Forgejo runner auto-injects GITHUB_TOKEN; combined with the GITEA_TOKEN we set explicitly, goreleaser errors with 'multiple tokens'. Unset the GitHub one inside the run step so goreleaser follows the Gitea/Forgejo release path defined by .goreleaser.yml's gitea_urls block.
# Release workflow: runs when a tag matching v* is pushed, or when started
# by hand through workflow_dispatch.
name: Release

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:

# Applies to every job in this file.
# NOTE(review): presumably needed so the job token can create the release
# and upload assets; confirm the runner enforces this key, and whether the
# image-publishing job needs write access at all.
permissions:
  contents: write
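jobs:
  # Builds and publishes the release with goreleaser, then (when signing is
  # configured) signs dist/checksums.txt and uploads the signature as an
  # extra release asset.
  release:
    runs-on: docker
    container:
      image: docker.io/library/golang:1.25
    steps:
      # NOTE(review): `v4` is a mutable tag. Later steps in this job hold the
      # release token and the signing key, so pin the action to a vetted
      # full commit SHA (actions/checkout@<FULL_COMMIT_SHA>).
      - uses: actions/checkout@v4
        with:
          # 0 = fetch full history (presumably so goreleaser can see tags
          # and build the changelog).
          fetch-depth: 0

      - name: Install build deps (bash, curl, jq, ffmpeg fetch deps)
        run: |
          apt-get update
          apt-get install -y --no-install-recommends bash curl ca-certificates jq xz-utils unzip

      - name: Install goreleaser
        run: |
          # Fail the step if either side of the download pipe fails.
          set -euo pipefail
          # NOTE(review): `releases/latest` is unpinned and the archive is
          # unpacked with no checksum or signature check; the resulting
          # binary later runs with GITEA_TOKEN in its environment. Pin a
          # release (<GORELEASER_VERSION>) and compare the archive against
          # a digest committed to this repository before extracting.
          curl -sSfL https://github.com/goreleaser/goreleaser/releases/latest/download/goreleaser_Linux_x86_64.tar.gz \
            | tar -xz -C /usr/local/bin goreleaser

      - name: Run goreleaser
        env:
          # Forgejo runner auto-injects GITHUB_TOKEN (a per-job, instance-scoped
          # token usable against the Forgejo REST API). goreleaser only accepts
          # one token; with both GITHUB_TOKEN + GITEA_TOKEN set it errors out
          # ("multiple tokens"). Unset GITHUB_TOKEN before invoking goreleaser so
          # it picks the Gitea code path + the gitea_urls block in .goreleaser.yml.
          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
          # Empty when RELEASE_SIGNING_PUBKEY variable is unset — goreleaser
          # accepts it and the resulting binary disables signature checks
          # (back-compat: pre-signing releases continue to update). Set
          # RELEASE_SIGNING_PUBKEY (variable) + RELEASE_SIGNING_KEY (secret)
          # to turn verification on.
          # NOTE(review): this is fail-open. If the variable is cleared by
          # mistake, binaries ship with signature checks disabled and nothing
          # in this workflow fails; consider failing tag builds when it is
          # empty once signing has been rolled out.
          RELEASE_SIGNING_PUBKEY: ${{ vars.RELEASE_SIGNING_PUBKEY }}
        run: |
          unset GITHUB_TOKEN
          goreleaser release --clean

      - name: Sign checksums.txt with ed25519
        # Runs only when both the public-key variable and the private-key
        # secret are non-empty. By this point goreleaser has already run, so
        # a skipped or failed signing step leaves the release without a
        # checksums.txt.sig asset.
        # NOTE(review): confirm the runner exposes `secrets.*` to step-level
        # `if:` expressions; if it evaluates to empty, this step is skipped
        # without error.
        if: ${{ vars.RELEASE_SIGNING_PUBKEY != '' && secrets.RELEASE_SIGNING_KEY != '' }}
        env:
          RELEASE_SIGNING_KEY: ${{ secrets.RELEASE_SIGNING_KEY }}
          RELEASE_TAG: ${{ github.ref_name }}
          FORGEJO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # In-cluster hostname: the runner shares the dokploy-network with
          # forgejo (hostname `forgejo`), so this is the fastest route; the
          # Tailscale IP is the documented fallback. The scheme is plain
          # HTTP, so the token in the Authorization header is unencrypted on
          # this hop; keep the endpoint on the private network.
          FORGEJO_API: http://forgejo:3000/api/v1
          REPO: torrentclaw/unarr
        run: |
          set -euo pipefail
          # NOTE(review): the signing key is passed as a command-line
          # argument (presumably the key material itself), which is visible
          # in the process list while the signer runs. Prefer having
          # scripts/sign-checksums read RELEASE_SIGNING_KEY from the
          # environment or from a file with restrictive permissions.
          go run ./scripts/sign-checksums \
            -key "$RELEASE_SIGNING_KEY" \
            -in dist/checksums.txt \
            -out dist/checksums.txt.sig

          # Find the release ID for this tag, then upload the sig as an asset.
          # `jq -e` exits non-zero when `.id` is null or missing, so a bad
          # lookup stops here instead of POSTing to .../releases/null/assets.
          rel_id=$(curl -sSf "$FORGEJO_API/repos/$REPO/releases/tags/$RELEASE_TAG" \
            -H "Authorization: token $FORGEJO_TOKEN" | jq -er '.id')
          curl -sSf -X POST \
            "$FORGEJO_API/repos/$REPO/releases/$rel_id/assets?name=checksums.txt.sig" \
            -H "Authorization: token $FORGEJO_TOKEN" \
            -F "attachment=@dist/checksums.txt.sig"

  # Builds the multi-arch container image and pushes it to Docker Hub once
  # the release job has succeeded.
  docker:
    needs: release
    runs-on: docker
    container:
      # Docker CLI image used to drive buildx.
      # NOTE(review): the steps below install buildx and register qemu
      # handlers themselves; if the image already ships them, those steps
      # are redundant. Confirm and drop whichever is not needed.
      image: docker.io/library/docker:27-cli
    steps:
      # NOTE(review): mutable tag; pin to a vetted full commit SHA
      # (actions/checkout@<FULL_COMMIT_SHA>), since this job holds the
      # Docker Hub credentials.
      - uses: actions/checkout@v4

      - name: Install buildx
        run: |
          set -euo pipefail
          apk add --no-cache curl
          mkdir -p ~/.docker/cli-plugins
          # -f makes curl fail on an HTTP error instead of saving the error
          # page as the plugin binary and marking it executable.
          # NOTE(review): `releases/latest` is unpinned and unverified;
          # confirm this asset name resolves, then pin a release and check
          # it against a digest committed to this repository.
          curl -sSfL https://github.com/docker/buildx/releases/latest/download/buildx-linux-amd64 \
            -o ~/.docker/cli-plugins/docker-buildx
          chmod +x ~/.docker/cli-plugins/docker-buildx

      - name: Login to Docker Hub
        env:
          DH_USER: ${{ secrets.DOCKERHUB_USERNAME }}
          DH_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        # The token is fed on stdin so it never appears in the argument list.
        run: echo "$DH_TOKEN" | docker login -u "$DH_USER" --password-stdin

      # NOTE(review): this runs an unpinned third-party image with
      # --privileged on the runner's Docker daemon. Pin it by digest
      # (tonistiigi/binfmt@sha256:<DIGEST>) and limit `--install` to the
      # architectures actually built (arm64 here).
      - name: Set up qemu
        run: docker run --rm --privileged tonistiigi/binfmt --install all

      - name: Build + push multi-arch image
        env:
          VERSION: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          # github.ref_name is a branch name when the workflow is started by
          # hand from a branch. Refuse anything that is not a v<digit>... tag
          # so a manual run cannot overwrite the published tags.
          case "$VERSION" in
            v[0-9]*) ;;
            *)
              echo "refusing to publish image: '$VERSION' is not a version tag" >&2
              exit 1
              ;;
          esac
          VERSION_SEMVER="${VERSION#v}"
          MAJOR_MINOR="${VERSION_SEMVER%.*}"
          # The exact version tag is always pushed. The floating tags
          # (major.minor and latest) move only for versions without a
          # pre-release suffix, so a tag such as v1.2.3-rc.1 cannot become
          # `latest` or produce a malformed major.minor tag.
          set -- --tag "torrentclaw/unarr:$VERSION_SEMVER"
          case "$VERSION_SEMVER" in
            *-*) ;;
            *)
              set -- "$@" \
                --tag "torrentclaw/unarr:$MAJOR_MINOR" \
                --tag "torrentclaw/unarr:latest"
              ;;
          esac
          docker buildx create --name builder --use --driver docker-container
          docker buildx build \
            --platform linux/amd64,linux/arm64 \
            --build-arg "VERSION=$VERSION" \
            "$@" \
            --push \
            .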