From 3c919e781548c9fb66032c2fc5c0029257b244dc Mon Sep 17 00:00:00 2001 From: kvs96 Date: Thu, 7 Mar 2024 14:01:15 +0000 Subject: [PATCH] refactoring release --- .github/workflows/CI-docker-gear.yml | 95 +++++++++++++++++++++----- .github/workflows/release.yml | 1 + .github/workflows/release_listener.yml | 50 ++++++++++++++ docker/Dockerfile-release | 8 ++- 4 files changed, 134 insertions(+), 20 deletions(-) create mode 100644 .github/workflows/release_listener.yml diff --git a/.github/workflows/CI-docker-gear.yml b/.github/workflows/CI-docker-gear.yml index 3e65f3cc713..19d1c55f546 100644 --- a/.github/workflows/CI-docker-gear.yml +++ b/.github/workflows/CI-docker-gear.yml @@ -1,12 +1,21 @@ -name: CI | docker-gear release version +name: Release (docker) on: workflow_dispatch: inputs: release_version: - description: 'Release version from https://get.gear.rs Example: v1.0.0. *Null = latest' - required: false + description: 'Release version. Example: v1.0.0, latest' + required: true default: '' + latest: + description: 'Tag as latest ?' + type: boolean + required: false + default: false + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true env: RELEASE_VERSION: ${{ github.event.inputs.release_version }} 
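Review bot: The new `concurrency` block groups runs only by `${{ github.workflow }}-${{ github.ref }}` and sets `cancel-in-progress: true`, so two dispatches on `master` for different release versions cancel each other; since release_listener.yml in this same patch dispatches this workflow for every published release, two releases published close together would abort the earlier image build and push part-way. Including the version in the group and not cancelling keeps each release build independent: `group: ${{ github.workflow }}-${{ github.event.inputs.release_version }}` and `cancel-in-progress: false`. Separately, `release_version` is now `required: true` but keeps `default: ''`; the empty default is dead once the input must be supplied, and the Validate step in the next hunk rejects an empty value anyway, so dropping the `default` line avoids suggesting that an empty version is meaningful.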
@@ -15,35 +24,87 @@ jobs: build: runs-on: [kuberunner] steps: - - uses: actions/checkout@v4 - - uses: docker/setup-buildx-action@v3 + - name: Validate Release Version + run: | + if [[ ! "${{ env.RELEASE_VERSION }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] && [[ "${{ env.RELEASE_VERSION }}" != "latest" ]]; then + echo "Release version format is incorrect. It should be 'latest' or 'v*.*.*'." + exit 1 + fi - - uses: actions/cache@v4 + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Cache Docker layers + uses: actions/cache@v4 with: path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-gear-${{ github.sha }} + key: ${{ runner.os }}-buildx-gear restore-keys: | ${{ runner.os }}-buildx-gear - - - uses: docker/login-action@v3 + ${{ runner.os }} + + - name: Log in to Docker Hub + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - - run: | - if [ -z "${{ env.RELEASE_VERSION }}" ]; then - echo "DOCKER_TAGS=ghcr.io/gear-tech/node:latest" >> $GITHUB_ENV + + - name: Prepare Docker Tags + run: | + if [[ "${{ github.event.inputs.latest }}" == "true" ]]; then + echo "DOCKER_TAGS=ghcr.io/gear-tech/node:${{ env.RELEASE_VERSION }},ghcr.io/gear-tech/node:latest" >> $GITHUB_ENV else - echo "DOCKER_TAGS=ghcr.io/gear-tech/node:latest,ghcr.io/gear-tech/node:${{ env.RELEASE_VERSION }}" >> $GITHUB_ENV + echo "DOCKER_TAGS=ghcr.io/gear-tech/node:${{ env.RELEASE_VERSION }}" >> $GITHUB_ENV fi - - uses: docker/build-push-action@v5 + - name: Build and push Docker image + uses: docker/build-push-action@v5 with: file: ./docker/Dockerfile-release push: true tags: ${{ env.DOCKER_TAGS }} - build-args: | - RELEASE_VERSION=${{ env.RELEASE_VERSION }} + build-args: RELEASE_VERSION=${{ env.RELEASE_VERSION }} cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache + + - name: Scan the Docker image with Trivy + uses: 
aquasecurity/trivy-action@master + with: + scan-type: image + image-ref: 'ghcr.io/gear-tech/node:${{ env.RELEASE_VERSION }}' + format: 'table' + output: 'trivy-results.txt' + exit-code: '0' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + hide-progress: true + + - name: Notify Trivy scan result in Telegram + uses: appleboy/telegram-action@master + with: + to: ${{ secrets.TELEGRAM_DEVOPS_CHAT }} + token: ${{ secrets.TELEGRAM_DEVOPS_TOKEN }} + format: markdown + disable_web_page_preview: true + message: | + *Status*: ℹ️ + *Details:* Trivy scan completed for ${{ env.DOCKER_TAGS }} + document: trivy-results.txt + + - name: Notify build failure in Telegram + if: failure() + uses: appleboy/telegram-action@master + with: + to: ${{ secrets.TELEGRAM_DEVOPS_CHAT }} + token: ${{ secrets.TELEGRAM_DEVOPS_TOKEN }} + format: markdown + disable_web_page_preview: true + message: | + *Status:* 🔥 + *Problem:* Build failed + *Details:* https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a0813812ee3..342eb9f9133 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,6 +8,7 @@ env: CARGO_INCREMENTAL: 0 CARGO_TERM_COLOR: always TERM: xterm-256color + GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} jobs: changelog: diff --git a/.github/workflows/release_listener.yml b/.github/workflows/release_listener.yml new file mode 100644 index 00000000000..baf65968bc5 --- /dev/null +++ b/.github/workflows/release_listener.yml 
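Review bot: The release version is expanded into the shell with `${{ env.RELEASE_VERSION }}` in both the Validate Release Version and Prepare Docker Tags steps, so the expression is substituted into the script text before bash runs, and a value containing a double quote would break out of the string and execute before the regex check does anything; because `RELEASE_VERSION` is already exported at workflow level (the `env:` block in the first hunk), the scripts can read it as `$RELEASE_VERSION`, and `github.event.inputs.latest` can be passed the same way through a step-level `env:`. The Trivy step runs after `push: true` with `exit-code: '0'`, so it only reports on an image that is already published; scanning before the push, or failing the job on CRITICAL findings, would make the scan a gate instead of a notification. `aquasecurity/trivy-action@master` and `appleboy/telegram-action@master` track a mutable branch, and the latter receives `secrets.TELEGRAM_DEVOPS_TOKEN`; pinning both to a release tag or commit SHA limits the supply-chain exposure. The step named `Log in to Docker Hub` logs in to `ghcr.io`; renaming it `Log in to GHCR` avoids misleading the next reader.

```yaml
      - name: Validate Release Version
        run: |
          if [[ ! "$RELEASE_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] && [[ "$RELEASE_VERSION" != "latest" ]]; then
            echo "Release version format is incorrect. It should be 'latest' or 'v*.*.*'."
            exit 1
          fi
      # … unchanged: checkout, buildx, cache, registry login …
      - name: Prepare Docker Tags
        env:
          TAG_LATEST: ${{ github.event.inputs.latest }}
        run: |
          if [[ "$TAG_LATEST" == "true" ]]; then
            echo "DOCKER_TAGS=ghcr.io/gear-tech/node:${RELEASE_VERSION},ghcr.io/gear-tech/node:latest" >> "$GITHUB_ENV"
          else
            echo "DOCKER_TAGS=ghcr.io/gear-tech/node:${RELEASE_VERSION}" >> "$GITHUB_ENV"
          fi
      # … unchanged: build-and-push, Trivy scan, Telegram notifications …
```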
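Review bot: `GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}` at the workflow-level `env:` of release.yml makes the release token an environment variable in every job and step of the workflow, including any third-party action or CLI that reads `GITHUB_TOKEN` from the environment implicitly, which is a wider exposure than the one step that needs it. Prefer a step-level `env:` on the step that publishes the release and leave the workflow-level block as it was; the `jobs:` that follow are outside the hunk, so I cannot point at that step here. Presumably a personal access token is used so that the published release fires release_listener.yml, since events created with the default token do not trigger other workflows; a comment above the key, `# PAT: releases created with the default GITHUB_TOKEN do not trigger release_listener.yml`, would record that reason for the next maintainer.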
@@ -0,0 +1,50 @@ +name: Release Listener + +on: + release: + types: [published] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +env: + GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} + +jobs: + trigger-multiplatform-build: + runs-on: ubuntu-latest + steps: + - name: Dispatch Multiplatform Build Workflow + uses: actions/github-script@v7 + with: + github-token: ${{ env.GITHUB_TOKEN }} + script: | + github.rest.actions.createWorkflowDispatch({ + owner: 'gear-tech', + repo: 'builds', + workflow_id: 'nightly.yml', + ref: 'master', + inputs: { + release_version: '${{ github.event.release.tag_name }}' + } + }); + + trigger-docker-build: + runs-on: ubuntu-latest + steps: + - name: Dispatch Docker Build Workflow + uses: actions/github-script@v7 + with: + github-token: ${{ env.GITHUB_TOKEN }} + script: | + github.rest.actions.createWorkflowDispatch({ + owner: 'gear-tech', + repo: 'gear', + workflow_id: 'CI-docker-gear.yml', + ref: 'master', + inputs: { + release_version: '${{ github.event.release.tag_name }}', + latest: 'true' + } + }); diff --git a/docker/Dockerfile-release b/docker/Dockerfile-release index d5181c2092c..dcce72a6c20 100644 --- a/docker/Dockerfile-release +++ b/docker/Dockerfile-release 
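Review bot: `release_version: '${{ github.event.release.tag_name }}'` in both `script:` blocks is substituted into the JavaScript source before it runs, so a tag name containing a single quote terminates the string literal and whatever follows executes with `RELEASE_TOKEN`, a token that can dispatch into two repositories; read the value from the event payload inside the script instead, `release_version: context.payload.release.tag_name`. The two `createWorkflowDispatch` calls are not awaited, so a rejected request is not guaranteed to fail the step before it completes; `await github.rest.actions.createWorkflowDispatch({ ... })` makes the failure deterministic. `latest: 'true'` is sent for every published release, so a release marked as a pre-release on GitHub but carrying a plain `vX.Y.Z` tag would also be tagged `:latest`; if that is not intended, derive it from the payload, e.g. `latest: String(!context.payload.release.prerelease)`, otherwise a one-line comment stating that every published release becomes `latest` would help.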
@@ -6,10 +6,12 @@ RUN apt-get update && \ apt-get install -y curl sudo xz-utils && \ rm -rf /var/lib/apt/lists/* -RUN if [ -z "$RELEASE_VERSION" ]; then \ - curl --proto '=https' --tlsv1.2 -sSf https://get.gear.rs/install.sh | bash -s -- --to /usr/local/bin/ ; \ +RUN if [ "$RELEASE_VERSION" = "latest" ]; then \ + curl -L https://github.com/gear-tech/gear/releases/latest/download/gear -o /usr/local/bin/gear && \ + chmod +x /usr/local/bin/gear ; \ else \ - curl --proto '=https' --tlsv1.2 -sSf https://get.gear.rs/install.sh | bash -s -- --tag ${RELEASE_VERSION} --to /usr/local/bin/ ; \ + curl -L https://github.com/gear-tech/gear/releases/download/$RELEASE_VERSION/gear -o /usr/local/bin/gear && \ + chmod +x /usr/local/bin/gear ; \ fi RUN gear --version
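Review bot: The new `curl -L ... -o /usr/local/bin/gear` lines drop the `-sSf` and `--proto '=https' --tlsv1.2` that the replaced install.sh invocations had, so an HTTP error (for example a 404 for a tag without a `gear` asset) writes the error body to `/usr/local/bin/gear` and marks it executable; `gear --version` on the following line would then fail the build, but the failure is clearer if curl fails first: `curl -fsSL --proto '=https' --tlsv1.2 "https://github.com/gear-tech/gear/releases/download/${RELEASE_VERSION}/gear" -o /usr/local/bin/gear`. Neither branch verifies the binary's integrity: if the release publishes a checksum or signature asset, download and verify it before `chmod +x`; otherwise the image trusts whatever the URL serves, and the `latest` branch additionally resolves to a moving target, so the same Dockerfile produces different images over time. `$RELEASE_VERSION` should be quoted inside the URL; the regex check in CI-docker-gear.yml restricts it to `vX.Y.Z` or `latest`, but the Dockerfile can also be built outside that workflow.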