Upgrade to vault v2024.8.3-4 #10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- '*' | |
jobs: | |
# https://github.com/marketplace/actions/skip-duplicate-actions | |
# Some checks to determine if we need to continue with building a new docker. | |
# We will skip this check if we are creating a tag, because that has the same hash as a previous run already. | |
skip_check: | |
runs-on: ubuntu-24.04 | |
if: ${{ github.repository == 'timshel/oidcwarden' }} | |
outputs: | |
should_skip: ${{ steps.skip_check.outputs.should_skip }} | |
steps: | |
- name: Skip Duplicates Actions | |
id: skip_check | |
uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1 | |
with: | |
cancel_others: 'true' | |
# Only run this when not creating a tag | |
if: ${{ github.ref_type == 'branch' }} | |
docker-build: | |
runs-on: ubuntu-24.04 | |
environment: main | |
timeout-minutes: 120 | |
needs: skip_check | |
if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'timshel/oidcwarden' }} | |
# Start a local docker registry to extract the final Alpine static build binaries | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
env: | |
SOURCE_COMMIT: ${{ github.sha }} | |
SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}" | |
# The *_REPO variables need to be configured as repository variables | |
# Append `/settings/variables/actions` to your repo url | |
# DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>' | |
# Check for Docker hub credentials in secrets | |
HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} | |
# GHCR_REPO needs to be 'ghcr.io/<user>/<repo>' | |
# Check for Github credentials in secrets | |
HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }} | |
# QUAY_REPO needs to be 'quay.io/<user>/<repo>' | |
# Check for Quay.io credentials in secrets | |
HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }} | |
strategy: | |
matrix: | |
base_image: ["debian","alpine"] | |
steps: | |
# Checkout the repo | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
- name: Initialize QEMU binfmt support | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
with: | |
platforms: "arm64,arm" | |
# Start Docker Buildx | |
- name: Setup Docker Buildx | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
# https://github.com/moby/buildkit/issues/3969 | |
# Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills | |
with: | |
buildkitd-config-inline: | | |
[worker.oci] | |
max-parallelism = 2 | |
driver-opts: | | |
network=host | |
# Determine Base Tags and Source Version | |
- name: Determine Base Tags and Source Version | |
shell: bash | |
run: | | |
# Check which main tag we are going to build determined by github.ref_type | |
if [[ "${{ github.ref_type }}" == "tag" ]]; then | |
echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}" | |
elif [[ "${{ github.ref_type }}" == "branch" ]]; then | |
echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}" | |
fi | |
# Get the Source Version for this release | |
GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)" | |
if [[ -n "${GIT_EXACT_TAG}" ]]; then | |
echo "SOURCE_VERSION=${GIT_EXACT_TAG}" | tee -a "${GITHUB_ENV}" | |
else | |
GIT_LAST_TAG="$(git describe --tags --abbrev=0)" | |
echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}" | |
fi | |
# End Determine Base Tags | |
# Login to Docker Hub | |
- name: Login to Docker Hub | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} | |
- name: Add registry for DockerHub | |
if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} | |
shell: bash | |
run: | | |
echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}" | |
# Login to GitHub Container Registry | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} | |
- name: Add registry for ghcr.io | |
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} | |
shell: bash | |
run: | | |
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}" | |
# Login to Quay.io | |
- name: Login to Quay.io | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_USERNAME }} | |
password: ${{ secrets.QUAY_TOKEN }} | |
if: ${{ env.HAVE_QUAY_LOGIN == 'true' }} | |
- name: Add registry for Quay.io | |
if: ${{ env.HAVE_QUAY_LOGIN == 'true' }} | |
shell: bash | |
run: | | |
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}" | |
- name: Configure build cache from/to | |
shell: bash | |
run: | | |
# | |
# Check if there is a GitHub Container Registry Login and use it for caching | |
if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then | |
echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}" | |
echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}" | |
else | |
echo "BAKE_CACHE_FROM=" | |
echo "BAKE_CACHE_TO=" | |
fi | |
# | |
- name: Add localhost registry | |
if: ${{ matrix.base_image == 'alpine' }} | |
shell: bash | |
run: | | |
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/timshel/oidcwarden" | tee -a "${GITHUB_ENV}" | |
- name: Bake ${{ matrix.base_image }} containers | |
uses: docker/bake-action@76cc8060bdff6d632a465001e4cf300684c5472c # v5.7.0 | |
env: | |
BASE_TAGS: "${{ env.BASE_TAGS }}" | |
SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}" | |
SOURCE_VERSION: "${{ env.SOURCE_VERSION }}" | |
SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}" | |
CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}" | |
with: | |
pull: true | |
push: true | |
files: docker/docker-bake.hcl | |
targets: "${{ matrix.base_image }}-multi" | |
set: | | |
*.cache-from=${{ env.BAKE_CACHE_FROM }} | |
*.cache-to=${{ env.BAKE_CACHE_TO }} | |
# Extract the Alpine binaries from the containers | |
- name: Extract binaries | |
if: ${{ matrix.base_image == 'alpine' }} | |
shell: bash | |
run: | | |
# Check which main tag we are going to build determined by github.ref_type | |
if [[ "${{ github.ref_type }}" == "tag" ]]; then | |
EXTRACT_TAG="latest" | |
elif [[ "${{ github.ref_type }}" == "branch" ]]; then | |
EXTRACT_TAG="testing" | |
fi | |
# After each extraction the image is removed. | |
# This is needed because using different platforms doesn't trigger a new pull/download | |
# Extract amd64 binary | |
docker create --name amd64 --platform=linux/amd64 "localhost:5000/timshel/oidcwarden:${EXTRACT_TAG}-alpine" | |
docker cp amd64:/oidcwarden oidcwarden-amd64 | |
docker rm --force amd64 | |
docker rmi --force "localhost:5000/timshel/oidcwarden:${EXTRACT_TAG}-alpine" | |
# Extract arm64 binary | |
docker create --name arm64 --platform=linux/arm64 "localhost:5000/timshel/oidcwarden:${EXTRACT_TAG}-alpine" | |
docker cp arm64:/oidcwarden oidcwarden-arm64 | |
docker rm --force arm64 | |
docker rmi --force "localhost:5000/timshel/oidcwarden:${EXTRACT_TAG}-alpine" | |
# Extract armv7 binary | |
docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/timshel/oidcwarden:${EXTRACT_TAG}-alpine" | |
docker cp armv7:/oidcwarden oidcwarden-armv7 | |
docker rm --force armv7 | |
docker rmi --force "localhost:5000/timshel/oidcwarden:${EXTRACT_TAG}-alpine" | |
# Extract armv6 binary | |
docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/timshel/oidcwarden:${EXTRACT_TAG}-alpine" | |
docker cp armv6:/oidcwarden oidcwarden-armv6 | |
docker rm --force armv6 | |
docker rmi --force "localhost:5000/timshel/oidcwarden:${EXTRACT_TAG}-alpine" | |
# Upload artifacts to Github Actions | |
- name: "Upload amd64 artifact" | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
if: ${{ matrix.base_image == 'alpine' }} | |
with: | |
name: oidcwarden-${{ env.SOURCE_VERSION }}-linux-amd64 | |
path: oidcwarden-amd64 | |
- name: "Upload arm64 artifact" | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
if: ${{ matrix.base_image == 'alpine' }} | |
with: | |
name: oidcwarden-${{ env.SOURCE_VERSION }}-linux-arm64 | |
path: oidcwarden-arm64 | |
- name: "Upload armv7 artifact" | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
if: ${{ matrix.base_image == 'alpine' }} | |
with: | |
name: oidcwarden-${{ env.SOURCE_VERSION }}-linux-armv7 | |
path: oidcwarden-armv7 | |
- name: "Upload armv6 artifact" | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
if: ${{ matrix.base_image == 'alpine' }} | |
with: | |
name: oidcwarden-${{ env.SOURCE_VERSION }}-linux-armv6 | |
path: oidcwarden-armv6 | |
# End Upload artifacts to Github Actions |