1 | 1 | name: Release |
2 | 2 |
|
3 | 3 | on: |
4 | | - release: |
5 | | - types: [published] |
6 | | - |
7 | | -env: |
8 | | - REGISTRY_DOCKERHUB: wgtechlabs/unthread-webhook-server |
9 | | - REGISTRY_GHCR: ghcr.io/wgtechlabs/unthread-webhook-server |
| 4 | + push: |
| 5 | + branches: [main] |
10 | 6 |
|
11 | 7 | jobs: |
12 | | - build-production: |
13 | | - name: Build Production Images |
| 8 | + release: |
| 9 | + name: Create Release |
14 | 10 | runs-on: ubuntu-latest |
15 | | - if: startsWith(github.ref, 'refs/tags/') |
16 | 11 | permissions: |
17 | | - contents: read |
18 | | - packages: write |
19 | | - security-events: write |
20 | | - |
| 12 | + contents: write |
| 13 | + |
21 | 14 | steps: |
22 | 15 | - name: Checkout code |
23 | 16 | uses: actions/checkout@v4 |
24 | | - |
25 | | - - name: Login to Docker Hub |
26 | | - uses: docker/login-action@v3 |
27 | | - with: |
28 | | - username: ${{ secrets.DOCKER_HUB_USERNAME }} |
29 | | - password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} |
30 | | - |
31 | | - - name: Setup Docker Buildx |
32 | | - uses: docker/setup-buildx-action@v3 |
33 | 17 | with: |
34 | | - driver: cloud |
35 | | - endpoint: "wgtechlabs/unthread-bot-builder" |
36 | | - install: true |
37 | | - |
38 | | - - name: Login to GitHub Container Registry |
39 | | - uses: docker/login-action@v3 |
40 | | - with: |
41 | | - registry: ghcr.io |
42 | | - username: ${{ github.actor }} |
43 | | - password: ${{ secrets.GITHUB_TOKEN }} |
44 | | - |
45 | | - - name: Extract version from package.json |
46 | | - id: version |
47 | | - run: | |
48 | | - VERSION=$(node -p "require('./package.json').version") |
49 | | - echo "version=$VERSION" >> $GITHUB_OUTPUT |
50 | | - echo "major=$(echo $VERSION | cut -d. -f1)" >> $GITHUB_OUTPUT |
51 | | - echo "minor=$(echo $VERSION | cut -d. -f1-2)" >> $GITHUB_OUTPUT |
52 | | - echo "patch=$(echo $VERSION | cut -d. -f1-3)" >> $GITHUB_OUTPUT |
53 | | - echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT |
54 | | - |
55 | | - - name: Generate Docker tags |
56 | | - id: tags |
57 | | - run: | |
58 | | - VERSION="${{ steps.version.outputs.version }}" |
59 | | - MAJOR="${{ steps.version.outputs.major }}" |
60 | | - MINOR="${{ steps.version.outputs.minor }}" |
61 | | - PATCH="${{ steps.version.outputs.patch }}" |
62 | | - |
63 | | - # Docker Hub tags (no 'v' prefix) |
64 | | - DOCKERHUB_TAGS="${{ env.REGISTRY_DOCKERHUB }}:latest" |
65 | | - DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$VERSION" |
66 | | - DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$PATCH" |
67 | | - DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$MINOR" |
68 | | - DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$MAJOR" |
69 | | - |
70 | | - # GitHub Container Registry tags (with 'v' prefix) |
71 | | - GHCR_TAGS="${{ env.REGISTRY_GHCR }}:latest" |
72 | | - GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$VERSION" |
73 | | - GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$PATCH" |
74 | | - GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$MINOR" |
75 | | - GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$MAJOR" |
76 | | - |
77 | | - # Combine all tags |
78 | | - ALL_TAGS="$DOCKERHUB_TAGS,$GHCR_TAGS" |
79 | | - echo "tags=$ALL_TAGS" >> $GITHUB_OUTPUT |
80 | | - |
81 | | - - name: Build and push production images |
82 | | - uses: docker/build-push-action@v5 |
83 | | - with: |
84 | | - context: . |
85 | | - push: true |
86 | | - platforms: linux/amd64,linux/arm64 |
87 | | - tags: ${{ steps.tags.outputs.tags }} |
88 | | - labels: | |
89 | | - org.opencontainers.image.title=Unthread Webhook Server |
90 | | - org.opencontainers.image.description=A reliable, production-ready Node.js server for processing Unthread.io webhooks with signature verification and smart platform handling. |
91 | | - org.opencontainers.image.version=${{ steps.version.outputs.version }} |
92 | | - org.opencontainers.image.created=${{ steps.version.outputs.build_date }} |
93 | | - org.opencontainers.image.revision=${{ github.sha }} |
94 | | - org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} |
95 | | - org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }} |
96 | | - org.opencontainers.image.licenses=GPL-3.0 |
97 | | - cache-from: type=gha |
98 | | - cache-to: type=gha,mode=max |
99 | | - |
100 | | - - name: Run Trivy vulnerability scanner |
101 | | - uses: aquasecurity/trivy-action@0.28.0 |
102 | | - continue-on-error: true |
103 | | - with: |
104 | | - image-ref: ${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.version }} |
105 | | - format: 'sarif' |
106 | | - output: 'trivy-results.sarif' |
107 | | - |
108 | | - - name: Upload Trivy scan results to GitHub Security tab |
109 | | - uses: github/codeql-action/upload-sarif@v3 |
110 | | - if: always() && hashFiles('trivy-results.sarif') != '' |
| 18 | + fetch-depth: 0 |
| 19 | + |
| 20 | + - name: Create Release |
| 21 | + id: release |
| 22 | + uses: wgtechlabs/release-build-flow-action@v1.6.0 |
111 | 23 | with: |
112 | | - sarif_file: 'trivy-results.sarif' |
113 | | - |
114 | | - - name: Production release summary |
115 | | - run: | |
116 | | - echo "## 🚀 Production Release Complete" >> $GITHUB_STEP_SUMMARY |
117 | | - echo "**Version:** \`${{ steps.version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY |
118 | | - echo "**Release:** \`${{ github.event.release.tag_name }}\`" >> $GITHUB_STEP_SUMMARY |
119 | | - echo "" >> $GITHUB_STEP_SUMMARY |
120 | | - echo "**Docker Hub Images:**" >> $GITHUB_STEP_SUMMARY |
121 | | - echo "- \`${{ env.REGISTRY_DOCKERHUB }}:latest\`" >> $GITHUB_STEP_SUMMARY |
122 | | - echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY |
123 | | - echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.patch }}\`" >> $GITHUB_STEP_SUMMARY |
124 | | - echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.minor }}\`" >> $GITHUB_STEP_SUMMARY |
125 | | - echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.major }}\`" >> $GITHUB_STEP_SUMMARY |
126 | | - echo "" >> $GITHUB_STEP_SUMMARY |
127 | | - echo "**GitHub Container Registry Images:**" >> $GITHUB_STEP_SUMMARY |
128 | | - echo "- \`${{ env.REGISTRY_GHCR }}:latest\`" >> $GITHUB_STEP_SUMMARY |
129 | | - echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY |
130 | | - echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.patch }}\`" >> $GITHUB_STEP_SUMMARY |
131 | | - echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.minor }}\`" >> $GITHUB_STEP_SUMMARY |
132 | | - echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.major }}\`" >> $GITHUB_STEP_SUMMARY |
133 | | - echo "" >> $GITHUB_STEP_SUMMARY |
134 | | - echo "**Deploy with:**" >> $GITHUB_STEP_SUMMARY |
135 | | - echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY |
136 | | - echo "docker pull ${{ env.REGISTRY_DOCKERHUB }}:latest" >> $GITHUB_STEP_SUMMARY |
137 | | - echo "# OR" >> $GITHUB_STEP_SUMMARY |
138 | | - echo "docker pull ${{ env.REGISTRY_GHCR }}:latest" >> $GITHUB_STEP_SUMMARY |
139 | | - echo "\`\`\`" >> $GITHUB_STEP_SUMMARY |
| 24 | + # Use PAT so the release event triggers downstream workflows |
| 25 | + # (e.g., container build flow) |
| 26 | + github-token: ${{ secrets.GH_PAT }} |
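Review bot: `secrets.GH_PAT` is passed to `wgtechlabs/release-build-flow-action@v1.6.0` (and the checkout runs `actions/checkout@v4`), both referenced by mutable tags, so whoever can move those tags can read a token that, per the comment, is scoped to publish releases and trigger downstream workflows; pin both to a full commit SHA, e.g. `uses: wgtechlabs/release-build-flow-action@<40-char-commit-sha> # v1.6.0`, and make `GH_PAT` a fine-grained token limited to this repository with only `contents: write`. Since the release step now authenticates with the PAT rather than `GITHUB_TOKEN`, the job's `permissions: contents: write` can presumably drop to `contents: read` unless the action falls back to `GITHUB_TOKEN` — worth confirming against the action's inputs. With the `push: branches: [main]` trigger every commit that lands on `main` publishes a release and fans out to the container build, so branch protection on `main` is the only gate; and the Trivy scan dropped from this file should be confirmed to live in the downstream container workflow.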