josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
21014c1268f02692b0a6ff766ae4b33500721cab
Vetting/.gitea/workflows/release.yml
T
josh 05ceb8e042
CI / Lint + build + test (push) Successful in 1m41s
Details
Release / release (push) Successful in 16m47s
Details
ci(release): skip release workflow for non-bundle changes 
Adds a paths-ignore filter to the push trigger so README tweaks,
*_test.go edits, other workflows, and fake-binary scaffolding no
longer spend 45 min debootstrapping + republishing an identical
bundle to the package registry. Adds workflow_dispatch as a manual
escape hatch for the cases where paths-ignore swallows something
that needs republishing.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 21:08:26 -04:00

111 lines
4.0 KiB
YAML
Raw Blame History

name: Release
# Builds the full release tarball (orchestrator + agent + live image +
# deploy scripts) and publishes it to the Gitea generic package
# registry under two versions:
# - sha-<short-sha> immutable, per-commit pin
# - latest rolling alias (DELETE+PUT on each run)
#
# The LXC installer (deploy/proxmox-install.sh) curls the "latest"
# version by default; operators can pin via VETTING_VERSION=sha-abc1234.
on:
push:
branches: [main]
paths-ignore:
- '**/*.md'
- '**/*_test.go'
- 'docs/**'
- 'test/**'
- 'tools/**'
- 'agent/tests/fakes/**'
- '.gitea/workflows/ci.yml'
- '.gitea/workflows/e2e.yml'
- 'deploy/proxmox-install.sh'
- 'deploy/vetting.example.yaml'
- '.gitignore'
- 'LICENSE'
workflow_dispatch:
permissions:
contents: read
jobs:
release:
runs-on: ubuntu-latest
timeout-minutes: 45
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.26.x"
cache: false
- name: Install live-image build dependencies
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
debootstrap squashfs-tools dosfstools \
systemd-ukify systemd-boot kmod bubblewrap \
debian-archive-keyring python3-pip git zstd cpio
# Ubuntu's apt-packaged mkosi is too old to wire
# non-free-firmware shorthand through to debootstrap.
# mkosi isn't published on PyPI under v24+ — install the
# pinned tag from upstream git instead. bubblewrap provides
# the sandbox mkosi uses for its `cp`/chroot plumbing.
sudo pip install --break-system-packages \
"git+https://github.com/systemd/mkosi.git@v25.3"
- name: Install templ
run: go install github.com/a-h/templ/cmd/templ@v0.3.1001
- name: Build release bundle
run: make release
- name: Resolve bundle path + short sha
id: meta
run: |
short_sha=$(git rev-parse --short HEAD)
echo "short_sha=${short_sha}" >> "$GITHUB_OUTPUT"
echo "bundle=bin/vetting-bundle-${short_sha}.tar.gz" >> "$GITHUB_OUTPUT"
- name: Publish sha-pinned bundle
env:
REGISTRY_URL: ${{ vars.REGISTRY_URL }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
OWNER: ${{ gitea.repository_owner }}
SHORT_SHA: ${{ steps.meta.outputs.short_sha }}
BUNDLE: ${{ steps.meta.outputs.bundle }}
run: |
curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
--upload-file "${BUNDLE}" \
"${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/sha-${SHORT_SHA}/vetting-bundle.tar.gz"
- name: Replace latest alias
env:
REGISTRY_URL: ${{ vars.REGISTRY_URL }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
OWNER: ${{ gitea.repository_owner }}
BUNDLE: ${{ steps.meta.outputs.bundle }}
run: |
set -euo pipefail
# Delete the whole "latest" version, not the file inside it.
# Deleting the file leaves a ghost version that makes PUT 404.
status=$(curl -sS -o /dev/null -w '%{http_code}' \
-H "Authorization: token ${REGISTRY_TOKEN}" \
-X DELETE \
"${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/latest")
echo "DELETE latest -> ${status}"
case "${status}" in
204|404) ;;
*) echo "unexpected DELETE status ${status}"; exit 1 ;;
esac
# Give Gitea a moment to finalize the version delete before
# the upload re-creates it under the same name.
sleep 2
curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
--upload-file "${BUNDLE}" \
"${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/latest/vetting-bundle.tar.gz"
Reference in New Issue View Git Blame Copy Permalink