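# CI workflow: runs the test suite and Complement, builds static musl binaries,
# .deb packages and OCI images, builds macOS binaries, and publishes images to
# Docker Hub, GHCR and the GitLab registry.
#
# NOTE(review): this copy was re-laid-out from a page whose line breaks and
# indentation had been collapsed. Nesting and shell line breaks are inferred
# from syntax (for instance, SOURCE_DATE_EPOCH and CONDUWUIT_VERSION_EXTRA are
# laid out as environment prefixes of the command that follows them). Four
# spots where the page lost text are marked below and kept verbatim. Confirm
# against the repository before using this file.
name: CI and Artifacts

on:
  pull_request:
  push:
    paths-ignore:
      - '.gitlab-ci.yml'
      - '.gitignore'
      - 'renovate.json'
      - 'debian/**'
      - 'docker/**'
    branches:
      - main
    tags:
      - '*'
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# NOTE(review): the group key is not namespaced by workflow or event. A pull
# request whose head branch has the same name as a pushed branch or tag lands
# in the same group, and cancel-in-progress then cancels the other run.
# Consider prefixing the key with `github.workflow` and `github.event_name`.
concurrency:
  group: ${{ github.head_ref || github.ref_name }}
  cancel-in-progress: true

# NOTE(review): everything under this workflow-level `env` is exported to every
# step of every job, including third-party actions and the build scripts. The
# AWS, Attic and Cachix credentials would be better scoped to the jobs or steps
# that actually publish.
env:
  # sccache only on main repo
  SCCACHE_GHA_ENABLED: "${{ (github.event.pull_request.draft != true) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && (vars.SCCACHE_ENDPOINT != '') && (github.event.pull_request.user.login != 'renovate[bot]') && 'true' || 'false' }}"
  RUSTC_WRAPPER: "${{ (github.event.pull_request.draft != true) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && (vars.SCCACHE_ENDPOINT != '') && (github.event.pull_request.user.login != 'renovate[bot]') && 'sccache' || '' }}"
  SCCACHE_BUCKET: "${{ (github.event.pull_request.draft != true) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && (vars.SCCACHE_ENDPOINT != '') && (github.event.pull_request.user.login != 'renovate[bot]') && 'sccache' || '' }}"
  SCCACHE_S3_USE_SSL: ${{ vars.SCCACHE_S3_USE_SSL }}
  SCCACHE_REGION: ${{ vars.SCCACHE_REGION }}
  SCCACHE_ENDPOINT: ${{ vars.SCCACHE_ENDPOINT }}
  SCCACHE_CACHE_MULTIARCH: ${{ vars.SCCACHE_CACHE_MULTIARCH }}
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  # Required to make some things output color
  TERM: ansi
  # Publishing to my nix binary cache
  ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
  # conduwuit.cachix.org
  CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
  # Just in case incremental is still being set to true, speeds up CI
  CARGO_INCREMENTAL: 0
  # Custom nix binary cache if fork is being used
  ATTIC_ENDPOINT: ${{ vars.ATTIC_ENDPOINT }}
  ATTIC_PUBLIC_KEY: ${{ vars.ATTIC_PUBLIC_KEY }}
  # Get error output from nix that we can actually use, and use our binary caches for the earlier CI steps
  # NOTE(review): `accept-flake-config = true` makes Nix apply the `nixConfig`
  # of the flake being evaluated without prompting, and this workflow also runs
  # for pull requests; review flake `nixConfig` changes (substituters, trusted
  # keys) with that in mind.
  NIX_CONFIG: |
    show-trace = true
    extra-substituters = https://attic.kennel.juneis.dog/conduwuit https://attic.kennel.juneis.dog/conduit https://cache.lix.systems https://conduwuit.cachix.org https://aseipp-nix-cache.freetls.fastly.net
    extra-trusted-public-keys = conduit:eEKoUwlQGDdYmAI/Q/0slVlegqh/QmAvQd7HBSm21Wk= conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= conduwuit.cachix.org-1:MFRm6jcnfTf0jSAbmvLfhO3KBMt4px+1xaereWXp8Xg=
    experimental-features = nix-command flakes
    extra-experimental-features = nix-command flakes
    accept-flake-config = true
  # complement uses libolm
  NIXPKGS_ALLOW_INSECURE: 1

  WEB_UPLOAD_SSH_USERNAME: ${{ secrets.WEB_UPLOAD_SSH_USERNAME }}
  GH_SHA: ${{ github.sha }}
  GH_REF_NAME: ${{ github.ref_name }}

# Default token permissions are empty; jobs opt in to what they need.
permissions: {}

jobs:
  # Runs the CI test suite and the Complement tests, and uploads their logs.
  tests:
    name: Test
    runs-on: ubuntu-24.04
    steps:
      # Secrets are handed to the script through `env` and expanded by the
      # shell, not pasted into the script text with `${{ }}`: the values are
      # then never re-parsed as shell source.
      # NOTE(review): the page lost text after `cat >>~/.ssh/config <`
      # (apparently a here-document) up to a later `>> $GITHUB_STEP_SUMMARY`.
      # The here-document body and whatever steps followed it are not shown;
      # the surviving fragment is kept verbatim and is not runnable as-is.
      - name: Setup SSH web publish
        env:
          web_upload_ssh_private_key: ${{ secrets.WEB_UPLOAD_SSH_PRIVATE_KEY }}
          web_upload_ssh_known_hosts: ${{ secrets.WEB_UPLOAD_SSH_KNOWN_HOSTS }}
        if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]'
        run: |
          mkdir -p -v ~/.ssh

          printf '%s\n' "$web_upload_ssh_known_hosts" >> ~/.ssh/known_hosts
          printf '%s\n' "$web_upload_ssh_private_key" >> ~/.ssh/id_ed25519

          chmod 600 ~/.ssh/id_ed25519

          cat >>~/.ssh/config <> $GITHUB_STEP_SUMMARY
          exit 1
          fi

      # NOTE(review): `@master` is a mutable branch ref, so whatever is pushed
      # there runs in this job with the workflow-level credentials in its
      # environment. Pin to a full commit SHA (`@<commit-sha>`, placeholder).
      - uses: nixbuild/nix-quick-install-action@master

      - name: Restore and cache Nix store
        uses: nix-community/cache-nix-action@v5.1.0
        with:
          # restore and save a cache using this key
          # NOTE(review): the second pattern was '**/.lock', which only matches
          # files literally named `.lock`; presumably `*.lock` was intended so
          # that lock-file changes produce a new key. Confirm.
          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/*.lock') }}
          # if there's no cache hit, restore a cache by this prefix
          restore-prefixes-first-match: nix-${{ runner.os }}-
          # collect garbage until Nix store size (in bytes) is at most this number
          # before trying to save a new cache
          gc-max-store-size-linux: 2073741824
          # do purge caches
          purge: true
          # purge all versions of the cache
          purge-prefixes: nix-${{ runner.os }}-
          # created more than this number of seconds ago relative to the start of the `Post Restore` phase
          purge-last-accessed: 86400
          # except the version with the `primary-key`, if it exists
          purge-primary-key: never
          # always save the cache
          save-always: true

      - name: Enable Cachix binary cache
        run: |
          nix profile install nixpkgs#cachix

          cachix use crane
          cachix use nix-community

      # NOTE(review): the page lost text in the first command below (apparently
      # two here-documents and the step headers between them). The direnv
      # commands that follow most likely belong to a later step whose header is
      # missing. The surviving text is kept verbatim.
      - name: Apply Nix binary cache configuration
        run: |
          sudo tee -a "${XDG_CONFIG_HOME:-$HOME/.config}/nix/nix.conf" > /dev/null < /dev/null < "$HOME/.direnvrc"
          nix profile install --inputs-from . nixpkgs#direnv nixpkgs#nix-direnv
          direnv allow
          nix develop .#all-features --command true

      - name: Cache CI dependencies
        run: |
          bin/nix-build-and-cache ci
          bin/nix-build-and-cache just '.#devShells.x86_64-linux.default'
          bin/nix-build-and-cache just '.#devShells.x86_64-linux.all-features'
          bin/nix-build-and-cache just '.#devShells.x86_64-linux.dynamic'

      # use sccache for Rust
      # NOTE(review): `@main` is a mutable branch ref; pin to a full commit SHA.
      - name: Run sccache-cache
        if: (env.SCCACHE_GHA_ENABLED == 'true')
        uses: mozilla-actions/sccache-action@main

      # use rust-cache
      - uses: Swatinem/rust-cache@v2
        with:
          cache-all-crates: "true"
          cache-on-failure: "true"
          cache-targets: "true"

      - name: Run CI tests
        env:
          CARGO_PROFILE: "test"
        run: |
          direnv exec . engage > >(tee -a test_output.log)

      - name: Run Complement tests
        env:
          CARGO_PROFILE: "test"
        run: |
          # the nix devshell sets $COMPLEMENT_SRC, so "/dev/null" is no-op
          direnv exec . bin/complement "/dev/null" complement_test_logs.jsonl complement_test_results.jsonl > >(tee -a test_output.log)
          cp -v -f result complement_oci_image.tar.gz

      - name: Upload Complement OCI image
        uses: actions/upload-artifact@v4
        with:
          name: complement_oci_image.tar.gz
          path: complement_oci_image.tar.gz
          if-no-files-found: error
          compression-level: 0

      - name: Upload Complement logs
        uses: actions/upload-artifact@v4
        with:
          name: complement_test_logs.jsonl
          path: complement_test_logs.jsonl
          if-no-files-found: error

      - name: Upload Complement results
        uses: actions/upload-artifact@v4
        with:
          name: complement_test_results.jsonl
          path: complement_test_results.jsonl
          if-no-files-found: error

      - name: Diff Complement results with checked-in repo results
        run: |
          diff -u --color=always tests/test_results/complement/test_results.jsonl complement_test_results.jsonl > >(tee -a complement_diff_output.log)

      # Writes either a success line or the tail of the test and diff logs
      # (ANSI colour codes stripped) to the job summary.
      - name: Update Job Summary
        env:
          GH_JOB_STATUS: ${{ job.status }}
        if: success() || failure()
        run: |
          if [ "${GH_JOB_STATUS}" == 'success' ]; then
            echo '# ✅ completed suwuccessfully' >> $GITHUB_STEP_SUMMARY
          else
            echo '# CI failure' >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
            tail -n 40 test_output.log | sed 's/\x1b\[[0-9;]*m//g' >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY

            echo '# Complement diff results' >> $GITHUB_STEP_SUMMARY
            echo '```diff' >> $GITHUB_STEP_SUMMARY
            tail -n 100 complement_diff_output.log | sed 's/\x1b\[[0-9;]*m//g' >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
          fi

      - name: Run cargo clean test artifacts to free up space
        run: |
          cargo clean --profile test

  # Builds static release and debug binaries, .deb packages and OCI images for
  # each musl target, then uploads them as artifacts and to the web server.
  build:
    name: Build
    runs-on: ubuntu-24.04
    strategy:
      matrix:
        include:
          - target: aarch64-linux-musl
          - target: x86_64-linux-musl
    steps:
      - name: Free up a bit of runner space
        run: |
          set +o pipefail
          sudo docker image prune --all --force || true
          sudo apt purge -y 'php.*' '^mongodb-.*' '^mysql-.*' azure-cli google-cloud-cli google-chrome-stable firefox powershell microsoft-edge-stable || true
          sudo apt clean
          sudo rm -rf /usr/local/lib/android /usr/local/julia* /usr/local/games /usr/local/sqlpackage /usr/local/share/powershell /usr/local/share/edge_driver /usr/local/share/gecko_driver /usr/local/share/chromium /usr/local/share/chromedriver-linux64 /usr/lib/google-cloud-sdk /usr/lib/jvm /usr/lib/mono /usr/local/lib/heroku /usr/lib/heroku /usr/local/share/boost /usr/share/dotnet /usr/local/bin/cmake* /usr/local/bin/stack /usr/local/bin/terraform /opt/microsoft/powershell /opt/hostedtoolcache/CodeQL /opt/hostedtoolcache/go /opt/hostedtoolcache/PyPy /usr/local/bin/sam || true
          set -o pipefail

      - name: Sync repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Secrets are handed to the script through `env` and expanded by the
      # shell, not pasted into the script text with `${{ }}`.
      # NOTE(review): the page lost text after `cat >>~/.ssh/config <`
      # (apparently several here-documents and the step headers between them).
      # The direnv commands that follow most likely belong to a later step whose
      # header is missing. The surviving text is kept verbatim and is not
      # runnable as-is.
      - name: Setup SSH web publish
        env:
          web_upload_ssh_private_key: ${{ secrets.WEB_UPLOAD_SSH_PRIVATE_KEY }}
          web_upload_ssh_known_hosts: ${{ secrets.WEB_UPLOAD_SSH_KNOWN_HOSTS }}
        if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]'
        run: |
          mkdir -p -v ~/.ssh

          printf '%s\n' "$web_upload_ssh_known_hosts" >> ~/.ssh/known_hosts
          printf '%s\n' "$web_upload_ssh_private_key" >> ~/.ssh/id_ed25519

          chmod 600 ~/.ssh/id_ed25519

          cat >>~/.ssh/config < /dev/null < /dev/null < "$HOME/.direnvrc"
          nix profile install --impure --inputs-from . nixpkgs#direnv nixpkgs#nix-direnv
          direnv allow
          nix develop .#all-features --command true --impure

      # use sccache for Rust
      # NOTE(review): `@main` is a mutable branch ref; pin to a full commit SHA.
      - name: Run sccache-cache
        if: (env.SCCACHE_GHA_ENABLED == 'true')
        uses: mozilla-actions/sccache-action@main

      # use rust-cache
      - uses: Swatinem/rust-cache@v2
        with:
          cache-all-crates: "true"
          cache-on-failure: "true"
          cache-targets: "true"

      - name: Build static ${{ matrix.target }}-all-features
        run: |
          if [[ ${{ matrix.target }} == "x86_64-linux-musl" ]]
          then
            CARGO_DEB_TARGET_TUPLE="x86_64-unknown-linux-musl"
          elif [[ ${{ matrix.target }} == "aarch64-linux-musl" ]]
          then
            CARGO_DEB_TARGET_TUPLE="aarch64-unknown-linux-musl"
          fi

          SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) bin/nix-build-and-cache just .#static-${{ matrix.target }}-all-features

          mkdir -v -p target/release/
          mkdir -v -p target/$CARGO_DEB_TARGET_TUPLE/release/
          cp -v -f result/bin/conduwuit target/release/conduwuit
          cp -v -f result/bin/conduwuit target/$CARGO_DEB_TARGET_TUPLE/release/conduwuit
          direnv exec . cargo deb --verbose --no-build --no-strip -p conduwuit --target=$CARGO_DEB_TARGET_TUPLE --output target/release/${{ matrix.target }}.deb
          mv -v target/release/conduwuit static-${{ matrix.target }}
          mv -v target/release/${{ matrix.target }}.deb ${{ matrix.target }}.deb

      - name: Build static x86_64-linux-musl-all-features-x86_64-haswell-optimised
        if: ${{ matrix.target == 'x86_64-linux-musl' }}
        run: |
          CARGO_DEB_TARGET_TUPLE="x86_64-unknown-linux-musl"

          SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) bin/nix-build-and-cache just .#static-x86_64-linux-musl-all-features-x86_64-haswell-optimised

          mkdir -v -p target/release/
          mkdir -v -p target/$CARGO_DEB_TARGET_TUPLE/release/
          cp -v -f result/bin/conduwuit target/release/conduwuit
          cp -v -f result/bin/conduwuit target/$CARGO_DEB_TARGET_TUPLE/release/conduwuit
          direnv exec . cargo deb --verbose --no-build --no-strip -p conduwuit --target=$CARGO_DEB_TARGET_TUPLE --output target/release/x86_64-linux-musl-x86_64-haswell-optimised.deb
          mv -v target/release/conduwuit static-x86_64-linux-musl-x86_64-haswell-optimised
          mv -v target/release/x86_64-linux-musl-x86_64-haswell-optimised.deb x86_64-linux-musl-x86_64-haswell-optimised.deb

      # quick smoke test of the x86_64 static release binary
      - name: Quick smoke test the x86_64 static release binary
        if: ${{ matrix.target == 'x86_64-linux-musl' }}
        run: |
          # GH actions default runners are x86_64 only
          if file result/bin/conduwuit | grep x86-64; then
            result/bin/conduwuit --version
            result/bin/conduwuit --help
            result/bin/conduwuit -Oserver_name="'$(date -u +%s).local'" -Odatabase_path="'/tmp/$(date -u +%s)'" --execute "server admin-notice awawawawawawawawawawa" --execute "server memory-usage" --execute "server shutdown"
          fi

      - name: Build static debug ${{ matrix.target }}-all-features
        run: |
          if [[ ${{ matrix.target }} == "x86_64-linux-musl" ]]
          then
            CARGO_DEB_TARGET_TUPLE="x86_64-unknown-linux-musl"
          elif [[ ${{ matrix.target }} == "aarch64-linux-musl" ]]
          then
            CARGO_DEB_TARGET_TUPLE="aarch64-unknown-linux-musl"
          fi

          SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) bin/nix-build-and-cache just .#static-${{ matrix.target }}-all-features-debug

          # > warning: dev profile is not supported and will be a hard error in the future. cargo-deb is for making releases, and it doesn't make sense to use it with dev profiles.
          # so we need to coerce cargo-deb into thinking this is a release binary
          mkdir -v -p target/release/
          mkdir -v -p target/$CARGO_DEB_TARGET_TUPLE/release/
          cp -v -f result/bin/conduwuit target/release/conduwuit
          cp -v -f result/bin/conduwuit target/$CARGO_DEB_TARGET_TUPLE/release/conduwuit
          direnv exec . cargo deb --verbose --no-build --no-strip -p conduwuit --target=$CARGO_DEB_TARGET_TUPLE --output target/release/${{ matrix.target }}-debug.deb
          mv -v target/release/conduwuit static-${{ matrix.target }}-debug
          mv -v target/release/${{ matrix.target }}-debug.deb ${{ matrix.target }}-debug.deb

      # quick smoke test of the x86_64 static debug binary
      - name: Run x86_64 static debug binary
        run: |
          # GH actions default runners are x86_64 only
          if file result/bin/conduwuit | grep x86-64; then
            result/bin/conduwuit --version
          fi

      # check validity of produced deb package, invalid debs will error on these commands
      - name: Validate produced deb package
        run: |
          # List contents
          dpkg-deb --contents ${{ matrix.target }}.deb
          dpkg-deb --contents ${{ matrix.target }}-debug.deb
          # List info
          dpkg-deb --info ${{ matrix.target }}.deb
          dpkg-deb --info ${{ matrix.target }}-debug.deb

      - name: Upload static-x86_64-linux-musl-all-features-x86_64-haswell-optimised to GitHub
        uses: actions/upload-artifact@v4
        if: ${{ matrix.target == 'x86_64-linux-musl' }}
        with:
          name: static-x86_64-linux-musl-x86_64-haswell-optimised
          path: static-x86_64-linux-musl-x86_64-haswell-optimised
          if-no-files-found: error

      - name: Upload static-${{ matrix.target }}-all-features to GitHub
        uses: actions/upload-artifact@v4
        with:
          name: static-${{ matrix.target }}
          path: static-${{ matrix.target }}
          if-no-files-found: error

      - name: Upload static deb ${{ matrix.target }}-all-features to GitHub
        uses: actions/upload-artifact@v4
        with:
          name: deb-${{ matrix.target }}
          path: ${{ matrix.target }}.deb
          if-no-files-found: error
          compression-level: 0

      # The web-server uploads test the variable quoted (`-n "$VAR"`) so an
      # empty or unset value is handled explicitly instead of by accident.
      - name: Upload static-x86_64-linux-musl-all-features-x86_64-haswell-optimised to webserver
        if: ${{ matrix.target == 'x86_64-linux-musl' }}
        run: |
          if [ -n "$WEB_UPLOAD_SSH_USERNAME" ]; then
            scp static-x86_64-linux-musl-x86_64-haswell-optimised website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/static-x86_64-linux-musl-x86_64-haswell-optimised
          fi

      # NOTE(review): `env.web_upload_ssh_private_key` is defined only in the
      # `env` of the "Setup SSH web publish" step; no workflow- or job-level
      # `env` shown here sets it. In this step (and the other upload steps that
      # share this condition) it therefore evaluates to '' and the step is
      # skipped, unlike the haswell uploads. Confirm which behaviour is
      # intended before changing it, since it decides what gets published.
      - name: Upload static-${{ matrix.target }}-all-features to webserver
        if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]'
        run: |
          if [ -n "$WEB_UPLOAD_SSH_USERNAME" ]; then
            scp static-${{ matrix.target }} website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/static-${{ matrix.target }}
          fi

      - name: Upload static deb x86_64-linux-musl-all-features-x86_64-haswell-optimised to webserver
        if: ${{ matrix.target == 'x86_64-linux-musl' }}
        run: |
          if [ -n "$WEB_UPLOAD_SSH_USERNAME" ]; then
            scp x86_64-linux-musl-x86_64-haswell-optimised.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/x86_64-linux-musl-x86_64-haswell-optimised.deb
          fi

      - name: Upload static deb ${{ matrix.target }}-all-features to webserver
        if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]'
        run: |
          if [ -n "$WEB_UPLOAD_SSH_USERNAME" ]; then
            scp ${{ matrix.target }}.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/${{ matrix.target }}.deb
          fi

      - name: Upload static-${{ matrix.target }}-debug-all-features to GitHub
        uses: actions/upload-artifact@v4
        with:
          name: static-${{ matrix.target }}-debug
          path: static-${{ matrix.target }}-debug
          if-no-files-found: error

      - name: Upload static deb ${{ matrix.target }}-debug-all-features to GitHub
        uses: actions/upload-artifact@v4
        with:
          name: deb-${{ matrix.target }}-debug
          path: ${{ matrix.target }}-debug.deb
          if-no-files-found: error
          compression-level: 0

      - name: Upload static-${{ matrix.target }}-debug-all-features to webserver
        if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]'
        run: |
          if [ -n "$WEB_UPLOAD_SSH_USERNAME" ]; then
            scp static-${{ matrix.target }}-debug website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/static-${{ matrix.target }}-debug
          fi

      - name: Upload static deb ${{ matrix.target }}-debug-all-features to webserver
        if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]'
        run: |
          if [ -n "$WEB_UPLOAD_SSH_USERNAME" ]; then
            scp ${{ matrix.target }}-debug.deb website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/${{ matrix.target }}-debug.deb
          fi

      - name: Build OCI image ${{ matrix.target }}-all-features
        run: |
          bin/nix-build-and-cache just .#oci-image-${{ matrix.target }}-all-features
          cp -v -f result oci-image-${{ matrix.target }}.tar.gz

      - name: Build OCI image x86_64-linux-musl-all-features-x86_64-haswell-optimised
        if: ${{ matrix.target == 'x86_64-linux-musl' }}
        run: |
          bin/nix-build-and-cache just .#oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised
          cp -v -f result oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz

      - name: Build debug OCI image ${{ matrix.target }}-all-features
        run: |
          bin/nix-build-and-cache just .#oci-image-${{ matrix.target }}-all-features-debug
          cp -v -f result oci-image-${{ matrix.target }}-debug.tar.gz

      - name: Upload OCI image ${{ matrix.target }}-all-features to GitHub
        uses: actions/upload-artifact@v4
        with:
          name: oci-image-${{ matrix.target }}
          path: oci-image-${{ matrix.target }}.tar.gz
          if-no-files-found: error
          compression-level: 0

      - name: Upload OCI image ${{ matrix.target }}-debug-all-features to GitHub
        uses: actions/upload-artifact@v4
        with:
          name: oci-image-${{ matrix.target }}-debug
          path: oci-image-${{ matrix.target }}-debug.tar.gz
          if-no-files-found: error
          compression-level: 0

      - name: Upload OCI image x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz to webserver
        if: ${{ matrix.target == 'x86_64-linux-musl' }}
        run: |
          if [ -n "$WEB_UPLOAD_SSH_USERNAME" ]; then
            scp oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/oci-image-x86_64-linux-musl-all-features-x86_64-haswell-optimised.tar.gz
          fi

      - name: Upload OCI image ${{ matrix.target }}-all-features to webserver
        if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]'
        run: |
          if [ -n "$WEB_UPLOAD_SSH_USERNAME" ]; then
            scp oci-image-${{ matrix.target }}.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/oci-image-${{ matrix.target }}.tar.gz
          fi

      - name: Upload OCI image ${{ matrix.target }}-debug-all-features to webserver
        if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]'
        run: |
          if [ -n "$WEB_UPLOAD_SSH_USERNAME" ]; then
            scp oci-image-${{ matrix.target }}-debug.tar.gz website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/oci-image-${{ matrix.target }}-debug.tar.gz
          fi

  # Builds the macOS x86_64 and arm64 release binaries with plain cargo.
  build_mac_binaries:
    name: Build MacOS Binaries
    strategy:
      matrix:
        os: [macos-latest, macos-13]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Sync repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Secrets are handed to the script through `env` and expanded by the
      # shell, not pasted into the script text with `${{ }}`.
      # NOTE(review): the page lost text after `cat >>~/.ssh/config <`
      # (apparently a here-document) up to a later `>> $GITHUB_STEP_SUMMARY`.
      # The here-document body and whatever steps followed it are not shown;
      # the surviving fragment is kept verbatim and is not runnable as-is.
      - name: Setup SSH web publish
        env:
          web_upload_ssh_private_key: ${{ secrets.WEB_UPLOAD_SSH_PRIVATE_KEY }}
          web_upload_ssh_known_hosts: ${{ secrets.WEB_UPLOAD_SSH_KNOWN_HOSTS }}
        if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && (env.web_upload_ssh_private_key != '') && github.event.pull_request.user.login != 'renovate[bot]'
        run: |
          mkdir -p -v ~/.ssh

          printf '%s\n' "$web_upload_ssh_known_hosts" >> ~/.ssh/known_hosts
          printf '%s\n' "$web_upload_ssh_private_key" >> ~/.ssh/id_ed25519

          chmod 600 ~/.ssh/id_ed25519

          cat >>~/.ssh/config <> $GITHUB_STEP_SUMMARY
          exit 1
          fi

      # use sccache for Rust
      # NOTE(review): `@main` is a mutable branch ref; pin to a full commit SHA.
      - name: Run sccache-cache
        if: (env.SCCACHE_GHA_ENABLED == 'true')
        uses: mozilla-actions/sccache-action@main

      # use rust-cache
      - uses: Swatinem/rust-cache@v2
        with:
          cache-all-crates: "true"
          cache-on-failure: "true"
          cache-targets: "true"

      # Nix can't do portable macOS builds yet
      - name: Build macOS x86_64 binary
        if: ${{ matrix.os == 'macos-13' }}
        run: |
          CONDUWUIT_VERSION_EXTRA="$(git rev-parse --short ${{ github.sha }})" cargo build --release

          cp -v -f target/release/conduwuit conduwuit-macos-x86_64
          otool -L conduwuit-macos-x86_64

      # quick smoke test of the x86_64 macOS binary
      - name: Run x86_64 macOS release binary
        if: ${{ matrix.os == 'macos-13' }}
        run: |
          ./conduwuit-macos-x86_64 --version

      - name: Build macOS arm64 binary
        if: ${{ matrix.os == 'macos-latest' }}
        run: |
          CONDUWUIT_VERSION_EXTRA="$(git rev-parse --short ${{ github.sha }})" cargo build --release

          cp -v -f target/release/conduwuit conduwuit-macos-arm64
          otool -L conduwuit-macos-arm64

      # quick smoke test of the arm64 macOS binary
      - name: Run arm64 macOS release binary
        if: ${{ matrix.os == 'macos-latest' }}
        run: |
          ./conduwuit-macos-arm64 --version

      - name: Upload macOS x86_64 binary to webserver
        if: ${{ matrix.os == 'macos-13' }}
        run: |
          if [ -n "$WEB_UPLOAD_SSH_USERNAME" ]; then
            scp conduwuit-macos-x86_64 website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/conduwuit-macos-x86_64
          fi

      - name: Upload macOS arm64 binary to webserver
        if: ${{ matrix.os == 'macos-latest' }}
        run: |
          if [ -n "$WEB_UPLOAD_SSH_USERNAME" ]; then
            scp conduwuit-macos-arm64 website:/var/www/girlboss.ceo/~strawberry/conduwuit/ci-bins/${GH_SHA}/conduwuit-macos-arm64
          fi

      - name: Upload macOS x86_64 binary
        if: ${{ matrix.os == 'macos-13' }}
        uses: actions/upload-artifact@v4
        with:
          name: conduwuit-macos-x86_64
          path: conduwuit-macos-x86_64
          if-no-files-found: error

      - name: Upload macOS arm64 binary
        if: ${{ matrix.os == 'macos-latest' }}
        uses: actions/upload-artifact@v4
        with:
          name: conduwuit-macos-arm64
          path: conduwuit-macos-arm64
          if-no-files-found: error

  # Exposes the lower-cased repository name as a job output for image tags.
  variables:
    outputs:
      github_repository: ${{ steps.var.outputs.github_repository }}
    runs-on: "ubuntu-latest"
    steps:
      - name: Setting global variables
        uses: actions/github-script@v7
        id: var
        with:
          script: |
            core.setOutput('github_repository', '${{ github.repository }}'.toLowerCase())

  # Loads the OCI images built by `build`, pushes them to each registry that
  # has credentials configured, and publishes combined multi-arch manifests.
  docker:
    name: Docker publish
    runs-on: ubuntu-24.04
    needs: [build, variables]
    permissions:
      packages: write
      contents: read
    if: (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' || (github.event.pull_request.draft != true)) && github.event.pull_request.user.login != 'renovate[bot]'
    env:
      DOCKER_ARM64: docker.io/${{ needs.variables.outputs.github_repository }}:${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }}-arm64v8
      DOCKER_AMD64: docker.io/${{ needs.variables.outputs.github_repository }}:${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }}-amd64
      DOCKER_TAG: docker.io/${{ needs.variables.outputs.github_repository }}:${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }}
      DOCKER_BRANCH: docker.io/${{ needs.variables.outputs.github_repository }}:${{ (startsWith(github.ref, 'refs/tags/v') && !endsWith(github.ref, '-rc') && 'latest') || (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}
      GHCR_ARM64: ghcr.io/${{ needs.variables.outputs.github_repository }}:${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }}-arm64v8
      GHCR_AMD64: ghcr.io/${{ needs.variables.outputs.github_repository }}:${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }}-amd64
      GHCR_TAG: ghcr.io/${{ needs.variables.outputs.github_repository }}:${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }}
      GHCR_BRANCH: ghcr.io/${{ needs.variables.outputs.github_repository }}:${{ (startsWith(github.ref, 'refs/tags/v') && !endsWith(github.ref, '-rc') && 'latest') || (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}
      GLCR_ARM64: registry.gitlab.com/conduwuit/conduwuit:${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }}-arm64v8
      GLCR_AMD64: registry.gitlab.com/conduwuit/conduwuit:${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }}-amd64
      GLCR_TAG: registry.gitlab.com/conduwuit/conduwuit:${{ (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}-${{ github.sha }}
      GLCR_BRANCH: registry.gitlab.com/conduwuit/conduwuit:${{ (startsWith(github.ref, 'refs/tags/v') && !endsWith(github.ref, '-rc') && 'latest') || (github.head_ref != '' && format('merge-{0}-{1}', github.event.number, github.event.pull_request.user.login)) || github.ref_name }}

      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
      GHCR_ENABLED: "${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) && 'true' || 'false' }}"
    steps:
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to Docker Hub
        if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }}
        uses: docker/login-action@v3
        with:
          registry: docker.io
          username: ${{ vars.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GitLab Container Registry
        if: ${{ (vars.GITLAB_USERNAME != '') && (env.GITLAB_TOKEN != '') }}
        uses: docker/login-action@v3
        with:
          registry: registry.gitlab.com
          username: ${{ vars.GITLAB_USERNAME }}
          password: ${{ secrets.GITLAB_TOKEN }}

      - name: Download artifacts
        uses: actions/download-artifact@v4

      - name: Move OCI images into position
        run: |
          mv -v oci-image-x86_64-linux-musl/*.tar.gz oci-image-amd64.tar.gz
          mv -v oci-image-aarch64-linux-musl/*.tar.gz oci-image-arm64v8.tar.gz
          mv -v oci-image-x86_64-linux-musl-debug/*.tar.gz oci-image-amd64-debug.tar.gz
          mv -v oci-image-aarch64-linux-musl-debug/*.tar.gz oci-image-arm64v8-debug.tar.gz

      # In the steps below each registry is used only when its token (or, for
      # GHCR, the GHCR_ENABLED flag) is set; the tests quote their operands.
      - name: Load and push amd64 image
        run: |
          docker load -i oci-image-amd64.tar.gz
          if [ -n "$DOCKERHUB_TOKEN" ]; then
            docker tag $(docker images -q conduwuit:main) ${DOCKER_AMD64}
            docker push ${DOCKER_AMD64}
          fi
          if [ "$GHCR_ENABLED" = "true" ]; then
            docker tag $(docker images -q conduwuit:main) ${GHCR_AMD64}
            docker push ${GHCR_AMD64}
          fi
          if [ -n "$GITLAB_TOKEN" ]; then
            docker tag $(docker images -q conduwuit:main) ${GLCR_AMD64}
            docker push ${GLCR_AMD64}
          fi

      - name: Load and push arm64 image
        run: |
          docker load -i oci-image-arm64v8.tar.gz
          if [ -n "$DOCKERHUB_TOKEN" ]; then
            docker tag $(docker images -q conduwuit:main) ${DOCKER_ARM64}
            docker push ${DOCKER_ARM64}
          fi
          if [ "$GHCR_ENABLED" = "true" ]; then
            docker tag $(docker images -q conduwuit:main) ${GHCR_ARM64}
            docker push ${GHCR_ARM64}
          fi
          if [ -n "$GITLAB_TOKEN" ]; then
            docker tag $(docker images -q conduwuit:main) ${GLCR_ARM64}
            docker push ${GLCR_ARM64}
          fi

      - name: Load and push amd64 debug image
        run: |
          docker load -i oci-image-amd64-debug.tar.gz
          if [ -n "$DOCKERHUB_TOKEN" ]; then
            docker tag $(docker images -q conduwuit:main) ${DOCKER_AMD64}-debug
            docker push ${DOCKER_AMD64}-debug
          fi
          if [ "$GHCR_ENABLED" = "true" ]; then
            docker tag $(docker images -q conduwuit:main) ${GHCR_AMD64}-debug
            docker push ${GHCR_AMD64}-debug
          fi
          if [ -n "$GITLAB_TOKEN" ]; then
            docker tag $(docker images -q conduwuit:main) ${GLCR_AMD64}-debug
            docker push ${GLCR_AMD64}-debug
          fi

      - name: Load and push arm64 debug image
        run: |
          docker load -i oci-image-arm64v8-debug.tar.gz
          if [ -n "$DOCKERHUB_TOKEN" ]; then
            docker tag $(docker images -q conduwuit:main) ${DOCKER_ARM64}-debug
            docker push ${DOCKER_ARM64}-debug
          fi
          if [ "$GHCR_ENABLED" = "true" ]; then
            docker tag $(docker images -q conduwuit:main) ${GHCR_ARM64}-debug
            docker push ${GHCR_ARM64}-debug
          fi
          if [ -n "$GITLAB_TOKEN" ]; then
            docker tag $(docker images -q conduwuit:main) ${GLCR_ARM64}-debug
            docker push ${GLCR_ARM64}-debug
          fi

      - name: Create Docker combined manifests
        run: |
          # Dockerhub Container Registry
          if [ -n "$DOCKERHUB_TOKEN" ]; then
            docker manifest create ${DOCKER_TAG} --amend ${DOCKER_ARM64} --amend ${DOCKER_AMD64}
            docker manifest create ${DOCKER_BRANCH} --amend ${DOCKER_ARM64} --amend ${DOCKER_AMD64}
          fi
          # GitHub Container Registry
          if [ "$GHCR_ENABLED" = "true" ]; then
            docker manifest create ${GHCR_TAG} --amend ${GHCR_ARM64} --amend ${GHCR_AMD64}
            docker manifest create ${GHCR_BRANCH} --amend ${GHCR_ARM64} --amend ${GHCR_AMD64}
          fi
          # GitLab Container Registry
          if [ -n "$GITLAB_TOKEN" ]; then
            docker manifest create ${GLCR_TAG} --amend ${GLCR_ARM64} --amend ${GLCR_AMD64}
            docker manifest create ${GLCR_BRANCH} --amend ${GLCR_ARM64} --amend ${GLCR_AMD64}
          fi

      - name: Create Docker combined debug manifests
        run: |
          # Dockerhub Container Registry
          if [ -n "$DOCKERHUB_TOKEN" ]; then
            docker manifest create ${DOCKER_TAG}-debug --amend ${DOCKER_ARM64}-debug --amend ${DOCKER_AMD64}-debug
            docker manifest create ${DOCKER_BRANCH}-debug --amend ${DOCKER_ARM64}-debug --amend ${DOCKER_AMD64}-debug
          fi
          # GitHub Container Registry
          if [ "$GHCR_ENABLED" = "true" ]; then
            docker manifest create ${GHCR_TAG}-debug --amend ${GHCR_ARM64}-debug --amend ${GHCR_AMD64}-debug
            docker manifest create ${GHCR_BRANCH}-debug --amend ${GHCR_ARM64}-debug --amend ${GHCR_AMD64}-debug
          fi
          # GitLab Container Registry
          if [ -n "$GITLAB_TOKEN" ]; then
            docker manifest create ${GLCR_TAG}-debug --amend ${GLCR_ARM64}-debug --amend ${GLCR_AMD64}-debug
            docker manifest create ${GLCR_BRANCH}-debug --amend ${GLCR_ARM64}-debug --amend ${GLCR_AMD64}-debug
          fi

      - name: Push manifests to Docker registries
        run: |
          if [ -n "$DOCKERHUB_TOKEN" ]; then
            docker manifest push ${DOCKER_TAG}
            docker manifest push ${DOCKER_BRANCH}
            docker manifest push ${DOCKER_TAG}-debug
            docker manifest push ${DOCKER_BRANCH}-debug
          fi
          if [ "$GHCR_ENABLED" = "true" ]; then
            docker manifest push ${GHCR_TAG}
            docker manifest push ${GHCR_BRANCH}
            docker manifest push ${GHCR_TAG}-debug
            docker manifest push ${GHCR_BRANCH}-debug
          fi
          if [ -n "$GITLAB_TOKEN" ]; then
            docker manifest push ${GLCR_TAG}
            docker manifest push ${GLCR_BRANCH}
            docker manifest push ${GLCR_TAG}-debug
            docker manifest push ${GLCR_BRANCH}-debug
          fi

      - name: Add Image Links to Job Summary
        run: |
          if [ -n "$DOCKERHUB_TOKEN" ]; then
            echo "- \`docker pull ${DOCKER_TAG}\`" >> $GITHUB_STEP_SUMMARY
            echo "- \`docker pull ${DOCKER_TAG}-debug\`" >> $GITHUB_STEP_SUMMARY
          fi
          if [ "$GHCR_ENABLED" = "true" ]; then
            echo "- \`docker pull ${GHCR_TAG}\`" >> $GITHUB_STEP_SUMMARY
            echo "- \`docker pull ${GHCR_TAG}-debug\`" >> $GITHUB_STEP_SUMMARY
          fi
          if [ -n "$GITLAB_TOKEN" ]; then
            echo "- \`docker pull ${GLCR_TAG}\`" >> $GITHUB_STEP_SUMMARY
            echo "- \`docker pull ${GLCR_TAG}-debug\`" >> $GITHUB_STEP_SUMMARY
          fi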