
Add ability to upload full set of assets for tagged releases #10

Workflow file for this run

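# Builds jailkit RPMs for x86_64 and aarch64 in Rocky Linux 8 containers,
# publishes the main packages through the Webmin CI/CD bootstrap, and attaches
# every built RPM to GA (non-prerelease) GitHub releases.
#
# NOTE(review): actions are referenced by mutable tag (@v4) and the build
# container by mutable tag (rockylinux:8). Pinning actions to a full commit SHA
# and the image to a digest would make the build inputs immutable.
name: "virtualmin.dev: virtualmin/jailkit"

on:
  push:
    branches:
      - main
  release:
    types:
      - prereleased
      - released

# Least privilege: the token is read-only by default. Only the jobs that hand
# it to the publish bootstrap or to `gh release upload` opt in to write below.
permissions:
  contents: read

env:
  TZ: Europe/Nicosia
  # Expected SHA-256 of the upstream tarball. It is a single fixed value while
  # the tarball name follows the spec version, so bumping the spec without
  # updating this hash makes the verify step fail instead of building
  # unverified source.
  JK_SHA256: "aa27dc1b2dbbbfcec2b970731f44ced7079afc973dc066757cea1beb4e8ce59c"
  # Default package release; overwritten from the tag on release builds.
  PKG_RELEASE: ${{ github.run_attempt }}
  IS_RELEASE: ${{ github.event_name == 'release' }}
  IS_PRERELEASE: ${{ github.event.release.prerelease || false }}
  BUILD_BOOTSTRAP: "https://raw.githubusercontent.com/webmin/webmin-ci-cd/main/build/bootstrap.bash"
  BUILD_DEPS: "git tar curl gzip coreutils openssh-client gnupg"

jobs:
  build-x86_64:
    name: Build (x86_64)
    runs-on: ubuntu-latest
    container:
      image: rockylinux:8
    if: ${{ !contains(github.event.head_commit.message, '[no-build]') }}
    steps:
      - uses: actions/checkout@v4
        with:
          # The job compiles a downloaded upstream tarball; do not leave the
          # workflow token in .git/config where build scripts could read it.
          persist-credentials: false
      - name: Install build deps
        run: |
          dnf -y install rpm-build make gcc autoconf automake \
            glibc-devel libcap-devel python3 \
            curl tar bzip2 patch findutils
          ln -sf /usr/bin/python3 /usr/bin/python || true
          ln -snf "/usr/share/zoneinfo/$TZ" /etc/localtime || true
      - name: Parse release tag into upstream version + pkgrel (release only)
        if: ${{ env.IS_RELEASE == 'true' }}
        shell: bash
        env:
          # Pass the tag through the environment. Interpolating the expression
          # directly into the script would let shell metacharacters in a tag
          # name run as code before the regex below can reject them.
          REL_TAG: ${{ github.event.release.tag_name }}
        run: |
          rel="$REL_TAG"
          # Spec is source of truth for upstream version
          SPEC_VER="$(rpmspec -q --qf '%{VERSION}\n' SPECS/jailkit.spec | head -n1)"
          # Accept: 2.23, v2.23, 2.23-4, v2.23-4
          if [[ "$rel" =~ ^v?([0-9]+(\.[0-9]+)+)(-([0-9]+))?$ ]]; then
            TAG_VER="${BASH_REMATCH[1]}"
            PKGREL="${BASH_REMATCH[4]}"
            [ -n "$PKGREL" ] || PKGREL=1
          else
            echo "Bad release tag '$rel' (expected like ${SPEC_VER} or ${SPEC_VER}-2)" >&2
            exit 1
          fi
          if [ "$TAG_VER" != "$SPEC_VER" ]; then
            echo "Tag version '$TAG_VER' does not match spec version '$SPEC_VER'" >&2
            exit 1
          fi
          echo "UPSTREAM_VER=$SPEC_VER" >> "$GITHUB_ENV"
          echo "PKG_RELEASE=$PKGREL" >> "$GITHUB_ENV"
          # Release builds carry no timestamp suffix.
          echo "BUILD_NUMBER=" >> "$GITHUB_ENV"
          grep -E '^(UPSTREAM_VER|PKG_RELEASE|BUILD_NUMBER)=' "$GITHUB_ENV" || true
      - name: Compute build number (non-release only)
        if: ${{ env.IS_RELEASE != 'true' }}
        run: |
          echo "BUILD_NUMBER=.$(date +%Y%m%d%H%M)" >> "$GITHUB_ENV"
          grep '^BUILD_NUMBER=' "$GITHUB_ENV" || true
      - name: Read upstream version from spec (non-release only)
        if: ${{ env.IS_RELEASE != 'true' }}
        run: |
          UPSTREAM_VER="$(rpmspec -q --qf '%{VERSION}\n' SPECS/jailkit.spec | head -n1)"
          echo "UPSTREAM_VER=$UPSTREAM_VER" >> "$GITHUB_ENV"
          grep '^UPSTREAM_VER=' "$GITHUB_ENV" || true
      - name: Prepare rpmbuild tree
        run: |
          mkdir -p rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
          cp -v SPECS/jailkit.spec rpmbuild/SPECS/
          cp -v SOURCES/* rpmbuild/SOURCES/ 2>/dev/null || true
      - name: Fetch upstream tarball + verify sha256
        run: |
          curl -fsSL -o "rpmbuild/SOURCES/jailkit-${UPSTREAM_VER}.tar.bz2" \
            "https://olivier.sessink.nl/jailkit/jailkit-${UPSTREAM_VER}.tar.bz2"
          # Integrity gate: the step fails unless the download matches JK_SHA256.
          echo "${JK_SHA256}  rpmbuild/SOURCES/jailkit-${UPSTREAM_VER}.tar.bz2" | sha256sum -c -
      - name: Build
        shell: bash
        run: |
          args=(
            --define "_topdir $PWD/rpmbuild"
            --define "dist %{nil}"
            --define "pkgrel ${PKG_RELEASE}"
          )
          # BUILD_NUMBER is empty on release builds, so the macro is only set
          # for development builds.
          if [ -n "${BUILD_NUMBER:-}" ]; then
            args+=( --define "build_number ${BUILD_NUMBER}" )
          fi
          rpmbuild "${args[@]}" -ba rpmbuild/SPECS/jailkit.spec
      - uses: actions/upload-artifact@v4
        with:
          name: jailkit-rpm-x86_64
          path: |
            rpmbuild/RPMS/**/*.rpm
            rpmbuild/SRPMS/*.src.rpm

  build-aarch64:
    name: Build (aarch64)
    runs-on: ubuntu-24.04-arm
    container:
      image: rockylinux:8
    if: ${{ !contains(github.event.head_commit.message, '[no-build]') }}
    steps:
      - uses: actions/checkout@v4
        with:
          # The job compiles a downloaded upstream tarball; do not leave the
          # workflow token in .git/config where build scripts could read it.
          persist-credentials: false
      - name: Install build deps
        run: |
          dnf -y install rpm-build make gcc autoconf automake \
            glibc-devel libcap-devel python3 \
            curl tar bzip2 patch findutils
          ln -sf /usr/bin/python3 /usr/bin/python || true
          ln -snf "/usr/share/zoneinfo/$TZ" /etc/localtime || true
      - name: Parse release tag into upstream version + pkgrel (release only)
        if: ${{ env.IS_RELEASE == 'true' }}
        shell: bash
        env:
          # Pass the tag through the environment. Interpolating the expression
          # directly into the script would let shell metacharacters in a tag
          # name run as code before the regex below can reject them.
          REL_TAG: ${{ github.event.release.tag_name }}
        run: |
          rel="$REL_TAG"
          # Spec is source of truth for upstream version
          SPEC_VER="$(rpmspec -q --qf '%{VERSION}\n' SPECS/jailkit.spec | head -n1)"
          # Accept: 2.23, v2.23, 2.23-4, v2.23-4
          if [[ "$rel" =~ ^v?([0-9]+(\.[0-9]+)+)(-([0-9]+))?$ ]]; then
            TAG_VER="${BASH_REMATCH[1]}"
            PKGREL="${BASH_REMATCH[4]}"
            [ -n "$PKGREL" ] || PKGREL=1
          else
            echo "Bad release tag '$rel' (expected like ${SPEC_VER} or ${SPEC_VER}-2)" >&2
            exit 1
          fi
          if [ "$TAG_VER" != "$SPEC_VER" ]; then
            echo "Tag version '$TAG_VER' does not match spec version '$SPEC_VER'" >&2
            exit 1
          fi
          echo "UPSTREAM_VER=$SPEC_VER" >> "$GITHUB_ENV"
          echo "PKG_RELEASE=$PKGREL" >> "$GITHUB_ENV"
          # Release builds carry no timestamp suffix.
          echo "BUILD_NUMBER=" >> "$GITHUB_ENV"
          grep -E '^(UPSTREAM_VER|PKG_RELEASE|BUILD_NUMBER)=' "$GITHUB_ENV" || true
      - name: Compute build number (non-release only)
        if: ${{ env.IS_RELEASE != 'true' }}
        run: |
          echo "BUILD_NUMBER=.$(date +%Y%m%d%H%M)" >> "$GITHUB_ENV"
          grep '^BUILD_NUMBER=' "$GITHUB_ENV" || true
      - name: Read upstream version from spec (non-release only)
        if: ${{ env.IS_RELEASE != 'true' }}
        run: |
          UPSTREAM_VER="$(rpmspec -q --qf '%{VERSION}\n' SPECS/jailkit.spec | head -n1)"
          echo "UPSTREAM_VER=$UPSTREAM_VER" >> "$GITHUB_ENV"
          grep '^UPSTREAM_VER=' "$GITHUB_ENV" || true
      - name: Prepare rpmbuild tree
        run: |
          mkdir -p rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
          cp -v SPECS/jailkit.spec rpmbuild/SPECS/
          cp -v SOURCES/* rpmbuild/SOURCES/ 2>/dev/null || true
      - name: Fetch upstream tarball + verify sha256
        run: |
          curl -fsSL -o "rpmbuild/SOURCES/jailkit-${UPSTREAM_VER}.tar.bz2" \
            "https://olivier.sessink.nl/jailkit/jailkit-${UPSTREAM_VER}.tar.bz2"
          # Integrity gate: the step fails unless the download matches JK_SHA256.
          echo "${JK_SHA256}  rpmbuild/SOURCES/jailkit-${UPSTREAM_VER}.tar.bz2" | sha256sum -c -
      - name: Build
        shell: bash
        run: |
          args=(
            --define "_topdir $PWD/rpmbuild"
            --define "dist %{nil}"
            --define "pkgrel ${PKG_RELEASE}"
          )
          # BUILD_NUMBER is empty on release builds, so the macro is only set
          # for development builds.
          if [ -n "${BUILD_NUMBER:-}" ]; then
            args+=( --define "build_number ${BUILD_NUMBER}" )
          fi
          rpmbuild "${args[@]}" -ba rpmbuild/SPECS/jailkit.spec
      - uses: actions/upload-artifact@v4
        with:
          name: jailkit-rpm-aarch64
          path: |
            rpmbuild/RPMS/**/*.rpm
            rpmbuild/SRPMS/*.src.rpm

  collect:
    name: Collect
    needs: [build-x86_64, build-aarch64]
    runs-on: ubuntu-latest
    if: ${{ !contains(github.event.head_commit.message, '[no-build]') }}
    steps:
      # Merge both per-arch artifacts into one short-lived bundle for publish.
      - uses: actions/download-artifact@v4
        with:
          path: packages
          merge-multiple: true
      - run: find packages -type f -name "jailkit-[0-9]*.*.rpm" | sort
      - uses: actions/upload-artifact@v4
        with:
          name: jailkit-packages
          path: packages
          retention-days: 3

  publish:
    name: Publish using Webmin CI/CD
    needs: [collect]
    runs-on: ubuntu-latest
    if: ${{ github.event_name != 'pull_request' && !contains(github.event.head_commit.message, '[no-build]') }}
    # Keeps the write scope the workflow originally granted to every job,
    # because the token is exported to the bootstrap as CLOUD__GH_TOKEN.
    # NOTE(review): narrow to read if the bootstrap never writes to the
    # repository (its use of the token is not visible here).
    permissions:
      contents: write
    steps:
      - name: Install deps
        run: |
          sudo apt-get update
          # BUILD_DEPS is deliberately unquoted so it splits into package names.
          sudo apt-get install -y $BUILD_DEPS
          sudo timedatectl set-timezone "$TZ"
      - name: Download packages
        uses: actions/download-artifact@v4
        with:
          name: jailkit-packages
          path: packages
      - name: Fetch bootstrap
        # NOTE(review): this script comes from a mutable branch (main) and is
        # sourced by the next step with the SSH key, GPG passphrase and token
        # in its environment. Pinning the URL to a reviewed commit and checking
        # a known SHA-256 before sourcing would close that supply-chain gap.
        run: curl --proto '=https' --tlsv1.2 -fsSLO "$BUILD_BOOTSTRAP"
      - name: Upload only main packages + sign + rebuild repos
        env:
          CLOUD__IP_ADDR: ${{ secrets.DEV_IP_ADDR }}
          CLOUD__IP_KNOWN_HOSTS: ${{ secrets.DEV_IP_KNOWN_HOSTS }}
          CLOUD__UPLOAD_SSH_USER: ${{ secrets.DEV_UPLOAD_SSH_USER }}
          CLOUD__UPLOAD_SSH_DIR: ${{ env.IS_RELEASE == 'true' && secrets.PRERELEASE_UPLOAD_SSH_DIR || secrets.DEV_UPLOAD_SSH_DIR }}
          CLOUD__SSH_PRV_KEY: ${{ secrets.DEV_SSH_PRV_KEY }}
          CLOUD__GPG_PH2: ${{ secrets.ALL_GPG_PH2 }}
          CLOUD__GH_TOKEN: ${{ github.token }}
        run: |-
          # IS_RELEASE / IS_PRERELEASE come from the workflow-level env block.
          source bootstrap.bash \
            $([[ "$IS_RELEASE" == "true" ]] && echo "--release" || echo "--testing") \
            $([[ "$IS_PRERELEASE" == "true" ]] && echo "--prerelease")
          # ROOT_REPOS and the cloud_* functions are not defined in this file;
          # presumably the sourced bootstrap provides them.
          mkdir -p "$ROOT_REPOS"
          # Only the main binary RPMs go to the repository; source and debug
          # packages are filtered out.
          find packages -type f -name 'jailkit-*.rpm' \
            ! -name '*.src.rpm' \
            ! -name '*debuginfo*' \
            ! -name '*debugsource*' \
            -exec cp -v {} "$ROOT_REPOS/" \;
          upload_list=("$ROOT_REPOS/"*)
          cloud_upload upload_list
          cloud_sign_and_build_repos_auto virtualmin.dev

  upload-release-assets:
    name: Upload release assets (GA only)
    needs: [build-x86_64, build-aarch64]
    runs-on: ubuntu-latest
    if: ${{ github.event_name == 'release' && github.event.release.prerelease == false }}
    # Attaching assets to a release requires write access to contents.
    permissions:
      contents: write
    steps:
      - name: Download build artifacts
        uses: actions/download-artifact@v4
        with:
          path: dist
          merge-multiple: true
      - name: List files
        run: |
          find dist -maxdepth 5 -type f -print | sort
      - name: Install GitHub CLI
        run: |
          sudo apt-get update
          sudo apt-get install -y gh
      - name: Upload assets to GitHub Release
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed through the environment so the tag name is never parsed as
          # shell source in a step that holds a write-scoped token.
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          # Upload everything that was built: main RPMs, debuginfo,
          # debugsource, and SRPMs. '*.rpm' already matches '*.src.rpm'.
          # bash treats ** like * unless globstar is enabled, so a glob such as
          # dist/**/*.rpm only reaches one directory level and can miss RPMs
          # stored deeper; find walks the whole tree.
          mapfile -d '' -t assets < <(find dist -type f -name '*.rpm' -print0 | sort -z)
          if [ "${#assets[@]}" -eq 0 ]; then
            echo "No RPMs found under dist/" >&2
            exit 1
          fi
          gh release upload "$RELEASE_TAG" "${assets[@]}" --clobber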