mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-01-03 19:13:25 -05:00
34e00e1478
- Updated Rust to v1.74.0 - Updated all crates (where possible) - Changed release profile to use * fat lto * 1 codegen-unit This should optimize a bit for speed and a lot for size ~15MB smaller - Updated Github actions to use caching for the bake process - Added a schedule to clean the cache every week to prevent stale Debian/Alpine base images - During the release action, the Alpine/static binaries are added as artifects. Later we could also automatically add them to the releases maybe. - Added CODEWONERS to prevent unchecked changes to github actions workflows
269 lines
11 KiB
YAML
269 lines
11 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
paths:
|
|
- ".github/workflows/release.yml"
|
|
- "src/**"
|
|
- "migrations/**"
|
|
- "docker/**"
|
|
- "Cargo.*"
|
|
- "build.rs"
|
|
- "diesel.toml"
|
|
- "rust-toolchain.toml"
|
|
|
|
branches: # Only on paths above
|
|
- main
|
|
|
|
tags: # Always, regardless of paths above
|
|
- '*'
|
|
|
|
jobs:
|
|
# https://github.com/marketplace/actions/skip-duplicate-actions
|
|
# Some checks to determine if we need to continue with building a new docker.
|
|
# We will skip this check if we are creating a tag, because that has the same hash as a previous run already.
|
|
skip_check:
|
|
runs-on: ubuntu-22.04
|
|
if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
|
|
outputs:
|
|
should_skip: ${{ steps.skip_check.outputs.should_skip }}
|
|
steps:
|
|
- name: Skip Duplicates Actions
|
|
id: skip_check
|
|
uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
|
|
with:
|
|
cancel_others: 'true'
|
|
# Only run this when not creating a tag
|
|
if: ${{ github.ref_type == 'branch' }}
|
|
|
|
docker-build:
|
|
runs-on: ubuntu-22.04
|
|
timeout-minutes: 120
|
|
needs: skip_check
|
|
if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
|
|
# Start a local docker registry to extract the final Alpine static build binaries
|
|
services:
|
|
registry:
|
|
image: registry:2
|
|
ports:
|
|
- 5000:5000
|
|
env:
|
|
SOURCE_COMMIT: ${{ github.sha }}
|
|
SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
|
|
# The *_REPO variables need to be configured as repository variables
|
|
# Append `/settings/variables/actions` to your repo url
|
|
# DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
|
|
# Check for Docker hub credentials in secrets
|
|
HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
|
|
# GHCR_REPO needs to be 'ghcr.io/<user>/<repo>'
|
|
# Check for Github credentials in secrets
|
|
HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
|
|
# QUAY_REPO needs to be 'quay.io/<user>/<repo>'
|
|
# Check for Quay.io credentials in secrets
|
|
HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
|
|
strategy:
|
|
matrix:
|
|
base_image: ["debian","alpine"]
|
|
|
|
steps:
|
|
# Checkout the repo
|
|
- name: Checkout
|
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Initialize QEMU binfmt support
|
|
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
|
|
with:
|
|
platforms: "arm64,arm"
|
|
|
|
# Start Docker Buildx
|
|
- name: Setup Docker Buildx
|
|
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
|
|
# https://github.com/moby/buildkit/issues/3969
|
|
# Also set max parallelism to 2, the default of 4 breaks GitHub Actions
|
|
with:
|
|
config-inline: |
|
|
[worker.oci]
|
|
max-parallelism = 2
|
|
driver-opts: |
|
|
network=host
|
|
|
|
# Determine Base Tags and Source Version
|
|
- name: Determine Base Tags and Source Version
|
|
shell: bash
|
|
run: |
|
|
# Check which main tag we are going to build determined by github.ref_type
|
|
if [[ "${{ github.ref_type }}" == "tag" ]]; then
|
|
echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
|
|
elif [[ "${{ github.ref_type }}" == "branch" ]]; then
|
|
echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
|
|
fi
|
|
|
|
# Get the Source Version for this release
|
|
GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)"
|
|
if [[ -n "${GIT_EXACT_TAG}" ]]; then
|
|
echo "SOURCE_VERSION=${GIT_EXACT_TAG}" | tee -a "${GITHUB_ENV}"
|
|
else
|
|
GIT_LAST_TAG="$(git describe --tags --abbrev=0)"
|
|
echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}"
|
|
fi
|
|
# End Determine Base Tags
|
|
|
|
# Login to Docker Hub
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
|
|
|
|
- name: Add registry for DockerHub
|
|
if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
|
|
shell: bash
|
|
run: |
|
|
echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}"
|
|
|
|
# Login to GitHub Container Registry
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
|
|
|
|
- name: Add registry for ghcr.io
|
|
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
|
|
shell: bash
|
|
run: |
|
|
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
|
|
|
|
- name: Add registry for ghcr.io
|
|
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
|
|
shell: bash
|
|
run: |
|
|
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
|
|
|
|
# Login to Quay.io
|
|
- name: Login to Quay.io
|
|
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
|
|
with:
|
|
registry: quay.io
|
|
username: ${{ secrets.QUAY_USERNAME }}
|
|
password: ${{ secrets.QUAY_TOKEN }}
|
|
if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
|
|
|
|
- name: Add registry for Quay.io
|
|
if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
|
|
shell: bash
|
|
run: |
|
|
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}"
|
|
|
|
- name: Configure build cache from/to
|
|
shell: bash
|
|
run: |
|
|
#
|
|
# Check if there is a GitHub Container Registry Login and use it for caching
|
|
if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then
|
|
echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}"
|
|
echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},mode=max" | tee -a "${GITHUB_ENV}"
|
|
else
|
|
echo "BAKE_CACHE_FROM="
|
|
echo "BAKE_CACHE_TO="
|
|
fi
|
|
#
|
|
|
|
- name: Add localhost registry
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
shell: bash
|
|
run: |
|
|
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
|
|
|
|
- name: Bake ${{ matrix.base_image }} containers
|
|
uses: docker/bake-action@849707117b03d39aba7924c50a10376a69e88d7d # v4.1.0
|
|
env:
|
|
BASE_TAGS: "${{ env.BASE_TAGS }}"
|
|
SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
|
|
SOURCE_VERSION: "${{ env.SOURCE_VERSION }}"
|
|
SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}"
|
|
CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
|
|
with:
|
|
pull: true
|
|
push: true
|
|
files: docker/docker-bake.hcl
|
|
targets: "${{ matrix.base_image }}-multi"
|
|
set: |
|
|
*.cache-from=${{ env.BAKE_CACHE_FROM }}
|
|
*.cache-to=${{ env.BAKE_CACHE_TO }}
|
|
|
|
|
|
# Extract the Alpine binaries from the containers
|
|
- name: Extract binaries
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
shell: bash
|
|
run: |
|
|
# Check which main tag we are going to build determined by github.ref_type
|
|
if [[ "${{ github.ref_type }}" == "tag" ]]; then
|
|
EXTRACT_TAG="latest"
|
|
elif [[ "${{ github.ref_type }}" == "branch" ]]; then
|
|
EXTRACT_TAG="testing"
|
|
fi
|
|
|
|
# After each extraction the image is removed.
|
|
# This is needed because using different platforms doesn't trigger a new pull/download
|
|
|
|
# Extract amd64 binary
|
|
docker create --name amd64 --platform=linux/amd64 "vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
docker cp amd64:/vaultwarden vaultwarden-amd64
|
|
docker rm --force amd64
|
|
docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
|
|
# Extract arm64 binary
|
|
docker create --name arm64 --platform=linux/arm64 "vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
docker cp arm64:/vaultwarden vaultwarden-arm64
|
|
docker rm --force arm64
|
|
docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
|
|
# Extract armv7 binary
|
|
docker create --name armv7 --platform=linux/arm/v7 "vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
docker cp armv7:/vaultwarden vaultwarden-armv7
|
|
docker rm --force armv7
|
|
docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
|
|
# Extract armv6 binary
|
|
docker create --name armv6 --platform=linux/arm/v6 "vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
docker cp armv6:/vaultwarden vaultwarden-armv6
|
|
docker rm --force armv6
|
|
docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
|
|
# Upload artifacts to Github Actions
|
|
- name: "Upload amd64 artifact"
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
with:
|
|
name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64
|
|
path: vaultwarden-amd64
|
|
|
|
- name: "Upload arm64 artifact"
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
with:
|
|
name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64
|
|
path: vaultwarden-arm64
|
|
|
|
- name: "Upload armv7 artifact"
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
with:
|
|
name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7
|
|
path: vaultwarden-armv7
|
|
|
|
- name: "Upload armv6 artifact"
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
with:
|
|
name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6
|
|
path: vaultwarden-armv6
|
|
# End Upload artifacts to Github Actions
|