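# Release pipeline: on every "v*" tag, build and publish with GoReleaser,
# attest the produced artifacts, then mirror them to an S3-compatible bucket.
name: GoReleaser Release

# `on` is the workflow trigger key. It is a YAML 1.1 truthy word (yamllint
# `truthy` flags it) but GitHub's loader reads it as intended — leave it.
on:
  push:
    tags:
      - "v*"

# Token scopes granted to the single job below, each tied to one step:
#   contents: write     -> GoReleaser creates the release and uploads assets
#   id-token: write     -> OIDC token requested by attest-build-provenance
#   attestations: write -> stores the generated provenance on the repository
permissions:
  contents: write
  id-token: write
  attestations: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every action here is pinned to a mutable major tag
      # (@v4, @v6, @v7). For a pipeline that mints signed provenance, consider
      # pinning to a full commit SHA with the tag as a trailing comment, e.g.
      # `uses: actions/checkout@<FULL_COMMIT_SHA> # v4`, so that retagging the
      # action upstream cannot change what runs with these write scopes.
      - name: Check out code
        uses: actions/checkout@v4
        with:
          # Full history (tags included); presumably needed by GoReleaser for
          # changelog / previous-tag resolution — TODO confirm.
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          # Toolchain version comes from go.mod, so build and module agree.
          go-version-file: "go.mod"
      - name: Download dependencies
        run: go mod download
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: "~> v2"
          args: release --clean
        env:
          # Job token with the scopes declared at the top of the file.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate signed build provenance attestations
        uses: actions/attest-build-provenance@v4
        with:
          # Subjects are the archives and text files (checksums) in dist/.
          # Anything uploaded by the mirror step that is not one of these —
          # notably the rewritten install.sh — is NOT covered by this attestation.
          subject-path: |
            dist/*.tar.gz
            dist/*.zip
            dist/*.txt
      - name: Mirror release assets to S3-compatible storage
        # All secrets and the tag name reach the script as environment
        # variables; nothing is `${{ }}`-interpolated into the `run:` text, so a
        # crafted tag name cannot be spliced into the shell source.
        # NOTE(review): MIRROR_S3_* are static long-lived keys; ideally scoped
        # to object writes on this bucket/prefix only.
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.MIRROR_S3_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.MIRROR_S3_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.MIRROR_S3_REGION }}
          BUCKET: ${{ secrets.MIRROR_S3_BUCKET }}
          ENDPOINT: ${{ secrets.MIRROR_S3_ENDPOINT }}
          PREFIX: ${{ secrets.MIRROR_S3_PATH_PREFIX }}
          MIRROR_PUBLIC_URL: ${{ secrets.MIRROR_PUBLIC_URL }}
          VERSION: ${{ github.ref_name }}
        run: |
          set -eu
          # The mirror is opt-in: with no bucket/endpoint configured this step
          # is a no-op rather than a failure.
          if [ -z "${BUCKET:-}" ] || [ -z "${ENDPOINT:-}" ]; then
            echo "Mirror not configured (need MIRROR_S3_BUCKET + MIRROR_S3_ENDPOINT). Skipping."
            exit 0
          fi
          # Aliyun OSS rejects path-style requests (SecondLevelDomainForbidden);
          # AWS CLI defaults to path-style for custom endpoints, so force
          # virtual-hosted style. Harmless for endpoints that accept either.
          aws configure set default.s3.addressing_style virtual
          # AWS CLI v2.23+ enabled default integrity protections that add
          # `aws-chunked` request encoding, which OSS rejects with
          # InvalidArgument. Restore the pre-2.23 behavior.
          aws configure set default.request_checksum_calculation when_required
          aws configure set default.response_checksum_validation when_required
          # Normalize PREFIX: strip both leading and trailing slashes so a
          # value of "/" or "/foo/" doesn't produce a doubled or leading slash
          # in the resulting key.
          PREFIX="${PREFIX#/}"; PREFIX="${PREFIX%/}"
          base="${PREFIX:+${PREFIX}/}releases/download/${VERSION}"
          uploaded=0
          # NOTE(review): the checksum file is matched by the fixed name
          # dist/checksums.txt. GoReleaser's default checksum filename (as far as
          # I recall) includes project and version, so unless .goreleaser.yaml
          # sets name_template to checksums.txt the `|| continue` below silently
          # drops it and the mirror carries archives without checksums — confirm.
          for f in dist/*.tar.gz dist/*.zip dist/checksums.txt; do
            [ -f "$f" ] || continue
            name=$(basename "$f")
            echo "Uploading $f -> s3://${BUCKET}/${base}/${name}"
            aws --endpoint-url="$ENDPOINT" s3 cp "$f" "s3://${BUCKET}/${base}/${name}" \
              --cache-control "public, max-age=31536000, immutable"
            uploaded=$((uploaded + 1))
          done
          if [ "$uploaded" -eq 0 ]; then
            echo "No release artifacts found in dist/ — refusing to update latest pointer."
            exit 1
          fi
          # Latest pointer used by install.sh resolve_version when MIRROR_URL is set.
          # Updated last so a partial upload doesn't make the mirror advertise a broken version.
          # NOTE(review): two release runs in flight at the same time could still
          # race on this key (last writer wins, not newest tag); nothing in this
          # workflow serializes them.
          latest_key="${PREFIX:+${PREFIX}/}releases/latest"
          printf '%s\n' "$VERSION" > /tmp/latest
          aws --endpoint-url="$ENDPOINT" s3 cp /tmp/latest "s3://${BUCKET}/${latest_key}" \
            --cache-control "public, max-age=60" \
            --content-type "text/plain; charset=utf-8"
          # Refresh the install scripts on every release so the mirror never
          # ships a stale/missing installer (install-scripts.yml only fires when
          # install.sh/.ps1 change on main; the scripts are version-agnostic, so
          # re-uploading the current copy here is the belt-and-suspenders guarantee).
          # Bake the CDN as the default MIRROR_URL into the served copy so
          # `curl <cdn>/install.sh | sh` pulls binaries from the CDN with no
          # MIRROR_URL arg. The repo / GitHub copy stays generic (GitHub default).
          src_sh=install.sh
          if [ -n "${MIRROR_PUBLIC_URL:-}" ]; then
            pub="${MIRROR_PUBLIC_URL%/}${PREFIX:+/${PREFIX}}"
            # $pub is not escaped for sed: a "#" (the delimiter), "&" or "\" in
            # the URL would corrupt the substitution. sed then either exits
            # non-zero (set -e stops the step) or the literal check below fails,
            # so a corrupted installer is never uploaded.
            sed "s#MIRROR_URL=\"\${MIRROR_URL:-}\"#MIRROR_URL=\"\${MIRROR_URL:-${pub}}\"#" install.sh > /tmp/install.sh
            # -F: compare the injected default as a fixed string, not a regex
            # (otherwise "." in the URL matches any character and "[" would
            # break the pattern).
            grep -qF "MIRROR_URL:-${pub}" /tmp/install.sh || { echo "ERROR: MIRROR_URL default not injected (install.sh default line changed?)" >&2; exit 1; }
            src_sh=/tmp/install.sh
          fi
          sh_key="${PREFIX:+${PREFIX}/}install.sh"
          aws --endpoint-url="$ENDPOINT" s3 cp "$src_sh" "s3://${BUCKET}/${sh_key}" \
            --cache-control "public, max-age=300" \
            --content-type "text/x-shellscript; charset=utf-8"
          # NOTE(review): install.ps1 is mirrored unmodified — no MIRROR_URL
          # default is baked in the way it is for install.sh; confirm that
          # asymmetry is intended.
          ps1_key="${PREFIX:+${PREFIX}/}install.ps1"
          aws --endpoint-url="$ENDPOINT" s3 cp install.ps1 "s3://${BUCKET}/${ps1_key}" \
            --cache-control "public, max-age=300" \
            --content-type "text/plain; charset=utf-8"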