clone/vikunja
1
0
Fork 0
mirror of https://github.com/go-vikunja/vikunja.git synced 2026-04-24 14:15:18 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
vikunja/.github/workflows/release.yml
kolaente 0b45cff583 feat(ci): sign archlinux packages with GPG for pacman verification 
Pacman verifies individual package signatures (.sig files). Add GPG
setup and detach-sign step for archlinux packages in the os-package
job. The .sig is uploaded alongside the package to S3.
2026-04-14 19:35:23 +02:00

585 lines
21 KiB
YAML
Raw Permalink Blame History

name: Release
on:
workflow_call:
jobs:
docker:
runs-on: namespace-profile-default
steps:
- name: Git describe
id: ghd
uses: proudust/gh-describe@v2
- name: Login to Docker Hub
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_PASSWORD }}
- name: Login to GHCR
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker meta version
if: ${{ github.ref_type == 'tag' }}
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: |
vikunja/vikunja
ghcr.io/go-vikunja/vikunja
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=raw,value=latest
- name: Build and push unstable
if: ${{ github.ref_type != 'tag' }}
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8
push: true
tags: |
vikunja/vikunja:unstable
ghcr.io/go-vikunja/vikunja:unstable
build-args: |
RELEASE_VERSION=${{ steps.ghd.outputs.describe }}
- name: Build and push version
if: ${{ github.ref_type == 'tag' }}
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
RELEASE_VERSION=${{ steps.ghd.outputs.describe }}
binaries:
runs-on: blacksmith-8vcpu-ubuntu-2204
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Git describe
id: ghd
uses: proudust/gh-describe@v2
- uses: useblacksmith/setup-go@647ac649bd5b480f2a262e3e3e5f4d150ed452ad # v6
with:
go-version: stable
- name: Download Mage Binary
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: mage_bin
- name: get frontend
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: frontend_dist
path: frontend/dist
- run: chmod +x ./mage-static
- name: install upx
run: |
wget https://github.com/upx/upx/releases/download/v5.0.0/upx-5.0.0-amd64_linux.tar.xz
echo 'b32abf118d721358a50f1aa60eacdbf3298df379c431c3a86f139173ab8289a1 upx-5.0.0-amd64_linux.tar.xz' > upx-5.0.0-amd64_linux.tar.xz.sha256
sha256sum -c upx-5.0.0-amd64_linux.tar.xz.sha256
tar xf upx-5.0.0-amd64_linux.tar.xz
mv upx-5.0.0-amd64_linux/upx /usr/local/bin
- name: setup xgo cache
uses: useblacksmith/cache@71c7c918062ba3861252d84b07fe5ab2a6b467a6 # v5
with:
path: /home/runner/.xgo-cache
key: ${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: build and release
env:
RELEASE_VERSION: ${{ steps.ghd.outputs.describe }}
XGO_OUT_NAME: vikunja-${{ github.ref_type == 'tag' && steps.ghd.outputs.describe || 'unstable' }}
run: |
export PATH=$PATH:$GOPATH/bin
./mage-static release
- name: GPG setup
uses: kolaente/action-gpg@main
with:
gpg-passphrase: "${{ secrets.RELEASE_GPG_PASSPHRASE }}"
gpg-sign-key: "${{ secrets.RELEASE_GPG_SIGN_KEY }}"
- name: sign
run: |
echo "=== GPG agent status ==="
gpg-connect-agent 'keyinfo --list' /bye || true
echo "=== GPG secret keys ==="
gpg -K --with-keygrip
echo "=== GPG public keys ==="
gpg --list-keys
echo "=== GNUPG directory contents ==="
ls -la ~/.gnupg/
ls -la ~/.gnupg/private-keys-v1.d/ || true
echo "=== Signing files ==="
ls -hal dist/zip/*
for file in dist/zip/*; do
gpg -v --default-key 7D061A4AA61436B40713D42EFF054DACD908493A -b --batch --yes --passphrase "${{ secrets.RELEASE_GPG_PASSPHRASE }}" --pinentry-mode loopback --sign "$file"
done
- name: Upload
uses: kolaente/s3-action@main
with:
s3-access-key-id: ${{ secrets.S3_ACCESS_KEY }}
s3-secret-access-key: ${{ secrets.S3_SECRET_KEY }}
s3-endpoint: ${{ secrets.S3_ENDPOINT }}
s3-bucket: ${{ secrets.S3_BUCKET }}
s3-region: ${{ secrets.S3_REGION }}
target-path: /vikunja/${{ github.ref_type == 'tag' && steps.ghd.outputs.describe || 'unstable' }}
files: "dist/zip/*"
strip-path-prefix: dist/zip/
- name: Store Binaries
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: vikunja_bins
path: ./dist/binaries/*
- name: Store Binary Packages
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
if: ${{ github.ref_type == 'tag' }}
with:
name: vikunja_bin_packages
path: ./dist/zip/*
os-package:
runs-on: ubuntu-latest
needs:
- binaries
strategy:
matrix:
package:
- rpm
- deb
- apk
- archlinux
arch:
- go_name: linux-amd64
nfpm: amd64
pkg: x86_64
- go_name: linux-arm64
nfpm: arm64
pkg: aarch64
- go_name: linux-arm-7
nfpm: arm7
pkg: armv7
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Download Vikunja Binary
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: vikunja_bins
- name: Git describe
id: ghd
uses: proudust/gh-describe@v2
- name: Download Mage Binary
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: mage_bin
- name: Write GPG key for nfpm
if: matrix.package == 'rpm'
run: echo -n "${{ secrets.RELEASE_GPG_SIGN_KEY }}" > /tmp/nfpm-signing-key.gpg
- name: GPG setup for package signing
if: matrix.package == 'archlinux'
uses: kolaente/action-gpg@main
with:
gpg-passphrase: "${{ secrets.RELEASE_GPG_PASSPHRASE }}"
gpg-sign-key: "${{ secrets.RELEASE_GPG_SIGN_KEY }}"
- name: Prepare
env:
RELEASE_VERSION: ${{ steps.ghd.outputs.describe }}
NFPM_ARCH: ${{ matrix.arch.nfpm }}
run: |
chmod +x ./mage-static
./mage-static release:prepare-nfpm-config
mkdir -p ./dist/os-packages
mv ./vikunja-*-${{ matrix.arch.go_name }} ./vikunja
chmod +x ./vikunja
- name: Create package
id: nfpm
uses: kolaente/action-gh-nfpm@master
with:
packager: ${{ matrix.package }}
target: ./dist/os-packages/vikunja-${{ github.ref_type == 'tag' && steps.ghd.outputs.describe || 'unstable' }}-${{ matrix.arch.pkg }}.${{ matrix.package }}
config: ./nfpm.yaml
env:
NFPM_GPG_KEY_FILE: ${{ (matrix.package == 'rpm') && '/tmp/nfpm-signing-key.gpg' || '' }}
NFPM_PASSPHRASE: ${{ (matrix.package == 'rpm') && secrets.RELEASE_GPG_PASSPHRASE || '' }}
- name: Sign package
if: matrix.package == 'archlinux'
run: |
gpg --default-key 7D061A4AA61436B40713D42EFF054DACD908493A \
--batch --yes \
--passphrase "${{ secrets.RELEASE_GPG_PASSPHRASE }}" \
--pinentry-mode loopback \
--detach-sign \
./dist/os-packages/vikunja-${{ github.ref_type == 'tag' && steps.ghd.outputs.describe || 'unstable' }}-${{ matrix.arch.pkg }}.${{ matrix.package }}
- name: Upload
uses: kolaente/s3-action@main
with:
s3-access-key-id: ${{ secrets.S3_ACCESS_KEY }}
s3-secret-access-key: ${{ secrets.S3_SECRET_KEY }}
s3-endpoint: ${{ secrets.S3_ENDPOINT }}
s3-bucket: ${{ secrets.S3_BUCKET }}
s3-region: ${{ secrets.S3_REGION }}
target-path: /vikunja/${{ github.ref_type == 'tag' && steps.ghd.outputs.describe || 'unstable' }}
files: "dist/os-packages/*"
strip-path-prefix: dist/os-packages/
- name: Store OS Packages
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: vikunja_os_package_${{ matrix.package }}_${{ matrix.arch.pkg }}
path: ./dist/os-packages/*
publish-repos:
runs-on: ubuntu-latest
needs:
- os-package
- desktop
strategy:
fail-fast: false
matrix:
include:
- format: apt
image: ubuntu:noble
mage_target: release:repo-apt
- format: rpm
image: fedora:latest
mage_target: release:repo-rpm
- format: pacman
image: archlinux:latest
mage_target: release:repo-pacman
- format: apk
image: alpine:latest
mage_target: release:repo-apk
container:
image: ${{ matrix.image }}
env:
REPO_SUITE: ${{ github.ref_type == 'tag' && 'stable' || 'unstable' }}
RELEASE_VERSION: unstable
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Download Mage Binary
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: mage_bin
- name: Download all server OS packages
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
pattern: vikunja_os_package_*
merge-multiple: true
path: dist/repo-work/incoming
- name: Download desktop packages (Linux)
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: vikunja_desktop_packages_ubuntu-latest
path: dist/repo-work/incoming-desktop
- name: Copy desktop packages to incoming
run: |
cd dist/repo-work/incoming-desktop
case "${{ matrix.format }}" in
apt)
cp *.deb ../incoming/ 2>/dev/null || true
;;
rpm)
# Add arch suffix so the mage target's *-x86_64.rpm glob matches
for f in *.rpm; do
[ -f "$f" ] && cp "$f" "../incoming/${f%.rpm}-x86_64.rpm"
done
;;
pacman)
# Rename .pacman to .archlinux with arch suffix
for f in *.pacman; do
[ -f "$f" ] && cp "$f" "../incoming/${f%.pacman}-x86_64.archlinux"
done
;;
apk)
# Desktop .apk is not an Alpine package, skip
;;
esac
- name: Install tools (apt)
if: matrix.format == 'apt'
run: |
apt-get update
apt-get install -y --no-install-recommends reprepro
- name: Install tools (rpm)
if: matrix.format == 'rpm'
run: dnf install -y createrepo_c
- name: Install tools (apk)
if: matrix.format == 'apk'
run: apk add --no-cache abuild libc6-compat
- name: GPG setup
if: matrix.format != 'apk'
uses: kolaente/action-gpg@main
with:
gpg-passphrase: "${{ secrets.RELEASE_GPG_PASSPHRASE }}"
gpg-sign-key: "${{ secrets.RELEASE_GPG_SIGN_KEY }}"
- name: Export GPG public key
if: matrix.format == 'apt'
run: |
mkdir -p dist/repo-output
gpg --export --armor 7D061A4AA61436B40713D42EFF054DACD908493A > dist/repo-output/gpg.key
- name: Setup APK signing key
if: matrix.format == 'apk'
run: |
mkdir -p ~/.abuild
echo "${{ secrets.APK_SIGNING_KEY }}" > ~/.abuild/vikunja-apk.rsa
echo "PACKAGER_PRIVKEY=$HOME/.abuild/vikunja-apk.rsa" > ~/.abuild/abuild.conf
- name: Generate repo metadata
if: matrix.format != 'apk'
env:
RELEASE_GPG_KEY: 7D061A4AA61436B40713D42EFF054DACD908493A
RELEASE_GPG_PASSPHRASE: ${{ secrets.RELEASE_GPG_PASSPHRASE }}
run: |
chmod +x ./mage-static
./mage-static ${{ matrix.mage_target }}
- name: Generate APK repo metadata
if: matrix.format == 'apk'
run: |
incoming=dist/repo-work/incoming
output_base=dist/repo-output/apk/$REPO_SUITE/main
signing_key=~/.abuild/vikunja-apk.rsa
for arch in x86_64 aarch64 armv7; do
repo_dir="$output_base/$arch"
mkdir -p "$repo_dir"
# Symlink matching packages
found=false
for pkg in "$incoming"/*-"$arch".apk; do
[ -f "$pkg" ] || continue
found=true
ln -sf "$(realpath "$pkg")" "$repo_dir/$(basename "$pkg")"
done
$found || continue
# Create index and sign
apk index --allow-untrusted -o "$repo_dir/APKINDEX.tar.gz" "$repo_dir"/*.apk
abuild-sign -k "$signing_key" "$repo_dir/APKINDEX.tar.gz"
done
echo "APK repo metadata generated in $output_base"
- name: Debug - repo output structure
run: find dist/repo-output -type f 2>/dev/null || ls -laR dist/repo-output/ || true
- name: Remove packages and internal state from repo output
run: |
# Remove reprepro internal state (not needed for serving)
rm -rf dist/repo-output/apt/db dist/repo-output/apt/conf 2>/dev/null || true
# Resolve symlinks into real files (S3 can't store symlinks)
find dist/repo-output -type l | while IFS= read -r link; do
target=$(readlink -f "$link")
if [ -f "$target" ]; then
rm "$link"
cp "$target" "$link"
else
rm "$link"
fi
done
# Remove actual package files — the worker redirects these to the
# existing artifacts so we don't need to store them twice.
find dist/repo-output -type f \( -name '*.deb' -o -name '*.rpm' -o -name '*.apk' -o -name '*.archlinux' -o -name '*.pacman' -o -name '*.pkg.tar.zst' \) -delete 2>/dev/null || true
# Remove now-empty directories
find dist/repo-output -type d -empty -delete 2>/dev/null || true
- name: Upload to R2
uses: kolaente/s3-action@main
with:
s3-access-key-id: ${{ secrets.S3_ACCESS_KEY }}
s3-secret-access-key: ${{ secrets.S3_SECRET_KEY }}
s3-endpoint: ${{ secrets.S3_ENDPOINT }}
s3-bucket: ${{ secrets.S3_BUCKET }}
s3-region: ${{ secrets.S3_REGION }}
target-path: /repos
files: "dist/repo-output/**/*"
strip-path-prefix: dist/repo-output/
config-yaml:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Git describe
id: ghd
uses: proudust/gh-describe@v2
- name: Download Mage Binary
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: mage_bin
- name: generate
run: |
chmod +x ./mage-static
./mage-static generate:config-yaml 1
- name: Upload to S3
uses: kolaente/s3-action@main
with:
s3-access-key-id: ${{ secrets.S3_ACCESS_KEY }}
s3-secret-access-key: ${{ secrets.S3_SECRET_KEY }}
s3-endpoint: ${{ secrets.S3_ENDPOINT }}
s3-bucket: ${{ secrets.S3_BUCKET }}
s3-region: ${{ secrets.S3_REGION }}
target-path: /vikunja/${{ github.ref_type == 'tag' && steps.ghd.outputs.describe || 'unstable' }}
files: "config.yml.sample"
desktop:
strategy:
matrix:
os:
- ubuntu-latest
- windows-latest
- macos-latest
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- name: Git describe
id: ghd
uses: proudust/gh-describe@v2
- name: Install pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
with:
package_json_file: desktop/package.json
- name: Setup Node
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
with:
node-version-file: frontend/.nvmrc
cache: pnpm
cache-dependency-path: desktop/pnpm-lock.yaml
- name: Install Linux dependencies
if: ${{ runner.os == 'Linux' }}
run: |
sudo apt-get update
sudo apt-get install --no-install-recommends -y libopenjp2-tools rpm libarchive-tools
- name: get frontend
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: frontend_dist
path: frontend/dist
- name: Build desktop app
working-directory: desktop
run: |
pnpm install --frozen-lockfile --prefer-offline --fetch-timeout 100000
node build.js "${{ steps.ghd.outputs.describe }}" ${{ github.ref_type == 'tag' }}
- name: Upload to S3
uses: kolaente/s3-action@main
with:
s3-access-key-id: ${{ secrets.S3_ACCESS_KEY }}
s3-secret-access-key: ${{ secrets.S3_SECRET_KEY }}
s3-endpoint: ${{ secrets.S3_ENDPOINT }}
s3-bucket: ${{ secrets.S3_BUCKET }}
s3-region: ${{ secrets.S3_REGION }}
files: "desktop/dist/Vikunja*"
target-path: /desktop/${{ github.ref_type == 'tag' && steps.ghd.outputs.describe || 'unstable' }}
strip-path-prefix: desktop/dist/
exclude: "desktop/dist/*.blockmap"
- name: Store Desktop Package
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: vikunja_desktop_packages_${{ matrix.os }}
path: |
./desktop/dist/Vikunja*
!./desktop/dist/*.blockmap
generate-swagger-docs:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
with:
ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
persist-credentials: true
- name: Download Mage Binary
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: mage_bin
- name: Set up Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
with:
go-version: stable
- name: generate
run: |
export PATH=$PATH:$GOPATH/bin
go install github.com/swaggo/swag/cmd/swag
chmod +x ./mage-static
./mage-static generate:swagger-docs
- name: Check for changes
id: check_changes
run: |
if git diff --quiet; then
echo "changes_exist=0" >> "$GITHUB_OUTPUT"
else
echo "changes_exist=1" >> "$GITHUB_OUTPUT"
fi
- name: Commit files
if: steps.check_changes.outputs.changes_exist != '0'
run: |
git config --local user.email "bot@vikunja.io"
git config --local user.name "Frederick [Bot]"
git commit -am "[skip ci] Updated swagger docs"
- name: Push changes
if: steps.check_changes.outputs.changes_exist != '0'
uses: ad-m/github-push-action@master
with:
ssh: true
branch: ${{ github.ref }}
create-release:
runs-on: ubuntu-latest
needs:
- binaries
- os-package
- desktop
- publish-repos
if: ${{ github.ref_type == 'tag' }}
permissions:
contents: write
steps:
- name: Download Binaries
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: vikunja_bin_packages
- name: Download OS Packages
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
pattern: vikunja_os_package_*
merge-multiple: true
- name: Download Desktop Package Linux
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: vikunja_desktop_packages_ubuntu-latest
- name: Download Desktop Package MacOS
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: vikunja_desktop_packages_macos-latest
- name: Download Desktop Package Windows
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
with:
name: vikunja_desktop_packages_windows-latest
- name: Release
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
if: github.ref_type == 'tag'
with:
draft: true
files: |
vikunja*.zip
vikunja*.rpm
vikunja*.deb
vikunja*.apk
vikunja*.archlinux
Vikunja Desktop*
Reference in New Issue View Git Blame Copy Permalink