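---
# Release workflow: classify the pushed tag, run the reusable checks / e2e
# workflows, build + scan + publish the container image, and (final releases
# only) create the GitHub release.
name: Release Workflow

on:
  push:
    tags:
      - "v*.*.*"
      - "v*.*.*-beta.*"
      - "v*.*.*-alpha.*"

# Least privilege: the default GITHUB_TOKEN is read-only for every job
# (the reusable checks / e2e workflows inherit this); jobs that push packages,
# upload SARIF or create releases elevate explicitly on their own entry.
# NOTE(review): if checks.yml / e2e.yml need more than `contents: read`,
# grant it on those job entries rather than widening this default.
permissions:
  contents: read

jobs:
  determine-release-type:
    runs-on: ubuntu-latest
    # Uses no token at all.
    permissions: {}
    outputs:
      release_type: ${{ steps.set-type.outputs.release_type }}
      tagname: ${{ github.ref_name }}
    steps:
      - name: Set release type
        id: set-type
        # The tag is read from the environment rather than interpolated into
        # the script with ${{ }}, so a crafted tag name cannot inject shell.
        run: |
          set -euo pipefail
          TAG=${GITHUB_REF#refs/tags/}
          if [[ $TAG == *-alpha* ]]; then
            echo "release_type=alpha" >> "$GITHUB_OUTPUT"
          elif [[ $TAG == *-beta* ]]; then
            echo "release_type=beta" >> "$GITHUB_OUTPUT"
          elif [[ $TAG =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "release_type=release" >> "$GITHUB_OUTPUT"
          else
            # "v*.*.*" also matches tags such as v1.2.3-rc.1. Anything that is
            # not a plain vX.Y.Z must not be classified as a final release,
            # because a final release is tagged `latest` and gets a GitHub
            # release; fail loudly instead.
            echo "::error::Unrecognised tag '$TAG' (expected vX.Y.Z, vX.Y.Z-beta.N or vX.Y.Z-alpha.N)"
            exit 1
          fi

  checks:
    uses: ./.github/workflows/checks.yml

  e2e-tests:
    uses: ./.github/workflows/e2e.yml

  build-images:
    timeout-minutes: 15
    needs: [determine-release-type, checks, e2e-tests]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write          # push to ghcr.io
      security-events: write   # upload the scan SARIF to code scanning
    steps:
      # NOTE(review): every action below is pinned to a mutable major tag.
      # Pin each `uses:` to a full commit SHA (keep the tag in a trailing
      # comment) so an upstream tag move or maintainer-account compromise
      # cannot swap the code that sees the Docker Hub / GHCR credentials.
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ github.ref }}

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: cloud
          endpoint: "meienberger/runtipi-builder"
          install: true

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Local single-arch build that is scanned before anything is pushed.
      - name: Build docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          target: production
          platforms: linux/amd64
          push: false
          load: true
          tags: local/zerobyte:ci
          build-args: |
            APP_VERSION=${{ needs.determine-release-type.outputs.tagname }}

      # NOTE(review): only final releases are gated on the scan, so alpha /
      # beta images are pushed unscanned, and only the amd64 image is scanned
      # although the push below is multi-arch. Confirm both are intended.
      - name: Scan new image for vulnerabilities
        if: needs.determine-release-type.outputs.release_type == 'release'
        uses: anchore/scan-action@v7
        id: scan
        with:
          image: local/zerobyte:ci
          fail-build: true
          only-fixed: true
          severity-cutoff: critical

      # `!cancelled()` so the report still reaches code scanning when the
      # scan step fails the job; otherwise the findings that blocked the
      # release are exactly the ones that are never uploaded.
      - name: upload Anchore scan report
        if: ${{ !cancelled() && needs.determine-release-type.outputs.release_type == 'release' }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/zerobyte
          # Pre-releases get only the full version tag; final releases also
          # get the floating major / major.minor tags and `latest`.
          tags: |
            type=semver,pattern={{version}},prefix=v
            type=semver,pattern={{major}},prefix=v,enable=${{ needs.determine-release-type.outputs.release_type == 'release' }}
            type=semver,pattern={{major}}.{{minor}},prefix=v,enable=${{ needs.determine-release-type.outputs.release_type == 'release' }}
            type=semver,pattern={{major}}.{{minor}}.{{patch}},prefix=v,enable=${{ needs.determine-release-type.outputs.release_type == 'release' }}
          flavor: |
            latest=${{ needs.determine-release-type.outputs.release_type == 'release' }}

      - name: Push images to GitHub Container Registry
        uses: docker/build-push-action@v6
        with:
          context: .
          target: production
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            APP_VERSION=${{ needs.determine-release-type.outputs.tagname }}

  publish-release:
    runs-on: ubuntu-latest
    needs: [build-images, determine-release-type]
    if: needs.determine-release-type.outputs.release_type == 'release'
    permissions:
      contents: write   # create the release
    outputs:
      id: ${{ steps.create_release.outputs.id }}
    steps:
      # NOTE(review): no checkout or artifact download precedes this step, so
      # `files: cli/runtipi-cli-*` matches nothing on a fresh runner and the
      # release is presumably created without assets — verify. Also
      # `prerelease: true` is applied although this job only runs for final
      # releases; confirm that is intended.
      - name: Create GitHub release
        id: create_release
        uses: softprops/action-gh-release@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          body: |
            **${{ needs.determine-release-type.outputs.tagname }}**
          tag_name: ${{ needs.determine-release-type.outputs.tagname }}
          name: ${{ needs.determine-release-type.outputs.tagname }}
          draft: false
          prerelease: true
          files: cli/runtipi-cli-*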