From 3b0195e6b387364d8919ce90e2f461e82d2f51d1 Mon Sep 17 00:00:00 2001 From: June Clementine Strawberry Date: Sat, 25 Jan 2025 21:04:52 -0500 Subject: [PATCH] misc various github actions ci fixes Signed-off-by: June Clementine Strawberry --- .gitea/PULL_REQUEST_TEMPLATE.md | 8 - .gitea/workflows/ci.yml | 264 ------------------- .github/workflows/ci.yml | 80 +++--- .github/workflows/docker-hub-description.yml | 5 + .github/workflows/documentation.yml | 3 + 5 files changed, 56 insertions(+), 304 deletions(-) delete mode 100644 .gitea/PULL_REQUEST_TEMPLATE.md delete mode 100644 .gitea/workflows/ci.yml diff --git a/.gitea/PULL_REQUEST_TEMPLATE.md b/.gitea/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index 4210554b..00000000 --- a/.gitea/PULL_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,8 +0,0 @@ - - - ------------------------------------------------------------------------------ - -- [ ] I ran `cargo fmt`, `cargo clippy`, and `cargo test` -- [ ] I agree to release my code and all other changes of this MR under the Apache-2.0 license - diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml deleted file mode 100644 index ef436734..00000000 --- a/.gitea/workflows/ci.yml +++ /dev/null 
@@ -1,264 +0,0 @@ -name: CI and Artifacts - -on: - pull_request: - push: - # documentation workflow deals with this or is not relevant for this workflow - paths-ignore: - - '*.md' - - 'conduwuit-example.toml' - - 'book.toml' - - '.gitlab-ci.yml' - - '.gitignore' - - 'renovate.json' - - 'docs/**' - - 'debian/**' - - 'docker/**' - branches: - - main - tags: - - '*' - # Allows you to run this workflow manually from the Actions tab - #workflow_dispatch: - -#concurrency: -# group: ${{ gitea.head_ref || gitea.ref_name }} -# cancel-in-progress: true - -env: - # Required to make some things output color - TERM: ansi - # Publishing to my nix binary cache - ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }} - # conduwuit.cachix.org - CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} - # Just in case incremental is still being set to true, speeds up CI - CARGO_INCREMENTAL: 0 - # Custom nix binary cache if fork is being used - ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }} - ATTIC_PUBLIC_KEY: ${{ vars.ATTIC_PUBLIC_KEY }} - # Get error output from nix that we can actually use - NIX_CONFIG: show-trace = true - -#permissions: -# packages: write -# contents: read - -jobs: - tests: - name: Test - runs-on: ubuntu-latest - steps: - - name: Sync repository - uses: https://github.com/actions/checkout@v4 - - - name: Tag comparison check - if: startsWith(gitea.ref, 'refs/tags/v') - run: | - # Tag mismatch with latest repo tag check to prevent potential downgrades - LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`) - - if [ $LATEST_TAG != ${{ gitea.ref_name }} ]; then - echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' - echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' 
>> $GITHUB_STEP_SUMMARY - exit 1 - fi - - - name: Install Nix - uses: https://github.com/DeterminateSystems/nix-installer-action@main - with: - diagnostic-endpoint: "" - extra-conf: | - experimental-features = nix-command flakes - accept-flake-config = true - - - name: Enable Cachix binary cache - run: | - nix profile install nixpkgs#cachix - cachix use crane - cachix use nix-community - - - name: Configure Magic Nix Cache - uses: https://github.com/DeterminateSystems/magic-nix-cache-action@main - with: - diagnostic-endpoint: "" - upstream-cache: "https://attic.kennel.juneis.dog/conduwuit" - - - name: Apply Nix binary cache configuration - run: | - sudo tee -a /etc/nix/nix.conf > /dev/null < /dev/null < "$HOME/.direnvrc" - nix profile install --impure --inputs-from . nixpkgs#direnv nixpkgs#nix-direnv - direnv allow - nix develop .#all-features --command true - - - name: Cache CI dependencies - run: | - bin/nix-build-and-cache ci - - - name: Run CI tests - run: | - direnv exec . engage > >(tee -a test_output.log) - - - name: Sync Complement repository - uses: https://github.com/actions/checkout@v4 - with: - repository: 'matrix-org/complement' - path: complement_src - - - name: Run Complement tests - run: | - direnv exec . 
bin/complement 'complement_src' 'complement_test_logs.jsonl' 'complement_test_results.jsonl' - cp -v -f result complement_oci_image.tar.gz - - - name: Upload Complement OCI image - uses: https://github.com/actions/upload-artifact@v4 - with: - name: complement_oci_image.tar.gz - path: complement_oci_image.tar.gz - if-no-files-found: error - - - name: Upload Complement logs - uses: https://github.com/actions/upload-artifact@v4 - with: - name: complement_test_logs.jsonl - path: complement_test_logs.jsonl - if-no-files-found: error - - - name: Upload Complement results - uses: https://github.com/actions/upload-artifact@v4 - with: - name: complement_test_results.jsonl - path: complement_test_results.jsonl - if-no-files-found: error - - - name: Diff Complement results with checked-in repo results - run: | - diff -u --color=always tests/test_results/complement/test_results.jsonl complement_test_results.jsonl > >(tee -a complement_test_output.log) - echo '# Complement diff results' >> $GITHUB_STEP_SUMMARY - echo '```diff' >> $GITHUB_STEP_SUMMARY - tail -n 100 complement_test_output.log | sed 's/\x1b\[[0-9;]*m//g' >> $GITHUB_STEP_SUMMARY - echo '```' >> $GITHUB_STEP_SUMMARY - - - name: Update Job Summary - if: success() || failure() - run: | - if [ ${{ job.status }} == 'success' ]; then - echo '# ✅ completed suwuccessfully' >> $GITHUB_STEP_SUMMARY - else - echo '```' >> $GITHUB_STEP_SUMMARY - tail -n 40 test_output.log | sed 's/\x1b\[[0-9;]*m//g' >> $GITHUB_STEP_SUMMARY - echo '```' >> $GITHUB_STEP_SUMMARY - fi - - build: - name: Build - runs-on: ubuntu-latest - needs: tests - strategy: - matrix: - include: - - target: aarch64-unknown-linux-musl - - target: x86_64-unknown-linux-musl - steps: - - name: Sync repository - uses: https://github.com/actions/checkout@v4 - - - name: Install Nix - uses: https://github.com/DeterminateSystems/nix-installer-action@main - with: - diagnostic-endpoint: "" - extra-conf: | - experimental-features = nix-command flakes - accept-flake-config = 
true - - - name: Install and enable Cachix binary cache - run: | - nix profile install nixpkgs#cachix - cachix use crane - cachix use nix-community - - - name: Configure Magic Nix Cache - uses: https://github.com/DeterminateSystems/magic-nix-cache-action@main - with: - diagnostic-endpoint: "" - upstream-cache: "https://attic.kennel.juneis.dog/conduwuit" - - - name: Apply Nix binary cache configuration - run: | - sudo tee -a /etc/nix/nix.conf > /dev/null < /dev/null < "$HOME/.direnvrc" - nix profile install --impure --inputs-from . nixpkgs#direnv nixpkgs#nix-direnv - direnv allow - nix develop .#all-features --command true - - - name: Build static ${{ matrix.target }} - run: | - CARGO_DEB_TARGET_TUPLE=$(echo ${{ matrix.target }} | grep -o -E '^([^-]*-){3}[^-]*') - SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) - - bin/nix-build-and-cache just .#static-${{ matrix.target }} - mkdir -v -p target/release/ - mkdir -v -p target/$CARGO_DEB_TARGET_TUPLE/release/ - cp -v -f result/bin/conduit target/release/conduwuit - cp -v -f result/bin/conduit target/$CARGO_DEB_TARGET_TUPLE/release/conduwuit - # -p conduit is the main crate name - direnv exec . 
cargo deb --verbose --no-build --no-strip -p conduit --target=$CARGO_DEB_TARGET_TUPLE --output target/release/${{ matrix.target }}.deb - mv -v target/release/conduwuit static-${{ matrix.target }} - mv -v target/release/${{ matrix.target }}.deb ${{ matrix.target }}.deb - - - name: Upload static-${{ matrix.target }} - uses: https://github.com/actions/upload-artifact@v4 - with: - name: static-${{ matrix.target }} - path: static-${{ matrix.target }} - if-no-files-found: error - - - name: Upload deb ${{ matrix.target }} - uses: https://github.com/actions/upload-artifact@v4 - with: - name: deb-${{ matrix.target }} - path: ${{ matrix.target }}.deb - if-no-files-found: error - compression-level: 0 - - - name: Build OCI image ${{ matrix.target }} - run: | - bin/nix-build-and-cache just .#oci-image-${{ matrix.target }} - cp -v -f result oci-image-${{ matrix.target }}.tar.gz - - - name: Upload OCI image ${{ matrix.target }} - uses: https://github.com/actions/upload-artifact@v4 - with: - name: oci-image-${{ matrix.target }} - path: oci-image-${{ matrix.target }}.tar.gz - if-no-files-found: error - compression-level: 0 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 345713aa..b0b0bd53 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -22,8 +22,8 @@ concurrency: env: # sccache only on main repo - SCCACHE_GHA_ENABLED: "${{ (github.event.pull_request.draft != true) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && (vars.SCCACHE_ENDPOINT != '') && (github.event.pull_request.user.login != 'renovate[bot]') && 'true' || 'false' }}" - RUSTC_WRAPPER: "${{ (github.event.pull_request.draft != true) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && (vars.SCCACHE_ENDPOINT != '') && (github.event.pull_request.user.login != 'renovate[bot]') && 'sccache' || '' }}" + SCCACHE_GHA_ENABLED: "${{ !startsWith(github.ref, 'refs/tags/') && (github.event.pull_request.draft != true) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && (vars.SCCACHE_ENDPOINT != '') && (github.event.pull_request.user.login != 'renovate[bot]') && 'true' || 'false' }}" + RUSTC_WRAPPER: "${{ !startsWith(github.ref, 'refs/tags/') && (github.event.pull_request.draft != true) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && (vars.SCCACHE_ENDPOINT != '') && (github.event.pull_request.user.login != 'renovate[bot]') && 'sccache' || '' }}" SCCACHE_BUCKET: "${{ (github.event.pull_request.draft != true) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && (vars.SCCACHE_ENDPOINT != '') && (github.event.pull_request.user.login != 'renovate[bot]') && 'sccache' || '' }}" SCCACHE_S3_USE_SSL: ${{ vars.SCCACHE_S3_USE_SSL }} SCCACHE_REGION: ${{ vars.SCCACHE_REGION }} @@ -51,8 +51,8 @@ env: extra-experimental-features = nix-command flakes accept-flake-config = true WEB_UPLOAD_SSH_USERNAME: ${{ secrets.WEB_UPLOAD_SSH_USERNAME }} - GH_SHA: ${{ github.sha }} GH_REF_NAME: ${{ github.ref_name }} + WEBSERVER_DIR_NAME: ${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }} permissions: {} 
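Review bot: The comment above these two lines still reads `# sccache only on main repo`, but the added `!startsWith(github.ref, 'refs/tags/')` term also switches sccache off for every tag build, and the reason is only written down at the step-level `if:` lines much later in the file. I would extend it to something like `# sccache only on main repo, and never on tag/release builds (releases start from a clean cache state)`. `SCCACHE_BUCKET` on the following context line keeps the old expression; that looks harmless while `RUSTC_WRAPPER` is empty on tags, but giving all three the same condition would stop the values drifting apart.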
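Review bot: `WEBSERVER_DIR_NAME` is assembled from `github.ref_name` (or the pull-request author's login) and is later placed inside double-quoted `ssh -q website "rm -rf …"` and `mkdir` command strings and in `scp` remote paths, where the remote shell parses the expanded value a second time. Git permits characters such as `$`, `;` and `/` in branch and tag names, so the name can change what the remote command does, and a `/` in it makes the non-recursive `mkdir -v` fail. I would reduce the value to a safe character set before its first use, for example `WEBSERVER_DIR_NAME=$(printf '%s' "$WEBSERVER_DIR_NAME" | tr -c 'A-Za-z0-9._-' '_')` followed by writing the result to `$GITHUB_ENV`. Which refs can trigger this workflow is not visible in the hunk, so the actual exposure depends on the `on:` block.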
@@ -85,11 +85,13 @@ jobs: END echo "Checking connection" - ssh -q website "echo test" + ssh -q website "echo test" || ssh -q website "echo test" echo "Creating commit rev directory on web server" - ssh -q website "rm -rf /var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/$GITHUB_SHA/" - ssh -q website "mkdir -v /var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/$GITHUB_SHA/" + ssh -q website "rm -rf /var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/" || ssh -q website "rm -rf /var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/" + ssh -q website "mkdir -v /var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/" || ssh -q website "mkdir -v /var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/" + + echo "SSH_WEBSITE=1" >> "$GITHUB_ENV" - name: Install liburing run: | @@ -124,6 +126,9 @@ jobs: - uses: nixbuild/nix-quick-install-action@master - name: Restore and cache Nix store + # we want a fresh-state when we do releases/tags to avoid potential cache poisoning attacks impacting + # releases and tags + if: ${{ !startsWith(github.ref, 'refs/tags/') }} uses: nix-community/cache-nix-action@v5.1.0 with: # restore and save a cache using this key @@ -184,11 +189,16 @@ jobs: # use sccache for Rust - name: Run sccache-cache - if: (env.SCCACHE_GHA_ENABLED == 'true') + # we want a fresh-state when we do releases/tags to avoid potential cache poisoning attacks impacting + # releases and tags + if: ${{ (env.SCCACHE_GHA_ENABLED == 'true') && !startsWith(github.ref, 'refs/tags/') }} uses: mozilla-actions/sccache-action@main # use rust-cache - uses: Swatinem/rust-cache@v2 + # we want a fresh-state when we do releases/tags to avoid potential cache poisoning attacks impacting + # releases and tags + if: ${{ !startsWith(github.ref, 'refs/tags/') }} with: cache-all-crates: "true" cache-on-failure: "true" 
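Review bot: The `cmd || cmd` retry on the `mkdir -v` line is not idempotent: if the first `ssh` creates the directory and then returns non-zero because the connection dropped, the retry fails on the existing directory and the step aborts. Using `mkdir -p -v` on both sides of the `||` makes the second attempt safe. The same duplicated-command retry is used in the `@@ -304` and `@@ -647` hunks; a helper such as `retry() { "$@" || "$@"; }` defined once in the script would keep each command written in one place. The `run:` block starts above this hunk, so where the helper would go is outside what is shown.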
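Review bot: The new `if:` keeps tag builds from restoring the Nix store cache, but the step just above it, `nixbuild/nix-quick-install-action@master`, is not gated and is resolved from a mutable branch, so release jobs still run whatever `master` points to at build time. `mozilla-actions/sccache-action@main` and `Swatinem/rust-cache@v2` in the next hunk have the same property on non-tag builds. Pinning each `uses:` to a full commit SHA with the version in a trailing comment, `uses: nixbuild/nix-quick-install-action@<full-commit-sha>  # <version>` (placeholders), would address the same class of risk the added comment describes.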
@@ -304,13 +314,16 @@ jobs: END echo "Checking connection" - ssh -q website "echo test" + ssh -q website "echo test" || ssh -q website "echo test" echo "SSH_WEBSITE=1" >> "$GITHUB_ENV" - uses: nixbuild/nix-quick-install-action@master - name: Restore and cache Nix store + # we want a fresh-state when we do releases/tags to avoid potential cache poisoning attacks impacting + # releases and tags + if: ${{ !startsWith(github.ref, 'refs/tags/') }} uses: nix-community/cache-nix-action@v5.1.0 with: # restore and save a cache using this key @@ -364,11 +377,16 @@ jobs: # use sccache for Rust - name: Run sccache-cache - if: (env.SCCACHE_GHA_ENABLED == 'true') + # we want a fresh-state when we do releases/tags to avoid potential cache poisoning attacks impacting + # releases and tags + if: ${{ (env.SCCACHE_GHA_ENABLED == 'true') && !startsWith(github.ref, 'refs/tags/') }} uses: mozilla-actions/sccache-action@main # use rust-cache - uses: Swatinem/rust-cache@v2 + # we want a fresh-state when we do releases/tags to avoid potential cache poisoning attacks impacting + # releases and tags + if: ${{ !startsWith(github.ref, 'refs/tags/') }} with: cache-all-crates: "true" cache-on-failure: "true" 
@@ -493,29 +511,27 @@ jobs: run: | if [ ! -z $SSH_WEBSITE ]; then chmod +x static-x86_64-linux-musl-x86_64-haswell-optimised - scp static-x86_64-linux-musl-x86_64-haswell-optimised website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/static-x86_64-linux-musl-x86_64-haswell-optimised + scp static-x86_64-linux-musl-x86_64-haswell-optimised website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/static-x86_64-linux-musl-x86_64-haswell-optimised fi - name: Upload static-${{ matrix.target }}-all-features to webserver - if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]' run: | if [ ! -z $SSH_WEBSITE ]; then chmod +x static-${{ matrix.target }} - scp static-${{ matrix.target }} website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/static-${{ matrix.target }} + scp static-${{ matrix.target }} website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/static-${{ matrix.target }} fi - name: Upload static deb x86_64-linux-musl-all-features-x86_64-haswell-optimised to webserver if: ${{ matrix.target == 'x86_64-linux-musl' }} run: | if [ ! -z $SSH_WEBSITE ]; then - scp x86_64-linux-musl-x86_64-haswell-optimised.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/x86_64-linux-musl-x86_64-haswell-optimised.deb + scp x86_64-linux-musl-x86_64-haswell-optimised.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/x86_64-linux-musl-x86_64-haswell-optimised.deb fi - name: Upload static deb ${{ matrix.target }}-all-features to webserver - if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]' run: | if [ ! 
-z $SSH_WEBSITE ]; then - scp ${{ matrix.target }}.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/${{ matrix.target }}.deb + scp ${{ matrix.target }}.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/${{ matrix.target }}.deb fi - name: Upload static-${{ matrix.target }}-debug-all-features to GitHub @@ -534,17 +550,15 @@ jobs: compression-level: 0 - name: Upload static-${{ matrix.target }}-debug-all-features to webserver - if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]' run: | if [ ! -z $SSH_WEBSITE ]; then - scp static-${{ matrix.target }}-debug website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/static-${{ matrix.target }}-debug + scp static-${{ matrix.target }}-debug website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/static-${{ matrix.target }}-debug fi - name: Upload static deb ${{ matrix.target }}-debug-all-features to webserver - if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]' run: | - if [ ! -z $SSH_WEBSITE]; then - scp ${{ matrix.target }}-debug.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/${{ matrix.target }}-debug.deb + if [ ! -z $SSH_WEBSITE ]; then + scp ${{ matrix.target }}-debug.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/${{ matrix.target }}-debug.deb fi - name: Build OCI image ${{ matrix.target }}-all-features 
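Review bot: With the step-level `if:` lines removed, the only thing deciding whether these uploads run is the shell test `[ ! -z $SSH_WEBSITE ]`, which is unquoted and gives the right answer for an empty value only because `[ ! -z ]` happens to evaluate to false. `if [ -n "${SSH_WEBSITE:-}" ]; then` states the intent directly and does not depend on that quirk; the same test is used in the `@@ -534`, `@@ -594`, `@@ -707` and `@@ -715` hunks. The removed conditions also excluded draft pull requests and `renovate[bot]`; that exclusion now has to live on the SSH setup step that writes `SSH_WEBSITE=1`, whose own `if:` is not part of any hunk shown, so it is worth confirming there.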
@@ -594,21 +608,19 @@ jobs: if: ${{ matrix.target == 'x86_64-linux-musl' }} run: | if [ ! -z $SSH_WEBSITE ]; then - scp oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz + scp oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz fi - name: Upload OCI image ${{ matrix.target }}-all-features to webserver - if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]' run: | if [ ! -z $SSH_WEBSITE ]; then - scp oci-image-${{ matrix.target }}.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/oci-image-${{ matrix.target }}.tar.gz + scp oci-image-${{ matrix.target }}.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/oci-image-${{ matrix.target }}.tar.gz fi - name: Upload OCI image ${{ matrix.target }}-debug-all-features to webserver - if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]' run: | if [ ! -z $SSH_WEBSITE ]; then - scp oci-image-${{ matrix.target }}-debug.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/oci-image-${{ matrix.target }}-debug.tar.gz + scp oci-image-${{ matrix.target }}-debug.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/oci-image-${{ matrix.target }}-debug.tar.gz fi build_mac_binaries: 
@@ -647,7 +659,9 @@ jobs: END echo "Checking connection" - ssh -q website "echo test" + ssh -q website "echo test" || ssh -q website "echo test" + + echo "SSH_WEBSITE=1" >> "$GITHUB_ENV" - name: Tag comparison check if: ${{ startsWith(github.ref, 'refs/tags/v') && !endsWith(github.ref, '-rc') }} @@ -663,7 +677,9 @@ jobs: # use sccache for Rust - name: Run sccache-cache - if: (env.SCCACHE_GHA_ENABLED == 'true') + # we want a fresh-state when we do releases/tags to avoid potential cache poisoning attacks impacting + # releases and tags + if: ${{ (env.SCCACHE_GHA_ENABLED == 'true') && !startsWith(github.ref, 'refs/tags/') }} uses: mozilla-actions/sccache-action@main # use rust-cache @@ -707,7 +723,7 @@ jobs: run: | if [ ! -z $SSH_WEBSITE ]; then chmod +x conduwuit-macos-x86_64 - scp conduwuit-macos-x86_64 website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/conduwuit-macos-x86_64 + scp conduwuit-macos-x86_64 website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/conduwuit-macos-x86_64 fi - name: Upload macOS arm64 binary to webserver @@ -715,7 +731,7 @@ jobs: run: | if [ ! -z $SSH_WEBSITE ]; then chmod +x conduwuit-macos-arm64 - scp conduwuit-macos-arm64 website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/conduwuit-macos-arm64 + scp conduwuit-macos-arm64 website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${WEBSERVER_DIR_NAME}/conduwuit-macos-arm64 fi - name: Upload macOS x86_64 binary 
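Review bot: Writing `SSH_WEBSITE=1` here switches on the macOS `scp` uploads patched in the `@@ -707` and `@@ -715` hunks, but nothing visible in this job creates `ci-bins/${WEBSERVER_DIR_NAME}/`; the only `rm -rf`/`mkdir` for it is in the job patched by the `@@ -85` hunk. Unless this job (it appears to be `build_mac_binaries`) has a `needs:` on that one, which is not visible here, the upload can run before the directory exists or have its files removed by the other job's `rm -rf`. Adding the dependency, or a `mkdir -p` over `ssh` before the first upload in this job, would make the ordering explicit.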
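Review bot: Only the sccache step gets the tag gate in this job; the hunk ends at the `# use rust-cache` comment and no later hunk touches the step that follows it. If that step is `Swatinem/rust-cache@v2` as in the other two jobs, macOS binaries built from tags still restore a shared cache, which is what the new comment says releases should avoid. The same `if: ${{ !startsWith(github.ref, 'refs/tags/') }}` line should be added to that step.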
@@ -881,15 +897,15 @@ jobs: run: | # Dockerhub Container Registry if [ ! -z $DOCKERHUB_TOKEN ]; then - docker manifest create ${DOCKER_HUB_REPO}:${BRANCH_TAG}-haswell --amend ${DOCKER_HUB_REPO}:${UNIQUE_TAG}-haswell + docker manifest create ${DOCKER_HUB_REPO}:${UNIQUE_TAG}-haswell --amend ${DOCKER_HUB_REPO}:${BRANCH_TAG}-haswell fi # GitHub Container Registry if [ $GHCR_ENABLED = "true" ]; then - docker manifest create ${GHCR_REPO}:${BRANCH_TAG}-haswell --amend ${GHCR_REPO}:${UNIQUE_TAG}-haswell + docker manifest create ${GHCR_REPO}:${UNIQUE_TAG}-haswell --amend ${GHCR_REPO}:${BRANCH_TAG}-haswell fi # GitLab Container Registry if [ ! -z $GITLAB_TOKEN ]; then - docker manifest create ${GLCR_REPO}:${BRANCH_TAG}-haswell --amend ${GLCR_REPO}:${UNIQUE_TAG}-haswell + docker manifest create ${GLCR_REPO}:${UNIQUE_TAG}-haswell --amend ${GLCR_REPO}:${BRANCH_TAG}-haswell fi - name: Create Docker combined manifests diff --git a/.github/workflows/docker-hub-description.yml b/.github/workflows/docker-hub-description.yml index 5ff5f666..96b2d38b 100644 --- a/.github/workflows/docker-hub-description.yml +++ b/.github/workflows/docker-hub-description.yml @@ -8,13 +8,17 @@ on: - README.md - .github/workflows/docker-hub-description.yml + workflow_dispatch: + jobs: dockerHubDescription: runs-on: ubuntu-latest + if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && github.event.pull_request.user.login != 'renovate[bot]' steps: - uses: actions/checkout@v4 with: persist-credentials: false + - name: Setting variables uses: actions/github-script@v7 id: var @@ -26,6 +30,7 @@ jobs: core.setOutput('github_repository', githubRepo) const dockerRepo = '${{ vars.DOCKER_USERNAME }}'.toLowerCase() + '/' + repoId core.setOutput('docker_repo', dockerRepo) + - name: Docker Hub Description uses: peter-evans/dockerhub-description@v4 with: 
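Review bot: The three `docker manifest create` lines swap which tag is the manifest list and which is the source image, and nothing in the step says why. The first positional argument is the list being created, so after this change `${UNIQUE_TAG}-haswell` is the list and `${BRANCH_TAG}-haswell` must already exist as a pushed image; a one-line comment such as `# <list to create> --amend <already-pushed image>` above the first command would make that checkable. The matching `docker manifest push` is outside the hunk and needs to name the same list tag. The tag variables are also unquoted; `"${DOCKER_HUB_REPO}:${UNIQUE_TAG}-haswell"` avoids word splitting if a tag is ever derived from a ref name.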
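Review bot: The new job-level `if:` in `docker-hub-description.yml` does not restrict where the added `workflow_dispatch` trigger can run from: on any event that is not a pull request `github.event.pull_request` is empty, so `github.event.pull_request.draft != true` is true and the two `github.ref` checks in the same `||` group never decide anything. A manual run from an arbitrary branch would therefore still reach the Docker Hub description step with that branch's README. If the intent is main and release tags only, the ref checks have to stand on their own, e.g. `if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main') && github.event.pull_request.user.login != 'renovate[bot]'`. Whether this workflow is meant to run on pull requests at all is not visible in the hunk, so the exact condition depends on the `on:` block.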
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index b0ccdb47..0eefe0a4 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -73,6 +73,9 @@ jobs: - uses: nixbuild/nix-quick-install-action@master - name: Restore and cache Nix store + # we want a fresh-state when we do releases/tags to avoid potential cache poisoning attacks impacting + # releases and tags + if: ${{ !startsWith(github.ref, 'refs/tags/') }} uses: nix-community/cache-nix-action@v5.1.0 with: # restore and save a cache using this key