wip: syn2mas tip (for build artefacts) #668
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - 'release/**' | |
| tags: | |
| - "v*" | |
| # Only run for pull requests if relevant files were changed | |
| pull_request: | |
| branches: | |
| - main | |
| - 'release/**' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| CARGO_TERM_COLOR: always | |
| CARGO_NET_GIT_FETCH_WITH_CLI: "true" | |
| SCCACHE_GHA_ENABLED: "true" | |
| RUSTC_WRAPPER: "sccache" | |
| IMAGE: ghcr.io/element-hq/matrix-authentication-service | |
| IMAGE_SYN2MAS: ghcr.io/element-hq/matrix-authentication-service/syn2mas | |
| BUILDCACHE: ghcr.io/element-hq/matrix-authentication-service/buildcache | |
| DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index | |
| jobs: | |
| compute-version: | |
| name: Compute version using git describe | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| describe: ${{ steps.git.outputs.describe }} | |
| timestamp: ${{ steps.git.outputs.timestamp }} | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/[email protected] | |
| with: | |
| # Need a full clone so that `git describe` reports the right version | |
| fetch-depth: 0 | |
| - name: Compute version and timestamp out of git history | |
| id: git | |
| run: | | |
| echo "describe=$(git describe --tags --match 'v*.*.*' --always)" >> $GITHUB_OUTPUT | |
| echo "timestamp=$(git log -1 --format=%ct)" >> $GITHUB_OUTPUT | |
| build-assets: | |
| name: Build assets | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/[email protected] | |
| - uses: ./.github/actions/build-frontend | |
| - uses: ./.github/actions/build-policies | |
| - name: Prepare assets artifact | |
| run: | | |
| mkdir -p assets-dist/share | |
| cp policies/policy.wasm assets-dist/share/policy.wasm | |
| cp frontend/dist/manifest.json assets-dist/share/manifest.json | |
| cp -r frontend/dist/ assets-dist/share/assets | |
| cp -r templates/ assets-dist/share/templates | |
| cp -r translations/ assets-dist/share/translations | |
| cp LICENSE assets-dist/LICENSE | |
| chmod -R u=rwX,go=rX assets-dist/ | |
| - name: Upload assets | |
| uses: actions/[email protected] | |
| with: | |
| name: assets | |
| path: assets-dist | |
| build-binaries: | |
| name: Build binaries | |
| runs-on: ubuntu-24.04 | |
| needs: | |
| - compute-version | |
| strategy: | |
| matrix: | |
| include: | |
| - target: x86_64-unknown-linux-gnu | |
| - target: aarch64-unknown-linux-gnu | |
| env: | |
| VERGEN_GIT_DESCRIBE: ${{ needs.compute-version.outputs.describe }} | |
| SOURCE_DATE_EPOCH: ${{ needs.compute-version.outputs.timestamp }} | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/[email protected] | |
| - name: Install Rust toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: | | |
| ${{ matrix.target }} | |
| - name: Setup sccache | |
| uses: mozilla-actions/[email protected] | |
| - name: Install zig | |
| uses: goto-bus-stop/setup-zig@v2 | |
| with: | |
| version: 0.13.0 | |
| - name: Install cargo-zigbuild | |
| uses: taiki-e/install-action@v2 | |
| with: | |
| tool: cargo-zigbuild | |
| - name: Build the binary | |
| run: | | |
| cargo zigbuild \ | |
| --release \ | |
| --target ${{ matrix.target }}.2.17 \ | |
| --no-default-features \ | |
| --features dist \ | |
| -p mas-cli | |
| - name: Upload binary artifact | |
| uses: actions/[email protected] | |
| with: | |
| name: binary-${{ matrix.target }} | |
| path: target/${{ matrix.target }}/release/mas-cli | |
| assemble-archives: | |
| name: Assemble release archives | |
| runs-on: ubuntu-24.04 | |
| needs: | |
| - build-assets | |
| - build-binaries | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Download assets | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: assets | |
| path: assets-dist | |
| - name: Download binary x86_64 | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: binary-x86_64-unknown-linux-gnu | |
| path: binary-x86_64 | |
| - name: Download binary aarch64 | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: binary-aarch64-unknown-linux-gnu | |
| path: binary-aarch64 | |
| - name: Create final archives | |
| run: | | |
| for arch in x86_64 aarch64; do | |
| mkdir -p dist/${arch}/share | |
| cp -r assets-dist/share/* dist/${arch}/share/ | |
| cp assets-dist/LICENSE dist/${arch}/LICENSE | |
| cp binary-$arch/mas-cli dist/${arch}/mas-cli | |
| chmod -R u=rwX,go=rX dist/${arch}/ | |
| chmod u=rwx,go=rx dist/${arch}/mas-cli | |
| tar -czvf mas-cli-${arch}-linux.tar.gz --owner=0 --group=0 -C dist/${arch}/ . | |
| done | |
| - name: Upload aarch64 archive | |
| uses: actions/[email protected] | |
| with: | |
| name: mas-cli-aarch64-linux | |
| path: mas-cli-aarch64-linux.tar.gz | |
| - name: Upload x86_64 archive | |
| uses: actions/[email protected] | |
| with: | |
| name: mas-cli-x86_64-linux | |
| path: mas-cli-x86_64-linux.tar.gz | |
| build-image: | |
| name: Build and push Docker image | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| metadata: ${{ steps.output.outputs.metadata }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| needs: | |
| - compute-version | |
| env: | |
| VERGEN_GIT_DESCRIBE: ${{ needs.compute-version.outputs.describe }} | |
| SOURCE_DATE_EPOCH: ${{ needs.compute-version.outputs.timestamp }} | |
| steps: | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/[email protected] | |
| with: | |
| images: "${{ env.IMAGE }}" | |
| bake-target: docker-metadata-action | |
| flavor: | | |
| latest=auto | |
| tags: | | |
| type=ref,event=branch | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=sha | |
| - name: Docker meta (debug variant) | |
| id: meta-debug | |
| uses: docker/[email protected] | |
| with: | |
| images: "${{ env.IMAGE }}" | |
| bake-target: docker-metadata-action-debug | |
| flavor: | | |
| latest=auto | |
| suffix=-debug,onlatest=true | |
| tags: | | |
| type=ref,event=branch | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=sha | |
| - name: Docker meta (syn2mas) | |
| id: meta-syn2mas | |
| uses: docker/[email protected] | |
| with: | |
| images: "${{ env.IMAGE_SYN2MAS }}" | |
| bake-target: docker-metadata-action-syn2mas | |
| flavor: | | |
| latest=auto | |
| tags: | | |
| type=ref,event=branch | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=sha | |
| - name: Setup Cosign | |
| uses: sigstore/[email protected] | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| with: | |
| buildkitd-config-inline: | | |
| [registry."docker.io"] | |
| mirrors = ["mirror.gcr.io"] | |
| - name: Login to GitHub Container Registry | |
| if: github.event_name != 'pull_request' | |
| uses: docker/[email protected] | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # For pull-requests, only read from the cache, do not try to push to the | |
| # cache or the image itself | |
| - name: Build | |
| uses: docker/[email protected] | |
| if: github.event_name == 'pull_request' | |
| with: | |
| files: | | |
| ./docker-bake.hcl | |
| cwd://${{ steps.meta.outputs.bake-file }} | |
| cwd://${{ steps.meta-debug.outputs.bake-file }} | |
| cwd://${{ steps.meta-syn2mas.outputs.bake-file }} | |
| set: | | |
| base.cache-from=type=registry,ref=${{ env.BUILDCACHE }}:buildcache | |
| - name: Build and push | |
| id: bake | |
| uses: docker/[email protected] | |
| if: github.event_name != 'pull_request' | |
| with: | |
| files: | | |
| ./docker-bake.hcl | |
| cwd://${{ steps.meta.outputs.bake-file }} | |
| cwd://${{ steps.meta-debug.outputs.bake-file }} | |
| cwd://${{ steps.meta-syn2mas.outputs.bake-file }} | |
| set: | | |
| base.output=type=image,push=true | |
| base.cache-from=type=registry,ref=${{ env.BUILDCACHE }}:buildcache | |
| base.cache-to=type=registry,ref=${{ env.BUILDCACHE }}:buildcache,mode=max | |
| - name: Transform bake output | |
| # This transforms the ouput to an object which looks like this: | |
| # { reguar: { digest: "…", tags: ["…", "…"] }, debug: { digest: "…", tags: ["…"] }, … } | |
| id: output | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| echo 'metadata<<EOF' >> $GITHUB_OUTPUT | |
| echo '${{ steps.bake.outputs.metadata }}' | jq -c 'with_entries(select(.value | (type == "object" and has("containerimage.digest")))) | map_values({ digest: .["containerimage.digest"], tags: (.["image.name"] | split(",")) })' >> $GITHUB_OUTPUT | |
| echo 'EOF' >> $GITHUB_OUTPUT | |
| - name: Sign the images with GitHub Actions provided token | |
| # Only sign on tags and on commits on main branch | |
| if: | | |
| github.event_name != 'pull_request' | |
| && (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main') | |
| env: | |
| REGULAR_DIGEST: ${{ steps.output.outputs.metadata && fromJSON(steps.output.outputs.metadata).regular.digest }} | |
| DEBUG_DIGEST: ${{ steps.output.outputs.metadata && fromJSON(steps.output.outputs.metadata).debug.digest }} | |
| SYN2MAS_DIGEST: ${{ steps.output.outputs.metadata && fromJSON(steps.output.outputs.metadata).syn2mas.digest }} | |
| run: |- | |
| cosign sign --yes \ | |
| "$IMAGE@$REGULAR_DIGEST" \ | |
| "$IMAGE@$DEBUG_DIGEST" \ | |
| "$IMAGE_SYN2MAS@$SYN2MAS_DIGEST" | |
| syn2mas: | |
| name: Release syn2mas on NPM | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| id-token: write | |
| if: github.event_name != 'pull_request' | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/[email protected] | |
| - name: Install Node | |
| uses: actions/[email protected] | |
| with: | |
| node-version-file: ./tools/syn2mas/.nvmrc | |
| - name: Install Node dependencies | |
| working-directory: ./tools/syn2mas | |
| run: npm ci | |
| - name: Publish | |
| uses: JS-DevTools/npm-publish@v3 | |
| with: | |
| package: ./tools/syn2mas | |
| token: ${{ secrets.NPM_TOKEN }} | |
| provenance: true | |
| dry-run: ${{ !startsWith(github.ref, 'refs/tags/') }} | |
| release: | |
| name: Release | |
| if: startsWith(github.ref, 'refs/tags/') | |
| runs-on: ubuntu-24.04 | |
| needs: | |
| - assemble-archives | |
| - build-image | |
| - syn2mas | |
| steps: | |
| - name: Download the artifacts from the previous job | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: mas-cli-* | |
| path: artifacts | |
| merge-multiple: true | |
| - name: Prepare a release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| generate_release_notes: true | |
| body: | | |
| ### Docker image | |
| Regular image: | |
| - Digest: | |
| ``` | |
| ${{ env.IMAGE }}@${{ fromJSON(needs.build-image.outputs.metadata).regular.digest }} | |
| ``` | |
| - Tags: | |
| ``` | |
| ${{ join(fromJSON(needs.build-image.outputs.metadata).regular.tags, ' | |
| ') }} | |
| ``` | |
| Debug variant: | |
| - Digest: | |
| ``` | |
| ${{ env.IMAGE }}@${{ fromJSON(needs.build-image.outputs.metadata).debug.digest }} | |
| ``` | |
| - Tags: | |
| ``` | |
| ${{ join(fromJSON(needs.build-image.outputs.metadata).debug.tags, ' | |
| ') }} | |
| ``` | |
| `syn2mas` migration tool: | |
| - Digest: | |
| ``` | |
| ${{ env.IMAGE_SYN2MAS }}@${{ fromJSON(needs.build-image.outputs.metadata).syn2mas.digest }} | |
| ``` | |
| - Tags: | |
| ``` | |
| ${{ join(fromJSON(needs.build-image.outputs.metadata).syn2mas.tags, ' | |
| ') }} | |
| ``` | |
| files: | | |
| artifacts/mas-cli-aarch64-linux.tar.gz | |
| artifacts/mas-cli-x86_64-linux.tar.gz | |
| draft: true | |
| unstable: | |
| name: Update the unstable release | |
| runs-on: ubuntu-24.04 | |
| needs: | |
| - assemble-archives | |
| - build-image | |
| if: github.ref == 'refs/heads/main' | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/[email protected] | |
| with: | |
| sparse-checkout: | | |
| .github/scripts | |
| - name: Download the artifacts from the previous job | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: mas-cli-* | |
| path: artifacts | |
| merge-multiple: true | |
| - name: Update unstable git tag | |
| uses: actions/[email protected] | |
| with: | |
| script: | | |
| const script = require('./.github/scripts/update-unstable-tag.cjs'); | |
| await script({ core, github, context }); | |
| - name: Update unstable release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| name: 'Unstable build' | |
| tag_name: unstable | |
| body: | | |
| This is an automatically updated unstable release containing the latest builds from the main branch. | |
| **⚠️ Warning: These are development builds and may be unstable.** | |
| Last updated: ${{ github.event.head_commit.timestamp }} | |
| Commit: ${{ github.sha }} | |
| ### Docker image | |
| Regular image: | |
| - Digest: | |
| ``` | |
| ${{ env.IMAGE }}@${{ fromJSON(needs.build-image.outputs.metadata).regular.digest }} | |
| ``` | |
| - Tags: | |
| ``` | |
| ${{ join(fromJSON(needs.build-image.outputs.metadata).regular.tags, ' | |
| ') }} | |
| ``` | |
| Debug variant: | |
| - Digest: | |
| ``` | |
| ${{ env.IMAGE }}@${{ fromJSON(needs.build-image.outputs.metadata).debug.digest }} | |
| ``` | |
| - Tags: | |
| ``` | |
| ${{ join(fromJSON(needs.build-image.outputs.metadata).debug.tags, ' | |
| ') }} | |
| ``` | |
| files: | | |
| artifacts/mas-cli-aarch64-linux.tar.gz | |
| artifacts/mas-cli-x86_64-linux.tar.gz | |
| prerelease: true | |
| make_latest: false |