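---
# Release workflow: builds, scans and publishes the zerobyte container image
# when a version tag is pushed, and creates a GitHub release for final
# (non alpha/beta) tags.
name: Release Workflow

on: # yamllint disable-line rule:truthy
  push:
    tags:
      # NOTE(review): "v*.*.*" already matches the -beta/-alpha forms because
      # "*" matches any run of non-"/" characters; the two extra patterns are
      # kept for readability, not because they add triggers.
      - "v*.*.*"
      - "v*.*.*-beta.*"
      - "v*.*.*-alpha.*"

# Workflow-wide token scope. It is still inherited by the two reusable-workflow
# jobs (checks, e2e-tests), which is why it is not narrowed here; every job
# defined in this file overrides it below with the minimum it actually needs.
# Narrowing this block requires reviewing what checks.yml and e2e.yml use.
permissions:
  contents: write
  packages: write
  security-events: write

jobs:
  # Classifies the pushed tag so later jobs can gate on it.
  # Outputs:
  #   release_type: "alpha", "beta" or "release"
  #   tagname:      the tag itself (github.ref_name)
  determine-release-type:
    runs-on: ubuntu-latest
    # Runs only a shell snippet; it never touches the repository or the API,
    # so the token needs no scopes at all.
    permissions: {}
    outputs:
      release_type: ${{ steps.set-type.outputs.release_type }}
      tagname: ${{ github.ref_name }}
    steps:
      - name: Set release type
        id: set-type
        run: |
          TAG=${GITHUB_REF#refs/tags/}
          # Alpha is tested first, so a tag containing both markers is "alpha".
          if [[ $TAG == *-alpha* ]]; then
            echo "release_type=alpha" >> "$GITHUB_OUTPUT"
          elif [[ $TAG == *-beta* ]]; then
            echo "release_type=beta" >> "$GITHUB_OUTPUT"
          else
            echo "release_type=release" >> "$GITHUB_OUTPUT"
          fi

  # Reusable workflows; they inherit the workflow-level permissions above.
  checks:
    uses: ./.github/workflows/checks.yml

  e2e-tests:
    uses: ./.github/workflows/e2e.yml

  # Builds the image once locally for scanning, then rebuilds multi-arch and
  # pushes to ghcr.io. Gated on the "release" environment so its secrets and
  # any environment protection rules apply to every tag push.
  build-images:
    environment: release
    timeout-minutes: 15
    needs: [determine-release-type, checks, e2e-tests]
    runs-on: ubuntu-latest
    # contents: read   -> actions/checkout
    # packages: write  -> pushing to ghcr.io with GITHUB_TOKEN
    # security-events: write -> codeql-action/upload-sarif
    # Nothing in this job writes to the repository, so contents is read-only.
    permissions:
      contents: read
      packages: write
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          ref: ${{ github.ref }}

      # Docker Hub credentials; presumably required by the cloud builder
      # endpoint configured in the next step — confirm if that endpoint changes.
      - name: Log in to Docker Hub
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
        with:
          driver: cloud
          endpoint: "meienberger/runtipi-builder"
          install: true

      - name: Login to GitHub Container Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Single-platform build loaded into the local daemon so the scanner can
      # inspect it before anything is pushed.
      - name: Build docker image
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          target: production
          platforms: linux/amd64
          push: false
          load: true
          tags: local/zerobyte:ci
          build-args: |
            APP_VERSION=${{ needs.determine-release-type.outputs.tagname }}

      # NOTE(review): the scan runs only for final releases, and fail-build is
      # false, so findings are reported (SARIF below) but never block the push.
      # Alpha/beta images are pushed without being scanned at all. Tighten the
      # gate here (fail-build: true and/or drop the if:) if that is not intended.
      # Only the linux/amd64 build is scanned; the pushed arm64 image is not.
      - name: Scan new image for vulnerabilities
        if: needs.determine-release-type.outputs.release_type == 'release'
        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7
        id: scan
        with:
          image: local/zerobyte:ci
          fail-build: false
          only-fixed: true
          severity-cutoff: critical

      - name: upload Anchore scan report
        if: needs.determine-release-type.outputs.release_type == 'release'
        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

      # Tag set: every tag push gets the exact version tag; the major, major.minor
      # and major.minor.patch tags plus "latest" are enabled for final releases
      # only, so prereleases never move the floating tags.
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/zerobyte
          tags: |
            type=semver,pattern={{version}},prefix=v
            type=semver,pattern={{major}},prefix=v,enable=${{ needs.determine-release-type.outputs.release_type == 'release' }}
            type=semver,pattern={{major}}.{{minor}},prefix=v,enable=${{ needs.determine-release-type.outputs.release_type == 'release' }}
            type=semver,pattern={{major}}.{{minor}}.{{patch}},prefix=v,enable=${{ needs.determine-release-type.outputs.release_type == 'release' }}
          flavor: |
            latest=${{ needs.determine-release-type.outputs.release_type == 'release' }}

      - name: Push images to GitHub Container Registry
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          target: production
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            APP_VERSION=${{ needs.determine-release-type.outputs.tagname }}

  # Creates the GitHub release for final tags only (alpha/beta tags end after
  # the image push).
  publish-release:
    runs-on: ubuntu-latest
    needs: [build-images, determine-release-type]
    if: needs.determine-release-type.outputs.release_type == 'release'
    # Creating a release is the only token use in this job.
    permissions:
      contents: write
    outputs:
      id: ${{ steps.create_release.outputs.id }}
    steps:
      - name: Create GitHub release
        id: create_release
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          body: |
            **${{ needs.determine-release-type.outputs.tagname }}**
          tag_name: ${{ needs.determine-release-type.outputs.tagname }}
          name: ${{ needs.determine-release-type.outputs.tagname }}
          draft: false
          # NOTE(review): this job only runs for "release" tags, yet the release
          # is always marked as a prerelease — confirm this is intentional.
          prerelease: true
          # NOTE(review): this job has no checkout or build step, so there is
          # nothing on disk for this glob to match; it looks like a leftover —
          # verify whether any asset is expected here.
          files: cli/runtipi-cli-*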