Skip to content

ci: improve release workflow #1663

ci: improve release workflow

ci: improve release workflow #1663

Workflow file for this run

name: build-workflow
on:
push:
branches: [ main ]
tags:
- "*"
merge_group:
workflow_dispatch:
inputs:
disable_cache:
description: Disable rust caching
type: boolean
required: false
default: false
include:
description: Only run tests matching tests with the given tags
type: string
required: false
default: ""
processes:
description: Number of processes to run tests
type: string
required: false
default: "10"
# Use a manual approval process before PR's are given access to
# the secrets which are required to run the integration tests.
# The PR code should be manually approved to see if it can be trusted.
# When in doubt, do not approve the test run.
# Reference: https://dev.to/petrsvihlik/using-environment-protection-rules-to-secure-secrets-when-building-external-forks-with-pullrequesttarget-hci
pull_request_target:
branches: [ main ]
env:
CARGO_TERM_COLOR: always
RUSTFLAGS: -D warnings
jobs:
build:
name: Build ${{ matrix.job.target }}
runs-on: ubuntu-20.04
strategy:
fail-fast: false
matrix:
job:
- { target: x86_64-unknown-linux-musl, cache: true }
- { target: aarch64-unknown-linux-musl, cache: true }
- { target: arm-unknown-linux-musleabihf, cache: true }
- { target: armv7-unknown-linux-musleabihf, cache: true }
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Retrieve MSRV from workspace Cargo.toml
id: rust_version
uses: SebRollen/[email protected]
with:
file: Cargo.toml
field: "workspace.package.rust-version"
- name: Enable toolchain via github action
uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ steps.rust_version.outputs.value }}
targets: ${{ matrix.job.target }}
- name: Enable cache
if: ${{ matrix.job.cache && !inputs.disable_cache }}
# https://github.com/marketplace/actions/rust-cache
uses: Swatinem/rust-cache@v2
# Install nfpm used to for linux packaging
- uses: actions/setup-go@v5
with:
go-version: 'stable'
cache: false
- run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest
- uses: extractions/setup-just@v1
- name: Build for ${{ matrix.job.target }}
run: just release ${{ matrix.job.target }}
- name: Upload packages as zip
# https://github.com/marketplace/actions/upload-a-build-artifact
uses: actions/upload-artifact@v4
with:
name: packages-${{ matrix.job.target }}
path: target/${{ matrix.job.target }}/packages/*.*
approve:
# Note: Use approval as a job so that the downstream jobs are only prompted once (if more than 1 matrix job is defined)
name: Approve
environment:
# For security reasons, all pull requests need to be approved first before granting access to secrets
# So the environment should be set to have a reviewer/s inspect it before approving it
name: ${{ github.event_name == 'pull_request_target' && 'Test Pull Request' || 'Test Auto' }}
runs-on: ubuntu-22.04
steps:
- name: Wait for approval
run: echo "Approved"
test:
name: Test ${{ matrix.job.name }}
# Don't tests on tagging as it has already run in the merge queue
if: ${{ !startsWith(github.ref, 'refs/tags/') }}
needs: [approve, build]
environment:
name: Test Auto
runs-on: ubuntu-20.04
strategy:
matrix:
job:
- { name: x86_64, target: x86_64-unknown-linux-musl, output: target/packages }
steps:
# Checkout either the PR or the branch
- name: Checkout PR
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }} # Check out the code of the PR. Only after the manual approval process
fetch-depth: 0
- name: Download release artifacts
uses: actions/download-artifact@v4
with:
name: packages-${{ matrix.job.target }}
path: tests/images/debian-systemd/files/packages/
- name: create .env file
working-directory: tests/RobotFramework
run: |
touch .env
echo 'C8Y_BASEURL="${{ secrets.C8Y_BASEURL }}"' >> .env
echo 'C8Y_USER="${{ secrets.C8Y_USER }}"' >> .env
echo 'C8Y_TENANT="${{ secrets.C8Y_TENANT }}"' >> .env
echo 'C8Y_PASSWORD="${{ secrets.C8Y_PASSWORD }}"' >> .env
echo 'CA_KEY="${{ secrets.CA_KEY || '' }}"' >> .env
echo 'CA_PUB="${{ secrets.CA_PUB || '' }}"' >> .env
- uses: actions/setup-python@v5
with:
python-version: '3.9'
cache: 'pip'
cache-dependency-path: |
**/requirements/requirements*.txt
- name: Install dependencies
run: |
./bin/setup.sh
working-directory: tests/RobotFramework
- name: Build images
working-directory: tests/RobotFramework
run: |
source .venv/bin/activate
invoke build
- name: Run tests
working-directory: tests/RobotFramework
run: |
source .venv/bin/activate
invoke test \
--processes "${{ inputs.processes || '' }}" \
--include "${{ inputs.include || '' }}" \
--exclude "test:on_demand OR theme:benchmarks" \
--outputdir output
- name: Upload test results
uses: actions/upload-artifact@v4
if: always()
with:
name: report-${{ matrix.job.target }}
path: tests/RobotFramework/output
- name: Send report to commit
uses: joonvena/[email protected]
if: always() && github.event_name == 'pull_request'
with:
gh_access_token: ${{ secrets.GITHUB_TOKEN }}
report_path: 'tests/RobotFramework/output'
show_passed_tests: 'false'
publish:
name: Publish ${{ matrix.job.target }}
runs-on: ubuntu-20.04
needs: [test]
strategy:
fail-fast: false
matrix:
job:
- { target: x86_64-unknown-linux-musl, repo: tedge-main, component: main }
- { target: aarch64-unknown-linux-musl, repo: tedge-main, component: main }
# Keep arm-unknown-linux-musleabihf in separate repo due to armhf conflict between raspbian and debian
- { target: arm-unknown-linux-musleabihf, repo: tedge-main-armv6, component: main }
- { target: armv7-unknown-linux-musleabihf, repo: tedge-main, component: main }
steps:
- name: Checkout
uses: actions/checkout@v4
# Setup python required by cloudsmith cli
- uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
- name: Download release artifacts
uses: actions/download-artifact@v4
# https://github.com/marketplace/actions/download-a-build-artifact
with:
name: packages-${{ matrix.job.target }}
path: target/${{ matrix.job.target }}/packages/
- uses: extractions/setup-just@v1
- name: Publish packages
env:
PUBLISH_OWNER: ${{ secrets.PUBLISH_OWNER }}
PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
run: |
just publish-linux-target "${{ matrix.job.target }}" \
--repo "${{ matrix.job.repo }}" \
--component "${{ matrix.job.component }}"
# Wait until all other publishing jobs are finished
# before publishing the virtual packages (which are architecture agnostic)
publish-containers:
name: Publish Containers
runs-on: ubuntu-20.04
needs: [test]
env:
BUILDX_NO_DEFAULT_ATTESTATIONS: 1
permissions:
contents: read
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: extractions/setup-just@v1
- id: tedge
name: Get Version
run: |
version=$(just version container)
echo "Detected version: $version"
echo "version=$version" >> "$GITHUB_OUTPUT"
# Download artifacts for all targets
# The docker build step will select the correct target for the
# given container target platform
- name: Download release artifacts
uses: actions/download-artifact@v4
with:
path: containers/tedge/packages/
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
name=ghcr.io/thin-edge/tedge,enable=${{ startsWith(github.ref, 'refs/tags/') }}
name=ghcr.io/thin-edge/tedge-main,enable=true
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=${{ steps.tedge.outputs.version }},enable=${{ !startsWith(github.ref, 'refs/tags/') }}
type=raw,value=latest
- name: Build and push
uses: docker/build-push-action@v5
with:
context: containers/tedge
push: ${{ github.event_name != 'pull_request' }}
platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
BUILDTIME=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
# Wait until all other publishing jobs are finished
# before publishing the virtual packages (which are architecture agnostic)
publish-virtual-packages:
name: Publish Virtual Packages
runs-on: ubuntu-20.04
needs: [publish]
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
# Setup python required by cloudsmith cli
- uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
# Install nfpm used to for linux packaging
- uses: actions/setup-go@v5
with:
go-version: 'stable'
cache: false
- run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest
- uses: extractions/setup-just@v1
- name: Build virtual packages
run: just release-linux-virtual
- name: Publish packages
env:
PUBLISH_OWNER: ${{ secrets.PUBLISH_OWNER }}
PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
run: |
just publish-linux-virtual --repo tedge-main
just publish-linux-virtual --repo tedge-main-armv6
release:
runs-on: ubuntu-latest
needs: [publish-virtual-packages, publish-containers]
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Release
uses: softprops/action-gh-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
generate_release_notes: true
draft: true
- name: Create tedge-docs snapshot
run: |
gh workflow run snapshot.yml -R thin-edge/tedge-docs -f version=${{github.ref_name}}
env:
# Triggering another workflow requires more additional credentials
GITHUB_TOKEN: ${{ secrets.ACTIONS_PAT }}