|
1 | 1 | name: Release |
2 | 2 | on: |
3 | | - push: |
| 3 | + push: # publish to `main` tag on Docker Hub on merge to main: https://hub.docker.com/layers/cipherstash/proxy/main |
4 | 4 | branches: |
5 | 5 | - main |
6 | | - release: |
| 6 | + pull_request: # run the release workflow when changes are made to it in PRs |
| 7 | + branches: |
| 8 | + - main |
| 9 | + paths: |
| 10 | + - '.github/workflows/release.yml' |
| 11 | + release: # for cutting a numbered release (e.g. v2.1.9) |
7 | 12 | types: [published] |
8 | | - workflow_dispatch: |
| 13 | + workflow_dispatch: # for running the workflow on an arbitrary branch or commit |
9 | 14 |
|
10 | 15 | env: |
11 | 16 | REGISTRY_IMAGE: cipherstash/proxy |
|
17 | 22 | fail-fast: false |
18 | 23 | matrix: |
19 | 24 | build: |
20 | | - - { os: blacksmith-16vcpu-ubuntu-2204, docker_platform: linux/amd64, rust_target: "x86_64-unknown-linux-gnu" } |
21 | | - - { os: blacksmith-16vcpu-ubuntu-2404-arm, docker_platform: linux/arm64, rust_target: "aarch64-unknown-linux-gnu" } |
| 25 | + - { os: blacksmith-16vcpu-ubuntu-2404, docker_platform: linux/amd64, rust_target: "x86_64-unknown-linux-gnu" } |
| 26 | + - { os: linux-arm64-public, docker_platform: linux/arm64, rust_target: "aarch64-unknown-linux-gnu" } |
22 | 27 | env: |
23 | 28 | CS_ZEROKMS_HOST: https://us-east-1.aws.zerokms.cipherstashmanaged.net |
24 | 29 | CS_CTS_HOST: https://ap-southeast-2.aws.cts.cipherstashmanaged.net |
|
45 | 50 | cache-all-crates: true |
46 | 51 | - uses: jdx/mise-action@v2 |
47 | 52 | with: |
48 | | - version: 2025.1.6 # [default: latest] mise version to install |
49 | | - install: true # [default: true] run `mise install` |
| 53 | + version: 2026.1.6 # [default: latest] mise version to install |
| 54 | + install: false # [default: true] run `mise install` |
50 | 55 | cache: ${{ github.event_name != 'pull_request' }} # cache mise using GitHub's cache if running in a PR |
51 | 56 | - run: | |
52 | 57 | mise run build --platform ${{matrix.build.docker_platform}} --target ${{matrix.build.rust_target}} |
@@ -107,6 +112,8 @@ jobs: |
107 | 112 | timeout-minutes: 30 |
108 | 113 | needs: |
109 | 114 | - build |
| 115 | + env: |
| 116 | + publish: ${{contains(fromJSON('["push", "release"]'), github.event_name)}} |
110 | 117 | steps: |
111 | 118 | - uses: actions/checkout@v4 |
112 | 119 |
|
@@ -151,15 +158,19 @@ jobs: |
151 | 158 |
|
152 | 159 | - name: Create manifest list and push |
153 | 160 | working-directory: ${{ runner.temp }}/digests |
| 161 | + env: |
| 162 | + DRY_RUN: ${{case(fromJSON(env.publish),' ','--dry-run')}} # run the `docker buildx` command with --dry-run if we're not publishing a release |
154 | 163 | run: | |
155 | | - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ |
| 164 | + docker buildx imagetools create ${{ env.DRY_RUN }} $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ |
156 | 165 | $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) |
157 | 166 |
|
158 | 167 | - name: Inspect image |
| 168 | + if: ${{ fromJSON(env.publish) }} |
159 | 169 | run: | |
160 | 170 | docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} |
161 | 171 |
|
162 | 172 | - name: Notify Multitudes |
| 173 | + if: ${{ fromJSON(env.publish) }} |
163 | 174 | run: | |
164 | 175 | curl --request POST \ |
165 | 176 | --fail-with-body \ |
|
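Review bot: The new `publish` flag is set on the merge job only (new line 116), and in the visible hunks it gates just the manifest, inspect and notify steps, so a `pull_request` or `workflow_dispatch` run still executes everything upstream of them ungated. The build job and any registry login are outside the visible hunks, but the manifest step resolves `${{ env.REGISTRY_IMAGE }}@sha256:%s` references from the digests directory, which suggests the build job pushes images by digest; if so, layers built from a PR branch would still land in `cipherstash/proxy` even though no tag is created. Consider defining `publish` in the workflow-level `env:` next to `REGISTRY_IMAGE` so the build job's push and login steps can test it as well. In the manifest step `DRY_RUN` is already a step environment variable, so the script can read `$DRY_RUN` rather than interpolating `${{ env.DRY_RUN }}` into the shell text.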