-
Notifications
You must be signed in to change notification settings - Fork 51
106 lines (92 loc) · 3.73 KB
/
release.yml
File metadata and controls
106 lines (92 loc) · 3.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# Copyright 2026 Phillip Cloud
# Licensed under the Apache License, Version 2.0
name: Release Artifacts
on:
release:
types: [published]
workflow_dispatch:
inputs:
tag:
description: "Release tag to (re)build artifacts for (e.g. v2.6.0)"
required: true
type: string
concurrency:
group: release-artifacts
cancel-in-progress: false
permissions:
contents: read
env:
REGISTRY: ghcr.io
jobs:
goreleaser:
name: Build & Release
runs-on: blacksmith-4vcpu-ubuntu-2404
permissions:
contents: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
with:
deploy-on-self-hosted-vm: true
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ github.event.release.tag_name || inputs.tag }}
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: "1.26"
# QEMU is not needed: the Dockerfile is FROM scratch with only a COPY
# of pre-built CGO_ENABLED=0 binaries. Buildx assembles the multi-arch
# manifest without emulation.
- name: Setup Blacksmith Builder
uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
# useblacksmith/setup-docker-builder drops buildkitd.toml in the repo
# root, which trips goreleaser's dirty-state check. Exclude it locally
# so both release:published runs and workflow_dispatch backfills of
# older tags see a clean working tree.
- name: Ignore buildkitd.toml locally
run: echo buildkitd.toml >> .git/info/exclude
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Advance :latest / :<major> / :<major>.<minor> only when the ref we
# are building is the repository's current latest release. On a normal
# release:published run, the just-published tag is the latest by
# definition. On a workflow_dispatch backfill we ask GitHub which tag
# it considers "Latest" and compare -- this way a backfill of an older
# tag never drags the moving tags backward.
- name: Determine whether to advance moving Docker tags
id: move-tags
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BUILD_REF: ${{ github.event.release.tag_name || inputs.tag }}
run: |
set -euo pipefail
latest=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
if [ "$BUILD_REF" = "$latest" ]; then
echo "value=true" >> "$GITHUB_OUTPUT"
else
echo "value=false" >> "$GITHUB_OUTPUT"
fi
- uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
with:
version: "v2.13.3"
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
MOVE_TAGS: ${{ steps.move-tags.outputs.value }}
- name: Clean up untagged GHCR images
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
ids=$(gh api /orgs/micasa-dev/packages/container/micasa/versions \
--paginate --jq '[.[] | select(.metadata.container.tags | length == 0) | .id] | .[]' 2>/dev/null) || true
for id in $ids; do
gh api -X DELETE "/orgs/micasa-dev/packages/container/micasa/versions/$id" 2>/dev/null || true
done