Humanerror #101
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Naisdevice workflow | |
| on: | |
| pull_request: | |
| types: [opened, reopened, synchronize] | |
| push: | |
| branches: [main] | |
| paths: | |
| - "go.*" | |
| - "cmd/naisdevice-*" | |
| - "internal/device-agent" | |
| - "internal/enroll" | |
| - "internal/systray" | |
| - "internal/helper" | |
| - "internal/otel" | |
| - "internal/bootstrap" | |
| - "internal/ioconvenience" | |
| - "internal/logger" | |
| - "internal/program" | |
| - "internal/notify" | |
| - "internal/random" | |
| - "internal/unixsocket" | |
| - "internal/version" | |
| - "internal/wireguard" | |
| - ".github/workflows/build.yaml" | |
| - ".github/workflows/templates/*" | |
| - "mise/config.toml" | |
| - "mise/tasks/**" | |
| - "!mise/tasks/**/*controlplane*" | |
| concurrency: | |
| group: ${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| release-info: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| - uses: jdx/mise-action@v3 | |
| - id: generate | |
| run: mise run ci:release-info | |
| outputs: | |
| version: ${{ steps.generate.outputs.version }} | |
| changelog: ${{ steps.generate.outputs.changelog }} | |
| checks: | |
| strategy: | |
| matrix: | |
| mise_task: | |
| - check:govulncheck | |
| - check:staticcheck | |
| - check:govet | |
| - ci:fmt | |
| - test | |
| runs-on: ubuntu-latest | |
| permissions: | |
| checks: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: jdx/mise-action@v3 | |
| - run: mise run ${{ matrix.mise_task }} | |
| builds: | |
| name: build ${{ matrix.platform.goos }} / ${{ matrix.arch }} / ${{ matrix.gotags || 'Nav' }} | |
| needs: [release-info] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| gotags: ["", tenant] | |
| arch: [amd64, arm64] | |
| platform: | |
| - goos: windows | |
| os: windows | |
| runner: ubuntu-latest | |
| ext: exe | |
| - goos: linux | |
| os: linux | |
| runner: ubuntu-latest | |
| ext: deb | |
| - goos: darwin | |
| os: macos | |
| runner: macos-latest | |
| ext: pkg | |
| runs-on: ${{ matrix.platform.runner }} | |
| env: | |
| VERSION: ${{ needs.release-info.outputs.version || 'none' }} # Allow builds to continue with no version, it won't release. | |
| GOOS: ${{ matrix.platform.goos }} | |
| GOARCH: ${{ matrix.arch }} | |
| GOTAGS: ${{ matrix.gotags }} | |
| OUTFILE: ./release_artifacts/naisdevice${{ matrix.gotags == 'tenant' && '-tenant' || '' }}_${{ matrix.platform.os }}_${{ matrix.arch }}.${{ matrix.platform.ext }} | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: jdx/mise-action@v3 | |
| - if: matrix.platform.os == 'windows' | |
| run: sudo apt-get update && sudo apt-get install --yes nsis osslsigncode | |
| - if: matrix.platform.os == 'macos' | |
| uses: Apple-Actions/import-codesign-certs@v3 | |
| with: | |
| p12-file-base64: ${{ secrets.CERTIFICATES_P12 }} | |
| p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }} | |
| - name: mise run package:${{ matrix.platform.os }} | |
| env: # Vars for all matrix variants are mixed together here. | |
| MSI_SIGN_CERT: ${{ secrets.MSI_SIGN_CERT }} | |
| MSI_SIGN_KEY: ${{ secrets.MSI_SIGN_KEY }} | |
| APPLE_NOTARIZE_AUTH_KEY_P8_BASE64: ${{ secrets.APPLE_NOTARIZE_AUTH_KEY_P8_BASE64 }} | |
| APPLE_NOTARIZE_D: ${{ secrets.APPLE_NOTARIZE_D }} | |
| APPLE_NOTARIZE_I: ${{ secrets.APPLE_NOTARIZE_I }} | |
| RELEASE: ${{ github.ref == 'refs/heads/main' && 'true' || 'false' }} | |
| run: | | |
| mkdir -p "$(dirname $OUTFILE)" | |
| mise run "package:${{ matrix.platform.os }}" | |
| - if: github.ref == 'refs/heads/main' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: installer-${{ matrix.platform.os }}-${{ matrix.arch }}-${{ matrix.gotags || 'nav' }} | |
| path: ${{ env.OUTFILE }} | |
| # Used by GitHub to determine if all checks/builds have passed | |
| branch-protection-checkpoint: | |
| needs: [checks, builds] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - run: echo Checks and builds passed | |
| release-github: | |
| if: github.ref == 'refs/heads/main' && needs.release-info.outputs.changelog != '' && needs.release-info.outputs.version != '' | |
| needs: [release-info, branch-protection-checkpoint] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| - uses: jdx/mise-action@v3 | |
| - run: git tag ${{ needs.release-info.outputs.version }} | |
| - uses: actions/download-artifact@v5 | |
| with: | |
| merge-multiple: true | |
| path: release_artifacts | |
| - run: mise run ci:generate-checksums ./release_artifacts/ > ./release_artifacts/checksums.txt | |
| - uses: softprops/action-gh-release@v2 | |
| id: release | |
| with: | |
| tag_name: ${{ needs.release-info.outputs.version }} | |
| body: ${{ needs.release-info.outputs.changelog }} | |
| prerelease: false | |
| files: ./release_artifacts/* | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - run: echo '${{ steps.release.outputs.assets }}' > assets.json | |
| - env: | |
| VERSION: ${{ needs.release-info.outputs.version }} | |
| run: mise run ci:prepare-template-vars ./release_artifacts/checksums.txt ./assets.json -v > template.vars | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: template-vars | |
| path: ./template.vars | |
| - run: | | |
| echo "## :rocket: Release ${{ needs.release-info.outputs.version }}" >> $GITHUB_STEP_SUMMARY | |
| echo "A new release is available over at https://github.com/${{ github.repository }}/releases/tag/${{ needs.release-info.outputs.version }}." >> $GITHUB_STEP_SUMMARY | |
| release-gar: | |
| if: github.ref == 'refs/heads/main' | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: [arm64, amd64] | |
| suffix: [nav, tenant] | |
| needs: [release-github] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - id: auth | |
| uses: google-github-actions/auth@v3 | |
| with: | |
| workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }} | |
| service_account: [email protected] | |
| token_format: access_token | |
| - uses: google-github-actions/setup-gcloud@v3 | |
| - uses: actions/download-artifact@v5 | |
| with: | |
| name: installer-linux-${{ matrix.arch }}-${{ matrix.suffix }} | |
| path: ./downloaded-artifact/ | |
| - run: | | |
| gcloud artifacts apt upload nais-ppa --project nais-io --quiet --location europe-north1 --source ./downloaded-artifact/* | |
| release-external-repos: | |
| if: github.ref == 'refs/heads/main' | |
| needs: | |
| - release-github | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| target: | |
| - repo: nais/scoop-bucket | |
| file: naisdevice.json | |
| - repo: nais/scoop-bucket | |
| file: naisdevice-tenant.json | |
| - repo: nais/homebrew-tap | |
| file: Casks/naisdevice.rb | |
| - repo: nais/homebrew-tap | |
| file: Casks/naisdevice-tenant.rb | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: navikt/github-app-token-generator@v1 | |
| id: token | |
| with: | |
| private-key: ${{ secrets.NAIS_APP_PRIVATE_KEY }} | |
| app-id: ${{ secrets.NAIS_APP_ID }} | |
| repo: ${{ matrix.target.repo }} | |
| - uses: jdx/mise-action@v3 | |
| - uses: actions/download-artifact@v5 | |
| with: | |
| name: template-vars | |
| - name: update ${{ matrix.target.repo }} | |
| timeout-minutes: 1 | |
| env: | |
| GH_TOKEN: ${{ steps.token.outputs.token }} | |
| run: | | |
| mise run ci:create-package-manager-pr "${{ matrix.target.repo }}" "${{ matrix.target.file }}" |