This repository has been archived by the owner on Sep 10, 2024. It is now read-only.
Document the new account-management options #1686
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
push: | |
branches: [ main ] | |
tags: | |
- 'v*' | |
# Only run for pull requests if relevant files were changed | |
pull_request: | |
branches: [ main ] | |
paths: | |
- Dockerfile | |
- docker-bake.hcl | |
- .github/workflows/build.yaml | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
CARGO_TERM_COLOR: always | |
CARGO_NET_GIT_FETCH_WITH_CLI: "true" | |
SCCACHE_GHA_ENABLED: "true" | |
RUSTC_WRAPPER: "sccache" | |
IMAGE: ghcr.io/matrix-org/matrix-authentication-service | |
IMAGE_SYN2MAS: ghcr.io/matrix-org/matrix-authentication-service/syn2mas | |
BUILDCACHE: ghcr.io/matrix-org/matrix-authentication-service/buildcache | |
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index | |
jobs: | |
build-binaries: | |
name: Build binaries | |
runs-on: ubuntu-22.04 | |
env: | |
SDKROOT: /opt/MacOSX11.3.sdk | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout the code | |
uses: actions/[email protected] | |
- name: Setup OPA | |
uses: open-policy-agent/[email protected] | |
with: | |
version: 0.64.1 | |
- name: Install Rust toolchain | |
uses: dtolnay/rust-toolchain@stable | |
with: | |
targets: | | |
x86_64-unknown-linux-gnu | |
aarch64-unknown-linux-gnu | |
x86_64-apple-darwin | |
aarch64-apple-darwin | |
- name: Setup sccache | |
uses: mozilla-actions/[email protected] | |
- name: Install zig | |
uses: goto-bus-stop/setup-zig@v2 | |
with: | |
version: 0.11.0 | |
- name: Install cargo-zigbuild | |
run: curl -L https://github.com/rust-cross/cargo-zigbuild/releases/download/v0.18.4/cargo-zigbuild-v0.18.4.x86_64-unknown-linux-musl.tar.gz | tar -z -x -C /usr/local/bin | |
- name: Download the macOS SDK | |
run: curl -L "https://github.com/phracker/MacOSX-SDKs/releases/download/11.3/MacOSX11.3.sdk.tar.xz" | tar -J -x -C /opt | |
- name: Install frontend Node | |
uses: actions/[email protected] | |
with: | |
node-version: 20 | |
- name: Install frontend Node dependencies | |
working-directory: ./frontend | |
run: npm ci | |
- name: Build frontend | |
working-directory: ./frontend | |
run: npm run build | |
- name: Build policies | |
working-directory: ./policies | |
run: make | |
- name: Force Cargo to create the target directory | |
# Run `cargo clean` with an empty package name to force it to create the target directory | |
# This fails because there is no package with an empty name, but the target directory is created | |
# See https://github.com/rust-lang/cargo/issues/12441 | |
# This is needed because `cargo-zigbuild` sometimes (wrongly) creates the target directory | |
# See https://github.com/rust-cross/cargo-zigbuild/issues/165 | |
run: | | |
cargo clean -p '' \ | |
--target x86_64-unknown-linux-gnu \ | |
--target aarch64-unknown-linux-gnu \ | |
--target x86_64-apple-darwin \ | |
--target aarch64-apple-darwin \ | |
|| true | |
- name: Build the binary | |
run: | | |
cargo zigbuild \ | |
--release \ | |
--target x86_64-unknown-linux-gnu.2.17 \ | |
--target aarch64-unknown-linux-gnu.2.17 \ | |
--target x86_64-apple-darwin \ | |
--target aarch64-apple-darwin \ | |
--no-default-features \ | |
--features dist \ | |
-p mas-cli | |
- name: Upload the artifacts | |
uses: actions/[email protected] | |
with: | |
name: binaries | |
path: | | |
target/*/release/mas-cli | |
frontend/dist/ | |
policies/policy.wasm | |
templates/ | |
translations/ | |
LICENSE | |
build-image: | |
name: Build and push Docker image | |
runs-on: ubuntu-latest | |
outputs: | |
metadata: ${{ steps.output.outputs.metadata }} | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
steps: | |
- name: Checkout the code | |
uses: actions/[email protected] | |
- name: Docker meta | |
id: meta | |
uses: docker/[email protected] | |
with: | |
images: "${{ env.IMAGE }}" | |
bake-target: docker-metadata-action | |
flavor: | | |
latest=auto | |
tags: | | |
type=ref,event=branch | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=semver,pattern={{major}} | |
type=sha | |
- name: Docker meta (debug variant) | |
id: meta-debug | |
uses: docker/[email protected] | |
with: | |
images: "${{ env.IMAGE }}" | |
bake-target: docker-metadata-action-debug | |
flavor: | | |
latest=auto | |
suffix=-debug,onlatest=true | |
tags: | | |
type=ref,event=branch | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=semver,pattern={{major}} | |
type=sha | |
- name: Docker meta (syn2mas) | |
id: meta-syn2mas | |
uses: docker/[email protected] | |
with: | |
images: "${{ env.IMAGE_SYN2MAS }}" | |
bake-target: docker-metadata-action-syn2mas | |
flavor: | | |
latest=auto | |
tags: | | |
type=ref,event=branch | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=semver,pattern={{major}} | |
type=sha | |
- name: Setup Cosign | |
uses: sigstore/[email protected] | |
- name: Set up Docker Buildx | |
uses: docker/[email protected] | |
with: | |
buildkitd-config-inline: | | |
[registry."docker.io"] | |
mirrors = ["mirror.gcr.io"] | |
- name: Login to GitHub Container Registry | |
if: github.event_name != 'pull_request' | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# For pull-requests, only read from the cache, do not try to push to the | |
# cache or the image itself | |
- name: Build | |
uses: docker/[email protected] | |
if: github.event_name == 'pull_request' | |
with: | |
files: | | |
docker-bake.hcl | |
${{ steps.meta.outputs.bake-file }} | |
${{ steps.meta-debug.outputs.bake-file }} | |
${{ steps.meta-syn2mas.outputs.bake-file }} | |
set: | | |
base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }} | |
syn2mas.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}:tools/syn2mas/ | |
base.cache-from=type=registry,ref=${{ env.BUILDCACHE }}:buildcache | |
- name: Build and push | |
id: bake | |
uses: docker/[email protected] | |
if: github.event_name != 'pull_request' | |
with: | |
files: | | |
docker-bake.hcl | |
${{ steps.meta.outputs.bake-file }} | |
${{ steps.meta-debug.outputs.bake-file }} | |
${{ steps.meta-syn2mas.outputs.bake-file }} | |
set: | | |
base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }} | |
syn2mas.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}:tools/syn2mas/ | |
base.output=type=image,push=true | |
base.cache-from=type=registry,ref=${{ env.BUILDCACHE }}:buildcache | |
base.cache-to=type=registry,ref=${{ env.BUILDCACHE }}:buildcache,mode=max | |
- name: Transform bake output | |
# This transforms the ouput to an object which looks like this: | |
# { reguar: { digest: "…", tags: ["…", "…"] }, debug: { digest: "…", tags: ["…"] }, … } | |
id: output | |
if: github.event_name != 'pull_request' | |
run: | | |
echo 'metadata<<EOF' >> $GITHUB_OUTPUT | |
echo '${{ steps.bake.outputs.metadata }}' | jq -c 'map_values({ digest: .["containerimage.digest"], tags: (.["image.name"] | split(",")) })' >> $GITHUB_OUTPUT | |
echo 'EOF' >> $GITHUB_OUTPUT | |
- name: Sign the images with GitHub Actions provided token | |
# Only sign on tags and on commits on main branch | |
if: | | |
github.event_name != 'pull_request' | |
&& (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main') | |
run: |- | |
cosign sign --yes \ | |
"${{ env.IMAGE }}@${{ fromJSON(steps.output.outputs.metadata).regular.digest }}" \ | |
"${{ env.IMAGE }}@${{ fromJSON(steps.output.outputs.metadata).debug.digest }}" \ | |
"${{ env.IMAGE_SYN2MAS }}@${{ fromJSON(steps.output.outputs.metadata).syn2mas.digest }}" | |
syn2mas: | |
name: Release syn2mas on NPM | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- name: Checkout the code | |
uses: actions/[email protected] | |
- name: Install Node | |
uses: actions/[email protected] | |
with: | |
node-version-file: ./tools/syn2mas/.nvmrc | |
- name: Install Node dependencies | |
working-directory: ./tools/syn2mas | |
run: npm ci | |
- name: Publish | |
uses: JS-DevTools/npm-publish@v3 | |
with: | |
package: ./tools/syn2mas | |
token: ${{ secrets.NPM_TOKEN }} | |
provenance: true | |
dry-run: ${{ !startsWith(github.ref, 'refs/tags/') }} | |
release: | |
name: Release | |
if: startsWith(github.ref, 'refs/tags/') | |
runs-on: ubuntu-latest | |
needs: | |
- build-binaries | |
- build-image | |
- syn2mas | |
steps: | |
- name: Download the artifacts from the previous job | |
uses: actions/download-artifact@v4 | |
with: | |
name: binaries | |
path: artifacts | |
- name: Prepare the archive directory | |
run: | | |
mkdir -p dist/share/ | |
mv artifacts/policies/policy.wasm dist/share/policy.wasm | |
mv artifacts/frontend/dist/manifest.json dist/share/manifest.json | |
mv artifacts/frontend/dist/ dist/share/assets | |
mv artifacts/templates/ dist/share/templates | |
mv artifacts/translations/ dist/share/translations | |
mv artifacts/LICENSE dist/LICENSE | |
chmod -R u=rwX,go=rX dist/ | |
- name: Create the archives | |
run: | | |
for arch in x86_64 aarch64; do | |
mv artifacts/target/${arch}-unknown-linux-gnu/release/mas-cli dist/mas-cli | |
chmod u=rwx,go=rx dist/mas-cli | |
tar -czvf mas-cli-${arch}-linux.tar.gz --owner=0 --group=0 -C dist/ . | |
mv artifacts/target/${arch}-apple-darwin/release/mas-cli dist/mas-cli | |
chmod u=rwx,go=rx dist/mas-cli | |
tar -czvf mas-cli-${arch}-macos.tar.gz --owner=0 --group=0 -C dist/ . | |
done | |
- name: Prepare a release | |
uses: softprops/action-gh-release@v2 | |
with: | |
body: | | |
### Docker image | |
Regular image: | |
- Digest: | |
``` | |
${{ env.IMAGE }}@${{ fromJSON(needs.build-image.outputs.metadata).regular.digest }} | |
``` | |
- Tags: | |
``` | |
${{ join(fromJSON(needs.build-image.outputs.metadata).regular.tags, ' | |
') }} | |
``` | |
Debug variant: | |
- Digest: | |
``` | |
${{ env.IMAGE }}@${{ fromJSON(needs.build-image.outputs.metadata).debug.digest }} | |
``` | |
- Tags: | |
``` | |
${{ join(fromJSON(needs.build-image.outputs.metadata).debug.tags, ' | |
') }} | |
``` | |
`syn2mas` migration tool: | |
- Digest: | |
``` | |
${{ env.IMAGE_SYN2MAS }}@${{ fromJSON(needs.build-image.outputs.metadata).syn2mas.digest }} | |
``` | |
- Tags: | |
``` | |
${{ join(fromJSON(needs.build-image.outputs.metadata).syn2mas.tags, ' | |
') }} | |
``` | |
files: | | |
mas-cli-aarch64-linux.tar.gz | |
mas-cli-aarch64-macos.tar.gz | |
mas-cli-x86_64-linux.tar.gz | |
mas-cli-x86_64-macos.tar.gz | |
draft: true |