[PR #541] [MERGED] feat: Update release pipelines (1.0) #757

Closed
opened 2025-10-08 00:16:38 +03:00 by OVERLORD (Owner) · 0 comments

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/541
Author: @ItalyPaleAle
Created: 5/17/2025
Status: Merged
Merged: 5/17/2025
Merged by: @stonith404

Base: v1.0.0 ← Head: release-pipeline


📝 Commits (6)

  • 41a1481 feat: Update release pipelines (https://github.com/pocket-id/pocket-id/commit/41a148184ad9d7b414602face238696749833402)
  • 0dd66d5 Revert accidental change (https://github.com/pocket-id/pocket-id/commit/0dd66d5684b241f61351eec0125d41129c6e1424)
  • da40b20 Update per review (https://github.com/pocket-id/pocket-id/commit/da40b209eec288dfa93a6aac046b9b6f288f91d4)
  • 7126ba6 Add comment explaining the use of sed (https://github.com/pocket-id/pocket-id/commit/7126ba6bcf369b40a91547247ca4db06ae16df8c)
  • d3fb8d8 Forgot to export DOCKER_IMAGE_NAME (https://github.com/pocket-id/pocket-id/commit/d3fb8d89fbf45bb3fbbcae2f5e1edd7528391642)
  • a07f720 Actually fix it (https://github.com/pocket-id/pocket-id/commit/a07f72019e3733386c77822fde9691db0452472e)

📊 Changes

7 files changed (+84 additions, -38 deletions)

View changed files

📝 .github/workflows/release.yml (+56 -34)
📝 Dockerfile (+4 -1)
➕ Dockerfile-prebuilt (+20 -0)
📝 scripts/development/build-binaries.sh (+4 -3)
📝 scripts/development/create-release.sh (+0 -0)
📝 scripts/development/deploy-development-image.sh (+0 -0)
📝 scripts/docker/entrypoint.sh (+0 -0)

📄 Description

Various updates to the release pipeline to make builds fully reproducible, publish attestations, and speed up container builds.

  1. Create an additional Dockerfile-prebuilt which includes binaries pre-built in the pipeline, rather than re-building the binary for each arch (which can be very slow when running under emulation with QEMU)
  2. Ensure the release pipeline builds binaries with CGo disabled
  3. Pass the ldflag -buildid with the version. Together with -trimpath (already present), this makes builds fully reproducible
  4. Publish provenance attestation for the binaries (attestation is published as a pipeline artifact) and container images (pushed to the container registry) using SLSA (see: https://github.com/actions/attest-build-provenance/)
    • Provenance attestation allows users to check that the binary they are running is exactly the same that was built by the pipeline, and has not been tampered with. A very nice thing for a security-related app like this!
  5. Run chmod +x on the .sh files so it doesn't need to be done when building containers (and they can run locally without issues)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
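An added example, not the PR's own build-binaries.sh or release workflow: a POSIX shell script that applies points 2 to 4 of the description. It builds a Go binary with CGo disabled, -trimpath and a fixed -buildid, builds it a second time and compares the two digests to show the result is byte-identical, prints the recorded build ID with `go tool buildid`, and shows the consumer-side provenance check with `gh attestation verify`. The package path ./cmd/pocket-id, the DEMO switch and the function names are assumptions; the pocket-id binary path and flags in the real pipeline may differ.

```shell
#!/usr/bin/env sh
# Added example (not pocket-id's build-binaries.sh): reproducible Go release
# build plus the checks a consumer runs on the published artifact.
# Assumptions: a Go module in the current directory with package main at
# ./cmd/pocket-id (hypothetical path); the gh CLI for the attestation check.

set -eu

# sha256 of a file, portable between GNU coreutils and macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Build one static, reproducible binary.
#   $1 version string (becomes the build ID), $2 GOOS, $3 GOARCH, $4 output path
# CGO_ENABLED=0 removes the dependency on the host's C toolchain and libc,
# -trimpath strips build-machine paths from the binary, and a fixed -buildid
# replaces the default content hash so the recorded ID does not depend on
# the build environment. Same toolchain + same inputs => identical bytes.
build_binary() {
  version=$1; goos=$2; goarch=$3; out=$4
  CGO_ENABLED=0 GOOS="$goos" GOARCH="$goarch" \
    go build -trimpath -ldflags="-buildid=$version" -o "$out" ./cmd/pocket-id
}

# Print the build ID recorded in a Go binary (should equal the version above).
print_buildid() {
  go tool buildid "$1"
}

# Exit 0 when both files have the same sha256, 1 otherwise.
check_reproducible() {
  a=$(sha256_of "$1"); b=$(sha256_of "$2")
  [ "$a" = "$b" ]
}

# Consumer-side check of the SLSA provenance published by the pipeline:
# gh looks up the attestation for this artifact's digest in the repository
# and verifies the Sigstore bundle, including that the signing identity is
# a workflow of that repository. A rebuilt or patched binary has a different
# digest and fails this check.
verify_attestation() {
  gh attestation verify "$1" --repo "${2:-pocket-id/pocket-id}"
}

# Demonstration, only when explicitly requested and a Go toolchain is on PATH:
#   DEMO=1 sh reproducible-build.sh
if [ "${DEMO:-0}" = 1 ] && command -v go >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  build_binary v1.0.0 linux amd64 "$tmp/build-a"
  build_binary v1.0.0 linux amd64 "$tmp/build-b"
  echo "recorded build ID: $(print_buildid "$tmp/build-a")"
  if check_reproducible "$tmp/build-a" "$tmp/build-b"; then
    echo "reproducible: both builds have digest $(sha256_of "$tmp/build-a")"
  else
    echo "NOT reproducible: digests differ" >&2
    exit 1
  fi
fi
```

The digest comparison is the same test a downstream user can run against a release asset: rebuild from the tagged source with the identical Go version and flags and compare sha256 output with the published binary. The attestation check covers the case where rebuilding is impractical, since it binds the digest of the downloaded file to the workflow run that produced it.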

OVERLORD added the pull-request label 2025-10-08 00:16:38 +03:00
Reference: starred/pocket-id-pocket-id-1#757