ci: improve release workflow #1664
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build-workflow | |
on: | |
push: | |
branches: [ main ] | |
tags: | |
- "*" | |
merge_group: | |
workflow_dispatch: | |
inputs: | |
disable_cache: | |
description: Disable rust caching | |
type: boolean | |
required: false | |
default: false | |
include: | |
description: Only run tests matching tests with the given tags | |
type: string | |
required: false | |
default: "" | |
processes: | |
description: Number of processes to run tests | |
type: string | |
required: false | |
default: "10" | |
# Use a manual approval process before PR's are given access to | |
# the secrets which are required to run the integration tests. | |
# The PR code should be manually approved to see if it can be trusted. | |
# When in doubt, do not approve the test run. | |
# Reference: https://dev.to/petrsvihlik/using-environment-protection-rules-to-secure-secrets-when-building-external-forks-with-pullrequesttarget-hci | |
pull_request_target: | |
branches: [ main ] | |
env: | |
CARGO_TERM_COLOR: always | |
RUSTFLAGS: -D warnings | |
jobs: | |
build: | |
name: Build ${{ matrix.job.target }} | |
runs-on: ubuntu-20.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
job: | |
- { target: x86_64-unknown-linux-musl, cache: true } | |
- { target: aarch64-unknown-linux-musl, cache: true } | |
- { target: arm-unknown-linux-musleabihf, cache: true } | |
- { target: armv7-unknown-linux-musleabihf, cache: true } | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Retrieve MSRV from workspace Cargo.toml | |
id: rust_version | |
uses: SebRollen/[email protected] | |
with: | |
file: Cargo.toml | |
field: "workspace.package.rust-version" | |
- name: Enable toolchain via github action | |
uses: dtolnay/rust-toolchain@master | |
with: | |
toolchain: ${{ steps.rust_version.outputs.value }} | |
targets: ${{ matrix.job.target }} | |
- name: Enable cache | |
if: ${{ matrix.job.cache && !inputs.disable_cache }} | |
# https://github.com/marketplace/actions/rust-cache | |
uses: Swatinem/rust-cache@v2 | |
# Install nfpm used to for linux packaging | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: 'stable' | |
cache: false | |
- run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest | |
- uses: extractions/setup-just@v1 | |
- name: Build for ${{ matrix.job.target }} | |
run: just release ${{ matrix.job.target }} | |
- name: Upload packages as zip | |
# https://github.com/marketplace/actions/upload-a-build-artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: packages-${{ matrix.job.target }} | |
path: target/${{ matrix.job.target }}/packages/*.* | |
approve: | |
# Note: Use approval as a job so that the downstream jobs are only prompted once (if more than 1 matrix job is defined) | |
name: Approve | |
environment: | |
# For security reasons, all pull requests need to be approved first before granting access to secrets | |
# So the environment should be set to have a reviewer/s inspect it before approving it | |
name: ${{ github.event_name == 'pull_request_target' && 'Test Pull Request' || 'Test Auto' }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Wait for approval | |
run: echo "Approved" | |
test: | |
name: Test ${{ matrix.job.name }} | |
# Don't tests on tagging as it has already run in the merge queue | |
if: ${{ !startsWith(github.ref, 'refs/tags/') }} | |
needs: [approve, build] | |
environment: | |
name: Test Auto | |
runs-on: ubuntu-20.04 | |
strategy: | |
matrix: | |
job: | |
- { name: x86_64, target: x86_64-unknown-linux-musl, output: target/packages } | |
steps: | |
# Checkout either the PR or the branch | |
- name: Checkout PR | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} # Check out the code of the PR. Only after the manual approval process | |
fetch-depth: 0 | |
- name: Download release artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: packages-${{ matrix.job.target }} | |
path: tests/images/debian-systemd/files/packages/ | |
- name: create .env file | |
working-directory: tests/RobotFramework | |
run: | | |
touch .env | |
echo 'C8Y_BASEURL="${{ secrets.C8Y_BASEURL }}"' >> .env | |
echo 'C8Y_USER="${{ secrets.C8Y_USER }}"' >> .env | |
echo 'C8Y_TENANT="${{ secrets.C8Y_TENANT }}"' >> .env | |
echo 'C8Y_PASSWORD="${{ secrets.C8Y_PASSWORD }}"' >> .env | |
echo 'CA_KEY="${{ secrets.CA_KEY || '' }}"' >> .env | |
echo 'CA_PUB="${{ secrets.CA_PUB || '' }}"' >> .env | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: '3.9' | |
cache: 'pip' | |
cache-dependency-path: | | |
**/requirements/requirements*.txt | |
- name: Install dependencies | |
run: | | |
./bin/setup.sh | |
working-directory: tests/RobotFramework | |
- name: Build images | |
working-directory: tests/RobotFramework | |
run: | | |
source .venv/bin/activate | |
invoke build | |
- name: Run tests | |
working-directory: tests/RobotFramework | |
run: | | |
source .venv/bin/activate | |
invoke test \ | |
--processes "${{ inputs.processes || '' }}" \ | |
--include "${{ inputs.include || '' }}" \ | |
--exclude "test:on_demand OR theme:benchmarks" \ | |
--outputdir output | |
- name: Upload test results | |
uses: actions/upload-artifact@v4 | |
if: always() | |
with: | |
name: report-${{ matrix.job.target }} | |
path: tests/RobotFramework/output | |
- name: Send report to commit | |
uses: joonvena/[email protected] | |
if: always() && github.event_name == 'pull_request' | |
with: | |
gh_access_token: ${{ secrets.GITHUB_TOKEN }} | |
report_path: 'tests/RobotFramework/output' | |
show_passed_tests: 'false' | |
publish: | |
name: Publish ${{ matrix.job.target }} | |
runs-on: ubuntu-20.04 | |
needs: [test] | |
strategy: | |
fail-fast: false | |
matrix: | |
job: | |
- { target: x86_64-unknown-linux-musl, repo: tedge-main, component: main } | |
- { target: aarch64-unknown-linux-musl, repo: tedge-main, component: main } | |
# Keep arm-unknown-linux-musleabihf in separate repo due to armhf conflict between raspbian and debian | |
- { target: arm-unknown-linux-musleabihf, repo: tedge-main-armv6, component: main } | |
- { target: armv7-unknown-linux-musleabihf, repo: tedge-main, component: main } | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
# Setup python required by cloudsmith cli | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: '3.11' | |
cache: 'pip' | |
- name: Download release artifacts | |
uses: actions/download-artifact@v4 | |
# https://github.com/marketplace/actions/download-a-build-artifact | |
with: | |
name: packages-${{ matrix.job.target }} | |
path: target/${{ matrix.job.target }}/packages/ | |
- uses: extractions/setup-just@v1 | |
- name: Publish packages | |
env: | |
PUBLISH_OWNER: ${{ secrets.PUBLISH_OWNER }} | |
PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }} | |
run: | | |
just publish-linux-target "${{ matrix.job.target }}" \ | |
--repo "${{ matrix.job.repo }}" \ | |
--component "${{ matrix.job.component }}" | |
# Wait until all other publishing jobs are finished | |
# before publishing the virtual packages (which are architecture agnostic) | |
publish-containers: | |
name: Publish Containers | |
runs-on: ubuntu-20.04 | |
needs: [test] | |
env: | |
BUILDX_NO_DEFAULT_ATTESTATIONS: 1 | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: extractions/setup-just@v1 | |
- id: tedge | |
name: Get Version | |
run: | | |
version=$(just version container) | |
echo "Detected version: $version" | |
echo "version=$version" >> "$GITHUB_OUTPUT" | |
# Download artifacts for all targets | |
# The docker build step will select the correct target for the | |
# given container target platform | |
- name: Download release artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
path: containers/tedge/packages/ | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Setup Docker buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: | | |
name=ghcr.io/thin-edge/tedge,enable=${{ startsWith(github.ref, 'refs/tags/') }} | |
name=ghcr.io/thin-edge/tedge-main,enable=true | |
tags: | | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=raw,value=${{ steps.tedge.outputs.version }},enable=${{ !startsWith(github.ref, 'refs/tags/') }} | |
type=raw,value=latest | |
- name: Build and push | |
uses: docker/build-push-action@v5 | |
with: | |
context: containers/tedge | |
push: ${{ github.event_name != 'pull_request' }} | |
platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6 | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
build-args: | | |
BUILDTIME=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} | |
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} | |
REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} | |
# Wait until all other publishing jobs are finished | |
# before publishing the virtual packages (which are architecture agnostic) | |
publish-virtual-packages: | |
name: Publish Virtual Packages | |
runs-on: ubuntu-20.04 | |
needs: [publish] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
# Setup python required by cloudsmith cli | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: '3.11' | |
cache: 'pip' | |
# Install nfpm used to for linux packaging | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: 'stable' | |
cache: false | |
- run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest | |
- uses: extractions/setup-just@v1 | |
- name: Build virtual packages | |
run: just release-linux-virtual | |
- name: Publish packages | |
env: | |
PUBLISH_OWNER: ${{ secrets.PUBLISH_OWNER }} | |
PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }} | |
run: | | |
just publish-linux-virtual --repo tedge-main | |
just publish-linux-virtual --repo tedge-main-armv6 | |
release: | |
runs-on: ubuntu-latest | |
needs: [publish-virtual-packages, publish-containers] | |
if: startsWith(github.ref, 'refs/tags/') | |
steps: | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
generate_release_notes: true | |
draft: true | |
- name: Create tedge-docs snapshot | |
run: | | |
gh workflow run snapshot.yml -R thin-edge/tedge-docs -f version=${{github.ref_name}} | |
env: | |
# Triggering another workflow requires more additional credentials | |
GITHUB_TOKEN: ${{ secrets.ACTIONS_PAT }} |