From d49df1e44cb9364cc8e9254ee69e4070c0fad924 Mon Sep 17 00:00:00 2001
From: Jakob Borg
Date: Sat, 31 May 2025 09:07:17 +0200
Subject: [PATCH] build: refactor builds for forks/PRs
Make sure as much as possible runs for forks and PRs as well, while keeping the release specific stuff out of the way.
---
.github/regsync.yml | 52 +++++++++++++
.github/workflows/build-syncthing.yaml | 102 +++++++++++++++++++------
.github/workflows/pr-linters.yaml | 49 ------------
3 files changed, 130 insertions(+), 73 deletions(-)
create mode 100644 .github/regsync.yml
delete mode 100644 .github/workflows/pr-linters.yaml
diff --git a/.github/regsync.yml b/.github/regsync.yml
new file mode 100644
index 000000000..56d5f176e
--- /dev/null
+++ b/.github/regsync.yml
@@ -0,0 +1,52 @@
+ version: 1
+ creds:
+ - registry: docker.io
+ user: "{{env \"DOCKERHUB_USERNAME\"}}"
+ pass: "{{env \"DOCKERHUB_TOKEN\"}}"
+
+ defaults:
+ ratelimit:
+ min: 100
+ retry: 1m
+ parallel: 4
+
+ sync:
+
+ - source: ghcr.io/syncthing/syncthing
+ target: docker.io/syncthing/syncthing
+ type: repository
+ tags:
+ allow:
+ - latest
+ - rc
+ - edge
+ - \d+
+ - \d+\.\d+
+ - \d+\.\d+\.\d+
+ - \d+\.\d+\.\d+-rc\.\d+
+
+ - source: ghcr.io/syncthing/relaysrv
+ target: docker.io/syncthing/relaysrv
+ type: repository
+ tags:
+ allow:
+ - latest
+ - rc
+ - edge
+ - \d+
+ - \d+\.\d+
+ - \d+\.\d+\.\d+
+ - \d+\.\d+\.\d+-rc\.\d+
+
+ - source: ghcr.io/syncthing/discosrv
+ target: docker.io/syncthing/discosrv
+ type: repository
+ tags:
+ allow:
+ - latest
+ - rc
+ - edge
+ - \d+
+ - \d+\.\d+
+ - \d+\.\d+\.\d+
+ - \d+\.\d+\.\d+-rc\.\d+
diff --git a/.github/workflows/build-syncthing.yaml b/.github/workflows/build-syncthing.yaml
index 3a4a21640..0970d0064 100644
--- a/.github/workflows/build-syncthing.yaml
+++ b/.github/workflows/build-syncthing.yaml
@@ -111,6 +111,8 @@ jobs: - package-debian - package-windows - govulncheck + - golangci + - meta steps: - uses: actions/checkout@v4
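Review bot: The `allow` entries under each `tags:` block in regsync.yml are regular expressions, and nothing in the file records whether regsync anchors them to the whole tag; if it did not, `\d+` would admit any tag containing a digit, and this list is what decides which images reach the public Docker Hub repositories. As far as I know current regsync releases do anchor allow patterns, but a comment above the first `allow:` makes that intent explicit for the next reader: `# regsync matches each pattern against the whole tag; only release-style tags are admitted`. The same seven-entry list is repeated verbatim for the three repositories, so an edit to one is easy to miss on the others; if regsync's YAML loader accepts anchors, `allow: &release_tags` on the first block and `allow: *release_tags` on the other two keeps them identical.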
@@ -163,6 +165,12 @@ jobs: name: unsigned-packages-windows path: "*.zip" + # + # Codesign binaries for Windows. This job runs only when called in the + # Syncthing repo for release branches and tags, as it requires our + # specific code signing keys etc. + + codesign-windows: name: Codesign for Windows if: github.repository_owner == 'syncthing' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/release-nightly' || startsWith(github.ref, 'refs/tags/v'))
@@ -280,12 +288,14 @@ jobs: compat.json # - # macOS + # macOS. The entire build runs in the release environment because code + # signing is part of the build process, so it is limited to release + # branches on the Syncthing repo. # package-macos: name: Package for macOS - if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/release-nightly' || startsWith(github.ref, 'refs/tags/v')) + if: github.repository_owner == 'syncthing' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/release-nightly' || startsWith(github.ref, 'refs/tags/v')) environment: release env: CODESIGN_IDENTITY: ${{ secrets.CODESIGN_IDENTITY }}
@@ -899,16 +909,12 @@ jobs: args: sync -v dists objstore:apt/dists # - # Build and push to Docker Hub + # Build and push (except for PRs) to GHCR. # - docker-syncthing: - name: Build and push Docker images + docker-ghcr: + name: Build and push Docker images (GHCR) runs-on: ubuntu-latest - if: github.repository_owner == 'syncthing' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/release-nightly' || github.ref == 'refs/heads/infrastructure' || startsWith(github.ref, 'refs/tags/v')) - environment: docker - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} permissions: contents: read packages: write
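Review bot: The comment `# Build and push (except for PRs) to GHCR.` in the @@ -899 hunk understates what changed: the job-level `if:` and `environment: docker` are removed, so `docker-ghcr` now builds on every trigger, and whether it pushes is decided only by the `push:` expression on the build step, which admits `push` and `workflow_dispatch` events on any ref rather than the branch and tag list the old `if:` enforced. Stating that directly keeps a later reader from assuming the ref restriction still applies: `# Build on every run (including PRs and forks); push to GHCR only on push/workflow_dispatch events.` Because the job was renamed from `docker-syncthing`, any other job in this file that lists it under `needs:` must be renamed as well — none is visible in this patch, so I cannot confirm there are none. The job body continues past the end of the hunk.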
@@ -972,14 +978,6 @@ jobs: BUILD_USER: docker EXTRA_LDFLAGS: "-linkmode=external -extldflags=-static" - - name: Login to Docker Hub - uses: docker/login-action@v3 - if: env.DOCKERHUB_USERNAME != '' - with: - registry: docker.io - username: ${{ env.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Login to GHCR uses: docker/login-action@v3 with:
@@ -1011,12 +1009,6 @@ jobs: tags=$repo:$ref fi - # If we have a Docker Hub secret, also push to there. - if [[ $DOCKERHUB_USERNAME != "" ]] ; then - dockerhubtags="${tags//ghcr.io\/syncthing/docker.io\/syncthing}" - tags="$tags,$dockerhubtags" - fi - echo Pushing to $tags echo "DOCKER_TAGS=$tags" >> $GITHUB_ENV
@@ -1029,11 +1021,35 @@ jobs: file: ${{ matrix.dockerfile }} platforms: linux/amd64,linux/arm64,linux/arm/7 tags: ${{ env.DOCKER_TAGS }} - push: true + push: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }} labels: | org.opencontainers.image.version=${{ env.VERSION }} org.opencontainers.image.revision=${{ github.sha }} + # + # Sync images to Docker hub. This takes the images already pushed to GHCR + # and copies them to Docker hub. Runs for releases only. + # + + docker-hub: + name: Sync images to Docker hub + if: github.repository_owner == 'syncthing' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/release-nightly' || github.ref == 'refs/heads/infrastructure' || startsWith(github.ref, 'refs/tags/v')) + runs-on: ubuntu-latest + needs: + - docker-ghcr + environment: docker + env: + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} + steps: + - uses: actions/checkout@v4 + - name: Sync images + uses: docker://docker.io/regclient/regsync:latest + with: + args: + -c ./.github/regsync.yml + once + # + # Check for known vulnerabilities in Go dependencies + #
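Review bot: The new `docker-hub` job in the @@ -1029 hunk runs a third-party image by floating tag, `uses: docker://docker.io/regclient/regsync:latest`, with `DOCKERHUB_TOKEN` in its environment, so whatever the registry serves as `latest` at run time is what handles the push credentials; pinning to a vetted release tag (or an image digest) makes the run reproducible and lets dependency-update tooling propose bumps. The two secrets are also set as job-level `env:`, which places them in the environment of `actions/checkout@v4` as well; only the regsync step needs them, so a step-level `env:` scopes them down. The `args:` value is a plain scalar continued over two lines, which YAML folds into `-c ./.github/regsync.yml once`; writing it on one line says so directly. Separately, the `push:` expression on the build step no longer restricts the ref the way the removed job-level `if:` did, so a push to any branch will attempt an image push — presumably intended, but worth confirming; that build step's job begins outside the hunk.
```yaml
      # … unchanged: docker-hub job header (name, if, runs-on, needs, environment); the job-level env block is dropped …
      - name: Sync images
        # <regsync-version> is a placeholder: pin to a vetted release tag or image digest
        uses: docker://docker.io/regclient/regsync:<regsync-version>
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        with:
          args: -c ./.github/regsync.yml once
```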
@@ -1055,3 +1071,41 @@ jobs: go run build.go assets go install golang.org/x/vuln/cmd/govulncheck@latest govulncheck ./...
+
+ #
+ # golangci-lint runs a suite of static analysis checks on the code
+ #
+
+ golangci:
+ runs-on: ubuntu-latest
+ name: Run golangci-lint
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version: 'stable'
+
+ - name: ensure asset generation
+ run: go run build.go assets
+
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@v8
+ with:
+ only-new-issues: true
+
+ #
+ # Meta checks for formatting, copyright, etc
+ #
+
+ meta:
+ name: Run meta checks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version: 'stable'
+
+ - run: |
+ go run build.go assets
+ go test -v ./meta
diff --git a/.github/workflows/pr-linters.yaml b/.github/workflows/pr-linters.yaml
deleted file mode 100644
index 6eda16c17..000000000
--- a/.github/workflows/pr-linters.yaml
+++ /dev/null
@@ -1,49 +0,0 @@ -name: Run PR linters - on: - pull_request: - workflow_dispatch: - permissions: - contents: read - pull-requests: read - jobs: - - # - # golangci-lint runs a suite of static analysis checks on the code - # - - golangci: - runs-on: ubuntu-latest - name: Golangci-lint - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 - with: - go-version: 'stable' - - - name: ensure asset generation - run: go run build.go assets - - - name: golangci-lint - uses: golangci/golangci-lint-action@v8 - with: - only-new-issues: true - - # - # Meta checks for formatting, copyright, etc - # - - meta: - name: Meta checks - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 - with: - go-version: 'stable' - - - run: | - go run build.go assets - go test -v ./meta
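Review bot: The `golangci` and `meta` jobs added in the @@ -1055 hunk carry no `permissions:` block, whereas the deleted pr-linters.yaml granted `contents: read` and `pull-requests: read` at workflow level; golangci-lint-action's `only-new-issues: true` reads the pull request to limit reporting to new findings, so the job needs that scope. The top of build-syncthing.yaml is outside this patch, so I cannot see what the workflow-level default is; a job-level block makes the grant explicit and minimal either way: `permissions:` / `  contents: read` / `  pull-requests: read` under `golangci:`, and `permissions:` / `  contents: read` under `meta:`.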