a5e20269dd
- Pin all GitHub Actions to commit SHA to prevent supply chain attacks - Enable SLSA provenance attestation (mode=max) and SBOM generation - Add cosign keyless signing for Docker images via GitHub OIDC - Capture and output image digests to GitHub Job Summary - Pin Dockerfile base images to digest (bun:1, golang:1.26.1-alpine, debian:bookworm-slim) - Add SHA256 checksum generation for binary releases (Linux/macOS/Windows) - Update actions/checkout v3->v4, actions/setup-go v3->v5 in release.yml
157 lines
4.8 KiB
YAML
157 lines
4.8 KiB
YAML
name: Release (Linux, macOS, Windows)
|
|
permissions:
|
|
contents: write
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
name:
|
|
description: 'reason'
|
|
required: false
|
|
push:
|
|
tags:
|
|
- '*'
|
|
- '!*-alpha*'
|
|
|
|
jobs:
|
|
linux:
|
|
name: Linux Release
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Determine Version
|
|
run: |
|
|
VERSION=$(git describe --tags)
|
|
echo "VERSION=$VERSION" >> $GITHUB_ENV
|
|
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
|
|
with:
|
|
bun-version: latest
|
|
- name: Build Frontend
|
|
env:
|
|
CI: ""
|
|
run: |
|
|
cd web
|
|
bun install
|
|
DISABLE_ESLINT_PLUGIN='true' VITE_REACT_APP_VERSION=$VERSION bun run build
|
|
cd ..
|
|
- name: Set up Go
|
|
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
|
|
with:
|
|
go-version: '>=1.25.1'
|
|
- name: Build Backend (amd64)
|
|
run: |
|
|
go mod download
|
|
go build -ldflags "-s -w -X 'new-api/common.Version=$VERSION' -extldflags '-static'" -o new-api-$VERSION
|
|
- name: Build Backend (arm64)
|
|
run: |
|
|
sudo apt-get update
|
|
DEBIAN_FRONTEND=noninteractive sudo apt-get install -y gcc-aarch64-linux-gnu
|
|
CC=aarch64-linux-gnu-gcc CGO_ENABLED=1 GOOS=linux GOARCH=arm64 go build -ldflags "-s -w -X 'new-api/common.Version=$VERSION' -extldflags '-static'" -o new-api-arm64-$VERSION
|
|
- name: Generate checksums
|
|
run: sha256sum new-api-* > checksums-linux.txt
|
|
|
|
- name: Release
|
|
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
|
|
if: startsWith(github.ref, 'refs/tags/')
|
|
with:
|
|
files: |
|
|
new-api-*
|
|
checksums-linux.txt
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
macos:
|
|
name: macOS Release
|
|
runs-on: macos-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Determine Version
|
|
run: |
|
|
VERSION=$(git describe --tags)
|
|
echo "VERSION=$VERSION" >> $GITHUB_ENV
|
|
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
|
|
with:
|
|
bun-version: latest
|
|
- name: Build Frontend
|
|
env:
|
|
CI: ""
|
|
NODE_OPTIONS: "--max-old-space-size=4096"
|
|
run: |
|
|
cd web
|
|
bun install
|
|
DISABLE_ESLINT_PLUGIN='true' VITE_REACT_APP_VERSION=$VERSION bun run build
|
|
cd ..
|
|
- name: Set up Go
|
|
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
|
|
with:
|
|
go-version: '>=1.25.1'
|
|
- name: Build Backend
|
|
run: |
|
|
go mod download
|
|
go build -ldflags "-X 'new-api/common.Version=$VERSION'" -o new-api-macos-$VERSION
|
|
- name: Generate checksums
|
|
run: shasum -a 256 new-api-macos-* > checksums-macos.txt
|
|
|
|
- name: Release
|
|
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
|
|
if: startsWith(github.ref, 'refs/tags/')
|
|
with:
|
|
files: |
|
|
new-api-macos-*
|
|
checksums-macos.txt
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
windows:
|
|
name: Windows Release
|
|
runs-on: windows-latest
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Determine Version
|
|
run: |
|
|
VERSION=$(git describe --tags)
|
|
echo "VERSION=$VERSION" >> $GITHUB_ENV
|
|
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
|
|
with:
|
|
bun-version: latest
|
|
- name: Build Frontend
|
|
env:
|
|
CI: ""
|
|
run: |
|
|
cd web
|
|
bun install
|
|
DISABLE_ESLINT_PLUGIN='true' VITE_REACT_APP_VERSION=$VERSION bun run build
|
|
cd ..
|
|
- name: Set up Go
|
|
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
|
|
with:
|
|
go-version: '>=1.25.1'
|
|
- name: Build Backend
|
|
run: |
|
|
go mod download
|
|
go build -ldflags "-s -w -X 'new-api/common.Version=$VERSION'" -o new-api-$VERSION.exe
|
|
- name: Generate checksums
|
|
run: sha256sum new-api-*.exe > checksums-windows.txt
|
|
|
|
- name: Release
|
|
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
|
|
if: startsWith(github.ref, 'refs/tags/')
|
|
with:
|
|
files: |
|
|
new-api-*.exe
|
|
checksums-windows.txt
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|