Forgejo/.forgejo/workflows/build-release.yml

name: Build release

on:
  push:
    tags: 'v*'

jobs:
  release:
    runs-on: self-hosted
    # root is used for testing, allow it
    if: secrets.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
    steps:
      - uses: actions/checkout@v3

      - name: Increase the verbosity when there are no secrets
        id: verbose
        run: |
          if test -z "${{ secrets.TOKEN }}"; then
            value=true
          else
            value=false
          fi
          echo "value=$value" >> "$GITHUB_OUTPUT"

      - name: Sanitize the name of the repository
        id: repository
        run: |
          set -x # comment out
          repository="${{ github.repository }}"
          echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"

      - name: When in a test environment, create a token
        id: token
        if: ${{ secrets.TOKEN == '' }}
        run: |
          apt-get -qq install -y jq
          url="${{ env.GITHUB_SERVER_URL }}"
          hostport=${url##http*://}
          hostport=${hostport%%/}
          doer=root
          api=http://$doer:admin1234@$hostport/api/v1/users/$doer/tokens
          curl -sS -X DELETE $api/release
          token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api | jq --raw-output .sha1)
          echo "value=${token}" >> "$GITHUB_OUTPUT"

      - uses: https://code.forgejo.org/actions/setup-go@v4
        with:
          go-version: ">=1.20"
          check-latest: true

      - name: Create the version from ref_name
        id: tag-version
        run: |
          version="${{ github.ref_name }}"
          version=${version##*v}
          echo "value=$version" >> "$GITHUB_OUTPUT"

      - name: Create the release notes
        id: release-notes
        run: |
          cat >> "$GITHUB_OUTPUT" <<EOF
          value<<ENDVAR
          See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#${{ steps.tag-version.outputs.value }}
          ENDVAR
          EOF

      - name: Build sources
        run: |
          set -x
          apt-get -qq install -y make
          version=${{ steps.tag-version.outputs.value }}
          #
          # Make sure all files are owned by the current user.
          # When run as root `npx webpack` will assume the identity
          # of the owner of the current working directory and may
          # fail to create files if some sub-directories are not owned
          # by the same user.
          #
          #   Binaries:
          #   Node: 18.17.0 - /usr/local/node-v18.17.0-linux-x64/bin/node
          #   npm: 9.6.7 - /usr/local/node-v18.17.0-linux-x64/bin/npm
          # Packages:
          #   add-asset-webpack-plugin: 2.0.1 => 2.0.1
          #   css-loader: 6.8.1 => 6.8.1
          #   esbuild-loader: 3.0.1 => 3.0.1
          #   license-checker-webpack-plugin: 0.2.1 => 0.2.1
          #   monaco-editor-webpack-plugin: 7.0.1 => 7.0.1
          #   vue-loader: 17.2.2 => 17.2.2
          #   webpack: 5.87.0 => 5.87.0
          #   webpack-cli: 5.1.4 => 5.1.4
          #
          chown -R $(id -u) .
          make VERSION=$version TAGS=bindata sources-tarbal
          mv dist/release release

          (
            tmp=$(mktemp -d)
            tar --directory $tmp -zxvf release/*$version*.tar.gz
            cd $tmp/*
            #
            # Verify `make frontend` files are available
            #
            test -d public/assets/css
            test -d public/assets/fonts
            test -d public/assets/js
            #
            # Verify `make generate` files are available
            #
            test -f modules/public/bindata.go
            #
            # Sanity check to verify that the source tarbal knows the
            # version and is able to rebuild itself from it.
            #
            # When in sources the version is determined with git.
            # When in the tarbal the version is determined from a VERSION file.
            #
            make sources-tarbal
            tarbal=$(echo dist/release/*$version*.tar.gz)
            if ! test -f $tarbal ; then
              echo $tarbal does not exist
              find dist release
              exit 1
            fi
          )

      - name: build container & release (when TOKEN secret is not set)
        if: ${{ secrets.TOKEN == '' }}
        uses: ./.forgejo/actions/build-release
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
          repository: "${{ steps.repository.outputs.value }}"
          doer: root
          tag-version: "${{ steps.tag-version.outputs.value }}"
          token: ${{ steps.token.outputs.value }}
          platforms: linux/amd64,linux/arm64,linux/arm/v6
          release-notes: "${{ steps.release-notes.outputs.value }}"
          binary-name: forgejo
          binary-path: /app/gitea/gitea
          verbose: ${{ steps.verbose.outputs.value }}

      - name: build rootless container (when TOKEN secret is not set)
        if: ${{ secrets.TOKEN == '' }}
        uses: ./.forgejo/actions/build-release
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
          repository: "${{ steps.repository.outputs.value }}"
          doer: root
          tag-version: "${{ steps.tag-version.outputs.value }}"
          token: ${{ steps.token.outputs.value }}
          platforms: linux/amd64,linux/arm64,linux/arm/v6
          suffix: -rootless
          dockerfile: Dockerfile.rootless
          verbose: ${{ steps.verbose.outputs.value }}

      - name: build container & release (when TOKEN secret is set)
        if: ${{ secrets.TOKEN != '' }}
        uses: ./.forgejo/actions/build-release
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
          repository: "${{ steps.repository.outputs.value }}"
          doer: "${{ secrets.DOER }}"
          tag-version: "${{ steps.tag-version.outputs.value }}"
          token: "${{ secrets.TOKEN }}"
          platforms: linux/amd64,linux/arm64,linux/arm/v6
          release-notes: "${{ steps.release-notes.outputs.value }}"
          binary-name: forgejo
          binary-path: /app/gitea/gitea
          verbose: ${{ steps.verbose.outputs.value }}

      - name: build rootless container (when TOKEN secret is set)
        if: ${{ secrets.TOKEN != '' }}
        uses: ./.forgejo/actions/build-release
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
          repository: "${{ steps.repository.outputs.value }}"
          doer: "${{ secrets.DOER }}"
          tag-version: "${{ steps.tag-version.outputs.value }}"
          token: "${{ secrets.TOKEN }}"
          platforms: linux/amd64,linux/arm64,linux/arm/v6
          suffix: -rootless
          dockerfile: Dockerfile.rootless
          verbose: ${{ steps.verbose.outputs.value }}
[CI] Forgejo Actions based release process Refs: https://codeberg.org/forgejo/website/pulls/230 (cherry picked from commit 87d56bf6c73d726dae8aafbc7e147969f1899931) [CI] Forgejo Actions based release process (squash) base64 -w0 to avoid wrapping when the doer name is long as it creates a broken config.json (cherry picked from commit 9efdc27e49bdfb3e62401baf27b224385f9f3e5e) [CI] Forgejo Actions based release process (squash) generate .xz files and sources Generate .xz files Check .sha256 Generate the source tarbal (cherry picked from commit 7afec520c4b1032d7e67a05a41e4e2913bcd9312) [CI] Forgejo Actions based release process (squash) release notes (cherry picked from commit d8f4f4807b28297b318d2f555a76d0efef762cf7) [CI] Forgejo Actions based release process (squash) publish and sign release (cherry picked from commit a52778c74785fe57cdee3b64b4c6c8a326471532) (cherry picked from commit cf2ec6274094ac7aebda71d54c64581f528df00a) [CI] Forgejo Actions based release process (squash) version use Actions environment variables in Makefile (#25319) (#25318) uses Actions variable to determine the version. But Forgejo builds happen in a container where they are not available. Do not use them. Also verify the version of the binary is as expected for sanity check. (cherry picked from commit 6decf111a132a869f9e5c6f4d20e368b8f74309f) (cherry picked from commit 206d0b3886b2d56b585bf552e53d952b35f07284) [CI] read STORED_VERSION_FILE if available (cherry picked from commit af74085ebf51c91a51db865a66667fca511838d5) [CI] backward compatible executable compilation Add a new static-executable target to use in Dockerfiles and restore the $(EXECUTABLE) target to what it was before to for backward compatibility. The release process now builds static executables instead of dynamically linked ones which makes them more portable. It changes the requirements at compile time and is not backward compatible. In particular it may break packaging that rely on the target that currently creates a dynamically linked executable. (cherry picked from commit 84d02a174a4398b1f8ee62e08db5483a9859650f) (cherry picked from commit 854be47328cc0283119dfb78f9ba0b8306c85f75) [CI] Forgejo Actions based release process (squash) doc / ca / verbosity - Document workflow - Increase verbosity if VERBOSE=true - Download the Certificate Authority if behind the VPN (cherry picked from commit 168d5d586904835762d213b2b8815b458a38c78f) (cherry picked from commit 8756c9a72a40830441124256b7382f900a1052f8) (cherry picked from commit 2dad7ef20f3bf9ebe2425e2e28b66a4ca21c6786) [CI] Forgejo Actions based release process (squash) add assets sources-tarbal Refs: https://codeberg.org/forgejo/forgejo/issues/1115 (cherry picked from commit 5531d01f1981df665f5b8f642e9241e8ea4f4578) [CI] Forgejo Actions based release process (squash) add assets sources-tarbal bindata.go is a file, not a directory Refs: https://codeberg.org/forgejo/forgejo/issues/1115 (cherry picked from commit bd88a4477817be34ea86ebb2f460b9fe8ab5f1b7) (cherry picked from commit b408085138c578dfaacafbd4b7719ca926456855) [CI] Forgejo Actions based release process (squash) public/assets moved (cherry picked from commit d8c921d5a643ed05f2935348531996fe4d08c654) 2023-06-14 13:32:20 +02:00			`name: Build release`

			`on:`
			`push:`
			`tags: 'v*'`

			`jobs:`
			`release:`
			`runs-on: self-hosted`
			`# root is used for testing, allow it`
			`if: secrets.ROLE == 'forgejo-integration' \|\| github.repository_owner == 'root'`
			`steps:`
			`- uses: actions/checkout@v3`

			`- name: Increase the verbosity when there are no secrets`
			`id: verbose`
			`run: \|`
			`if test -z "${{ secrets.TOKEN }}"; then`
			`value=true`
			`else`
			`value=false`
			`fi`
			`echo "value=$value" >> "$GITHUB_OUTPUT"`

			`- name: Sanitize the name of the repository`
			`id: repository`
			`run: \|`
			`set -x # comment out`
			`repository="${{ github.repository }}"`
			`echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"`

			`- name: When in a test environment, create a token`
			`id: token`
			`if: ${{ secrets.TOKEN == '' }}`
			`run: \|`
			`apt-get -qq install -y jq`
			`url="${{ env.GITHUB_SERVER_URL }}"`
			`hostport=${url##http*://}`
			`hostport=${hostport%%/}`
			`doer=root`
			`api=http://$doer:admin1234@$hostport/api/v1/users/$doer/tokens`
			`curl -sS -X DELETE $api/release`
			`token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api \| jq --raw-output .sha1)`
			`echo "value=${token}" >> "$GITHUB_OUTPUT"`

			`- uses: https://code.forgejo.org/actions/setup-go@v4`
			`with:`
			`go-version: ">=1.20"`
			`check-latest: true`

			`- name: Create the version from ref_name`
			`id: tag-version`
			`run: \|`
			`version="${{ github.ref_name }}"`
			`version=${version##*v}`
			`echo "value=$version" >> "$GITHUB_OUTPUT"`

			`- name: Create the release notes`
			`id: release-notes`
			`run: \|`
			`cat >> "$GITHUB_OUTPUT" <<EOF`
			`value<<ENDVAR`
			`See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#${{ steps.tag-version.outputs.value }}`
			`ENDVAR`
			`EOF`

			`- name: Build sources`
			`run: \|`
			`set -x`
			`apt-get -qq install -y make`
			`version=${{ steps.tag-version.outputs.value }}`
			`#`
			`# Make sure all files are owned by the current user.`
			# When run as root `npx webpack` will assume the identity
			`# of the owner of the current working directory and may`
			`# fail to create files if some sub-directories are not owned`
			`# by the same user.`
			`#`
			`# Binaries:`
			`# Node: 18.17.0 - /usr/local/node-v18.17.0-linux-x64/bin/node`
			`# npm: 9.6.7 - /usr/local/node-v18.17.0-linux-x64/bin/npm`
			`# Packages:`
			`# add-asset-webpack-plugin: 2.0.1 => 2.0.1`
			`# css-loader: 6.8.1 => 6.8.1`
			`# esbuild-loader: 3.0.1 => 3.0.1`
			`# license-checker-webpack-plugin: 0.2.1 => 0.2.1`
			`# monaco-editor-webpack-plugin: 7.0.1 => 7.0.1`
			`# vue-loader: 17.2.2 => 17.2.2`
			`# webpack: 5.87.0 => 5.87.0`
			`# webpack-cli: 5.1.4 => 5.1.4`
			`#`
			`chown -R $(id -u) .`
			`make VERSION=$version TAGS=bindata sources-tarbal`
			`mv dist/release release`

			`(`
			`tmp=$(mktemp -d)`
			`tar --directory $tmp -zxvf release/$version.tar.gz`
			`cd $tmp/*`
			`#`
			# Verify `make frontend` files are available
			`#`
			`test -d public/assets/css`
			`test -d public/assets/fonts`
			`test -d public/assets/js`
			`#`
			# Verify `make generate` files are available
			`#`
			`test -f modules/public/bindata.go`
			`#`
			`# Sanity check to verify that the source tarbal knows the`
			`# version and is able to rebuild itself from it.`
			`#`
			`# When in sources the version is determined with git.`
			`# When in the tarbal the version is determined from a VERSION file.`
			`#`
			`make sources-tarbal`
			`tarbal=$(echo dist/release/$version.tar.gz)`
			`if ! test -f $tarbal ; then`
			`echo $tarbal does not exist`
			`find dist release`
			`exit 1`
			`fi`
			`)`

			`- name: build container & release (when TOKEN secret is not set)`
			`if: ${{ secrets.TOKEN == '' }}`
			`uses: ./.forgejo/actions/build-release`
			`with:`
			`forgejo: "${{ env.GITHUB_SERVER_URL }}"`
			`owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"`
			`repository: "${{ steps.repository.outputs.value }}"`
			`doer: root`
			`tag-version: "${{ steps.tag-version.outputs.value }}"`
			`token: ${{ steps.token.outputs.value }}`
			`platforms: linux/amd64,linux/arm64,linux/arm/v6`
			`release-notes: "${{ steps.release-notes.outputs.value }}"`
			`binary-name: forgejo`
			`binary-path: /app/gitea/gitea`
			`verbose: ${{ steps.verbose.outputs.value }}`

			`- name: build rootless container (when TOKEN secret is not set)`
			`if: ${{ secrets.TOKEN == '' }}`
			`uses: ./.forgejo/actions/build-release`
			`with:`
			`forgejo: "${{ env.GITHUB_SERVER_URL }}"`
			`owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"`
			`repository: "${{ steps.repository.outputs.value }}"`
			`doer: root`
			`tag-version: "${{ steps.tag-version.outputs.value }}"`
			`token: ${{ steps.token.outputs.value }}`
			`platforms: linux/amd64,linux/arm64,linux/arm/v6`
			`suffix: -rootless`
			`dockerfile: Dockerfile.rootless`
			`verbose: ${{ steps.verbose.outputs.value }}`

			`- name: build container & release (when TOKEN secret is set)`
			`if: ${{ secrets.TOKEN != '' }}`
			`uses: ./.forgejo/actions/build-release`
			`with:`
			`forgejo: "${{ env.GITHUB_SERVER_URL }}"`
			`owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"`
			`repository: "${{ steps.repository.outputs.value }}"`
			`doer: "${{ secrets.DOER }}"`
			`tag-version: "${{ steps.tag-version.outputs.value }}"`
			`token: "${{ secrets.TOKEN }}"`
			`platforms: linux/amd64,linux/arm64,linux/arm/v6`
			`release-notes: "${{ steps.release-notes.outputs.value }}"`
			`binary-name: forgejo`
			`binary-path: /app/gitea/gitea`
			`verbose: ${{ steps.verbose.outputs.value }}`

			`- name: build rootless container (when TOKEN secret is set)`
			`if: ${{ secrets.TOKEN != '' }}`
			`uses: ./.forgejo/actions/build-release`
			`with:`
			`forgejo: "${{ env.GITHUB_SERVER_URL }}"`
			`owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"`
			`repository: "${{ steps.repository.outputs.value }}"`
			`doer: "${{ secrets.DOER }}"`
			`tag-version: "${{ steps.tag-version.outputs.value }}"`
			`token: "${{ secrets.TOKEN }}"`
			`platforms: linux/amd64,linux/arm64,linux/arm/v6`
			`suffix: -rootless`
			`dockerfile: Dockerfile.rootless`
			`verbose: ${{ steps.verbose.outputs.value }}`