boulder/.github/workflows/release.yml at main · letsencrypt/boulder · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
# Build the Boulder Debian package on tag push, and attach it to a GitHub
# release.
#
# Keep the GO_VERSION matrix and the container-building steps in sync with
# try-release.yml.
name: Build release
on:
  push:
    tags:
      - '**'

jobs:
  draft-release:
    runs-on: ubuntu-24.04
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: '0' # Needed for verify-release-ancestry.sh to see origin/main

      - name: Verify release ancestry
        run: ./tools/verify-release-ancestry.sh "$GITHUB_SHA"

      - name: Create draft release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # https://cli.github.com/manual/gh_release_create
        run: gh release create --draft --generate-notes "${GITHUB_REF_NAME}"

  push-release:
    needs: draft-release
    strategy:
      fail-fast: false
      matrix:
        GO_VERSION:
          - "1.26.2"
    runs-on: ubuntu-24.04
    permissions:
      contents: write
      packages: write
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
          fetch-depth: '0' # Needed for verify-release-ancestry.sh to see origin/main

      - name: Build Boulder container and .deb
        id: build
        env:
          GO_VERSION: ${{ matrix.GO_VERSION }}
        run: ./tools/container-build.sh

      - name: Tag Boulder container
        run: docker tag boulder "ghcr.io/letsencrypt/boulder:${GITHUB_REF_NAME}-go${{ matrix.GO_VERSION }}"

      - name: Compute checksums
        id: checksums
        # The files listed on this line must be identical to the files uploaded
        # in the last step.
        run: sha256sum boulder*.deb boulder*.tar.gz >| boulder-${{ matrix.GO_VERSION }}.$(date +%s)-$(git rev-parse --short=8 HEAD).checksums.txt

      - name: Upload release files
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # https://cli.github.com/manual/gh_release_upload
        run: gh release upload "${GITHUB_REF_NAME}" boulder*.deb boulder*.tar.gz boulder*.checksums.txt

      - name: Build ct-test-srv container
        run: docker buildx build . --build-arg "GO_VERSION=${{ matrix.GO_VERSION }}" -f test/ct-test-srv/Dockerfile -t "ghcr.io/letsencrypt/ct-test-srv:${GITHUB_REF_NAME}-go${{ matrix.GO_VERSION }}"

      - name: Login to GitHub Container Registry
        run: printenv GITHUB_TOKEN | docker login -u "$GITHUB_ACTOR" --password-stdin ghcr.io
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Push Boulder container
        run: docker push "ghcr.io/letsencrypt/boulder:${GITHUB_REF_NAME}-go${{ matrix.GO_VERSION }}"

      - name: Push ct-test-srv container
        run: docker push "ghcr.io/letsencrypt/ct-test-srv:${GITHUB_REF_NAME}-go${{ matrix.GO_VERSION }}"

  publish-release:
    needs: push-release
    runs-on: ubuntu-24.04
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Publish release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # https://cli.github.com/manual/gh_release_edit
        run: gh release edit --draft=false "${GITHUB_REF_NAME}"