name: CI/CD Pipeline # CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries. # Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events. permissions: contents: read packages: write # for GHCR push id-token: write # for Cosign Keyless (OIDC) Signing # Required secrets: # - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN: push to Docker Hub # - GITHUB_TOKEN: used for GHCR login and OIDC keyless signing # - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY: for key-based signing on: push: tags: - "[0-9]+.[0-9]+.[0-9]+" - "[0-9]+.[0-9]+.[0-9]+.rc.[0-9]+" concurrency: group: ${{ github.ref }} cancel-in-progress: true jobs: release: name: Build and Release runs-on: [self-hosted, linux, x64] # Job-level timeout to avoid runaway or stuck runs timeout-minutes: 120 env: # Target images DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }} GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }} steps: - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Log in to Docker Hub uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: docker.io username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Extract tag name id: get-tag run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV shell: bash - name: Install Go uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: 1.24 - name: Update version in package.json run: | TAG=${{ env.TAG }} sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts cat server/lib/consts.ts shell: bash - name: Pull latest Gerbil version id: get-gerbil-tag run: | LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name') echo "LATEST_GERBIL_TAG=$LATEST_TAG" >> $GITHUB_ENV shell: bash - name: Pull latest Badger version id: get-badger-tag run: | LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name') echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV shell: bash - name: Update install/main.go run: | PANGOLIN_VERSION=${{ env.TAG }} GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }} BADGER_VERSION=${{ env.LATEST_BADGER_TAG }} sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$PANGOLIN_VERSION\"/" install/main.go sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$GERBIL_VERSION\"/" install/main.go sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION" cat install/main.go shell: bash - name: Build installer working-directory: install run: | make go-build-release - name: Upload artifacts from /install/bin uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: install-bin path: install/bin/ - name: Build and push Docker images (Docker Hub) run: | TAG=${{ env.TAG }} make build-release tag=$TAG echo "Built & pushed to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}" shell: bash - name: Install skopeo + jq # skopeo: copy/inspect images between registries # jq: JSON parsing tool used to extract digest values run: | sudo apt-get update -y sudo apt-get install -y skopeo jq skopeo --version shell: bash - name: Login to GHCR run: | skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}" shell: bash - name: Copy tag from Docker Hub to GHCR # Mirror the already-built image (all architectures) to GHCR so we can sign it run: | set -euo pipefail TAG=${{ env.TAG }} echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}" skopeo copy --all --retry-times 3 \ docker://$DOCKERHUB_IMAGE:$TAG \ docker://$GHCR_IMAGE:$TAG shell: bash - name: Install cosign # cosign is used to sign and verify container images (key and keyless) uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Dual-sign and verify (GHCR & Docker Hub) # Sign each image by digest using keyless (OIDC) and key-based signing, # then verify both the public key signature and the keyless OIDC signature. env: TAG: ${{ env.TAG }} COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} COSIGN_YES: "true" run: | set -euo pipefail issuer="https://token.actions.githubusercontent.com" id_regex="^https://github.com/${{ github.repository }}/.+" # accept this repo (all workflows/refs) for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do echo "Processing ${IMAGE}:${TAG}" DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')" REF="${IMAGE}@${DIGEST}" echo "Resolved digest: ${REF}" echo "==> cosign sign (keyless) --recursive ${REF}" cosign sign --recursive "${REF}" echo "==> cosign sign (key) --recursive ${REF}" cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}" echo "==> cosign verify (public key) ${REF}" cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text echo "==> cosign verify (keyless policy) ${REF}" cosign verify \ --certificate-oidc-issuer "${issuer}" \ --certificate-identity-regexp "${id_regex}" \ "${REF}" -o text done shell: bash