refactoring release

gear-tech · Mar 7, 2024 · 3c919e7 · 3c919e7
1 parent f9e03ae
commit 3c919e7
Show file tree

Hide file tree

Showing 4 changed files with 134 additions and 20 deletions.
diff --git a/.github/workflows/CI-docker-gear.yml b/.github/workflows/CI-docker-gear.yml
@@ -1,12 +1,21 @@
-name: CI | docker-gear release version
+name: Release (docker)
 
 on:
   workflow_dispatch:
     inputs:
       release_version:
-        description: 'Release version from https://get.gear.rs Example: v1.0.0. *Null = latest'
-        required: false
+        description: 'Release version. Example: v1.0.0, latest'
+        required: true
         default: ''
+      latest:
+        description: 'Tag as latest ?'
+        type: boolean
+        required: false
+        default: false
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 env:
   RELEASE_VERSION: ${{ github.event.inputs.release_version }}
@@ -15,35 +24,87 @@ jobs:
   build:
     runs-on: [kuberunner]
     steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-buildx-action@v3
+      - name: Validate Release Version
+        run: |
+          if [[ ! "${{ env.RELEASE_VERSION }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] && [[ "${{ env.RELEASE_VERSION }}" != "latest" ]]; then
+            echo "Release version format is incorrect. It should be 'latest' or 'v*.*.*'."
+            exit 1
+          fi
 
-      - uses: actions/cache@v4
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v4
         with:
           path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-gear-${{ github.sha }}
+          key: ${{ runner.os }}-buildx-gear
           restore-keys: |
             ${{ runner.os }}-buildx-gear
-
-      - uses: docker/login-action@v3
+            ${{ runner.os }}
+      
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
-      - run: |
-          if [ -z "${{ env.RELEASE_VERSION }}" ]; then
-            echo "DOCKER_TAGS=ghcr.io/gear-tech/node:latest" >> $GITHUB_ENV
+
+      - name: Prepare Docker Tags
+        run: |
+          if [[ "${{ github.event.inputs.latest }}" == "true" ]]; then
+            echo "DOCKER_TAGS=ghcr.io/gear-tech/node:${{ env.RELEASE_VERSION }},ghcr.io/gear-tech/node:latest" >> $GITHUB_ENV
           else
-            echo "DOCKER_TAGS=ghcr.io/gear-tech/node:latest,ghcr.io/gear-tech/node:${{ env.RELEASE_VERSION }}" >> $GITHUB_ENV
+            echo "DOCKER_TAGS=ghcr.io/gear-tech/node:${{ env.RELEASE_VERSION }}" >> $GITHUB_ENV
           fi
 
-      - uses: docker/build-push-action@v5
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
         with:
           file: ./docker/Dockerfile-release
           push: true
           tags: ${{ env.DOCKER_TAGS }}
-          build-args: |
-            RELEASE_VERSION=${{ env.RELEASE_VERSION }}
+          build-args: RELEASE_VERSION=${{ env.RELEASE_VERSION }}
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache
+
+      - name: Scan the Docker image with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: 'ghcr.io/gear-tech/node:${{ env.RELEASE_VERSION }}'
+          format: 'table'
+          output: 'trivy-results.txt'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          hide-progress: true
+
+      - name: Notify Trivy scan result in Telegram
+        uses: appleboy/telegram-action@master
+        with:
+          to: ${{ secrets.TELEGRAM_DEVOPS_CHAT }}
+          token: ${{ secrets.TELEGRAM_DEVOPS_TOKEN }}
+          format: markdown
+          disable_web_page_preview: true
+          message: |
+            *Status*: ℹ️
+            *Details:* Trivy scan completed for ${{ env.DOCKER_TAGS }}
+          document: trivy-results.txt
+
+      - name: Notify build failure in Telegram
+        if: failure()
+        uses: appleboy/telegram-action@master
+        with:
+          to: ${{ secrets.TELEGRAM_DEVOPS_CHAT }}
+          token: ${{ secrets.TELEGRAM_DEVOPS_TOKEN }}
+          format: markdown
+          disable_web_page_preview: true
+          message: |
+            *Status:* 🔥
+            *Problem:* Build failed
+            *Details:* https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,6 +8,7 @@ env:
   CARGO_INCREMENTAL: 0
   CARGO_TERM_COLOR: always
   TERM: xterm-256color
+  GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
 
 jobs:
   changelog:

diff --git a/.github/workflows/release_listener.yml b/.github/workflows/release_listener.yml
@@ -0,0 +1,50 @@
+name: Release Listener
+
+on:
+  release:
+    types: [published]
+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+
+jobs:
+  trigger-multiplatform-build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dispatch Multiplatform Build Workflow
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ env.GITHUB_TOKEN }}
+          script: |
+            github.rest.actions.createWorkflowDispatch({
+              owner: 'gear-tech',
+              repo: 'builds',
+              workflow_id: 'nightly.yml',
+              ref: 'master',
+              inputs: {
+                release_version: '${{ github.event.release.tag_name }}'
+              }
+            });
+
+  trigger-docker-build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dispatch Docker Build Workflow
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ env.GITHUB_TOKEN }}
+          script: |
+            github.rest.actions.createWorkflowDispatch({
+              owner: 'gear-tech',
+              repo: 'gear',
+              workflow_id: 'CI-docker-gear.yml',
+              ref: 'master',
+              inputs: {
+                release_version: '${{ github.event.release.tag_name }}',
+                latest: 'true'
+              }
+            });
diff --git a/docker/Dockerfile-release b/docker/Dockerfile-release
@@ -6,10 +6,12 @@ RUN apt-get update && \
     apt-get install -y curl sudo xz-utils && \
     rm -rf /var/lib/apt/lists/*
 
-RUN if [ -z "$RELEASE_VERSION" ]; then \
-        curl --proto '=https' --tlsv1.2 -sSf https://get.gear.rs/install.sh | bash -s -- --to /usr/local/bin/ ; \
+RUN if [ "$RELEASE_VERSION" = "latest" ]; then \
+        curl -L https://github.com/gear-tech/gear/releases/latest/download/gear -o /usr/local/bin/gear && \
+        chmod +x /usr/local/bin/gear ; \
     else \
-        curl --proto '=https' --tlsv1.2 -sSf https://get.gear.rs/install.sh | bash -s -- --tag ${RELEASE_VERSION} --to /usr/local/bin/ ; \
+        curl -L https://github.com/gear-tech/gear/releases/download/$RELEASE_VERSION/gear -o /usr/local/bin/gear && \
+        chmod +x /usr/local/bin/gear ; \
     fi
 
 RUN gear --version