diff --git a/.github/workflows/ghcr-publish.yml b/.github/workflows/ghcr-publish.yml deleted file mode 100644 index bca294453..000000000 --- a/.github/workflows/ghcr-publish.yml +++ /dev/null @@ -1,160 +0,0 @@ -name: Publish to ghcr - -# This workflow is a modification of a example. -# @ see: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners - -on: - push: - branches: ["main"] - tags: ["v*.*.*"] - workflow_dispatch: - inputs: - version: - description: 'Version tag (e.g., v4.10.5)' - required: false - type: string - workflow_call: - inputs: - version: - description: 'Version tag (e.g., v4.10.5)' - required: false - type: string - -env: - # Use docker.io for Docker Hub if empty - REGISTRY_IMAGE: ghcr.io/sourcebot-dev/sourcebot - -jobs: - build: - runs-on: ${{ matrix.runs-on}} - environment: oss - permissions: - contents: read - packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - strategy: - matrix: - platform: [linux/amd64, linux/arm64] - include: - - platform: linux/amd64 - runs-on: ubuntu-latest - - platform: linux/arm64 - runs-on: ubuntu-24.04-arm - - steps: - - name: Prepare - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - - name: Checkout repository - uses: actions/checkout@v4 - with: - ref: ${{ inputs.version || github.ref_name }} - submodules: "true" - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - uses: sigstore/cosign-installer@v3.5.0 - with: - cosign-release: "v2.2.4" - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GitHub Packages Docker Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build Docker image - id: build - uses: docker/build-push-action@v6 - with: - context: . - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha,scope=${{ env.PLATFORM_PAIR }} - cache-to: type=gha,mode=max,scope=${{ env.PLATFORM_PAIR }} - platforms: ${{ matrix.platform }} - outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true,annotation.org.opencontainers.image.description=Blazingly fast code search - - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ env.PLATFORM_PAIR }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} - - merge: - runs-on: ubuntu-latest - permissions: - packages: write - needs: - - build - steps: - - name: Download digests - uses: actions/download-artifact@v4 - with: - path: /tmp/digests - pattern: digests-* - merge-multiple: true - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - - - name: Login to GitHub Packages Docker Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} diff --git a/.github/workflows/release-sourcebot.yml b/.github/workflows/release-sourcebot.yml index 236971fcc..62b2b6cfe 100644 --- a/.github/workflows/release-sourcebot.yml +++ b/.github/workflows/release-sourcebot.yml @@ -16,13 +16,18 @@ concurrency: group: release-sourcebot cancel-in-progress: false +env: + # Use docker.io for Docker Hub if empty + REGISTRY_IMAGE: ghcr.io/sourcebot-dev/sourcebot + jobs: - release: + prepare-release: runs-on: ubuntu-latest permissions: contents: write outputs: version: ${{ steps.calculate_version.outputs.version }} + temp_branch: ${{ steps.push_temp_branch.outputs.temp_branch }} steps: - name: Generate GitHub App token @@ -126,32 +131,272 @@ jobs: git add CHANGELOG.md packages/shared/src/version.ts git commit -m "Release v$VERSION" + - name: Push to temporary branch + id: push_temp_branch + env: + GH_TOKEN: ${{ steps.generate_token.outputs.token }} + run: | + TEMP_BRANCH="release-v$VERSION" + git push origin HEAD:refs/heads/$TEMP_BRANCH + echo "Pushed commit to temporary branch: $TEMP_BRANCH" + echo "temp_branch=$TEMP_BRANCH" >> $GITHUB_OUTPUT + + build: + needs: prepare-release + runs-on: ${{ matrix.runs-on}} + environment: oss + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + strategy: + matrix: + platform: [linux/amd64, linux/arm64] + include: + - platform: linux/amd64 + runs-on: ubuntu-latest + - platform: linux/arm64 + runs-on: ubuntu-24.04-arm + + steps: + - name: Generate GitHub App token + id: generate_token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.RELEASE_APP_ID }} + private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} + + - name: Prepare + run: | + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ needs.prepare-release.outputs.temp_branch }} + submodules: "true" + fetch-depth: 0 + token: ${{ steps.generate_token.outputs.token }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + tags: | + type=raw,value=v${{ needs.prepare-release.outputs.version }} + type=raw,value=latest + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + uses: sigstore/cosign-installer@v3.5.0 + with: + cosign-release: "v2.2.4" + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub Packages Docker Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build Docker image + id: build + uses: docker/build-push-action@v6 + with: + context: . + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha,scope=${{ env.PLATFORM_PAIR }} + cache-to: type=gha,mode=max,scope=${{ env.PLATFORM_PAIR }} + platforms: ${{ matrix.platform }} + outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true,annotation.org.opencontainers.image.description=Blazingly fast code search + + - name: Export digest + run: | + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: digests-${{ env.PLATFORM_PAIR }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + env: + # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable + TAGS: ${{ steps.meta.outputs.tags }} + DIGEST: ${{ steps.build.outputs.digest }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} + + finalize-release: + needs: [prepare-release, build] + runs-on: ubuntu-latest + permissions: + contents: write + packages: write + + steps: + - name: Generate GitHub App token + id: generate_token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.RELEASE_APP_ID }} + private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} + + - name: Checkout temporary branch + uses: actions/checkout@v4 + with: + ref: ${{ needs.prepare-release.outputs.temp_branch }} + fetch-depth: 0 + token: ${{ steps.generate_token.outputs.token }} + + - name: Configure git + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + + - name: Fast-forward main to temporary branch + env: + GH_TOKEN: ${{ steps.generate_token.outputs.token }} + VERSION: ${{ needs.prepare-release.outputs.version }} + TEMP_BRANCH: ${{ needs.prepare-release.outputs.temp_branch }} + run: | + # Fetch main branch + git fetch origin main:main + git checkout main + + # Check if fast-forward is possible + if ! git merge-base --is-ancestor main "$TEMP_BRANCH"; then + echo "❌ ERROR: Cannot fast-forward main branch to release commit" + echo "" + echo "This means new commits were pushed to main after the release process started." + echo "" + echo "Recent commits on main that caused the conflict:" + git log --oneline $TEMP_BRANCH..main | head -5 + exit 1 + fi + + # Fast-forward main to release commit + git merge --ff-only "$TEMP_BRANCH" + + echo "✓ Successfully fast-forwarded main to release commit" + - name: Create annotated tag + env: + VERSION: ${{ needs.prepare-release.outputs.version }} run: | git tag -a "v$VERSION" -m "sourcebot v$VERSION" + echo "Created tag v$VERSION" - - name: Push changes + - name: Push main and tag env: GH_TOKEN: ${{ steps.generate_token.outputs.token }} run: | git push origin main git push origin --tags + echo "Pushed main branch and tags" + + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + tags: | + type=raw,value=v${{ needs.prepare-release.outputs.version }} + type=raw,value=latest + + - name: Login to GitHub Packages Docker Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:v${{ needs.prepare-release.outputs.version }} - name: Create GitHub release env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ steps.generate_token.outputs.token }} + VERSION: ${{ needs.prepare-release.outputs.version }} run: | gh release create "v$VERSION" \ --verify-tag \ --generate-notes \ --latest - publish: - needs: release - uses: ./.github/workflows/ghcr-publish.yml - with: - version: v${{ needs.release.outputs.version }} + update-helm-chart: + needs: finalize-release permissions: contents: read - packages: write - id-token: write + uses: sourcebot-dev/sourcebot-helm-chart/.github/workflows/update-sourcebot-version.yaml@main + + cleanup: + needs: [prepare-release, build, finalize-release, update-helm-chart] + if: always() && needs.prepare-release.outputs.temp_branch != '' + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - name: Generate GitHub App token + id: generate_token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.RELEASE_APP_ID }} + private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} + + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + token: ${{ steps.generate_token.outputs.token }} + + - name: Delete temporary branch + env: + TEMP_BRANCH: ${{ needs.prepare-release.outputs.temp_branch }} + run: | + # Check if branch exists before attempting to delete + if git ls-remote --heads origin "$TEMP_BRANCH" | grep -q "$TEMP_BRANCH"; then + git push origin --delete "$TEMP_BRANCH" + echo "✓ Deleted temporary branch: $TEMP_BRANCH" + else + echo "ℹ Temporary branch $TEMP_BRANCH does not exist (may have been already deleted)" + fi \ No newline at end of file