deploy: redeploy SIP, TokenZap #16389
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Go Releaser | |
on: [push] | |
jobs: | |
# build the goreleaser container cgo cross compiler container. Note: this wil not be applied until | |
# the next run since build-goreleaser and run-goreleaser are run concurrently. We expect github actions | |
# to fix this in a future version. | |
build-goreleaser: | |
runs-on: ubuntu-latest | |
outputs: | |
goreleaser-image: ${{ steps.name-export.outputs.TAG_NAME }} | |
permissions: | |
# always required | |
packages: write | |
# only required for private repos | |
actions: read | |
contents: write | |
steps: | |
- name: Git Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # needed if using new-from-rev (see: https://golangci-lint.run/usage/configuration/#issues-configuration) | |
- name: Cache Docker images. | |
uses: ScribeMD/[email protected] | |
with: | |
key: docker-release-${{ runner.os }}-${{ matrix.package }} | |
- uses: dorny/paths-filter@v3 | |
name: check if any changes warrant a new build of goreleaser-cgo-cross-compiler | |
id: changes | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
filters: | | |
src: | |
- 'docker/goreleaser/**' | |
- | |
name: Set up Docker Buildx | |
if: steps.changes.outputs.src == 'true' | |
uses: docker/setup-buildx-action@v2 | |
with: | |
driver-opts: network=host | |
- name: Environment variables | |
# TODO: this if block needs to be run on every step now, but should be fixed in a future version: https://github.com/actions/runner/issues/662 | |
if: steps.changes.outputs.src == 'true' | |
uses: franzdiebold/[email protected] | |
env: | |
ACTIONS_ALLOW_UNSECURE_COMMANDS: true | |
- | |
name: Login to GitHub Container Registry | |
if: steps.changes.outputs.src == 'true' | |
uses: docker/login-action@v1 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# we do this so we can use it in subseuqnet steps | |
- name: Export latest tag name | |
id: name-export | |
run: | |
echo "##[set-output name=TAG_NAME;]$(echo $LATEST_TAG_NAME)" | |
env: | |
LATEST_TAG_NAME: ghcr.io/synapsecns/sanguine-goreleaser:${{ hashFiles('docker/goreleaser/**') }} | |
- | |
name: Build and push | |
if: steps.changes.outputs.src == 'true' | |
uses: docker/build-push-action@v3 | |
with: | |
context: . | |
push: true | |
file: ./docker/goreleaser/Dockerfile | |
# TODO this needs to be versioned | |
# Note: this automatically pushes the latest tag for sanguine-goreleaser even on branched workflows. While unlikely, | |
# this could break local devnets that rely on working versions of this image and as such the latest tag should only be pushed on master | |
# additionally, tags representing a specific version rather than the hash of the file should be considered for future use. | |
tags: ghcr.io/synapsecns/sanguine-goreleaser:latest,${{ steps.name-export.outputs.TAG_NAME }} | |
cache-from: type=registry,ref=ghcr.io/synapsecns/sanguine-goreleaser:buildcache | |
cache-to: type=registry,ref=ghcr.io/synapsecns/sanguine-goreleaser:buildcache,mode=max | |
# TODO: we should find a way for this not to be duplicated with go.yml | |
changes: | |
name: Change Detection | |
runs-on: ubuntu-latest | |
# see: https://stackoverflow.com/a/68414395 | |
if: ${{ format('refs/heads/{0}', github.event.repository.default_branch) == github.ref || contains(github.event.head_commit.message, '[goreleaser]') }} | |
outputs: | |
# Expose matched filters as job 'packages' output variable | |
packages: ${{ steps.filter_go.outputs.changed_modules_deps }} | |
package_count: ${{ steps.length.outputs.FILTER_LENGTH }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: docker://ghcr.io/synapsecns/sanguine/git-changes-action:latest | |
id: filter_go | |
with: | |
github_token: ${{ secrets.WORKFLOW_PAT || secrets.GITHUB_TOKEN }} | |
- id: length | |
run: | | |
export FILTER_LENGTH=$(echo $FILTERED_PATHS | jq '. | length') | |
echo "##[set-output name=FILTER_LENGTH;]$(echo $FILTER_LENGTH)" | |
env: | |
FILTERED_PATHS: ${{ steps.filter_go.outputs.changed_modules_deps }} | |
run-goreleaser: | |
runs-on: | |
- namespace-profile-fast-goreleaser | |
needs: [build-goreleaser,changes] | |
if: ${{ needs.changes.outputs.package_count > 0 }} | |
permissions: | |
id-token: write | |
# always required | |
packages: write | |
# only required for private repos | |
actions: read | |
contents: write | |
strategy: | |
fail-fast: false | |
matrix: | |
# list of packages, if you update this update changes as well | |
package: ${{ fromJSON(needs.changes.outputs.packages) }} | |
container: | |
image: ${{ needs.build-goreleaser.outputs.goreleaser-image }} | |
env: | |
NSC_CACHE_PATH: ${{ env.NSC_CACHE_PATH }} # env.NSC_CACHE_PATH contains the path to Cache Volume directory, that is `/cache`. | |
volumes: | |
- /repo | |
- /cache:/cache | |
options: --cap-add=SYS_ADMIN # Required to by nscloud-cache-action to call `mount`. | |
steps: | |
- name: Git Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: ${{ github.ref == 'refs/heads/master' && '0' || '1' }} | |
- name: Set up cache | |
if: ${{ !contains(runner.name, 'nsc') }} | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{matrix.package}}-${{ hashFiles(format('{0}/go.sum', matrix.package)) }} | |
restore-keys: | | |
${{ runner.os }}-go-${{matrix.package}} | |
- name: Setup Go cache | |
uses: namespacelabs/nscloud-cache-action@v1 | |
if: ${{ contains(runner.name, 'nsc') }} | |
with: | |
cache: go | |
- name: Get branch name | |
id: branch-name | |
uses: tj-actions/branch-names@v6 | |
- name: Bump version and push tag | |
id: tag_version | |
if: steps.branch-name.outputs.is_default == 'true' | |
uses: mathieudutour/[email protected] | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
tag_prefix: ${{matrix.package}}/v | |
release_branches: master | |
fetch_all_tags: true | |
- name: Tag Config | |
run: git config --global --add safe.directory /__w/sanguine/sanguine | |
- | |
name: Fetch all tags | |
if: steps.branch-name.outputs.is_default == 'true' | |
run: git fetch --force --tags | |
# get the tag we just created | |
- name: Git Fetch Unshallow | |
if: steps.branch-name.outputs.is_default == 'true' | |
run: git fetch | |
- name: Import GPG key | |
uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5.2.0 | |
id: import_gpg | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
- | |
name: Login to GitHub Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run GoReleaser (Release) | |
if: steps.branch-name.outputs.is_default == 'true' | |
run: goreleaser --timeout 900m --clean --debug -f ${{matrix.package}}/.goreleaser.yml | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GONOSUM: '.*' | |
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
GOGC: 2000 | |
GOMEMLIMIT: 6GiB | |
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} | |
# use this to determine if we need goreleaser for a workflow | |
- name: Check For Docker Images | |
if: steps.branch-name.outputs.is_default != 'true' | |
id: image_check | |
run: | | |
# will be 0 if none present | |
has_images=$(yq eval '.dockers != null' ${{matrix.package}}/.goreleaser.yml) | |
echo "##[set-output name=has_images;]$(echo $has_images)" | |
- name: Run GoReleaser (Snapshot) | |
if: steps.branch-name.outputs.is_default != 'true' && steps.image_check.outputs.has_images == 'true' | |
run: goreleaser --timeout 900m --snapshot --clean --debug -f ${{matrix.package}}/.goreleaser.yml | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GONOSUM: '.*' | |
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
GOGC: 20 | |
GOMEMLIMIT: 6GiB | |
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} | |
- name: Get Project Name | |
id: project_id | |
run: | | |
project_name=$(yq '.project_name' ${{matrix.package}}/.goreleaser.yml) | |
echo "##[set-output name=project_name;]$(echo $project_name)" | |
- name: Push Docker Images (Snapshot) | |
if: steps.branch-name.outputs.is_default != 'true' && steps.image_check.outputs.has_images == 'true' | |
run: | | |
# Load the number of docker configurations | |
docker_configs=$(yq e '.dockers | length' dist/config.yaml) | |
# Check if there are no docker configurations | |
if [ "$docker_configs" -eq "0" ]; then | |
echo "No docker images to push" | |
exit 0 | |
fi | |
# Iterate through each docker configuration | |
i=0 | |
while [ "$i" -lt "$docker_configs" ]; do | |
# Extract the first image template | |
image_template=$(yq e ".dockers[$i].image_templates[0]" dist/config.yaml) | |
# Extract the base name from the image template | |
image_name=$(echo "$image_template" | sed -E 's|^(.*):[^:]+$|\1|') | |
# Tag and push the docker image | |
docker tag "$image_name:latest" "$image_name:${GITHUB_SHA}" | |
docker push "$image_name:${GITHUB_SHA}" | |
i=$((i + 1)) | |
done | |
env: | |
image_name: ${{ steps.project_id.outputs.project_name }} | |
- name: Zip Artifacts (Snapshot) | |
if: steps.branch-name.outputs.is_default != 'true' && steps.image_check.outputs.has_images == 'true' | |
run: | | |
ls | |
zip -rv ${{ steps.project_id.outputs.project_name }}.zip dist | |
- name: Push Artifacts (Snapshot) | |
if: steps.branch-name.outputs.is_default != 'true' && steps.image_check.outputs.has_images == 'true' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{steps.project_id.outputs.project_name}}.zip | |
path: ${{steps.project_id.outputs.project_name}}.zip | |
- name: Refresh Report Card | |
if: steps.branch-name.outputs.is_default == 'true' | |
working-directory: ${{matrix.package}}/ | |
run: | | |
module_name=$(go mod edit -json | jq -r '.Module.Path') | |
curl -X POST -F "repo=$module_name" https://goreportcard.com/checks | |