gts-spec/.github/workflows/release-tests-image.yml at main · GlobalTypeSystem/gts-spec · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: Release Tests Image

# Publishes the gts-spec test runner image to GHCR on every semver tag.
# Tag format: vMAJOR.MINOR.PATCH (e.g. v0.11.3).
# MAJOR.MINOR must match the spec version declared in README.md.
on:
  push:
    tags:
      - 'v*.*.*'

permissions:
  contents: write   # create GitHub Release
  packages: write   # push to ghcr.io

jobs:
  release:
    runs-on: ubuntu-latest
    # Only publish from the canonical repository, never from forks.
    if: github.repository == 'GlobalTypeSystem/gts-spec'
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Defense in depth: don't leave the GITHUB_TOKEN in .git/config.
          # The workflow doesn't currently upload artifacts or cache .git,
          # but this guards against future modifications that might.
          persist-credentials: false

      - name: Verify spec version matches tag
        run: |
          set -euo pipefail
          TAG="${GITHUB_REF#refs/tags/}"          # v0.11.3 or v0.11.3-rc.1
          VERSION="${TAG#v}"                      # 0.11.3   or 0.11.3-rc.1
          # Extract leading "MAJOR.MINOR" — anchored at the start so any patch
          # and/or prerelease suffix is ignored (e.g. 0.11.3-rc.1 -> 0.11).
          MAJOR_MINOR=$(printf '%s' "$VERSION" | grep -oE '^[0-9]+\.[0-9]+' || true)
          if [ -z "${MAJOR_MINOR:-}" ]; then
            echo "::error::Tag $TAG does not start with MAJOR.MINOR"
            exit 1
          fi

          # The canonical spec version is the machine-readable marker in README.md:
          #   <!-- gts-spec-version: X.Y -->
          # The human-readable "**VERSION**" line below it is for readers only and
          # may be reworded freely.
          SPEC_VERSION=$(grep -oE '<!-- gts-spec-version: [0-9]+\.[0-9]+ -->' README.md \
            | grep -oE '[0-9]+\.[0-9]+')

          if [ -z "${SPEC_VERSION:-}" ]; then
            echo "::error file=README.md::Missing or malformed '<!-- gts-spec-version: X.Y -->' marker in README.md"
            exit 1
          fi

          MARKER_COUNT=$(grep -cE '<!-- gts-spec-version: [0-9]+\.[0-9]+ -->' README.md)
          if [ "$MARKER_COUNT" -ne 1 ]; then
            echo "::error file=README.md::Expected exactly one gts-spec-version marker in README.md, found $MARKER_COUNT"
            exit 1
          fi

          echo "Tag:                  $TAG"
          echo "Tag major.minor:      $MAJOR_MINOR"
          echo "README spec version:  $SPEC_VERSION"

          if [ "$MAJOR_MINOR" != "$SPEC_VERSION" ]; then
            echo "::error::Tag $TAG (major.minor=$MAJOR_MINOR) does not match README spec version $SPEC_VERSION"
            exit 1
          fi

      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4.0.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5  # v4.1.0

      - name: Log in to GHCR
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee  # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Compute image tags
        id: meta
        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9  # v6.1.0
        with:
          images: ghcr.io/globaltypesystem/gts-spec-tests
          # `latest` is intentionally NOT set automatically: backport patches to
          # older spec lines (e.g. v0.9.4 cut from release/v0.9 while main is at
          # 0.11) would otherwise silently move `latest` backwards. Consumers
          # should pin to `vX.Y.Z` for reproducibility or use the rolling
          # `vX.Y` tag for the freshest patch of a given spec version.
          tags: |
            type=semver,pattern=v{{version}}
            type=semver,pattern=v{{major}}.{{minor}}

      - name: Build and push image
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf  # v7.2.0
        with:
          context: tests
          file: tests/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Create GitHub Release
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda  # v3.0.0
        with:
          name: ${{ github.ref_name }}
          generate_release_notes: true
          body: |
            Docker image for the GTS specification e2e test runner.

            ```
            docker pull ghcr.io/globaltypesystem/gts-spec-tests:${{ github.ref_name }}
            ```

            Run against a server reachable from the container (Mac/Docker Desktop):
            ```
            docker run --rm ghcr.io/globaltypesystem/gts-spec-tests:${{ github.ref_name }} \
              --gts-base-url http://host.docker.internal:8000
            ```

            Linux hosts:
            ```
            docker run --rm --add-host=host.docker.internal:host-gateway \
              ghcr.io/globaltypesystem/gts-spec-tests:${{ github.ref_name }} \
              --gts-base-url http://host.docker.internal:8000
            ```