build(netifyd): upgrade to v5 #4279
# Display name of the workflow.
name: "Build NethSecurity image"

# Triggers:
#   - manual runs (workflow_dispatch)
#   - pushes to main that touch build inputs, and pushes of any tag
#   - pull requests that touch the same build inputs
on:
  workflow_dispatch:
  push:
    branches:
      - "main"
    # Only paths that influence the produced image start a build.
    paths:
      - "builder/**"
      - "config/**"
      - "files/**"
      - "packages/**"
      - "patches/**"
      - "build.conf.example"
      - "build-nethsec.sh"
    tags:
      - "*"
  pull_request:
    # Same path filter as for pushes.
    paths:
      - "builder/**"
      - "config/**"
      - "files/**"
      - "packages/**"
      - "patches/**"
      - "build.conf.example"
      - "build-nethsec.sh"
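# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN gets the
# repository default scopes. Consider declaring the minimum each job needs.
jobs:
  # Builds the image, uploads the artifacts and syncs the output to the
  # package repository bucket.
  publish_images:
    name: 'Build NethSecurity image'
    # NOTE(review): pull_request runs execute build-nethsec.sh from the PR on
    # this self-hosted runner, with the job-level env below in scope. Confirm
    # that fork PRs need approval and that the runner is not reused with state.
    runs-on: self-hosted
    outputs:
      NETHSECURITY_VERSION: ${{ steps.build_vars.outputs.NETHSECURITY_VERSION }}
      REPO_CHANNEL: ${{ steps.build_vars.outputs.REPO_CHANNEL }}
    # NOTE(review): job-level env is visible to every step, including the
    # third-party rclone setup action. If only the build step needs the signing
    # key, move USIGN_PRIV_KEY to that step's env.
    env:
      USIGN_PUB_KEY: ${{ secrets.USIGN_PUB_KEY }}
      USIGN_PRIV_KEY: ${{ secrets.USIGN_PRIV_KEY }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GH_REPO: ${{ github.repository }}
    steps:
      - uses: actions/checkout@v6
      - name: Generate build variables
        id: build_vars
        # Context values are handed to the script as environment variables.
        # github.head_ref is the PR source branch name, chosen by the PR
        # author; expanding it with ${{ }} inside `run:` would paste it into
        # the shell source before bash parses it.
        # Do not name any of these REPO_CHANNEL: the script tests `-v REPO_CHANNEL`.
        env:
          EVENT_REF: ${{ github.ref }}
          EVENT_NAME: ${{ github.event_name }}
          PR_HEAD_REF: ${{ github.head_ref }}
        run: |
          # export OWRT_VERSION from build.conf.example
          echo "OWRT_VERSION=$(grep -oP 'OWRT_VERSION=\K.*' build.conf.example)" >> "$GITHUB_OUTPUT"
          # export TARGET from build.conf.example
          echo "TARGET=$(grep -oP 'TARGET=\K.*' build.conf.example)" >> "$GITHUB_OUTPUT"
          # export NETHSECURITY_VERSION from build
          echo "NETHSECURITY_VERSION=$(grep -oP 'NETHSECURITY_VERSION=\K.*' build.conf.example)" >> "$GITHUB_OUTPUT"
          # When pushing a tag, set REPO_CHANNEL to stable
          if [[ "$EVENT_REF" == refs/tags/* ]]; then
            echo "REPO_CHANNEL=stable" >> "$GITHUB_OUTPUT"
            # save NETHSECURITY_VERSION to env
            echo "NETHSECURITY_VERSION=$(grep -oP 'NETHSECURITY_VERSION=\K.*' build.conf.example)" >> "$GITHUB_OUTPUT"
          # When pushing to main branch, set REPO_CHANNEL to dev
          elif [[ "$EVENT_REF" == refs/heads/main ]]; then
            echo "REPO_CHANNEL=dev" >> "$GITHUB_OUTPUT"
            # save NETHSECURITY_VERSION to env and append -dev to it
            echo "NETHSECURITY_VERSION=$(grep -oP 'NETHSECURITY_VERSION=\K.*' build.conf.example)-dev+$(git rev-parse --short HEAD).$(date +'%Y%m%d%H%M%S')" >> "$GITHUB_OUTPUT"
          # Otherwise, get the branch name of the PR pushing if REPO_CHANNEL is not set
          elif [[ "$EVENT_NAME" == 'pull_request' && ! -v REPO_CHANNEL ]]; then
            echo "REPO_CHANNEL=${PR_HEAD_REF}" >> "$GITHUB_OUTPUT"
            # save NETHSECURITY_VERSION to env and append last commit hash to it
            echo "NETHSECURITY_VERSION=$(grep -oP 'NETHSECURITY_VERSION=\K.*' build.conf.example)-${PR_HEAD_REF}+$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
          fi
          # NOTE(review): a manual run on a branch other than main matches no
          # branch above and leaves REPO_CHANNEL empty; the upload step then
          # builds its destination path from an empty channel. Confirm intent.
      - name: Build the image
        env:
          OWRT_VERSION: ${{ steps.build_vars.outputs.OWRT_VERSION }}
          NETHSECURITY_VERSION: ${{ steps.build_vars.outputs.NETHSECURITY_VERSION }}
          REPO_CHANNEL: ${{ steps.build_vars.outputs.REPO_CHANNEL }}
          TARGET: ${{ steps.build_vars.outputs.TARGET }}
        run: ./build-nethsec.sh
      - name: Update latest_release file
        # The version string can embed the PR branch name, so it is passed
        # through env rather than expanded into the script text.
        env:
          NETHSECURITY_VERSION: ${{ steps.build_vars.outputs.NETHSECURITY_VERSION }}
        run: |
          # Create release file pointing to 8-VERSION
          echo "${NETHSECURITY_VERSION}" > latest_release
          echo "::notice title='Image published':: ${NETHSECURITY_VERSION}"
      - uses: actions/upload-artifact@v5
        name: Upload image
        with:
          name: image
          # The image is already gzip-compressed.
          compression-level: 0
          path: |
            bin/targets/**/nethsecurity-*combined-efi.img.gz
      - uses: actions/upload-artifact@v5
        name: Upload manifest file
        with:
          name: manifest
          path: bin/targets/**/nethsecurity-*.manifest
      - uses: actions/upload-artifact@v5
        name: Upload SBOM
        with:
          name: sbom
          path: bin/targets/**/nethsecurity-*.bom.cdx.json
      - uses: actions/upload-artifact@v5
        # Logs are uploaded even when an earlier step failed.
        if: always()
        name: Upload logs
        with:
          name: build-logs
          path: |
            build-logs
      - name: Setup rclone
        # NOTE(review): third-party action referenced by a mutable tag in a
        # job that holds signing and upload credentials. Pin it to a full
        # commit SHA, e.g. AnimMouse/setup-rclone@<FULL_COMMIT_SHA>.
        uses: AnimMouse/setup-rclone@v1
      - name: Copy Packages to repo
        env:
          RCLONE_CONFIG_REPO_PROVIDER: DigitalOcean
          RCLONE_CONFIG_REPO_TYPE: s3
          RCLONE_CONFIG_REPO_ENV_AUTH: 'true'
          RCLONE_CONFIG_REPO_ACL: public-read
          RCLONE_CONFIG_REPO_ENDPOINT: ams3.digitaloceanspaces.com
          RCLONE_CONFIG_REPO_ACCESS_KEY_ID: ${{ secrets.DO_SPACE_ACCESS_KEY }}
          RCLONE_CONFIG_REPO_SECRET_ACCESS_KEY: ${{ secrets.DO_SPACE_SECRET_KEY }}
          # Both values can carry the PR branch name; keep them out of the
          # script text and quote them where they are used.
          REPO_CHANNEL: ${{ steps.build_vars.outputs.REPO_CHANNEL }}
          NETHSECURITY_VERSION: ${{ steps.build_vars.outputs.NETHSECURITY_VERSION }}
        run: |
          rclone sync bin/ "repo:nethsecurity/${REPO_CHANNEL}/${NETHSECURITY_VERSION}" --progress --create-empty-src-dirs
          rclone copy latest_release "repo:nethsecurity/${REPO_CHANNEL}/" --progress --create-empty-src-dirs
  # Runs tools/issue-comment after a successful build, on main only.
  tools:
    name: 'Run tools'
    runs-on: ubuntu-24.04
    needs: publish_images
    if: ${{ github.ref == 'refs/heads/main' }}
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GH_REPO: ${{ github.repository }}
    steps:
      - uses: actions/checkout@v6
      - name: Run tools
        env:
          CDN_NAME: 'updates.nethsecurity.nethserver.org'
          NETHSECURITY_VERSION: ${{ needs.publish_images.outputs.NETHSECURITY_VERSION }}
          REPO_CHANNEL: ${{ needs.publish_images.outputs.REPO_CHANNEL }}
        run: |
          tools/issue-comment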