ci: add publish workflows, update actions

SiaFoundation · Jun 10, 2024 · df07ba2 · df07ba2
1 parent 853e117
commit df07ba2
Show file tree

Hide file tree

Showing 4 changed files with 294 additions and 48 deletions.
diff --git a/.github/actions/test/action.yml b/.github/actions/test/action.yml
@@ -8,7 +8,7 @@ runs:
       shell: bash
       run: git config --global core.autocrlf false
     - name: Lint
-      uses: golangci/golangci-lint-action@v3
+      uses: golangci/golangci-lint-action@v4
       with:
         skip-cache: true
     - name: Analyze
@@ -19,6 +19,6 @@ runs:
         directories: |
           api
     - name: Test
-      uses: n8maninger/action-golang-test@v1
+      uses: n8maninger/action-golang-test@v2
       with:
         args: "-race;-tags=testing netgo"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -20,8 +20,8 @@ jobs:
     steps:
       - name: Configure git
         run: git config --global core.autocrlf false # required on Windows
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
       - name: Test

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,261 @@
+name: Publish
+
+# Controls when the action will run.
+on:
+  # Triggers the workflow on new SemVer tags
+  push:
+    branches:
+      - master
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-**'
+
+concurrency:
+  group: ${{ github.workflow }}
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - name: Test
+        uses: ./.github/actions/test
+  docker:
+    runs-on: ubuntu-latest
+    needs: [ test ]
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/metadata-action@v5
+        name: generate tags
+        id: meta
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=branch
+            type=sha,prefix=
+            type=semver,pattern={{version}}
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+  build-linux:
+    runs-on: ubuntu-latest
+    needs: [ test ]
+    strategy:
+      matrix:
+        go-arch: [amd64, arm64]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - name: Setup
+        run: |
+          sudo apt update
+          go generate ./...
+          if [ ${{ matrix.go-arch }} == "arm64" ]; then
+            sudo apt install -y gcc-aarch64-linux-gnu
+            echo "CC=aarch64-linux-gnu-gcc" >> $GITHUB_ENV
+          fi
+      - name: Build ${{ matrix.go-arch }}
+        env:
+          CGO_ENABLED: 1
+          GOOS: linux
+          GOARCH: ${{ matrix.go-arch }}
+        run: |
+          mkdir -p release
+          ZIP_OUTPUT=release/explored_${GOOS}_${GOARCH}.zip
+          go build -tags='netgo' -trimpath -o bin/ -a -ldflags '-s -w -linkmode external -extldflags "-static"' ./cmd/explored
+          cp README.md LICENSE bin/
+          zip -qj $ZIP_OUTPUT bin/*
+      - uses: actions/upload-artifact@v4
+        with:
+          name: explored_linux_${{ matrix.go-arch }}
+          path: release/*
+  build-mac:
+    runs-on: macos-latest
+    needs: [ test ]
+    strategy:
+      matrix:
+        go-arch: [amd64, arm64]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - name: Setup
+        env:
+          APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }}
+          APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }}
+          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
+          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+        run: |
+          # extract apple cert
+          APPLE_CERT_PATH=$RUNNER_TEMP/apple_cert.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          echo -n "$APPLE_CERT_B64" | base64 --decode --output $APPLE_CERT_PATH
+
+          # extract apple key
+          mkdir -p ~/private_keys
+          APPLE_API_KEY_PATH=~/private_keys/AuthKey_$APPLE_API_KEY.p8
+          echo -n "$APPLE_KEY_B64" | base64 --decode --output $APPLE_API_KEY_PATH
+
+          # create temp keychain
+          security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security default-keychain -s $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import keychain
+          security import $APPLE_CERT_PATH -P $APPLE_CERT_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security find-identity -v $KEYCHAIN_PATH -p codesigning
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $APPLE_KEYCHAIN_PASSWORD $KEYCHAIN_PATH
+
+          # generate
+          go generate ./...
+
+          # resync system clock https://github.com/actions/runner/issues/2996#issuecomment-1833103110
+          sudo sntp -sS time.windows.com
+      - name: Build ${{ matrix.go-arch }}
+        env:
+          APPLE_CERT_ID: ${{ secrets.APPLE_CERT_ID }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_KEY_B64: ${{ secrets.APPLE_KEY_B64 }}
+          APPLE_CERT_B64: ${{ secrets.APPLE_CERT_B64 }}
+          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
+          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+          CGO_ENABLED: 1
+          GOOS: darwin
+          GOARCH: ${{ matrix.go-arch }}
+        run: |
+          ZIP_OUTPUT=release/explored_${GOOS}_${GOARCH}.zip
+          mkdir -p release
+          go build -tags='netgo' -trimpath -o bin/ -a -ldflags '-s -w' ./cmd/explored
+          cp README.md LICENSE bin/
+          /usr/bin/codesign --deep -f -v --timestamp -o runtime,library -s $APPLE_CERT_ID bin/explored
+          ditto -ck bin $ZIP_OUTPUT
+          xcrun notarytool submit -k ~/private_keys/AuthKey_$APPLE_API_KEY.p8 -d $APPLE_API_KEY -i $APPLE_API_ISSUER --wait --timeout 10m $ZIP_OUTPUT
+      - uses: actions/upload-artifact@v4
+        with:
+          name: explored_darwin_${{ matrix.go-arch }}
+          path: release/*
+  build-windows:
+    runs-on: windows-latest
+    needs: [ test ]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+      - name: Setup
+        shell: bash
+        run: |
+          dotnet tool install --global AzureSignTool
+          go generate ./...
+      - name: Build amd64
+        env:
+          CGO_ENABLED: 1
+          GOOS: windows
+          GOARCH: amd64
+        shell: bash
+        run: |
+          mkdir -p release
+          ZIP_OUTPUT=release/explored_${GOOS}_${GOARCH}.zip
+          go build -tags='netgo' -trimpath -o bin/ -a -ldflags '-s -w -linkmode external -extldflags "-static"' ./cmd/explored
+          azuresigntool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v bin/explored.exe
+          cp README.md LICENSE bin/
+          7z a $ZIP_OUTPUT ./bin/*
+      - uses: actions/upload-artifact@v4
+        with:
+          name: explored_windows_amd64
+          path: release/*
+  combine-release-assets:
+    runs-on: ubuntu-latest
+    needs: [ build-linux, build-mac, build-windows ]
+    steps:
+      - name: Merge Artifacts
+        uses: actions/upload-artifact/merge@v4
+        with:
+          name: explored
+
+#  dispatch-homebrew: # only runs on full releases
+#    if: startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-')
+#    needs: [ build-mac ]
+#    runs-on: ubuntu-latest
+#    steps:
+#      - name: Extract Tag Name
+#        id: get_tag
+#        run: echo "::set-output name=tag_name::${GITHUB_REF#refs/tags/}"
+#
+#      - name: Dispatch
+#        uses: peter-evans/repository-dispatch@v3
+#        with:
+#          token: ${{ secrets.PAT_REPOSITORY_DISPATCH }}
+#          repository: siafoundation/homebrew-sia
+#          event-type: release-tagged
+#          client-payload: >
+#            {
+#              "description": "explored: The Next-Gen Sia Explorer",
+#              "tag": "${{ steps.get_tag.outputs.tag_name }}",
+#              "project": "explored",
+#              "workflow_id": "${{ github.run_id }}"
+#            }
+#  dispatch-linux: # always runs
+#    needs: [ build-linux ]
+#    runs-on: ubuntu-latest
+#    steps:
+#      - name: Build Dispatch Payload
+#        id: get_payload
+#        uses: actions/github-script@v7
+#        with:
+#          script: |
+#            const isRelease = context.ref.startsWith('refs/tags/v'),
+#              isBeta = isRelease && context.ref.includes('-beta'),
+#              tag = isRelease ? context.ref.replace('refs/tags/', '') : 'master';
+#
+#            let component = 'nightly';
+#            if (isBeta) {
+#              component = 'beta';
+#            } else if (isRelease) {
+#              component = 'main';
+#            }
+#
+#            return {
+#              description: "explored: The Next-Gen Sia Explorer",
+#              tag: tag,
+#              project: "explored",
+#              workflow_id: context.runId,
+#              component: component
+#            };
+#
+#      - name: Dispatch
+#        uses: peter-evans/repository-dispatch@v3
+#        with:
+#          token: ${{ secrets.PAT_REPOSITORY_DISPATCH }}
+#          repository: siafoundation/linux
+#          event-type: release-tagged
+#          client-payload: ${{ steps.get_payload.outputs.result }}