-
Notifications
You must be signed in to change notification settings - Fork 242
347 lines (282 loc) · 11.3 KB
/
release.yml
File metadata and controls
347 lines (282 loc) · 11.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
name: release
on:
push:
tags:
- 'v*.*.*'
workflow_dispatch:
env:
GOFLAGS: "-tags=pkcs11 -trimpath"
GOX_OUTPUT: "release/{{.Arch}}/{{.OS}}/{{.Dir}}"
GOX_TEST_OUTPUT: "test/{{.Arch}}/{{.OS}}/bin/{{.Dir}}"
gh_ci_key: ${{ secrets.GH_CI_KEY }}
BUILD_NUMBER: ${{ format('{0}-{1}-{2}', github.run_id, github.run_number, github.run_attempt) }}
ZITI_BASE_VERSION: ${{ vars.ZITI_BASE_VERSION || null }}
jobs:
mac-os-build:
name: Build Mac OS binaries
# allow fors to opt-out of time-consuming macOS builds
if: vars.ZITI_SKIP_MACOS_BUILD != 'true'
runs-on: macos-latest
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: ./.github/actions/setup-go
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
- name: Build and Test
shell: bash
run: |
set -o xtrace
go install github.com/mitchellh/gox@latest
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=amd64 -output=$GOX_OUTPUT ./ziti/
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=arm64 -output=$GOX_OUTPUT ./ziti/
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: darwin-release-${{ github.run_id }}
path: release/
retention-days: 5
windows-build:
name: Build Windows binaries
# allow fors to opt-out of time-consuming Windows builds
if: vars.ZITI_SKIP_WINDOWS_BUILD != 'true'
runs-on: windows-2022
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: ./.github/actions/setup-go
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
- name: Build and Test
shell: bash
run: |
set -o xtrace
go install github.com/mitchellh/gox@latest
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=windows -arch=amd64 -output=$GOX_OUTPUT ./ziti/
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: windows-release-${{ github.run_id }}
path: release/
retention-days: 5
linux-build:
name: Build Linux binaries
runs-on: ubuntu-22.04 # pin oldest available Docker host for ABI compatibility
container: ${{ vars.ZITI_BUILDER_IMAGE || 'openziti/ziti-builder:v2' }} # pin v2 (Ubuntu Focal) for glibc compatibility while leveraging Actions's Node.js
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: ./.github/actions/setup-go
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
with:
ziti-ci-version: latest
- name: Build and Test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ziti_ci_gpg_key: ${{ secrets.ZITI_CI_GPG_KEY }}
ziti_ci_gpg_key_id: ${{ secrets.ZITI_CI_GPG_KEY_ID }}
shell: bash
run: |
set -o xtrace
$(go env GOPATH)/bin/ziti-ci configure-git
go install github.com/mitchellh/gox@latest
$(go env GOPATH)/bin/ziti-ci -t go-build-flags
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./ziti/
CC=arm-linux-gnueabihf-gcc \
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./ziti/
CC=aarch64-linux-gnu-gcc \
$(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm64 -output=$GOX_OUTPUT ./ziti/
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: linux-release-${{ github.run_id }}
path: release/
retention-days: 5
tests:
name: Run Unit and Integration Tests
runs-on: ubuntu-24.04
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: ./.github/actions/setup-go
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
- name: Run Go Quickstart Test
timeout-minutes: 5
shell: bash
run: |
go test -v -tags "quickstart automated" ./ziti/cmd/edge/...;
- name: Run Unit and Integration Tests
if: ${{ vars.ZITI_SKIP_INTEGRATION_TESTS != 'true' }}
timeout-minutes: 10
shell: bash
run: |
go test ./... --tags apitests
publish:
name: Publish Binaries
# !cancelled() overrides default behavior, allowing this job to proceed if needed jobs failed, unless "if"
# expression specifies a required outcome
if: ${{
!cancelled()
&& (needs.mac-os-build.result == 'success' || needs.mac-os-build.result == 'skipped')
&& (needs.windows-build.result == 'success' || needs.windows-build.result == 'skipped')
&& (needs.linux-build.result == 'success')
&& (needs.tests.result == 'success')
}}
# ensure required job outcomes are specified in "if" expression
needs: [ tests, linux-build, mac-os-build, windows-build ]
permissions:
contents: write # need write to create the release
id-token: write # need write to get OIDC token for generating attestations
attestations: write # need write to create attestations
runs-on: ubuntu-24.04
outputs:
ZITI_VERSION: ${{ steps.get_version.outputs.ZITI_VERSION }}
steps:
- name: Git Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Go
uses: ./.github/actions/setup-go
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
- name: Install Ziti CI
uses: openziti/ziti-ci@v1
with:
ziti-ci-version: latest
- name: Download linux release artifact
uses: actions/download-artifact@v4
with:
name: linux-release-${{ github.run_id }}
path: release/
- name: Download darwin release artifact
if: needs.mac-os-build.result == 'success'
uses: actions/download-artifact@v4
with:
name: darwin-release-${{ github.run_id }}
path: release/
- name: Download windows release artifact
if: needs.windows-build.result == 'success'
uses: actions/download-artifact@v4
with:
name: windows-release-${{ github.run_id }}
path: release/
- name: Fetch Source Archive
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
set -o xtrace
gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/${{ github.repository }}/tarball/${{ github.ref_name }} \
> ./release/source-${{ github.ref_name }}.tar.gz
- name: Fetch SBOM from Dependency Graph API
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
# jq fails the step if not valid JSON
set -o pipefail
set -o xtrace
gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/${{ github.repository }}/dependency-graph/sbom \
| jq . | tee ./release/sbom-${{ github.ref_name }}.spdx.json
- name: List Release Artifacts
shell: bash
run: |
ls -lAhR release/
- name: Publish GitHub Release
# forks need to run this step with their own GPG key because ziti-ci creates the GH release
if: env.ziti_ci_gpg_key_id != null && startsWith(github.ref, 'refs/tags/v')
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ziti_ci_gpg_key: ${{ secrets.ZITI_CI_GPG_KEY }}
ziti_ci_gpg_key_id: ${{ secrets.ZITI_CI_GPG_KEY_ID }}
shell: bash
run: |
set -o xtrace
$(go env GOPATH)/bin/ziti-ci configure-git
# dry run to build release tarball we'll use to double-check the internal version matches the tag
$(go env GOPATH)/bin/ziti-ci publish-to-github --use-current-tag --prerelease --archive-base "" --dry-run
# extract the release tarball and verify the internal version matches the tag
tar xfzv ./release/ziti-linux-amd64-* -C /tmp
$(go env GOPATH)/bin/ziti-ci verify-current-version --use-current-tag "$(/tmp/ziti version)"
$(go env GOPATH)/bin/ziti-ci publish-to-github --use-current-tag --prerelease --archive-base ""
- name: Attest Build Provenance
uses: actions/attest-build-provenance@v2
with:
subject-checksums: ./release/attestation-subjects.sha256.txt
# only ziti-ci computed version for release branches and {version}-{run_id} for non-release branches
- name: Compute the Ziti Version String used for Linux Packages and Container Image Tags
id: get_version
shell: bash
run: |
# drop the leading 'v', if any
ZITI_VERSION=${GITHUB_REF_NAME#v}
echo ZITI_VERSION="${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT
call-publish-docker-images:
# - !cancelled() allows evaluating further conditional expressions even if
# needed jobs were skipped
if: ${{ !cancelled() && needs.publish.result == 'success' }}
name: Publish Release Docker Images
needs: publish
uses: ./.github/workflows/publish-docker-images.yml
secrets: inherit
with:
ziti-tag: ${{ needs.publish.outputs.ZITI_VERSION }}
# call on release tags to publish linux packages to "release" package repos in Artifactory
call-publish-linux-packages:
# - !cancelled() allows evaluating further conditional expressions even if
# needed jobs were skipped
if: ${{ !cancelled() && needs.publish.result == 'success' }}
name: Publish Linux Packages
needs: publish
uses: ./.github/workflows/publish-linux-packages.yml
secrets: inherit
with:
ziti-version: ${{ needs.publish.outputs.ZITI_VERSION }}
repository-dispatch:
if: ${{ !cancelled() && needs.publish.result == 'success' }}
needs:
- publish
- call-publish-docker-images
name: Repository Dispatch Event
runs-on: ubuntu-24.04
steps:
- name: Send repository_dispatch event
env:
# this token has fine-grained permission to send repository_dispatch events to the downstream private repo
GH_TOKEN: ${{ secrets.GH_FGPAT_NF_REPO_DISPATCH }}
shell: bash
run: |
set -o pipefail
set -o xtrace
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/netfoundry/ziti-fips/dispatches \
-f "event_type=ziti_release" \
-F "client_payload[version]=${{ needs.publish.outputs.ZITI_VERSION }}" \
-F "client_payload[run_id]=${{ github.run_id }}" \
-F "client_payload[repo]=${{ github.repository }}"