---
# This workflow is dangerous and should be handled with great care to avoid security problems.
# See the warning at conform-pr.yml.
# We also tried a different approach: build the Docker image in one normal, secure `pull_request` workflow,
# upload it as an artifact, and then download and publish it in another workflow that has access to secrets
# but treats the artifact as passive data. We use buildx for building multi-platform images, and there is a way
# to export a multi-platform OCI tarball: https://docs.docker.com/engine/reference/commandline/buildx_build/#output
# Unfortunately, it seems that there is no way to import that tarball in another workflow and publish it
# as a Docker image, as strange as it sounds: https://github.com/docker/buildx/issues/186
name: Packages

on:
  pull_request_target:
    types:
      # "labeled" is deliberately absent: otherwise a label change would trigger
      # one build for "labeled" and another for "unlabeled".
      - unlabeled # if a run gets stuck, add and remove the "not ready" label to force a rebuild
      - opened
      - reopened
      - synchronize

  push:
    branches:
      - main
      - main-*
      - releases/*
    tags:
      - "*"

  schedule:
    - cron: "10 1 * * 1" # after cleanup
# Serialize runs per PR (head_ref) or per branch/tag (ref_name) without cancelling
# the run already in progress: two runs pushing the same Docker image tag at once
# would race, and queuing also saves runner resources.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
  cancel-in-progress: false
# Go environment shared by every step of every job: caches and module directory
# under the runner home, the public module proxy, and GOTOOLCHAIN=local so the
# toolchain installed on the runner is used as-is instead of auto-downloading another.
env:
  GOPATH: /home/runner/go
  GOCACHE: /home/runner/go/cache
  GOLANGCI_LINT_CACHE: /home/runner/go/cache/lint
  GOMODCACHE: /home/runner/go/mod
  GOPROXY: https://proxy.golang.org
  GOTOOLCHAIN: local
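jobs:
  build:
    name: Build packages
    runs-on: server
    timeout-minutes: 40

    # push and schedule events run unconditionally.
    # For pull_request_target the PR's own code runs with access to secrets (see the warning
    # at the top of the file), so the job requires an explicit "trust" label and the
    # "packages" label, and is skipped while "not ready" is set.
    if: >
      github.event_name != 'pull_request_target' ||
      (
        contains(github.event.pull_request.labels.*.name, 'trust') &&
        !contains(github.event.pull_request.labels.*.name, 'not ready') &&
        contains(github.event.pull_request.labels.*.name, 'packages')
      )

    # Only the GITHUB_TOKEN scope needed to push to ghcr.io; listing permissions
    # explicitly leaves every other scope ungranted.
    permissions:
      packages: write

    steps:
      # TODO https://github.com/FerretDB/github-actions/issues/211
      - name: Checkout code
        if: github.event_name != 'pull_request_target'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # for `git describe` to work
          lfs: false # LFS is used only by website

      # TODO https://github.com/FerretDB/github-actions/issues/211
      # Checks out the PR head commit itself (not the merge commit), so what is built
      # below is exactly the content of the labeled PR.
      - name: Checkout pull request code
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          lfs: false
          ref: ${{ github.event.pull_request.head.sha }}

      # for version.txt on push tags; see https://github.com/actions/checkout/issues/290
      - name: Fetch annotated tags
        run: |
          git fetch --tags --force
          git status

      # for branch.txt on pull_request_target; the correct branch is already checked out on push / schedule
      - name: Name branch
        if: github.event_name == 'pull_request_target'
        env:
          # github.head_ref is chosen by the PR author; passing it through an environment
          # variable keeps it out of the script text, and the shell quoting below keeps it
          # a single argument. See
          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
          BRANCH: ${{ github.head_ref }}
        run: git checkout -b "$BRANCH"

      # `@main` is a moving branch reference into the project's own actions repository,
      # not a pinned release; the same applies to extract-docker-tag below.
      - name: Setup Go
        uses: FerretDB/github-actions/setup-go@main

      - name: Install Task
        run: go generate -x
        working-directory: tools

      - name: Run init
        run: bin/task init

      - name: Setup QEMU
        uses: docker/setup-qemu-action@v3

      - name: Initialize Docker Buildx builder
        run: bin/task docker-init

      # Produces the all_in_one_images / development_images / production_images outputs
      # consumed by the push steps below; an empty output skips the corresponding step.
      - name: Extract Docker image names
        id: extract
        uses: FerretDB/github-actions/extract-docker-tag@main

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ferretdbbot
          password: ${{ secrets.DOCKER_HUB_TOKEN }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to Quay.io
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ferretdbbot
          password: ${{ secrets.QUAY_TOKEN }}

      # The extract outputs are derived from the event's ref / PR and are passed to the
      # scripts through environment variables, the same way BRANCH is above, instead of
      # being interpolated into the `run` text. Interpolating them only in `name` is fine:
      # step names are never executed.
      - name: Build and push all-in-one Docker images ${{ steps.extract.outputs.all_in_one_images }}
        if: steps.extract.outputs.all_in_one_images != ''
        env:
          DOCKER_IMAGES: ${{ steps.extract.outputs.all_in_one_images }}
        run: bin/task docker-all-in-one-push DOCKER_IMAGES="$DOCKER_IMAGES"

      - name: Build and push development Docker images ${{ steps.extract.outputs.development_images }}
        if: steps.extract.outputs.development_images != ''
        env:
          DOCKER_IMAGES: ${{ steps.extract.outputs.development_images }}
        run: bin/task docker-development-push DOCKER_IMAGES="$DOCKER_IMAGES"

      - name: Build and push production Docker images ${{ steps.extract.outputs.production_images }}
        if: steps.extract.outputs.production_images != ''
        env:
          DOCKER_IMAGES: ${{ steps.extract.outputs.production_images }}
        run: bin/task docker-production-push DOCKER_IMAGES="$DOCKER_IMAGES"

      - name: Build development binaries
        run: bin/task build-development

      # Artifacts are kept for one day only; they are inputs for other workflows, not releases.
      - name: Upload development binaries
        uses: actions/upload-artifact@v4
        with:
          name: bin-dev
          path: tmp/bin-dev/
          retention-days: 1
          if-no-files-found: error

      - name: Build production binaries
        run: bin/task build-production

      - name: Upload production binaries
        uses: actions/upload-artifact@v4
        with:
          name: bin
          path: tmp/bin/
          retention-days: 1
          if-no-files-found: error

      - name: Build Linux packages
        run: bin/task packages

      - name: Upload .deb packages
        uses: actions/upload-artifact@v4
        with:
          name: debs
          path: tmp/debs/
          retention-days: 1
          if-no-files-found: error

      - name: Upload .rpm packages
        uses: actions/upload-artifact@v4
        with:
          name: rpms
          path: tmp/rpms/
          retention-days: 1
          if-no-files-found: error

      # Fails the job if any of the steps above modified a tracked file
      # (e.g. generated code that was not committed).
      - name: Check dirty
        run: |
          git status
          git diff --exit-code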