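# Release workflow (Forgejo Actions): builds and publishes binaries with
# goreleaser, optionally signs dist/checksums.txt with ed25519 and uploads the
# signature as a release asset, then builds and pushes the multi-arch image.
name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:

# NOTE(review): declared at workflow level, so both jobs get write access to
# repository contents, although only `release` uploads release assets.
permissions:
  contents: write

jobs:
  release:
    runs-on: docker
    container:
      image: docker.io/library/golang:1.25
    steps:
      # NOTE(review): `@v4` is a mutable tag. Pinning the action to a full
      # commit SHA keeps a retagged upstream from running in the job that
      # holds the release token and the signing key.
      - uses: actions/checkout@v4
        with:
          # Full history (all tags and commits) for the release build.
          fetch-depth: 0

      - name: Install build deps (bash, curl, jq, ffmpeg fetch deps)
        run: |
          apt-get update
          apt-get install -y --no-install-recommends bash curl ca-certificates jq xz-utils unzip

      - name: Install goreleaser
        # NOTE(review): `releases/latest` is unpinned and the archive is
        # extracted without an integrity check, so whatever upstream serves at
        # build time runs in the next step with GITEA_TOKEN in its
        # environment. Pin an explicit version and verify the archive against
        # a checksum recorded in this repository before extracting it.
        run: |
          set -euo pipefail
          curl -sSfL https://github.com/goreleaser/goreleaser/releases/latest/download/goreleaser_Linux_x86_64.tar.gz \
            | tar -xz -C /usr/local/bin goreleaser

      - name: Run goreleaser
        env:
          # Forgejo runner injects GITHUB_TOKEN — but goreleaser uses it to talk to
          # the *Forgejo* API thanks to the gitea_urls override in .goreleaser.yml.
          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
          # Empty when RELEASE_SIGNING_PUBKEY variable is unset — goreleaser
          # accepts it and the resulting binary disables signature checks
          # (back-compat: pre-signing releases continue to update). Set
          # RELEASE_SIGNING_PUBKEY (variable) + RELEASE_SIGNING_KEY (secret)
          # to turn verification on.
          # NOTE(review): this fails open. If the variable is removed or
          # renamed, the build still succeeds and ships a binary that skips
          # update verification. Once signing is rolled out, consider failing
          # the release when the variable is empty.
          RELEASE_SIGNING_PUBKEY: ${{ vars.RELEASE_SIGNING_PUBKEY }}
        run: goreleaser release --clean

      - name: Sign checksums.txt with ed25519
        # NOTE(review): some Actions implementations do not expose `secrets`
        # in a step-level `if`. Confirm that this condition evaluates as
        # intended on the Forgejo runner; if it does not, the step is skipped
        # silently and the release is published without a signature.
        if: ${{ vars.RELEASE_SIGNING_PUBKEY != '' && secrets.RELEASE_SIGNING_KEY != '' }}
        env:
          RELEASE_SIGNING_KEY: ${{ secrets.RELEASE_SIGNING_KEY }}
          RELEASE_TAG: ${{ github.ref_name }}
          FORGEJO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # In-cluster hostname: the runner shares the dokploy-network with
          # forgejo (hostname `forgejo`), which is the fastest route. The
          # Tailscale IP is the documented, domain-agnostic fallback.
          # NOTE(review): plain http, so FORGEJO_TOKEN crosses this network
          # unencrypted. Acceptable only while the network is trusted.
          FORGEJO_API: http://forgejo:3000/api/v1
          REPO: deivid/unarr
        run: |
          set -euo pipefail
          # NOTE(review): the private key is passed as a command-line
          # argument, which other processes in the container can read from
          # the process list. If scripts/sign-checksums can take the key from
          # the environment or a file, prefer that.
          go run ./scripts/sign-checksums \
            -key "$RELEASE_SIGNING_KEY" \
            -in dist/checksums.txt \
            -out dist/checksums.txt.sig
          # Find the release ID for this tag, then upload the sig as an asset.
          # `jq -e` exits non-zero when `.id` is null or missing, so a
          # malformed response stops the step instead of posting to
          # `releases/null/assets`.
          rel_id=$(curl -sSf "$FORGEJO_API/repos/$REPO/releases/tags/$RELEASE_TAG" \
            -H "Authorization: token $FORGEJO_TOKEN" | jq -er '.id')
          curl -sSf -X POST \
            "$FORGEJO_API/repos/$REPO/releases/$rel_id/assets?name=checksums.txt.sig" \
            -H "Authorization: token $FORGEJO_TOKEN" \
            -F "attachment=@dist/checksums.txt.sig"

  docker:
    needs: release
    runs-on: docker
    container:
      # Docker-in-Docker capable image — buildx + qemu pre-installed.
      # NOTE(review): the steps below still install buildx and register qemu
      # handlers, so either this comment or those steps are out of date.
      image: docker.io/library/docker:27-cli
    steps:
      - uses: actions/checkout@v4

      - name: Install buildx
        # NOTE(review): unpinned `latest` download with no integrity check,
        # run in the job that is logged in to Docker Hub. Pin a version and
        # verify its checksum.
        # `-f` makes curl fail on an HTTP error instead of saving the error
        # page as the plugin binary.
        run: |
          set -euo pipefail
          apk add --no-cache curl
          mkdir -p ~/.docker/cli-plugins
          curl -fsSL https://github.com/docker/buildx/releases/latest/download/buildx-linux-amd64 \
            -o ~/.docker/cli-plugins/docker-buildx
          chmod +x ~/.docker/cli-plugins/docker-buildx

      - name: Login to Docker Hub
        env:
          DH_USER: ${{ secrets.DOCKERHUB_USERNAME }}
          DH_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        # The token is read from stdin, so it stays off the command line.
        run: echo "$DH_TOKEN" | docker login -u "$DH_USER" --password-stdin

      - name: Set up qemu
        # NOTE(review): this runs an untagged third-party image with
        # --privileged on the runner's Docker daemon. Pin it by digest. The
        # build below targets only linux/amd64 and linux/arm64, so `all`
        # registers more emulators than are needed.
        run: docker run --rm --privileged tonistiigi/binfmt --install all

      - name: Build + push multi-arch image
        env:
          VERSION: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          # A workflow_dispatch run on a branch sets ref_name to the branch
          # name. Stop here rather than publish it as a version tag and move
          # `latest`.
          case "$VERSION" in
            v[0-9]*) ;;
            *)
              echo "refusing to publish: '$VERSION' is not a v* release tag" >&2
              exit 1
              ;;
          esac
          # v1.2.3 -> 1.2.3 -> 1.2
          # NOTE(review): a pre-release tag such as v1.2.3-rc.1 yields
          # MAJOR_MINOR=1.2.3-rc and still moves `latest`.
          VERSION_SEMVER="${VERSION#v}"
          MAJOR_MINOR="${VERSION_SEMVER%.*}"
          docker buildx create --name builder --use --driver docker-container
          docker buildx build \
            --platform linux/amd64,linux/arm64 \
            --build-arg "VERSION=$VERSION" \
            --tag "torrentclaw/unarr:$VERSION_SEMVER" \
            --tag "torrentclaw/unarr:$MAJOR_MINOR" \
            --tag "torrentclaw/unarr:latest" \
            --push \
            .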