ci-builds-and-releases #111

Workflow file for this run

.github/workflows/ci-builds-and-releases.yml at e20a069

	name: ci-builds-and-releases

	on:
	push:
	branches:
	- main
	release:
	types:
	- created
	schedule:
	- cron: "0 0 * * *"

	permissions:
	contents: read

	jobs:
	docker_build:
	name: Build and Push Docker Image
	runs-on: ubuntu-20.04
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit

	- name: Harden Runner
	uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit

	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
	- name: Log in to DockerHub
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}
	- name: Get short SHA
	id: vars
	run: echo "SHORT_SHA=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV
	- name: Get repo name
	id: repo_vars
	run: echo "GH_REPO_NAME=${GITHUB_REPOSITORY##*/}" >> $GITHUB_ENV
	- name: Build and Push Docker Image
	uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
	with:
	context: .
	tags: ${{ secrets.DOCKER_USERNAME }}/${{ env.GH_REPO_NAME }}:${{ env.SHORT_SHA }}, ${{ secrets.DOCKER_USERNAME }}/${{ env.GH_REPO_NAME }}:latest
	push: true
	platforms: 'linux/amd64,linux/arm64'
	labels: ${{ github.github_repository }}
	release:
	name: Create GitHub Release
	runs-on: ubuntu-20.04
	needs: docker_build
	permissions:
	contents: write
	actions: read
	discussions: write
	steps:
	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 0
	- name: Get last 4 commits
	id: last_commits
	run: \|
	printf "Changelogs:\n" > last_commits.txt
	git log -4 --pretty=format:"- %s (%h)" >> last_commits.txt
	- name: Determine next tag
	id: tag_version
	run: \|
	latest_tag=$(git describe --tags --abbrev=0 2>/dev/null \|\| echo "v0.0.0")
	echo "Latest tag: $latest_tag"
	IFS='.' read -r major minor patch <<< "${latest_tag#v}"
	patch=$((patch + 1))
	new_tag="v$major.$minor.$patch"
	while git rev-parse "$new_tag" >/dev/null 2>&1; do
	patch=$((patch + 1))
	new_tag="v$major.$minor.$patch"
	done
	echo "New tag: $new_tag"
	echo "TAG_NAME=$new_tag" >> $GITHUB_ENV
	- name: Create and push new tag
	run: \|
	git tag ${{ env.TAG_NAME }}
	git push origin ${{ env.TAG_NAME }}
	- name: Upload source code to GitHub Release
	uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
	with:
	body_path: last_commits.txt
	tag_name: ${{ env.TAG_NAME }}
	- name: Import GPG key
	run: \|
	echo "${{ secrets.GPG_PRIVATE_KEY }}" \| gpg --batch --import
	echo "use-agent" >> ~/.gnupg/gpg.conf
	echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
	echo RELOADAGENT \| gpg-connect-agent
	- name: Get Release ID
	run: \|
	RELEASE_ID=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/tags/${{ env.TAG_NAME }} \| jq -r '.id')
	echo "Release ID: $RELEASE_ID"
	echo "RELEASE_ID=$RELEASE_ID" >> $GITHUB_ENV
	- name: Sleep before fetching assets
	run: \|
	echo "Waiting for assets to be added to the release..."
	sleep 15
	- name: Get Release Assets and Log Response
	run: \|
	echo "Fetching assets for release ID: ${{ env.RELEASE_ID }}"
	ASSET_RESPONSE=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/${{ env.RELEASE_ID }}/assets)
	echo "Response from API:"
	echo "$ASSET_RESPONSE"
	RELEASE_ASSETS=$(echo "$ASSET_RESPONSE" \| jq -r '.[] \| select(.name != "source code") \| .url')
	echo "Assets: $RELEASE_ASSETS"

	if [ -z "$RELEASE_ASSETS" ]; then
	echo "No assets found. Exiting."
	exit 1
	fi
	- name: Sign and Upload Assets
	if: success()
	run: \|
	for asset_url in $RELEASE_ASSETS; do
	echo "Downloading and signing asset: $asset_url"
	curl -sSL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
	-H "Accept: application/octet-stream" $asset_url -o asset

	gpg --detach-sign -a asset
	asset_name=$(basename $asset_url)

	echo "Uploading signature for $asset_name"
	curl -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
	-H "Content-Type: application/octet-stream" \
	--data-binary @asset.sig \
	"https://uploads.github.com/repos/${{ github.repository }}/releases/${{ env.RELEASE_ID }}/assets?name=${asset_name}.asc"
	done

	- name: Sign and Upload Source Code Assets
	run: \|
	for asset_name in "source code.zip" "source code.tar.gz"; do
	asset_url=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/${{ env.RELEASE_ID }}/assets \| jq -r '.[] \| select(.name == "'$asset_name'") \| .url')

	if [ -n "$asset_url" ]; then
	echo "Downloading and signing asset: $asset_name"
	curl -sSL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
	-H "Accept: application/octet-stream" $asset_url -o asset

	gpg --detach-sign -a asset

	echo "Uploading signature for $asset_name"
	curl -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
	-H "Content-Type: application/octet-stream" \
	--data-binary @asset.sig \
	"https://uploads.github.com/repos/${{ github.repository }}/releases/${{ env.RELEASE_ID }}/assets?name=${asset_name}.asc"
	else
	echo "No asset found for $asset_name"
	fi
	done

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci-builds-and-releases #111

Workflow file

ci-builds-and-releases #111

Jobs

Run details

Workflow file for this run