magmaus3/continuwuity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

improve gh actions security using zizmor

Browse source 
https://github.com/woodruffw/zizmor
Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry 2024-12-14 21:00:33 -05:00
parent e4489a5d20
commit c6bf8f5ea1
No known key found for this signature in database
3 changed files with 176 additions and 152 deletions
Download patch file Download diff file Expand all files Collapse all files

166
.github/workflows/ci.yml vendored
View file

@ -53,10 +53,10 @@ env:
# complement uses libolm # complement uses libolm
NIXPKGS_ALLOW_INSECURE: 1 NIXPKGS_ALLOW_INSECURE: 1
WEB_UPLOAD_SSH_USERNAME: ${{ secrets.WEB_UPLOAD_SSH_USERNAME }} WEB_UPLOAD_SSH_USERNAME: ${{ secrets.WEB_UPLOAD_SSH_USERNAME }}
GH_SHA: ${{ github.sha }}
GH_REF_NAME: ${{ github.ref_name }}
permissions: permissions: {}
packages: write
contents: read
jobs: jobs:
tests: tests:
@ -88,8 +88,8 @@ jobs:
ssh -q website "echo test" ssh -q website "echo test"
echo "Creating commit rev directory on web server" echo "Creating commit rev directory on web server"
ssh -q website "rm -rf /var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/" ssh -q website "rm -rf /var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/$GITHUB_SHA/"
ssh -q website "mkdir -v /var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/" ssh -q website "mkdir -v /var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/$GITHUB_SHA/"
- name: Install liburing - name: Install liburing
run: | run: |
@ -106,6 +106,8 @@ jobs:
- name: Sync repository - name: Sync repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Tag comparison check - name: Tag comparison check
if: ${{ startsWith(github.ref, 'refs/tags/v') && !endsWith(github.ref, '-rc') }} if: ${{ startsWith(github.ref, 'refs/tags/v') && !endsWith(github.ref, '-rc') }}
@ -113,7 +115,7 @@ jobs:
# Tag mismatch with latest repo tag check to prevent potential downgrades # Tag mismatch with latest repo tag check to prevent potential downgrades
LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`) LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`)
if [ $LATEST_TAG != ${{ github.ref_name }} ]; then if [ ${LATEST_TAG} != ${GH_REF_NAME} ]; then
echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.'
echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' >> $GITHUB_STEP_SUMMARY echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' >> $GITHUB_STEP_SUMMARY
exit 1 exit 1
@ -162,8 +164,8 @@ jobs:
if: ${{ (env.ATTIC_ENDPOINT != '') && (env.ATTIC_PUBLIC_KEY != '') }} if: ${{ (env.ATTIC_ENDPOINT != '') && (env.ATTIC_PUBLIC_KEY != '') }}
run: | run: |
sudo tee -a "${XDG_CONFIG_HOME:-$HOME/.config}/nix/nix.conf" > /dev/null <<EOF sudo tee -a "${XDG_CONFIG_HOME:-$HOME/.config}/nix/nix.conf" > /dev/null <<EOF
extra-substituters = ${{ env.ATTIC_ENDPOINT }} extra-substituters = ${ATTIC_ENDPOINT}
extra-trusted-public-keys = ${{ env.ATTIC_PUBLIC_KEY }} extra-trusted-public-keys = ${ATTIC_PUBLIC_KEY}
EOF EOF
- name: Prepare build environment - name: Prepare build environment
@ -233,9 +235,11 @@ jobs:
diff -u --color=always tests/test_results/complement/test_results.jsonl complement_test_results.jsonl > >(tee -a complement_diff_output.log) diff -u --color=always tests/test_results/complement/test_results.jsonl complement_test_results.jsonl > >(tee -a complement_diff_output.log)
- name: Update Job Summary - name: Update Job Summary
env:
GH_JOB_STATUS: ${{ job.status }}
if: success() || failure() if: success() || failure()
run: | run: |
if [ ${{ job.status }} == 'success' ]; then if [ ${GH_JOB_STATUS} == 'success' ]; then
echo '# ✅ completed suwuccessfully' >> $GITHUB_STEP_SUMMARY echo '# ✅ completed suwuccessfully' >> $GITHUB_STEP_SUMMARY
else else
echo '# CI failure' >> $GITHUB_STEP_SUMMARY echo '# CI failure' >> $GITHUB_STEP_SUMMARY
@ -264,6 +268,8 @@ jobs:
steps: steps:
- name: Sync repository - name: Sync repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Setup SSH web publish - name: Setup SSH web publish
if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]' if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]'
@ -332,8 +338,8 @@ jobs:
if: ${{ (env.ATTIC_ENDPOINT != '') && (env.ATTIC_PUBLIC_KEY != '') }} if: ${{ (env.ATTIC_ENDPOINT != '') && (env.ATTIC_PUBLIC_KEY != '') }}
run: | run: |
sudo tee -a "${XDG_CONFIG_HOME:-$HOME/.config}/nix/nix.conf" > /dev/null <<EOF sudo tee -a "${XDG_CONFIG_HOME:-$HOME/.config}/nix/nix.conf" > /dev/null <<EOF
extra-substituters = ${{ env.ATTIC_ENDPOINT }} extra-substituters = ${ATTIC_ENDPOINT}
extra-trusted-public-keys = ${{ env.ATTIC_PUBLIC_KEY }} extra-trusted-public-keys = ${ATTIC_PUBLIC_KEY}
EOF EOF
- name: Prepare build environment - name: Prepare build environment
@ -476,28 +482,28 @@ jobs:
if: ${{ matrix.target == 'x86_64-linux-musl' }} if: ${{ matrix.target == 'x86_64-linux-musl' }}
run: | run: |
if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then
scp static-x86_64-linux-musl-x86_64-haswell-optimised website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/static-x86_64-linux-musl-x86_64-haswell-optimised scp static-x86_64-linux-musl-x86_64-haswell-optimised website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/static-x86_64-linux-musl-x86_64-haswell-optimised
fi fi
- name: Upload static-${{ matrix.target }}-all-features to webserver - name: Upload static-${{ matrix.target }}-all-features to webserver
if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]' if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]'
run: | run: |
if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then
scp static-${{ matrix.target }} website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/static-${{ matrix.target }} scp static-${{ matrix.target }} website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/static-${{ matrix.target }}
fi fi
- name: Upload static deb x86_64-linux-musl-all-features-x86_64-haswell-optimised to webserver - name: Upload static deb x86_64-linux-musl-all-features-x86_64-haswell-optimised to webserver
if: ${{ matrix.target == 'x86_64-linux-musl' }} if: ${{ matrix.target == 'x86_64-linux-musl' }}
run: | run: |
if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then
scp x86_64-linux-musl-x86_64-haswell-optimised.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/x86_64-linux-musl-x86_64-haswell-optimised.deb scp x86_64-linux-musl-x86_64-haswell-optimised.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/x86_64-linux-musl-x86_64-haswell-optimised.deb
fi fi
- name: Upload static deb ${{ matrix.target }}-all-features to webserver - name: Upload static deb ${{ matrix.target }}-all-features to webserver
if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]' if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]'
run: | run: |
if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then
scp ${{ matrix.target }}.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/${{ matrix.target }}.deb scp ${{ matrix.target }}.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/${{ matrix.target }}.deb
fi fi
- name: Upload static-${{ matrix.target }}-debug-all-features to GitHub - name: Upload static-${{ matrix.target }}-debug-all-features to GitHub
@ -519,14 +525,14 @@ jobs:
if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]' if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]'
run: | run: |
if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then
scp static-${{ matrix.target }}-debug website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/static-${{ matrix.target }}-debug scp static-${{ matrix.target }}-debug website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/static-${{ matrix.target }}-debug
fi fi
- name: Upload static deb ${{ matrix.target }}-debug-all-features to webserver - name: Upload static deb ${{ matrix.target }}-debug-all-features to webserver
if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]' if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]'
run: | run: |
if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then
scp ${{ matrix.target }}-debug.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/${{ matrix.target }}-debug.deb scp ${{ matrix.target }}-debug.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/${{ matrix.target }}-debug.deb
fi fi
- name: Build OCI image ${{ matrix.target }}-all-features - name: Build OCI image ${{ matrix.target }}-all-features
@ -568,21 +574,21 @@ jobs:
if: ${{ matrix.target == 'x86_64-linux-musl' }} if: ${{ matrix.target == 'x86_64-linux-musl' }}
run: | run: |
if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then
scp oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz scp oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz
fi fi
- name: Upload OCI image ${{ matrix.target }}-all-features to webserver - name: Upload OCI image ${{ matrix.target }}-all-features to webserver
if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]' if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]'
run: | run: |
if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then
scp oci-image-${{ matrix.target }}.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/oci-image-${{ matrix.target }}.tar.gz scp oci-image-${{ matrix.target }}.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/oci-image-${{ matrix.target }}.tar.gz
fi fi
- name: Upload OCI image ${{ matrix.target }}-debug-all-features to webserver - name: Upload OCI image ${{ matrix.target }}-debug-all-features to webserver
if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]' if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]'
run: | run: |
if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then
scp oci-image-${{ matrix.target }}-debug.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/oci-image-${{ matrix.target }}-debug.tar.gz scp oci-image-${{ matrix.target }}-debug.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/oci-image-${{ matrix.target }}-debug.tar.gz
fi fi
build_mac_binaries: build_mac_binaries:
@ -594,6 +600,8 @@ jobs:
steps: steps:
- name: Sync repository - name: Sync repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Setup SSH web publish - name: Setup SSH web publish
if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]' if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]'
@ -624,7 +632,8 @@ jobs:
run: | run: |
# Tag mismatch with latest repo tag check to prevent potential downgrades # Tag mismatch with latest repo tag check to prevent potential downgrades
LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`) LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`)
if [ $LATEST_TAG != ${{ github.ref_name }} ]; then
if [ ${LATEST_TAG} != ${GH_REF_NAME} ]; then
echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.'
echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' >> $GITHUB_STEP_SUMMARY echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' >> $GITHUB_STEP_SUMMARY
exit 1 exit 1
@ -671,14 +680,14 @@ jobs:
if: ${{ matrix.os == 'macos-13' }} if: ${{ matrix.os == 'macos-13' }}
run: | run: |
if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then
scp conduwuit-macos-x86_64 website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/conduwuit-macos-x86_64 scp conduwuit-macos-x86_64 website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/conduwuit-macos-x86_64
fi fi
- name: Upload macOS arm64 binary to webserver - name: Upload macOS arm64 binary to webserver
if: ${{ matrix.os == 'macos-latest' }} if: ${{ matrix.os == 'macos-latest' }}
run: | run: |
if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then if [ ! -z $WEB_UPLOAD_SSH_USERNAME ]; then
scp conduwuit-macos-arm64 website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${{ github.sha }}/conduwuit-macos-arm64 scp conduwuit-macos-arm64 website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/conduwuit-macos-arm64
fi fi
- name: Upload macOS x86_64 binary - name: Upload macOS x86_64 binary
@ -701,6 +710,9 @@ jobs:
name: Docker publish name: Docker publish
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
needs: build needs: build
permissions:
packages: write
contents: read
if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]' if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && github.event.pull_request.user.login != 'renovate[bot]'
env: env:
DOCKER_ARM64: docker.io/${{ github.repository }}:${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }}-arm64v8 DOCKER_ARM64: docker.io/${{ github.repository }}:${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }}-arm64v8
@ -756,92 +768,92 @@ jobs:
if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }} if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }}
run: | run: |
docker load -i oci-image-amd64.tar.gz docker load -i oci-image-amd64.tar.gz
docker tag $(docker images -q conduit:main) ${{ env.DOCKER_AMD64 }} docker tag $(docker images -q conduwuit:main) ${DOCKER_AMD64}
docker tag $(docker images -q conduit:main) ${{ env.GHCR_AMD64 }} docker tag $(docker images -q conduwuit:main) ${GHCR_AMD64}
docker tag $(docker images -q conduit:main) ${{ env.GLCR_AMD64 }} docker tag $(docker images -q conduwuit:main) ${GLCR_AMD64}
docker push ${{ env.DOCKER_AMD64 }} docker push ${DOCKER_AMD64}
docker push ${{ env.GHCR_AMD64 }} docker push ${GHCR_AMD64}
docker push ${{ env.GLCR_AMD64 }} docker push ${GLCR_AMD64}
- name: Load and push arm64 image - name: Load and push arm64 image
if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }} if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }}
run: | run: |
docker load -i oci-image-arm64v8.tar.gz docker load -i oci-image-arm64v8.tar.gz
docker tag $(docker images -q conduit:main) ${{ env.DOCKER_ARM64 }} docker tag $(docker images -q conduwuit:main) ${DOCKER_ARM64}
docker tag $(docker images -q conduit:main) ${{ env.GHCR_ARM64 }} docker tag $(docker images -q conduwuit:main) ${GHCR_ARM64}
docker tag $(docker images -q conduit:main) ${{ env.GLCR_ARM64 }} docker tag $(docker images -q conduwuit:main) ${GLCR_ARM64}
docker push ${{ env.DOCKER_ARM64 }} docker push ${DOCKER_ARM64}
docker push ${{ env.GHCR_ARM64 }} docker push ${GHCR_ARM64}
docker push ${{ env.GLCR_ARM64 }} docker push ${GLCR_ARM64}
- name: Load and push amd64 debug image - name: Load and push amd64 debug image
if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }} if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }}
run: | run: |
docker load -i oci-image-amd64-debug.tar.gz docker load -i oci-image-amd64-debug.tar.gz
docker tag $(docker images -q conduit:main) ${{ env.DOCKER_AMD64 }}-debug docker tag $(docker images -q conduwuit:main) ${DOCKER_AMD64}-debug
docker tag $(docker images -q conduit:main) ${{ env.GHCR_AMD64 }}-debug docker tag $(docker images -q conduwuit:main) ${GHCR_AMD64}-debug
docker tag $(docker images -q conduit:main) ${{ env.GLCR_AMD64 }}-debug docker tag $(docker images -q conduwuit:main) ${GLCR_AMD64}-debug
docker push ${{ env.DOCKER_AMD64 }}-debug docker push ${DOCKER_AMD64}-debug
docker push ${{ env.GHCR_AMD64 }}-debug docker push ${GHCR_AMD64}-debug
docker push ${{ env.GLCR_AMD64 }}-debug docker push ${GLCR_AMD64}-debug
- name: Load and push arm64 debug image - name: Load and push arm64 debug image
if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }} if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }}
run: | run: |
docker load -i oci-image-arm64v8-debug.tar.gz docker load -i oci-image-arm64v8-debug.tar.gz
docker tag $(docker images -q conduit:main) ${{ env.DOCKER_ARM64 }}-debug docker tag $(docker images -q conduwuit:main) ${DOCKER_ARM64}-debug
docker tag $(docker images -q conduit:main) ${{ env.GHCR_ARM64 }}-debug docker tag $(docker images -q conduwuit:main) ${GHCR_ARM64}-debug
docker tag $(docker images -q conduit:main) ${{ env.GLCR_ARM64 }}-debug docker tag $(docker images -q conduwuit:main) ${GLCR_ARM64}-debug
docker push ${{ env.DOCKER_ARM64 }}-debug docker push ${DOCKER_ARM64}-debug
docker push ${{ env.GHCR_ARM64 }}-debug docker push ${GHCR_ARM64}-debug
docker push ${{ env.GLCR_ARM64 }}-debug docker push ${GLCR_ARM64}-debug
- name: Create Docker combined manifests - name: Create Docker combined manifests
run: | run: |
# Dockerhub Container Registry # Dockerhub Container Registry
docker manifest create ${{ env.DOCKER_TAG }} --amend ${{ env.DOCKER_ARM64 }} --amend ${{ env.DOCKER_AMD64 }} docker manifest create ${DOCKER_TAG} --amend ${DOCKER_ARM64} --amend ${DOCKER_AMD64}
docker manifest create ${{ env.DOCKER_BRANCH }} --amend ${{ env.DOCKER_ARM64 }} --amend ${{ env.DOCKER_AMD64 }} docker manifest create ${DOCKER_BRANCH} --amend ${DOCKER_ARM64} --amend ${DOCKER_AMD64}
# GitHub Container Registry # GitHub Container Registry
docker manifest create ${{ env.GHCR_TAG }} --amend ${{ env.GHCR_ARM64 }} --amend ${{ env.GHCR_AMD64 }} docker manifest create ${GHCR_TAG} --amend ${GHCR_ARM64} --amend ${GHCR_AMD64}
docker manifest create ${{ env.GHCR_BRANCH }} --amend ${{ env.GHCR_ARM64 }} --amend ${{ env.GHCR_AMD64 }} docker manifest create ${GHCR_BRANCH} --amend ${GHCR_ARM64} --amend ${GHCR_AMD64}
# GitLab Container Registry # GitLab Container Registry
docker manifest create ${{ env.GLCR_TAG }} --amend ${{ env.GLCR_ARM64 }} --amend ${{ env.GLCR_AMD64 }} docker manifest create ${GLCR_TAG} --amend ${GLCR_ARM64} --amend ${GLCR_AMD64}
docker manifest create ${{ env.GLCR_BRANCH }} --amend ${{ env.GLCR_ARM64 }} --amend ${{ env.GLCR_AMD64 }} docker manifest create ${GLCR_BRANCH} --amend ${GLCR_ARM64} --amend ${GLCR_AMD64}
- name: Create Docker combined debug manifests - name: Create Docker combined debug manifests
run: | run: |
# Dockerhub Container Registry # Dockerhub Container Registry
docker manifest create ${{ env.DOCKER_TAG }}-debug --amend ${{ env.DOCKER_ARM64 }}-debug --amend ${{ env.DOCKER_AMD64 }}-debug docker manifest create ${DOCKER_TAG}-debug --amend ${DOCKER_ARM64}-debug --amend ${DOCKER_AMD64}-debug
docker manifest create ${{ env.DOCKER_BRANCH }}-debug --amend ${{ env.DOCKER_ARM64 }}-debug --amend ${{ env.DOCKER_AMD64 }}-debug docker manifest create ${DOCKER_BRANCH}-debug --amend ${DOCKER_ARM64}-debug --amend ${DOCKER_AMD64}-debug
# GitHub Container Registry # GitHub Container Registry
docker manifest create ${{ env.GHCR_TAG }}-debug --amend ${{ env.GHCR_ARM64 }}-debug --amend ${{ env.GHCR_AMD64 }}-debug docker manifest create ${GHCR_TAG}-debug --amend ${GHCR_ARM64}-debug --amend ${GHCR_AMD64}-debug
docker manifest create ${{ env.GHCR_BRANCH }}-debug --amend ${{ env.GHCR_ARM64 }}-debug --amend ${{ env.GHCR_AMD64 }}-debug docker manifest create ${GHCR_BRANCH}-debug --amend ${GHCR_ARM64}-debug --amend ${GHCR_AMD64}-debug
# GitLab Container Registry # GitLab Container Registry
docker manifest create ${{ env.GLCR_TAG }}-debug --amend ${{ env.GLCR_ARM64 }}-debug --amend ${{ env.GLCR_AMD64 }}-debug docker manifest create ${GLCR_TAG}-debug --amend ${GLCR_ARM64}-debug --amend ${GLCR_AMD64}-debug
docker manifest create ${{ env.GLCR_BRANCH }}-debug --amend ${{ env.GLCR_ARM64 }}-debug --amend ${{ env.GLCR_AMD64 }}-debug docker manifest create ${GLCR_BRANCH}-debug --amend ${GLCR_ARM64}-debug --amend ${GLCR_AMD64}-debug
- name: Push manifests to Docker registries - name: Push manifests to Docker registries
if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }} if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }}
run: | run: |
docker manifest push ${{ env.DOCKER_TAG }} docker manifest push ${DOCKER_TAG}
docker manifest push ${{ env.DOCKER_BRANCH }} docker manifest push ${DOCKER_BRANCH}
docker manifest push ${{ env.GHCR_TAG }} docker manifest push ${GHCR_TAG}
docker manifest push ${{ env.GHCR_BRANCH }} docker manifest push ${GHCR_BRANCH}
docker manifest push ${{ env.GLCR_TAG }} docker manifest push ${GLCR_TAG}
docker manifest push ${{ env.GLCR_BRANCH }} docker manifest push ${GLCR_BRANCH}
docker manifest push ${{ env.DOCKER_TAG }}-debug docker manifest push ${DOCKER_TAG}-debug
docker manifest push ${{ env.DOCKER_BRANCH }}-debug docker manifest push ${DOCKER_BRANCH}-debug
docker manifest push ${{ env.GHCR_TAG }}-debug docker manifest push ${GHCR_TAG}-debug
docker manifest push ${{ env.GHCR_BRANCH }}-debug docker manifest push ${GHCR_BRANCH}-debug
docker manifest push ${{ env.GLCR_TAG }}-debug docker manifest push ${GLCR_TAG}-debug
docker manifest push ${{ env.GLCR_BRANCH }}-debug docker manifest push ${GLCR_BRANCH}-debug
- name: Add Image Links to Job Summary - name: Add Image Links to Job Summary
if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }} if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }}
run: | run: |
echo "- \`docker pull ${{ env.DOCKER_TAG }}\`" >> $GITHUB_STEP_SUMMARY echo "- \`docker pull ${DOCKER_TAG}\`" >> $GITHUB_STEP_SUMMARY
echo "- \`docker pull ${{ env.GHCR_TAG }}\`" >> $GITHUB_STEP_SUMMARY echo "- \`docker pull ${GHCR_TAG}\`" >> $GITHUB_STEP_SUMMARY
echo "- \`docker pull ${{ env.GLCR_TAG }}\`" >> $GITHUB_STEP_SUMMARY echo "- \`docker pull ${GLCR_TAG}\`" >> $GITHUB_STEP_SUMMARY
echo "- \`docker pull ${{ env.DOCKER_TAG }}-debug\`" >> $GITHUB_STEP_SUMMARY echo "- \`docker pull ${DOCKER_TAG}-debug\`" >> $GITHUB_STEP_SUMMARY
echo "- \`docker pull ${{ env.GHCR_TAG }}-debug\`" >> $GITHUB_STEP_SUMMARY echo "- \`docker pull ${GHCR_TAG}-debug\`" >> $GITHUB_STEP_SUMMARY
echo "- \`docker pull ${{ env.GLCR_TAG }}-debug\`" >> $GITHUB_STEP_SUMMARY echo "- \`docker pull ${GLCR_TAG}-debug\`" >> $GITHUB_STEP_SUMMARY

8
.github/workflows/documentation.yml vendored
View file

@ -36,6 +36,8 @@ concurrency:
group: "pages" group: "pages"
cancel-in-progress: false cancel-in-progress: false
permissions: {}
jobs: jobs:
docs: docs:
name: Documentation and GitHub Pages name: Documentation and GitHub Pages
@ -61,6 +63,8 @@ jobs:
- name: Sync repository - name: Sync repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with:
persist-credentials: false
- name: Setup GitHub Pages - name: Setup GitHub Pages
if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main') && (github.event_name != 'pull_request') if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main') && (github.event_name != 'pull_request')
@ -109,8 +113,8 @@ jobs:
if: ${{ (env.ATTIC_ENDPOINT != '') && (env.ATTIC_PUBLIC_KEY != '') }} if: ${{ (env.ATTIC_ENDPOINT != '') && (env.ATTIC_PUBLIC_KEY != '') }}
run: | run: |
sudo tee -a "${XDG_CONFIG_HOME:-$HOME/.config}/nix/nix.conf" > /dev/null <<EOF sudo tee -a "${XDG_CONFIG_HOME:-$HOME/.config}/nix/nix.conf" > /dev/null <<EOF
extra-substituters = ${{ env.ATTIC_ENDPOINT }} extra-substituters = ${ATTIC_ENDPOINT}
extra-trusted-public-keys = ${{ env.ATTIC_PUBLIC_KEY }} extra-trusted-public-keys = ${ATTIC_PUBLIC_KEY}
EOF EOF
- name: Prepare build environment - name: Prepare build environment

154
.github/workflows/release.yml vendored
View file

@ -14,93 +14,101 @@ on:
required: true required: true
type: string type: string
permissions: permissions: {}
contents: writes
jobs: jobs:
build: publish:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: write
env:
GH_EVENT_NAME: ${{ github.event_name }}
GH_EVENT_INPUTS_ACTION_ID: ${{ github.event.inputs.action_id }}
GH_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }}
GH_REPOSITORY: ${{ github.repository }}
GH_SHA: ${{ github.sha }}
GH_TAG: ${{ github.event.release.tag_name }}
steps: steps:
- name: get latest ci id - name: get latest ci id
id: get_ci_id id: get_ci_id
env: env:
GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ github.token }}
run: | run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ] if [ "${GH_EVENT_NAME}" == "workflow_dispatch" ]; then
then id="${GH_EVENT_INPUTS_ACTION_ID}"
id="${{ github.event.inputs.action_id }}" tag="${GH_EVENT_INPUTS_TAG}"
tag="${{ github.event.inputs.tag }}" else
else # get all runs of the ci workflow
# get all runs of the ci workflow json=$(gh api "repos/${GH_REPOSITORY}/actions/workflows/ci.yml/runs")
json=$(gh api "repos/${{ github.repository }}/actions/workflows/ci.yml/runs")
# find first run that is github sha and status is completed # find first run that is github sha and status is completed
id=$(echo "$json" | jq ".workflow_runs[] | select(.head_sha == \"${{ github.sha }}\" and .status == \"completed\") | .id" | head -n 1) id=$(echo "$json" | jq ".workflow_runs[] | select(.head_sha == \"${GH_SHA}\" and .status == \"completed\") | .id" | head -n 1)
if [ ! "$id" ]; then
echo "No completed runs found" if [ ! "$id" ]; then
echo "ci_id=0" >> "$GITHUB_OUTPUT" echo "No completed runs found"
exit 0 echo "ci_id=0" >> "$GITHUB_OUTPUT"
exit 0
fi
tag="${GH_TAG}}"
fi fi
tag="${{ github.event.release.tag_name }}" echo "ci_id=$id" >> "$GITHUB_OUTPUT"
fi echo "tag=$tag" >> "$GITHUB_OUTPUT"
echo "ci_id=$id" >> "$GITHUB_OUTPUT" - name: get latest ci artifacts
echo "tag=$tag" >> "$GITHUB_OUTPUT" if: steps.get_ci_id.outputs.ci_id != 0
uses: actions/download-artifact@v4
env:
GH_TOKEN: ${{ github.token }}
with:
merge-multiple: true
run-id: ${{ steps.get_ci_id.outputs.ci_id }}
github-token: ${{ github.token }}
- name: get latest ci artifacts - run: |
if: steps.get_ci_id.outputs.ci_id != 0 ls
uses: actions/download-artifact@v4
env:
GH_TOKEN: ${{ github.token }}
with:
merge-multiple: true
run-id: ${{ steps.get_ci_id.outputs.ci_id }}
github-token: ${{ github.token }}
- run: | - name: upload release assets
ls if: steps.get_ci_id.outputs.ci_id != 0
env:
GH_TOKEN: ${{ github.token }}
TAG: ${{ steps.get_ci_id.outputs.tag }}
run: |
for file in $(find . -type f); do
echo "Uploading $file..."
gh release upload $TAG "$file" --clobber --repo="${GH_REPOSITORY}" || echo "Something went wrong, skipping."
done
- name: upload release assets - name: upload release assets to website
if: steps.get_ci_id.outputs.ci_id != 0 if: steps.get_ci_id.outputs.ci_id != 0
env: env:
GH_TOKEN: ${{ github.token }} TAG: ${{ steps.get_ci_id.outputs.tag }}
TAG: ${{ steps.get_ci_id.outputs.tag }} run: |
run: | mkdir -p -v ~/.ssh
for file in $(find . -type f); do
echo "Uploading $file..."
gh release upload $TAG "$file" --clobber --repo="${{github.repository}}" || echo "Something went wrong, skipping."
done
- name: upload release assets to website echo "${{ secrets.WEB_UPLOAD_SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
if: steps.get_ci_id.outputs.ci_id != 0 echo "${{ secrets.WEB_UPLOAD_SSH_PRIVATE_KEY }}" >> ~/.ssh/id_ed25519
env:
TAG: ${{ steps.get_ci_id.outputs.tag }}
run: |
mkdir -p -v ~/.ssh
echo "${{ secrets.WEB_UPLOAD_SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts chmod 600 ~/.ssh/id_ed25519
echo "${{ secrets.WEB_UPLOAD_SSH_PRIVATE_KEY }}" >> ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519 cat >>~/.ssh/config <<END
Host website
HostName ${{ secrets.WEB_UPLOAD_SSH_HOSTNAME }}
User ${{ secrets.WEB_UPLOAD_SSH_USERNAME }}
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
AddKeysToAgent no
ForwardX11 no
BatchMode yes
END
cat >>~/.ssh/config <<END echo "Creating tag directory on web server"
Host website ssh -q website "rm -rf /var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/"
HostName ${{ secrets.WEB_UPLOAD_SSH_HOSTNAME }} ssh -q website "mkdir -v /var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/"
User ${{ secrets.WEB_UPLOAD_SSH_USERNAME }}
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
AddKeysToAgent no
ForwardX11 no
BatchMode yes
END
echo "Creating tag directory on web server" for file in $(find . -type f); do
ssh -q website "rm -rf /var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/" echo "Uploading $file to website"
ssh -q website "mkdir -v /var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/" scp $file website:/var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/$file
done
for file in $(find . -type f); do
echo "Uploading $file to website"
scp $file website:/var/www/girlboss.ceo/~strawberry/conduwuit/releases/$TAG/$file
done