-
Notifications
You must be signed in to change notification settings - Fork 18
139 lines (131 loc) · 5.45 KB
/
build-image.yml
File metadata and controls
139 lines (131 loc) · 5.45 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: "Build NethSecurity image"
on:
workflow_dispatch:
push:
branches:
- 'main'
paths:
- 'builder/**'
- 'config/**'
- 'files/**'
- 'packages/**'
- 'patches/**'
- 'build.conf.example'
- 'build-nethsec.sh'
tags:
- '*'
pull_request:
paths:
- 'builder/**'
- 'config/**'
- 'files/**'
- 'packages/**'
- 'patches/**'
- 'build.conf.example'
- 'build-nethsec.sh'
jobs:
publish_images:
name: 'Build NethSecurity image'
runs-on: self-hosted
outputs:
NETHSECURITY_VERSION: ${{ steps.build_vars.outputs.NETHSECURITY_VERSION }}
REPO_CHANNEL: ${{ steps.build_vars.outputs.REPO_CHANNEL }}
env:
USIGN_PUB_KEY: ${{ secrets.USIGN_PUB_KEY }}
USIGN_PRIV_KEY: ${{ secrets.USIGN_PRIV_KEY }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
steps:
- uses: actions/checkout@v6
- name: Generate build variables
id: build_vars
run: |
# export OWRT_VERSION from build.conf.example
echo "OWRT_VERSION=$(grep -oP 'OWRT_VERSION=\K.*' build.conf.example)" >> $GITHUB_OUTPUT
# export TARGET from build.conf.example
echo "TARGET=$(grep -oP 'TARGET=\K.*' build.conf.example)" >> $GITHUB_OUTPUT
# export NETHSECURITY_VERSION from build
echo "NETHSECURITY_VERSION=$(grep -oP 'NETHSECURITY_VERSION=\K.*' build.conf.example)" >> $GITHUB_OUTPUT
# When pushing a tag, set REPO_CHANNEL to stable
if [[ "${{ github.ref }}" == refs/tags/* ]]; then
echo "REPO_CHANNEL=stable" >> $GITHUB_OUTPUT
# save NETHSECURITY_VERSION to env
echo "NETHSECURITY_VERSION=$(grep -oP 'NETHSECURITY_VERSION=\K.*' build.conf.example)" >> $GITHUB_OUTPUT
# When pushing to main branch, set REPO_CHANNEL to dev
elif [[ "${{ github.ref }}" == refs/heads/main ]]; then
echo "REPO_CHANNEL=dev" >> $GITHUB_OUTPUT
# save NETHSECURITY_VERSION to env and append -dev to it
echo "NETHSECURITY_VERSION=$(grep -oP 'NETHSECURITY_VERSION=\K.*' build.conf.example)-dev+$(git rev-parse --short HEAD).$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
# Otherwise, get the branch name of the PR pushing if REPO_CHANNEL is not set
elif [[ "${{ github.event_name }}" == 'pull_request' && ! -v REPO_CHANNEL ]]; then
echo "REPO_CHANNEL=${{ github.head_ref }}" >> $GITHUB_OUTPUT
# save NETHSECURITY_VERSION to env and append last commit hash to it
echo "NETHSECURITY_VERSION=$(grep -oP 'NETHSECURITY_VERSION=\K.*' build.conf.example)-${{ github.head_ref }}+$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
fi
- name: Build the image
env:
OWRT_VERSION: ${{ steps.build_vars.outputs.OWRT_VERSION }}
NETHSECURITY_VERSION: ${{ steps.build_vars.outputs.NETHSECURITY_VERSION }}
REPO_CHANNEL: ${{ steps.build_vars.outputs.REPO_CHANNEL }}
TARGET: ${{ steps.build_vars.outputs.TARGET }}
run: ./build-nethsec.sh
- name: Update latest_release file
run: |
# Create release file pointing to 8-VERSION
echo "${{ steps.build_vars.outputs.NETHSECURITY_VERSION }}" > latest_release
echo "::notice title='Image published':: ${{ steps.build_vars.outputs.NETHSECURITY_VERSION }}"
- uses: actions/upload-artifact@v6
name: Upload image
with:
name: image
compression-level: 0
path: |
bin/targets/**/nethsecurity-*combined-efi.img.gz
- uses: actions/upload-artifact@v6
name: Upload manifest file
with:
name: manifest
path: bin/targets/**/nethsecurity-*.manifest
- uses: actions/upload-artifact@v6
name: Upload SBOM
with:
name: sbom
path: bin/targets/**/nethsecurity-*.bom.cdx.json
- uses: actions/upload-artifact@v6
if: always()
name: Upload logs
with:
name: build-logs
path: |
build-logs
- name: Setup rclone
uses: AnimMouse/setup-rclone@v1
- name: Copy Packages to repo
env:
RCLONE_CONFIG_REPO_PROVIDER: DigitalOcean
RCLONE_CONFIG_REPO_TYPE: s3
RCLONE_CONFIG_REPO_ENV_AUTH: true
RCLONE_CONFIG_REPO_ACL: public-read
RCLONE_CONFIG_REPO_ENDPOINT: ams3.digitaloceanspaces.com
RCLONE_CONFIG_REPO_ACCESS_KEY_ID: ${{ secrets.DO_SPACE_ACCESS_KEY }}
RCLONE_CONFIG_REPO_SECRET_ACCESS_KEY: ${{ secrets.DO_SPACE_SECRET_KEY }}
run: |
rclone sync bin/ repo:nethsecurity/${{ steps.build_vars.outputs.REPO_CHANNEL }}/${{ steps.build_vars.outputs.NETHSECURITY_VERSION }} --progress --create-empty-src-dirs
rclone copy latest_release repo:nethsecurity/${{ steps.build_vars.outputs.REPO_CHANNEL }}/ --progress --create-empty-src-dirs
tools:
name: 'Run tools'
runs-on: ubuntu-24.04
needs: publish_images
if: ${{ github.ref == 'refs/heads/main' }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
steps:
- uses: actions/checkout@v6
- name: Run tools
env:
CDN_NAME: 'updates.nethsecurity.nethserver.org'
NETHSECURITY_VERSION: ${{ needs.publish_images.outputs.NETHSECURITY_VERSION }}
REPO_CHANNEL: ${{ needs.publish_images.outputs.REPO_CHANNEL }}
run: |
tools/issue-comment