Documentation for rootless preview (#109) #169
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# yamllint disable rule:line-length | |
--- | |
name: Sign and prerelease | |
# Run the workflow on when code or a semver tag is pushed to main branch, | |
# and on pull requests towards main branch | |
on: | |
push: | |
branches: | |
- 'main' | |
- 'rootless-preview' | |
tags: | |
# semver, e.g. 1.2.0 (does not match 0.1.2) | |
- '[1-9]+.[0-9]+.[0-9]+' | |
# semver with prerelease info, e.g. 1.0.2-beta.1 or 1.2.3-rc.10 | |
- '[1-9]+.[0-9]+.[0-9]+-[a-z]+.[0-9]+' | |
# do not match prerelease starting w/ 0, e.g. 1.0.2-beta.0 or 1.2.3-rc.01 | |
- '![1-9]+.[0-9]+.[0-9]+-[a-z]+.[0]*' | |
# semver with date info, e.g. 1.0.2-20221125 | |
- '[1-9]+.[0-9]+.[0-9]+-[0-9]+' | |
# do not match date starting w/ 0, e.g. 1.0.2-01232023 | |
- '![1-9]+.[0-9]+.[0-9]+-[0]*' | |
pull_request: | |
branches: | |
- 'main' | |
- 'rootless-preview' | |
jobs: | |
# Builds docker ACAP using the build.sh script, then signs the eap-file in | |
# ACAP Portal and stores it as a build artifact. | |
# This job runs for all triggers of the workflow | |
build: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
arch: ["armv7hf", "aarch64"] | |
outputs: | |
EAP_FILE_ARMV7HF: ${{ steps.save_full_file_name.outputs.EAP_FILE_ARMV7HF }} | |
EAP_FILE_AARCH64: ${{ steps.save_full_file_name.outputs.EAP_FILE_AARCH64 }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Create base image metadata | |
id: meta | |
uses: ./.github/actions/metadata-action | |
with: | |
suffix: -${{ matrix.arch }} | |
repository: 'docker-acap' | |
get_version: 'true' | |
- name: Update manifest file | |
if: ( github.ref_type == 'tag') | |
uses: ./.github/actions/update-acap-manifest-action | |
with: | |
manifest_file: ./app/manifest.json | |
value: ${{ steps.meta.outputs.version }} | |
- name: Build ${{ env.example }} application | |
uses: ./.github/actions/docker-build-action | |
with: | |
dockerfile: Dockerfile | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
build-args: ACAPARCH=${{ matrix.arch }} | |
- name: Set name of EAP-file | |
id: get_eap_file_name | |
run: | | |
docker cp $(docker create "${{ steps.meta.outputs.full_name }}"):/opt/app build | |
export EAP_FILE=$(find build -type f -name "*.eap" -printf "%f\n") | |
delimiter="$(openssl rand -hex 8)" | |
echo "EAP_FILE<<${delimiter}" >> ${GITHUB_ENV} | |
echo "${EAP_FILE}" >> ${GITHUB_ENV} | |
echo "${delimiter}" >> ${GITHUB_ENV} | |
- name: Refactor naming of EAP-file for signed output | |
run: | | |
signed_output=$(echo "${{ env.EAP_FILE }}" | sed 's/\.eap/_signed.eap/') | |
echo "SIGNED_EAP_FILE=${signed_output}" >> $GITHUB_ENV | |
- name: Sign eap-file | |
run: | | |
cd build | |
RESPONSE=$(curl -XPOST -H 'accept: */*' -H 'Content-Type: multipart/form-data' -H 'Authorization: Bearer ${{secrets.ACAP_PORTAL_SIGNING_BEARER_TOKEN}}' \ | |
'${{ vars.ACAP_PORTAL_URL }}/${{secrets.ACAP_PORTAL_SIGNING_ID}}/sign/binary' -F uploadedFile=@"${{ env.EAP_FILE }}" --output ${{ env.SIGNED_EAP_FILE }} \ | |
-w "%{http_code}\n" -o /dev/null) | |
echo "HTTP_RESPONSE=$RESPONSE" >> $GITHUB_ENV | |
- name: Check that acap has been signed | |
run: | | |
if [[ -n "$HTTP_RESPONSE" && "$HTTP_RESPONSE" =~ ^[0-9]+$ ]]; then | |
if [ "$HTTP_RESPONSE" -eq 200 ]; then | |
echo "HTTP response code is 200, signing was successful" | |
else | |
echo "HTTP response code is: $HTTP_RESPONSE, signing was not successful" | |
exit 1 | |
fi | |
else | |
echo "HTTP_RESPONSE is empty or not a valid integer: $HTTP_RESPONSE" | |
fi | |
- name: Upload artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ env.SIGNED_EAP_FILE }} | |
path: build/${{ env.SIGNED_EAP_FILE }} | |
- name: Save full file name | |
id: save_full_file_name | |
run: | | |
if [ ${{ matrix.arch }} = armv7hf ] | |
then | |
echo "EAP_FILE_ARMV7HF=${{ env.SIGNED_EAP_FILE }}" >> $GITHUB_OUTPUT | |
elif [ ${{ matrix.arch }} = aarch64 ] | |
then | |
echo "EAP_FILE_AARCH64=${{ env.SIGNED_EAP_FILE }}" >> $GITHUB_OUTPUT | |
else | |
echo "::error::Non valid architecture '${{ matrix.arch }}' encountered" | |
fi | |
# Creates a pre-release in the repository. | |
# This job runs if the workflow is triggered by a tag and the build job was successful. | |
create_prerelease: | |
if: (github.ref_type == 'tag') | |
permissions: | |
contents: write | |
runs-on: ubuntu-latest | |
needs: build | |
outputs: | |
RELEASE_ID: ${{ steps.prerelease.outputs.RELEASE_ID }} | |
steps: | |
- name: Set TAG | |
id: vars | |
run: echo "TAG=${GITHUB_REF#refs/*/}" >> ${GITHUB_ENV} | |
- name: Create prerelease | |
uses: actions/github-script@v6 | |
id: prerelease | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
script: | | |
try { | |
const response = await github.rest.repos.createRelease({ | |
draft: false, | |
generate_release_notes: true, | |
name: '${{ env.TAG }}', | |
owner: context.repo.owner, | |
prerelease: true, | |
repo: context.repo.repo, | |
tag_name: '${{ env.TAG }}', | |
}); | |
core.setOutput('RELEASE_ID', response.data.id); | |
} catch (error) { | |
core.setFailed(error.message); | |
} | |
# Uploads the signed eap files from artifacts to the pre-release. | |
# This job runs if the create_prerelease job | |
download-and-upload-artifacts: | |
if: (github.ref_type == 'tag') | |
permissions: | |
contents: write | |
runs-on: ubuntu-latest | |
needs: [create_prerelease, build] | |
strategy: | |
matrix: | |
arch: [armv7hf, aarch64] | |
env: | |
RELEASE_ID: ${{ needs.create_prerelease.outputs.RELEASE_ID }} | |
EAP_FILE_AARCH64: ${{ needs.build.outputs.EAP_FILE_AARCH64 }} | |
EAP_FILE_ARMV7HF: ${{ needs.build.outputs.EAP_FILE_ARMV7HF }} | |
steps: | |
- name: Get EAP file name | |
id: full_eap_name | |
run: | | |
if [ ${{ matrix.arch }} = armv7hf ] | |
then | |
echo "EAP_FILE=${{ needs.build.outputs.EAP_FILE_ARMV7HF }}" >> $GITHUB_ENV | |
elif [ ${{ matrix.arch }} = aarch64 ] | |
then | |
echo "EAP_FILE=${{ needs.build.outputs.EAP_FILE_AARCH64 }}" >> $GITHUB_ENV | |
else | |
echo "::error::Non valid architecture '${{ matrix.arch }}' encountered" | |
fi | |
- name: Download artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: ${{ env.EAP_FILE }} | |
path: ./ | |
- name: Upload file to GitHub release | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
RESPONSE=$(curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
-H "Accept: application/vnd.github.manifold-preview" \ | |
-H "Content-Type: application/zip" \ | |
--data-binary @${{ env.EAP_FILE }} \ | |
"https://uploads.github.com/repos/$GITHUB_REPOSITORY/releases/${{env.RELEASE_ID}}/assets?name=${{ env.EAP_FILE }}" \ | |
-w "%{http_code}\n" -o /dev/null) | |
echo "HTTP_RESPONSE=$RESPONSE" >> $GITHUB_ENV | |
- name: Check that asset has been uploaded correctly | |
run: | | |
if [[ -n "$HTTP_RESPONSE" && "$HTTP_RESPONSE" =~ ^[0-9]+$ ]]; then | |
if [ "$HTTP_RESPONSE" -eq 201 ]; then | |
echo "HTTP response code is 201, upload was successful" | |
else | |
echo "HTTP response code is: $HTTP_RESPONSE, upload was not successful" | |
exit 1 | |
fi | |
else | |
echo "HTTP_RESPONSE is empty or not a valid integer: $HTTP_RESPONSE" | |
fi |