name: Release on: push: tags: - 'v*.*.*' jobs: build: runs-on: ubuntu-latest permissions: contents: write packages: write attestations: write id-token: write steps: - name: Checkout code uses: actions/checkout@v3 - name: Setup pnpm uses: pnpm/action-setup@v4 with: version: 10 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: 22 cache: 'pnpm' cache-dependency-path: pnpm-lock.yaml - uses: actions/setup-go@v5 with: go-version-file: 'backend/go.mod' - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Set DOCKER_IMAGE_NAME run: | # Lowercase REPO_OWNER which is required for containers REPO_OWNER=${{ github.repository_owner }} DOCKER_IMAGE_NAME="ghcr.io/${REPO_OWNER,,}/pocket-id" echo "DOCKER_IMAGE_NAME=${DOCKER_IMAGE_NAME}" >>${GITHUB_ENV} - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: registry: ghcr.io username: ${{github.repository_owner}} password: ${{secrets.GITHUB_TOKEN}} - name: Docker metadata id: meta uses: docker/metadata-action@v5 with: images: | ${{ env.DOCKER_IMAGE_NAME }} tags: | type=semver,pattern={{version}},prefix=v type=semver,pattern={{major}}.{{minor}},prefix=v type=semver,pattern={{major}},prefix=v - name: Docker metadata (distroless) id: meta-distroless uses: docker/metadata-action@v5 with: images: | ${{ env.DOCKER_IMAGE_NAME }} flavor: | suffix=-distroless,onlatest=true tags: | type=semver,pattern={{version}},prefix=v type=semver,pattern={{major}}.{{minor}},prefix=v type=semver,pattern={{major}},prefix=v - name: Install frontend dependencies run: pnpm --filter pocket-id-frontend install --frozen-lockfile - name: Build frontend run: pnpm --filter pocket-id-frontend build - name: Build binaries run: sh scripts/development/build-binaries.sh - name: Build and push container image uses: docker/build-push-action@v6 id: container-build-push with: context: . platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} file: Dockerfile-prebuilt - name: Build and push container image (distroless) uses: docker/build-push-action@v6 id: container-build-push-distroless with: context: . platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta-distroless.outputs.tags }} labels: ${{ steps.meta-distroless.outputs.labels }} file: Dockerfile-distroless - name: Binary attestation uses: actions/attest-build-provenance@v2 with: subject-path: 'backend/.bin/pocket-id-**' - name: Container image attestation uses: actions/attest-build-provenance@v2 with: subject-name: '${{ env.DOCKER_IMAGE_NAME }}' subject-digest: ${{ steps.container-build-push.outputs.digest }} push-to-registry: true - name: Container image attestation (distroless) uses: actions/attest-build-provenance@v2 with: subject-name: '${{ env.DOCKER_IMAGE_NAME }}' subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }} push-to-registry: true - name: Upload binaries to release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: gh release upload ${{ github.ref_name }} backend/.bin/* publish-release: runs-on: ubuntu-latest needs: [build] permissions: contents: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout code uses: actions/checkout@v4 - name: Mark release as published run: gh release edit ${{ github.ref_name }} --draft=false