=${{ github.run_id }}" \ | |
| -F "client_payload[repo]=${{ github.repository }}" |