build(controlplane): set version properly #62
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Naisdevice workflow | ||
| on: | ||
| pull_request: | ||
| types: [opened, reopened, synchronize] | ||
| push: | ||
| branches: [main] | ||
| paths: | ||
| - "go.*" | ||
| - "cmd/naisdevice-*" | ||
| - "internal/device-agent" | ||
| - "internal/enroll" | ||
| - "internal/systray" | ||
| - "internal/helper" | ||
| - "internal/otel" | ||
| - "internal/bootstrap" | ||
| - "internal/ioconvenience" | ||
| - "internal/logger" | ||
| - "internal/program" | ||
| - "internal/notify" | ||
| - "internal/random" | ||
| - "internal/unixsocket" | ||
| - "internal/version" | ||
| - "internal/wireguard" | ||
| - ".github/workflows/build.yaml" | ||
| - "mise/config.toml" | ||
| - "mise/tasks/**" | ||
| paths-ignore: | ||
| - "mise/tasks/**/*controlplane*" | ||
| concurrency: | ||
| group: ${{ github.ref }} | ||
| cancel-in-progress: true | ||
| jobs: | ||
| release-info: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| pull-requests: write | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| with: | ||
| fetch-depth: 0 | ||
| - uses: jdx/mise-action@v3 | ||
| with: | ||
| cache: false | ||
| - id: generate | ||
| run: mise run ci:release-info | ||
| outputs: | ||
| version: ${{ steps.generate.outputs.version }} | ||
| changelog: ${{ steps.generate.outputs.changelog }} | ||
| checks: | ||
| needs: [release-info] | ||
| strategy: | ||
| matrix: | ||
| mise_task: | ||
| - check:govulncheck | ||
| - check:staticcheck | ||
| - check:govet | ||
| - ci:fmt | ||
| - test | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| checks: write | ||
| pull-requests: write | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: jdx/mise-action@v3 | ||
| with: | ||
| cache: false | ||
| - run: mise run ${{ matrix.mise_task }} | ||
| builds: | ||
| name: build ${{ matrix.platform.goos }} / ${{ matrix.arch }} / ${{ matrix.gotags || 'Nav' }} | ||
| needs: [release-info] | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| gotags: ["", tenant] | ||
| arch: [amd64, arm64] | ||
| platform: | ||
| - goos: windows | ||
| os: windows | ||
| runner: ubuntu-latest | ||
| ext: exe | ||
| - goos: linux | ||
| os: linux | ||
| runner: ubuntu-latest | ||
| ext: deb | ||
| - goos: darwin | ||
| os: macos | ||
| runner: macos-latest | ||
| ext: pkg | ||
| runs-on: ${{ matrix.platform.runner }} | ||
| env: | ||
| VERSION: ${{ needs.release-info.outputs.version }} | ||
| GOOS: ${{ matrix.platform.goos }} | ||
| GOARCH: ${{ matrix.arch }} | ||
| GOTAGS: ${{ matrix.gotags }} | ||
| OUTFILE: ./release_artifacts/naisdevice${{ matrix.gotags == 'tenant' && '-tenant' || '' }}_${{ matrix.platform.os }}_${{ matrix.arch }}.${{ matrix.platform.ext }} | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: jdx/mise-action@v3 | ||
| - if: matrix.platform.os == 'windows' | ||
| run: sudo apt-get update && sudo apt-get install --yes nsis osslsigncode | ||
| - if: matrix.platform.os == 'macos' | ||
| uses: Apple-Actions/import-codesign-certs@v3 | ||
| with: | ||
| p12-file-base64: ${{ secrets.CERTIFICATES_P12 }} | ||
| p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }} | ||
| - name: mise run package:${{ matrix.platform.os }} | ||
| env: # Vars for all matrix variants are mixed together here. | ||
| MSI_SIGN_CERT: ${{ secrets.MSI_SIGN_CERT }} | ||
| MSI_SIGN_KEY: ${{ secrets.MSI_SIGN_KEY }} | ||
| APPLE_NOTARIZE_AUTH_KEY_P8_BASE64: ${{ secrets.APPLE_NOTARIZE_AUTH_KEY_P8_BASE64 }} | ||
| APPLE_NOTARIZE_D: ${{ secrets.APPLE_NOTARIZE_D }} | ||
| APPLE_NOTARIZE_I: ${{ secrets.APPLE_NOTARIZE_I }} | ||
| RELEASE: ${{ github.ref == 'refs/heads/main' && 'true' || 'false' }} | ||
| run: | | ||
| mkdir -p "$(dirname $OUTFILE)" | ||
| mise run "package:${{ matrix.platform.os }}" | ||
| - if: github.ref == 'refs/heads/main' | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: installer-${{ matrix.platform.os }}-${{ matrix.arch }}-${{ matrix.gotags || 'nav' }} | ||
| path: ${{ env.OUTFILE }} | ||
| # Used by GitHub to determine if all checks/builds have passed | ||
| branch-protection-checkpoint: | ||
| needs: [checks, builds] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - run: echo Checks and builds passed | ||
| release-github: | ||
| if: github.ref == 'refs/heads/main' && needs.release-info.outputs.changelog != '' | ||
| needs: [release-info, branch-protection-checkpoint] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| with: | ||
| fetch-depth: 0 | ||
| - uses: jdx/mise-action@v3 | ||
| with: | ||
| cache: false | ||
| - run: git tag ${{ needs.release-info.outputs.version }} | ||
| - uses: actions/download-artifact@v5 | ||
| with: | ||
| merge-multiple: true | ||
| path: release_artifacts | ||
| - run: mise run ci:generate-checksums ./release_artifacts/ > ./release_artifacts/checksums.txt | ||
| - uses: softprops/action-gh-release@v2 | ||
| id: release | ||
| with: | ||
| tag_name: ${{ needs.release-info.outputs.version }} | ||
| body: ${{ needs.release-info.outputs.changelog }} | ||
| prerelease: true | ||
| files: ./release_artifacts/* | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| - run: echo '${{ steps.release.outputs.assets }}' > assets.json | ||
| - env: | ||
| VERSION: ${{ needs.release-info.outputs.version }} | ||
| run: mise run ci:prepare-template-vars ./release_artifacts/checksums.txt ./assets.json -v > template.vars | ||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: template-vars | ||
| path: ./template.vars | ||
| - run: | | ||
| echo "## :rocket: Release ${{ needs.release-info.outputs.version }}" >> $GITHUB_STEP_SUMMARY | ||
| echo "A new release is available over at https://github.com/${{ github.repository }}/releases/tag/${{ needs.release-info.outputs.version }}." >> $GITHUB_STEP_SUMMARY | ||
| release-gar: | ||
| if: github.ref == 'refs/heads/main' | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| arch: [arm64, amd64] | ||
| suffix: [nav, tenant] | ||
| needs: [release-github] | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - id: auth | ||
| uses: google-github-actions/auth@v3 | ||
| with: | ||
| workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }} | ||
| service_account: [email protected] | ||
| token_format: access_token | ||
| - uses: google-github-actions/setup-gcloud@v3 | ||
| - uses: actions/download-artifact@v5 | ||
| with: | ||
| name: installer-linux-${{ matrix.arch }}-${{ matrix.suffix }} | ||
| path: ./downloaded-artifact/ | ||
| - run: | | ||
| gcloud artifacts apt upload nais-ppa --project nais-io --quiet --location europe-north1 --source ./downloaded-artifact/* | ||
| release-external-repos: | ||
| if: github.ref == 'refs/heads/main' | ||
| needs: | ||
| - release-info | ||
| - release-github | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| target: | ||
| - repo: nais/scoop-bucket | ||
| file: naisdevice-tenant.json | ||
| - repo: nais/scoop-bucket | ||
| file: naisdevice-tenant.json | ||
| - repo: nais/homebrew-tap | ||
| file: Casks/naisdevice.rb | ||
| - repo: nais/homebrew-tap | ||
| file: Casks/naisdevice-tenant.rb | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: navikt/github-app-token-generator@v1 | ||
| id: token | ||
| with: | ||
| private-key: ${{ secrets.NAIS_APP_PRIVATE_KEY }} | ||
| app-id: ${{ secrets.NAIS_APP_ID }} | ||
| repo: ${{ matrix.target.repo }} | ||
| - uses: jdx/mise-action@v3 | ||
| with: | ||
| cache: false | ||
| - uses: actions/download-artifact@v5 | ||
| with: | ||
| name: template-vars | ||
| - name: update ${{ matrix.target.repo }} | ||
| env: | ||
| VERSION: ${{ needs.release-info.outputs.version }} | ||
| REPO_TOKEN: ${{ steps.token.outputs.token }} | ||
| run: mise run ci:create-package-manager-pr "${{ matrix.target.repo }}" "${{ matrix.target.file }}" | ||
