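--- a/.github/workflows/build-ledo.yml
+++ b/.github/workflows/build-ledo.yml
@@ -0,0 +1,129 @@
+name: Build & Push Ledo Fleet Image
+
+on:
+push:
+branches: [aggregated]
+tags:
+- 'fleet-v*'
+paths:
+- 'cmd/**'
+- 'ee/**'
+- 'server/**'
+- 'frontend/**'
+- 'orbit/**'
+- 'pkg/**'
+- 'go.mod'
+- 'go.sum'
+- 'package.json'
+- 'yarn.lock'
+- 'webpack.config.js'
+- 'Dockerfile'
+- '.github/workflows/build-ledo.yml'
+workflow_dispatch:
+
+env:
+REGISTRY: ghcr.io
+IMAGE_NAME: ledoent/fleet
+
+jobs:
+build-and-push:
+runs-on: ubuntu-24.04
+permissions:
+contents: read
+packages: write
+
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+fetch-tags: true
+
+- name: Derive Fleet version and image tag
+id: version
+run: |
+if [[ "$GITHUB_REF" == refs/tags/fleet-v* ]]; then
+BASE_TAG="${GITHUB_REF#refs/tags/}"
+else
+BASE_TAG=$(git describe --tags --match 'fleet-v*' --abbrev=0 2>/dev/null || echo "fleet-vdev")
+fi
+FLEET_VERSION="${BASE_TAG#fleet-}"
+IMAGE_TAG="${FLEET_VERSION}-ledo"
+echo "fleet_version=${FLEET_VERSION}" >> "$GITHUB_OUTPUT"
+echo "image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
+echo "Fleet version: ${FLEET_VERSION}, image tag: ${IMAGE_TAG}"
+
+# Gate the publish on PG-compat checks passing on this exact SHA. The
+# gate runs concurrently with the required workflows on a fresh push,
+# so wait (with timeout) for each one to reach a terminal status before
+# deciding. Refuse to publish on any non-success conclusion or if the
+# required run never starts.
+- name: Verify PG-compat checks passed on this SHA
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+BUILD_SHA: ${{ github.sha }}
+run: |
+set -euo pipefail
+required=("test-go-postgres.yaml" "validate-pg-compat.yml")
+deadline=$(( $(date +%s) + 30 * 60 )) # 30 min total budget
+for wf in "${required[@]}"; do
+echo "⏳ Waiting for $wf on $BUILD_SHA..."
+while :; do
+run_json=$(gh run list \
+--workflow "$wf" \
+--limit 50 \
+--json databaseId,headSha,status,conclusion \
+--jq "[.[] | select(.headSha == \"$BUILD_SHA\")] | .[0]")
+status=$(echo "$run_json" | jq -r '.status // "missing"')
+conclusion=$(echo "$run_json" | jq -r '.conclusion // ""')
+if [[ "$status" == "completed" ]]; then
+if [[ "$conclusion" != "success" ]]; then
+echo "❌ $wf concluded with $conclusion on $BUILD_SHA. Refusing to publish."
+exit 1
+fi
+echo "✅ $wf: success on $BUILD_SHA"
+break
+fi
+if (( $(date +%s) > deadline )); then
+echo "❌ Timeout waiting for $wf on $BUILD_SHA (status=$status). Refusing to publish."
+exit 1
+fi
+sleep 30
+done
+done
+
+- name: Log in to GitHub Container Registry
+uses: docker/login-action@v3
+with:
+registry: ${{ env.REGISTRY }}
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Log in to Zot registry
+uses: docker/login-action@v3
+with:
+registry: ${{ secrets.ZOT_REGISTRY }}
+username: ${{ secrets.ZOT_REGISTRY_USER }}
+password: ${{ secrets.ZOT_REGISTRY_PASSWORD }}
+
+- uses: docker/setup-buildx-action@v3
+
+- name: Build and push
+uses: docker/build-push-action@v6
+with:
+context: .
+push: true
+tags: |
+${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.image_tag }}
+${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+${{ secrets.ZOT_REGISTRY }}/ledoent/fleet:${{ steps.version.outputs.image_tag }}
+${{ secrets.ZOT_REGISTRY }}/ledoent/fleet:latest
+build-args: |
+FLEET_VERSION=${{ steps.version.outputs.fleet_version }}
+cache-from: type=gha
+cache-to: type=gha,mode=max
+
+- name: Output image info
+run: |
+echo "## Build Complete" >> $GITHUB_STEP_SUMMARY
+echo "Image: \`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.image_tag }}\`" >> $GITHUB_STEP_SUMMARY
+echo "Zot: \`${{ secrets.ZOT_REGISTRY }}/ledoent/fleet:${{ steps.version.outputs.image_tag }}\`" >> $GITHUB_STEP_SUMMARY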
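Review bot: The `Output image info` step interpolates `${{ steps.version.outputs.image_tag }}` and `${{ secrets.ZOT_REGISTRY }}` straight into the `run:` script, and `image_tag` is derived in the `version` step from the pushed ref name, so the shell receives whatever characters that ref carries; the `Verify PG-compat checks` step already uses the safer pattern of passing values through `env:` and reading `$BUILD_SHA`, and this step should do the same (the `tags:` input of `docker/build-push-action` is an action input, not a shell, so only the summary step needs the change). Separately, every action in this file is pinned to a floating major tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`), whereas `dependency-review.yml` in this same change pins `step-security/harden-runner` to a full commit SHA with a version comment; for a job that publishes images with `packages: write` and two registry credentials, the SHA-pinned form is the convention to follow. In the gate, `gh run list --limit 50` filtered by `headSha` yields `status=missing` until a matching run appears and then waits up to the 30-minute `deadline`; if `test-go-postgres.yaml` and `validate-pg-compat.yml` are not triggered by `fleet-v*` tag pushes, every tag build will time out instead of publishing, which fails safe but is worth confirming or documenting in the comment above the step.
```yaml
# … unchanged: all steps through "Build and push" …
- name: Output image info
  env:
    IMAGE_REF: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.image_tag }}
    ZOT_REF: ${{ secrets.ZOT_REGISTRY }}/ledoent/fleet:${{ steps.version.outputs.image_tag }}
  run: |
    {
      echo "## Build Complete"
      echo "Image: \`${IMAGE_REF}\`"
      echo "Zot: \`${ZOT_REF}\`"
    } >> "$GITHUB_STEP_SUMMARY"
```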
4 changes: 4 additions & 0 deletions .github/workflows/dependency-review.yml
Expand Up @@ -15,6 +15,10 @@ permissions:
jobs:
dependency-review:
runs-on: ubuntu-latest
# actions/dependency-review-action requires GitHub Advanced Security on
# private repos. Skip on private mirrors (e.g. ledoent/fleet); upstream
# public fleetdm/fleet still runs the check.
if: ${{ !github.event.repository.private }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
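--- a/.github/workflows/sync-upstream.yml
+++ b/.github/workflows/sync-upstream.yml
@@ -0,0 +1,41 @@
+name: Sync upstream main
+
+on:
+schedule:
+- cron: '0 6 * * *'
+workflow_dispatch:
+
+permissions:
+contents: write
+
+jobs:
+sync:
+if: github.repository != 'fleetdm/fleet'
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+with:
+ref: main
+fetch-depth: 0
+token: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}
+
+- name: Sync from upstream
+run: |
+set -euo pipefail
+git remote add upstream https://github.com/fleetdm/fleet.git || true
+git fetch upstream main
+
+# Paranoia: refuse to force-push if `main` has commits not in
+# `upstream/main` from anyone other than github-actions[bot].
+# Local work belongs on a feature branch, never on `main`.
+unexpected=$(git log upstream/main..HEAD \
+--pretty='%an <%ae>' \
+| grep -v 'github-actions\[bot\]' || true)
+if [[ -n "$unexpected" ]]; then
+echo "❌ Refusing to force-push: main has non-bot commits not in upstream/main:"
+echo "$unexpected"
+exit 1
+fi
+
+git reset --hard upstream/main
+git push --force-with-lease origin main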
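Review bot: The guard that precedes `git reset --hard upstream/main` keys on `%an <%ae>` and filters with a substring `grep -v 'github-actions\[bot\]'`, but author name and email are self-reported fields of a commit, so the check separates stray local commits from bot commits only as long as nobody sets that author string; an exact-line match such as `| grep -vxF 'github-actions[bot] <BOT_NOREPLY_EMAIL>' || true` (with the address the bot commits actually carry) narrows it, and the `# Paranoia:` comment should state that this is a safety net against accidental data loss, not an authorization check. The top-level `permissions: contents: write` appears unused, since checkout is performed with `FLEET_RELEASE_GITHUB_PAT` and that token is what the later `git push` uses; if that is the intent, `contents: read` is enough for `GITHUB_TOKEN` here. `git remote add upstream … || true` also hides the case where `upstream` already exists with a different URL, although on a fresh runner checkout that cannot occur.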