fix(workflow): add packages write permission and improve release dele… #164
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: docker | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| env: | |
| REGISTRY: ghcr.io | |
| VORPAL_DEV_IMAGE: alt-f4-llc/vorpal-dev | |
| VORPAL_SANDBOX_IMAGE: alt-f4-llc/vorpal-sandbox | |
| jobs: | |
| dev: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| attestations: write | |
| contents: read | |
| id-token: write | |
| packages: write | |
| steps: | |
| - uses: docker/setup-qemu-action@v3 | |
| - uses: docker/setup-buildx-action@v3 | |
| - uses: actions/checkout@v4 | |
| - id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| annotations: | | |
| org.opencontainers.image.description=Build and deliver software reliably with one magical tool. | |
| images: ${{ env.REGISTRY }}/${{ env.VORPAL_DEV_IMAGE }} | |
| labels: | | |
| org.opencontainers.image.title=${{ env.VORPAL_DEV_IMAGE }} | |
| org.opencontainers.image.description=Build and deliver software reliably with one magical tool. | |
| org.opencontainers.image.vendor=ALT-F4-LLC | |
| tags: | | |
| edge | |
| - if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| - id: push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| file: Dockerfile.dev | |
| labels: ${{ steps.meta.outputs.labels }} | |
| platforms: linux/amd64,linux/arm64 | |
| push: ${{ github.ref == 'refs/heads/main' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| - if: github.ref == 'refs/heads/main' | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| push-to-registry: true | |
| subject-digest: ${{ steps.push.outputs.digest }} | |
| subject-name: ${{ env.REGISTRY }}/${{ env.VORPAL_DEV_IMAGE }} | |
| sandbox: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| attestations: write | |
| contents: read | |
| id-token: write | |
| packages: write | |
| steps: | |
| - uses: docker/setup-qemu-action@v3 | |
| - uses: docker/setup-buildx-action@v3 | |
| - uses: actions/checkout@v4 | |
| - id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| annotations: | | |
| org.opencontainers.image.description=Build and deliver software reliably with one magical tool. | |
| images: ${{ env.REGISTRY }}/${{ env.VORPAL_SANDBOX_IMAGE }} | |
| labels: | | |
| org.opencontainers.image.title=${{ env.VORPAL_SANDBOX_IMAGE }} | |
| org.opencontainers.image.description=Build and deliver software reliably with one magical tool. | |
| org.opencontainers.image.vendor=ALT-F4-LLC | |
| tags: | | |
| edge | |
| - if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| - id: push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| file: Dockerfile.sandbox | |
| labels: ${{ steps.meta.outputs.labels }} | |
| platforms: linux/amd64,linux/arm64 | |
| push: ${{ github.ref == 'refs/heads/main' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| - if: github.ref == 'refs/heads/main' | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| push-to-registry: true | |
| subject-digest: ${{ steps.push.outputs.digest }} | |
| subject-name: ${{ env.REGISTRY }}/${{ env.VORPAL_SANDBOX_IMAGE }} | |
| code-quality: | |
| env: | |
| DOCKER_BUILD_RECORD_UPLOAD: false | |
| DOCKER_BUILD_SUMMARY: false | |
| needs: | |
| - dev | |
| - sandbox | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: docker/setup-buildx-action@v3 | |
| - uses: actions/checkout@v4 | |
| - uses: docker/build-push-action@v6 | |
| with: | |
| cache-from: type=gha | |
| file: Dockerfile.dev | |
| load: true | |
| tags: ${{ env.REGISTRY }}/${{ env.VORPAL_DEV_IMAGE }}:edge | |
| - run: | | |
| echo "ARCH=$(uname -m | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV | |
| echo "OS=$(uname -s | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV | |
| - uses: actions/cache/restore@v4 | |
| with: | |
| key: target-${{ env.ARCH }}-${{ env.OS }}-${{ hashFiles('**/Cargo.*') }} | |
| path: target | |
| - run: ./dev.sh just format | |
| - run: ./dev.sh just lint | |
| package: | |
| env: | |
| DOCKER_BUILD_RECORD_UPLOAD: false | |
| DOCKER_BUILD_SUMMARY: false | |
| needs: | |
| - code-quality | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, ubuntu-latest-arm64] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: docker/setup-buildx-action@v3 | |
| - uses: actions/checkout@v4 | |
| - uses: docker/build-push-action@v6 | |
| with: | |
| cache-from: type=gha | |
| file: Dockerfile.dev | |
| load: true | |
| tags: ${{ env.REGISTRY }}/${{ env.VORPAL_DEV_IMAGE }}:edge | |
| - run: | | |
| echo "ARCH=$(uname -m | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV | |
| echo "OS=$(uname -s | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV | |
| - uses: actions/cache/restore@v4 | |
| with: | |
| key: target-${{ env.ARCH }}-${{ env.OS }}-${{ hashFiles('**/Cargo.*') }} | |
| path: target | |
| - run: ./dev.sh just check --release | |
| - run: ./dev.sh just build --release | |
| - run: ./dev.sh just test --release | |
| - run: tar -czvf vorpal-$ARCH-$OS.tar.gz -C ./target/release vorpal | |
| - uses: actions/cache/save@v4 | |
| with: | |
| key: target-${{ env.ARCH }}-${{ env.OS }}-${{ hashFiles('**/Cargo.*') }} | |
| path: target | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: vorpal-${{ env.ARCH }}-${{ env.OS }} | |
| path: vorpal-${{ env.ARCH }}-${{ env.OS }}.tar.gz | |
| release: | |
| needs: | |
| - package | |
| permissions: | |
| attestations: write | |
| contents: read | |
| id-token: write | |
| packages: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| pattern: vorpal-* | |
| - run: git fetch --tags | |
| - if: github.ref == 'refs/heads/main' | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| if gh release view edge > /dev/null 2>&1; then | |
| gh release delete --cleanup-tag --yes edge | |
| fi | |
| git tag edge | |
| git push --tags | |
| - if: github.ref == 'refs/heads/main' | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| fail_on_unmatched_files: true | |
| files: | | |
| vorpal-aarch64-linux/vorpal-aarch64-linux.tar.gz | |
| vorpal-x86_64-linux/vorpal-x86_64-linux.tar.gz | |
| generate_release_notes: true | |
| name: edge | |
| prerelease: true | |
| tag_name: refs/tags/edge | |
| - run: | | |
| tar -xzf vorpal-aarch64-linux/vorpal-aarch64-linux.tar.gz | |
| tar -xzf vorpal-x86_64-linux/vorpal-x86_64-linux.tar.gz | |
| ls -alh | |
| - if: github.ref == 'refs/heads/main' | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: vorpal-aarch64-linux/vorpal | |
| - if: github.ref == 'refs/heads/main' | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: vorpal-x86_64-linux/vorpal |