chore: improvements to ci (#673)

Author: dbarrosop

.github/.kodiak.toml

@@ -3,7 +3,7 @@ on:
   pull_request_target:
     types: [opened]
 
-name: "pull_request_target_opened"
+name: "assign labels"
 jobs:
   # labeler will label pull requests based on their title.
   # the configuration is at .github/labeler.yml.
@@ -14,4 +14,4 @@ jobs:
         name: Label Pull Request
         uses: jimschubert/labeler-action@v2
         with:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/dependabot.yml

@@ -0,0 +1,20 @@
+---
+name: "check and build"
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  tests:
+    uses: ./.github/workflows/wf_check.yaml
+
+  build_artifacts:
+    uses: ./.github/workflows/wf_build_artifacts.yaml
+    with:
+      VERSION: ${{ github.sha }}
+    secrets:
+      CERT_FULL_CHAIN: ${{ secrets.CERT_FULL_CHAIN }}
+      CERT_PRIV_KEY: ${{ secrets.CERT_PRIV_KEY }}
+

.github/workflows/pull_request_target_opened.yml .github/workflows/assign_labels.yml

@@ -1,4 +1,4 @@
-# .github/workflows/release.yaml
+---
 on:
   release:
     types: [published]
@@ -11,17 +11,24 @@ jobs:
       id-token: write
       contents: write
     steps:
-      - uses: actions/[email protected]
-
-      - name: Get go.mod details
-        uses: Eun/[email protected]
-        id: go-mod-details
+      - uses: actions/checkout@v3
 
-      - name: Install Go
-        uses: actions/setup-go@v4
+      - uses: nixbuild/nix-quick-install-action@v22
+        with:
+          nix_version: 2.14.1
+          nix_conf: |
+            experimental-features = nix-command flakes
+            sandbox = false
+            substituters = https://cache.nixos.org/?priority=40
+            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+            builders-use-substitutes = true
+            extra-platforms = aarch64-linux
 
+      - name: Cache nix store
+        uses: actions/cache@v3
         with:
-          go-version: ${{ steps.go-mod-details.outputs.go_version }}
+          path: /nix
+          key: nix-build-${{ hashFiles('flake.nix', 'flake.lock', '**.nix') }}
 
       - name: place let's encrypt cert
         run: |
@@ -33,13 +40,10 @@ jobs:
           EOF
         shell: bash
 
-      - name: GoReleaser
-        uses: goreleaser/[email protected]
-        with:
-          version: latest
-          args: release --skip-validate
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Build artifact"
+        run: |
+          export GORELEASER_CURRENT_TAG=${{ steps.vars.outputs.VERSION }}
+          nix develop .\#cibuild -c goreleaser release --skip-validate
 
       - name: Upload assets
         shell: bash

.github/workflows/checks.yaml

@@ -0,0 +1,17 @@
+name: "release drafter"
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  # draft your next release notes as pull requests are merged into "master"
+  # the configuration is at /.github/release-drafter.yml.
+  update_release_draft:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: release-drafter/release-drafter@v5
+        with:
+          config-name: release-drafter.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/push.yml

@@ -0,0 +1,91 @@
+---
+on:
+  workflow_call:
+    inputs:
+      GIT_REF:
+        type: string
+        required: false
+      VERSION:
+        type: string
+        required: true
+    secrets:
+      CERT_FULL_CHAIN:
+        required: true
+      CERT_PRIV_KEY:
+        required: true
+
+jobs:
+  artifacts:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: "Check out repository"
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        ref: ${{ inputs.GIT_REF }}
+        submodules: true
+
+    - uses: nixbuild/nix-quick-install-action@v22
+      with:
+        nix_version: 2.14.1
+        nix_conf: |
+          experimental-features = nix-command flakes
+          sandbox = false
+          substituters = https://cache.nixos.org/?priority=40
+          trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+          builders-use-substitutes = true
+          extra-platforms = aarch64-linux
+
+    - name: Cache nix store
+      uses: actions/cache@v3
+      with:
+        path: /nix
+        key: nix-build-${{ hashFiles('flake.nix', 'flake.lock', '**.nix') }}
+    - name: Compute common env vars
+      id: vars
+      run: |
+        echo "VERSION=$(make get-version VERSION=v0.0.0-${{ inputs.VERSION }})" >> $GITHUB_OUTPUT
+
+    - name: place let's encrypt cert
+      run: |
+        cat <<EOF > ssl/.ssl/fullchain.pem
+        ${{ secrets.CERT_FULL_CHAIN }}
+        EOF
+        cat <<EOF > ssl/.ssl/privkey.pem
+        ${{ secrets.CERT_PRIV_KEY }}
+        EOF
+      shell: bash
+
+    - name: "Build artifact"
+      run: |
+        export GORELEASER_CURRENT_TAG=${{ steps.vars.outputs.VERSION }}
+        nix develop .\#cibuild -c goreleaser release --skip-validate
+
+    - name: "Push artifact to artifact repository"
+      uses: actions/upload-artifact@v3
+      with:
+        name: cli-${{ steps.vars.outputs.VERSION }}-darwin-arm64.tar.gz
+        path: dist/cli-${{ steps.vars.outputs.VERSION }}-darwin-arm64.tar.gz
+        retention-days: 7
+
+    - name: "Push artifact to artifact repository"
+      uses: actions/upload-artifact@v3
+      with:
+        name: cli-${{ steps.vars.outputs.VERSION }}-darwin-amd64.tar.gz
+        path: dist/cli-${{ steps.vars.outputs.VERSION }}-darwin-amd64.tar.gz
+        retention-days: 7
+
+    - name: "Push artifact to artifact repository"
+      uses: actions/upload-artifact@v3
+      with:
+        name: cli-${{ steps.vars.outputs.VERSION }}-linux-arm64.tar.gz
+        path: dist/cli-${{ steps.vars.outputs.VERSION }}-linux-arm64.tar.gz
+        retention-days: 7
+
+    - name: "Push artifact to artifact repository"
+      uses: actions/upload-artifact@v3
+      with:
+        name: cli-${{ steps.vars.outputs.VERSION }}-linux-amd64.tar.gz
+        path: dist/cli-${{ steps.vars.outputs.VERSION }}-linux-amd64.tar.gz
+        retention-days: 7

.github/workflows/release.yaml

@@ -0,0 +1,39 @@
+---
+on:
+  workflow_call:
+    inputs:
+      GIT_REF:
+        type: string
+        required: false
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: "Check out repository"
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        ref: ${{ inputs.GIT_REF }}
+        submodules: true
+
+    - uses: nixbuild/nix-quick-install-action@v22
+      with:
+        nix_version: 2.14.1
+        nix_conf: |
+          experimental-features = nix-command flakes
+          sandbox = false
+          substituters = https://cache.nixos.org/?priority=40
+          trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+          builders-use-substitutes = true
+          extra-platforms = aarch64-linux
+
+    - name: Cache nix store
+      uses: actions/cache@v3
+      with:
+        path: /nix
+        key: nix-${{ runner.os }}-${{ hashFiles('flake.nix', 'flake.lock', '**.nix') }}
+
+    - name: "Run checks"
+      run: make check

.github/workflows/release_drafter.yml

@@ -41,3 +41,5 @@ generate-changelog.sh
 /.idea
 /.vscode
 letsencrypt/*
+result
+dist/

.github/workflows/wf_build_artifacts.yaml

@@ -15,12 +15,7 @@ builds:
         goarch: arm64
 archives:
   - name_template: "{{ .ProjectName }}-v{{.Version}}-{{ .Os }}-{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}"
-    replacements:
-      darwin: "darwin"
-      linux: "linux"
-      windows: "windows"
-      386: "386"
-      amd64: "amd64"
+    rlcp: true
     format_overrides:
       - goos: "windows"
         format: "zip"