d4fa1674dc
Repository transferred from cpfarhood to privilegedescalation organization.
Updated all references in:
- Configuration files (package.json, artifacthub-pkg.yml)
- Documentation (README, CONTRIBUTING, SECURITY, docs/)
- Workflow files
GitHub Actions workflows will continue to work as they use
${{ github.repository }} which auto-updates.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
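# Release workflow: on every pushed tag matching 'v*' it builds the Headlamp
# plugin, packages it as a tarball, pushes a container image to git.farh.net,
# publishes the tarball to a Gitea release and a GitHub release, then rewrites
# artifacthub-pkg.yml with the tarball checksum and force-moves the tag onto
# that metadata commit. The first step is a guard that stops the re-triggered
# run from rebuilding.
#
# Review notes (security):
# - Context values and secrets are mapped through `env:` and read as quoted
#   shell variables. Interpolating `${{ ... }}` directly into a `run:` script
#   pastes the value into the script text before the shell parses it.
# - The tag name ends up in JSON bodies, sed expressions and URLs, so the
#   guard step rejects tag names outside a conservative character set.
# - `actions/checkout@v4` and `node:20` are movable references. Pinning them
#   to a full commit SHA / image digest is recommended for a job that holds
#   registry and release tokens.
name: Release

on:
  push:
    tags:
      - 'v*'

jobs:
  release:
    runs-on: ubuntu-latest
    # NOTE(review): tag-only image reference; consider pinning by digest.
    container: node:20
    steps:
      # fetch-depth 0 fetches full history; later steps fetch and push
      # branches and tags with the credentials this step leaves configured.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Guard against the rebuild loop created by the final step (which
      # force-pushes the tag). If a release tarball already exists and its
      # SHA-256 equals the checksum recorded in artifacthub-pkg.yml, every
      # later step exits early via SKIP_BUILD. This is a loop breaker, not an
      # integrity control: both values are written by this same pipeline.
      - name: Check if release is already finalized
        run: |
          # The tag name is reused in JSON, sed and URLs further down; refuse
          # anything outside a plain version-like character set.
          case "$GITHUB_REF_NAME" in
            *[!0-9A-Za-z._+-]*)
              echo "Refusing tag name with unexpected characters: $GITHUB_REF_NAME" >&2
              exit 1
              ;;
          esac
          VERSION=${GITHUB_REF_NAME#v}
          TARBALL_URL="https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/${GITHUB_REF_NAME}/headlamp-polaris-plugin-${VERSION}.tar.gz"
          HTTP_CODE=$(curl -sL -o /tmp/release.tar.gz -w "%{http_code}" "$TARBALL_URL" 2>/dev/null)
          if [ "$HTTP_CODE" = "200" ]; then
            ACTUAL="sha256:$(sha256sum /tmp/release.tar.gz | awk '{print $1}')"
            EXPECTED=$(grep 'archive-checksum' artifacthub-pkg.yml | awk '{print $2}')
            echo "Release tarball checksum: $ACTUAL"
            echo "Metadata checksum: $EXPECTED"
            if [ "$ACTUAL" = "$EXPECTED" ]; then
              echo "SKIP_BUILD=true" >> "$GITHUB_ENV"
              echo "Checksums match - release is finalized, nothing to do"
            fi
          else
            echo "No existing release (HTTP $HTTP_CODE) - will build"
          fi
          rm -f /tmp/release.tar.gz

      - name: Install dependencies
        run: |
          [ "$SKIP_BUILD" = "true" ] && exit 0
          npm ci

      - name: Build plugin
        run: |
          [ "$SKIP_BUILD" = "true" ] && exit 0
          npx @kinvolk/headlamp-plugin build

      - name: Package tarball
        run: |
          [ "$SKIP_BUILD" = "true" ] && exit 0
          npx @kinvolk/headlamp-plugin package

      # Records the tarball name and SHA-256 in the job environment for the
      # upload and metadata steps.
      - name: Compute tarball checksum
        run: |
          [ "$SKIP_BUILD" = "true" ] && exit 0
          # Require exactly one tarball so a stray archive in the workspace
          # cannot end up being hashed and published.
          set -- *.tar.gz
          if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
            echo "Expected exactly one .tar.gz in $(pwd), found: $*" >&2
            exit 1
          fi
          TARBALL=$1
          CHECKSUM=$(sha256sum "$TARBALL" | awk '{print $1}')
          echo "TARBALL=$TARBALL" >> "$GITHUB_ENV"
          echo "CHECKSUM=$CHECKSUM" >> "$GITHUB_ENV"
          echo "Tarball: $TARBALL"
          echo "Checksum: sha256:$CHECKSUM"

      # NOTE(review): installs whatever docker.io version the image's apt
      # sources currently offer; the version is not pinned.
      - name: Install Docker CLI
        run: |
          [ "$SKIP_BUILD" = "true" ] && exit 0
          apt-get update && apt-get install -y docker.io

      # Builds the image, tags it with the release tag and `latest`, and
      # pushes both to git.farh.net. The registry token reaches docker login
      # on stdin only.
      - name: Build and push Docker image
        env:
          IMAGE: git.farh.net/${{ github.repository }}
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          [ "$SKIP_BUILD" = "true" ] && exit 0
          docker build -t "${IMAGE}:${GITHUB_REF_NAME}" -t "${IMAGE}:latest" .
          printf '%s' "$REGISTRY_TOKEN" | docker login git.farh.net -u "$REGISTRY_USER" --password-stdin
          docker push "${IMAGE}:${GITHUB_REF_NAME}"
          docker push "${IMAGE}:latest"

      # Creates the release for this tag on the hosting server (or looks up
      # the existing one), deletes all of its current assets, then uploads
      # the freshly built tarball.
      - name: Create Gitea release
        env:
          GITEA_TOKEN: ${{ github.token }}
        run: |
          [ "$SKIP_BUILD" = "true" ] && exit 0
          API_URL="${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}"
          # Create release (or get existing)
          RELEASE=$(curl -s -X POST \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
            "${API_URL}/releases" \
            -d "{\"tag_name\":\"${GITHUB_REF_NAME}\",\"name\":\"${GITHUB_REF_NAME}\"}")
          RELEASE_ID=$(echo "$RELEASE" | node -e "process.stdin.resume();let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.parse(d).id))")
          if [ "$RELEASE_ID" = "undefined" ]; then
            RELEASE=$(curl -sf \
              -H "Authorization: token ${GITEA_TOKEN}" \
              "${API_URL}/releases/tags/${GITHUB_REF_NAME}")
            RELEASE_ID=$(echo "$RELEASE" | node -e "process.stdin.resume();let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.parse(d).id))")
          fi
          # Stop before the delete/upload calls if no usable id came back.
          case "$RELEASE_ID" in
            ''|*[!0-9]*)
              echo "Could not resolve a numeric Gitea release id (got '$RELEASE_ID')" >&2
              exit 1
              ;;
          esac
          echo "Gitea Release ID: $RELEASE_ID"
          # Delete existing assets
          ASSETS=$(curl -sf \
            -H "Authorization: token ${GITEA_TOKEN}" \
            "${API_URL}/releases/${RELEASE_ID}/assets")
          echo "$ASSETS" | node -e "
            process.stdin.resume();let d='';
            process.stdin.on('data',c=>d+=c);
            process.stdin.on('end',()=>{
              JSON.parse(d).forEach(a=>console.log(a.id));
            })" | while read -r ASSET_ID; do
            curl -sf -X DELETE \
              -H "Authorization: token ${GITEA_TOKEN}" \
              "${API_URL}/releases/${RELEASE_ID}/assets/${ASSET_ID}"
          done
          # Upload tarball
          curl -sf -X POST \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -F "attachment=@${TARBALL}" \
            "${API_URL}/releases/${RELEASE_ID}/assets?name=${TARBALL}"
          echo "Gitea release updated"

      # Mirrors the release to GitHub with a separate token (GH_TOKEN):
      # reuses the release for this tag if one exists, otherwise creates it,
      # then uploads the tarball as an asset.
      - name: Create GitHub release
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        run: |
          [ "$SKIP_BUILD" = "true" ] && exit 0
          # GitHub API to create/update release
          GITHUB_API="https://api.github.com/repos/privilegedescalation/headlamp-polaris-plugin"
          # Check if release exists
          RELEASE_DATA=$(curl -sf \
            -H "Authorization: token ${GH_TOKEN}" \
            "${GITHUB_API}/releases/tags/${GITHUB_REF_NAME}" || echo "{}")
          RELEASE_ID=$(echo "$RELEASE_DATA" | node -e "process.stdin.resume();let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.parse(d).id||''))")

          if [ -z "$RELEASE_ID" ]; then
            # Create new release
            RELEASE_DATA=$(curl -sf -X POST \
              -H "Authorization: token ${GH_TOKEN}" \
              -H "Content-Type: application/json" \
              "${GITHUB_API}/releases" \
              -d "{\"tag_name\":\"${GITHUB_REF_NAME}\",\"name\":\"${GITHUB_REF_NAME}\",\"draft\":false,\"prerelease\":false}")
            RELEASE_ID=$(echo "$RELEASE_DATA" | node -e "process.stdin.resume();let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>console.log(JSON.parse(d).id))")
          fi

          # Stop before the upload if no usable id came back.
          case "$RELEASE_ID" in
            ''|*[!0-9]*)
              echo "Could not resolve a numeric GitHub release id (got '$RELEASE_ID')" >&2
              exit 1
              ;;
          esac
          echo "GitHub Release ID: $RELEASE_ID"
          # Upload tarball to GitHub
          # upload_url is a URI template; sed strips its trailing {...} part.
          UPLOAD_URL=$(echo "$RELEASE_DATA" | node -e "process.stdin.resume();let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>{const r=JSON.parse(d);console.log(r.upload_url||'https://uploads.github.com/repos/privilegedescalation/headlamp-polaris-plugin/releases/${RELEASE_ID}/assets')})" | sed 's/{.*}//')
          curl -sf -X POST \
            -H "Authorization: token ${GH_TOKEN}" \
            -H "Content-Type: application/gzip" \
            --data-binary "@${TARBALL}" \
            "${UPLOAD_URL}?name=${TARBALL}"
          echo "GitHub release updated"

      # Writes the new checksum, archive URL and version into
      # artifacthub-pkg.yml, pushes that commit straight to `dev` or `main`,
      # and force-moves the release tag onto it.
      #
      # NOTE(review): this job pushes to a long-lived branch and rewrites a
      # published tag, so the credentials it runs with need write access to
      # both. After the move the tag names the metadata commit, while the
      # tarball and image above were built from the commit the tag pointed
      # to when the run started.
      - name: Update metadata and align tag
        run: |
          [ "$SKIP_BUILD" = "true" ] && exit 0
          VERSION=${GITHUB_REF_NAME#v}
          git config user.name "gitea-actions[bot]"
          git config user.email "gitea-actions[bot]@git.farh.net"
          # Determine which Gitea branch to update based on version suffix
          if [[ "$VERSION" == *"-dev."* ]]; then
            GITEA_BRANCH="dev"
          else
            GITEA_BRANCH="main"
          fi
          git fetch origin "${GITEA_BRANCH}"
          git checkout "origin/${GITEA_BRANCH}" -B temp-update
          sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
          sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/${GITHUB_REF_NAME}/headlamp-polaris-plugin-${VERSION}.tar.gz\"|" artifacthub-pkg.yml
          sed -i "s|^version:.*|version: ${VERSION}|" artifacthub-pkg.yml
          git add artifacthub-pkg.yml
          git diff --cached --quiet || {
            git commit -m "ci: update artifact hub metadata for ${GITHUB_REF_NAME}"
            git push origin "temp-update:${GITEA_BRANCH}"
          }
          # Force-move tag to the commit with correct checksum.
          # This triggers a new CI run, but the guard step will detect
          # that the release checksum already matches and skip the build.
          git tag -f "${GITHUB_REF_NAME}"
          git push -f origin "${GITHUB_REF_NAME}"
          echo "Tag ${GITHUB_REF_NAME} aligned with updated metadata"
          echo "Note: GitHub sync handled by Gitea mirror configuration"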