name: Release Artifacts on: release: types: - published permissions: contents: write packages: write jobs: build-and-upload: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup Go uses: actions/setup-go@v5 with: go-version: "1.24.x" - name: Setup Node uses: actions/setup-node@v4 with: node-version: "20" cache: "npm" cache-dependency-path: webui/package-lock.json - name: Release Blocking Gates run: | ./tests/scripts/check-stage6-manual-smoke.sh ./tests/scripts/check-refactor-line-gate.sh ./tests/scripts/run-unit-all.sh - name: Build WebUI run: | npm ci --prefix webui npm run build --prefix webui - name: Build Multi-Platform Archives run: | set -euo pipefail TAG="${{ github.event.release.tag_name }}" mkdir -p dist targets=( "linux/amd64" "linux/arm64" "darwin/amd64" "darwin/arm64" "windows/amd64" ) for target in "${targets[@]}"; do GOOS="${target%/*}" GOARCH="${target#*/}" PKG="ds2api_${TAG}_${GOOS}_${GOARCH}" STAGE="dist/${PKG}" BIN="ds2api" if [ "${GOOS}" = "windows" ]; then BIN="ds2api.exe" fi mkdir -p "${STAGE}/static" CGO_ENABLED=0 GOOS="${GOOS}" GOARCH="${GOARCH}" \ go build -trimpath -ldflags="-s -w" -o "${STAGE}/${BIN}" ./cmd/ds2api cp config.example.json .env.example sha3_wasm_bg.7b9ca65ddd.wasm LICENSE README.MD README.en.md "${STAGE}/" cp -R static/admin "${STAGE}/static/admin" if [ "${GOOS}" = "windows" ]; then (cd dist && zip -rq "${PKG}.zip" "${PKG}") else tar -C dist -czf "dist/${PKG}.tar.gz" "${PKG}" fi rm -rf "${STAGE}" done - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Wait for GHCR endpoint run: | set -euo pipefail for i in {1..6}; do code="$(curl -sS -o /dev/null -w '%{http_code}' --max-time 15 https://ghcr.io/v2/ || true)" if [ "${code}" = "200" ] || [ "${code}" = "401" ] || [ "${code}" = "405" ]; then exit 0 fi sleep "$((i * 10))" done echo "GHCR endpoint is unreachable after multiple retries (last status: ${code:-unknown})." >&2 exit 1 - name: Log in to GHCR (with retry) run: | set -euo pipefail for i in {1..6}; do if echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin; then exit 0 fi sleep "$((i * 10))" done echo "Failed to login to GHCR after multiple retries." >&2 exit 1 - name: Extract Docker metadata id: meta_release uses: docker/metadata-action@v5 with: images: | ghcr.io/${{ github.repository }} tags: | type=raw,value=${{ github.event.release.tag_name }} type=raw,value=latest - name: Build and Push Docker Image uses: docker/build-push-action@v6 env: DOCKER_BUILD_RECORD_UPLOAD: "false" DOCKER_BUILD_SUMMARY: "false" with: context: . file: ./Dockerfile push: true platforms: linux/amd64,linux/arm64 tags: ${{ steps.meta_release.outputs.tags }} labels: ${{ steps.meta_release.outputs.labels }} - name: Export Docker image archives for release assets run: | set -euo pipefail TAG="${{ github.event.release.tag_name }}" docker buildx build \ --platform linux/amd64 \ --output type=docker,dest="dist/ds2api_${TAG}_docker_linux_amd64.tar" \ . docker buildx build \ --platform linux/arm64 \ --output type=docker,dest="dist/ds2api_${TAG}_docker_linux_arm64.tar" \ . gzip -f "dist/ds2api_${TAG}_docker_linux_amd64.tar" gzip -f "dist/ds2api_${TAG}_docker_linux_arm64.tar" - name: Generate checksums run: | set -euo pipefail (cd dist && sha256sum *.tar.gz *.zip > sha256sums.txt) - name: Validate release tag run: | set -euo pipefail TAG="${{ github.event.release.tag_name }}" if [ -z "${TAG}" ]; then echo "release.tag_name is empty; this workflow must run from a published GitHub Release." >&2 exit 1 fi - name: Upload Release Assets uses: softprops/action-gh-release@v2 with: tag_name: ${{ github.event.release.tag_name }} files: | dist/*.tar.gz dist/*.zip dist/sha256sums.txt