-
Notifications
You must be signed in to change notification settings - Fork 0
126 lines (114 loc) · 4.75 KB
/
Copy pathdocker.yml
File metadata and controls
126 lines (114 loc) · 4.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
name: Docker
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
BLINDJOIN_REQUIRE_BITCOIND: "1"
on:
push:
tags: ['v*']
# workflow_dispatch rehearses the check job without pushing images.
workflow_dispatch:
permissions:
contents: read
jobs:
check:
name: Check (test + clippy)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # stable
with:
toolchain: "1.95.0"
components: clippy
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- name: Install pinned bitcoind
uses: ./.github/actions/install-bitcoind
- name: Run tests
run: cargo test --workspace --all-targets
- name: Run clippy
run: cargo clippy --workspace --all-targets -- -D warnings
- name: Install cargo-audit
run: cargo install cargo-audit --locked
- name: Run audit
run: cargo audit
release-gate:
name: Release gate (tag format + CHANGELOG entry)
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
# Catches the two silent foot-guns: a 2-part tag (docker/metadata-action
# produces zero image tags, build-push then fails late with a confusing
# error — v1.0, v1.1, v1.3 all silently failed this way), and a release
# tag pushed without moving CHANGELOG.md '[Unreleased]' bullets into a
# versioned section.
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Enforce vMAJOR.MINOR.PATCH tag and CHANGELOG entry
run: |
set -eu
if ! printf '%s' "${GITHUB_REF_NAME}" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
echo "ERROR: Tag '${GITHUB_REF_NAME}' must match vMAJOR.MINOR.PATCH (e.g. v1.7.0)." >&2
echo " docker/metadata-action silently produces zero image tags for 2-part tags." >&2
exit 1
fi
VERSION="${GITHUB_REF_NAME#v}"
if ! grep -qE "^## \[${VERSION}\]" CHANGELOG.md; then
echo "ERROR: CHANGELOG.md has no '## [${VERSION}]' section for tag ${GITHUB_REF_NAME}." >&2
echo " Move bullets from [Unreleased] into '## [${VERSION}] — YYYY-MM-DD' before pushing." >&2
exit 1
fi
docker:
name: Docker ${{ matrix.image }}
needs: [check, release-gate]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
permissions:
contents: read
packages: write # push image + attestation to ghcr.io
id-token: write # OIDC for Sigstore/Fulcio cert exchange (attest-build-provenance)
attestations: write # actions/attest-build-provenance writes to the attestations API
strategy:
fail-fast: false
matrix:
include:
- image: coordinator
target: coordinator
- image: client
target: client
- image: liquidity-bot
target: liquidity-bot
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
# type=semver requires 3-part tags (vX.Y.Z). Two-part tags produce zero image
# tags and fail the push step. Always tag vMAJOR.MINOR.PATCH.
- uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
id: meta
with:
images: ghcr.io/${{ github.repository_owner }}/blindjoin-${{ matrix.image }}
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
id: build
with:
context: .
file: docker/Dockerfile
target: ${{ matrix.target }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
# attest-build-provenance v3.2.0 is the last self-contained release; v4.x is
# a deprecation wrapper around actions/attest.
- name: Attest build provenance
uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
with:
subject-name: ghcr.io/${{ github.repository_owner }}/blindjoin-${{ matrix.image }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true