Skip to content

NEOS-1612: adds separate public key pair for neosync cloud checks (#2… #935

NEOS-1612: adds separate public key pair for neosync cloud checks (#2…

NEOS-1612: adds separate public key pair for neosync cloud checks (#2… #935

name: Artifact Release
on:
push:
tags:
- "v*.*.*"
branches:
- main
paths: # path filters are not evaluated for pushes of tags
- backend/**
- cli/**
- worker/**
- frontend/**
- charts/**
- docker/**
jobs:
docker-backend:
name: Backend Docker Image
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Calculate Next Pre-release version
id: next_pre_version
uses: paulhatch/[email protected]
with:
version_format: "${major}.${minor}.${patch}-pre.${increment}"
- name: Get current time
id: current-time
run: echo "CURRENT_TIME=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
# list of Docker images to use as base name for tags
images: |
ghcr.io/nucleuscloud/neosync/api
# generate Docker tags based on the following events/attributes
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=semver,pattern={{raw}}
type=sha
type=raw,value=${{ steps.next_pre_version.outputs.version }},enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Depot CLI
uses: depot/setup-action@v1
- name: Build and push
uses: depot/build-push-action@v1
with:
context: .
file: docker/Dockerfile.backend
build-args: |
buildDate=${{ steps.current-time.outputs.CURRENT_TIME }}
gitCommit=${{ github.sha }}
gitVersion=${{ github.ref_name }}
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
docker-frontend:
name: Frontend Docker Image
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Calculate Next Pre-release version
id: next_pre_version
uses: paulhatch/[email protected]
with:
version_format: "${major}.${minor}.${patch}-pre.${increment}"
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
# list of Docker images to use as base name for tags
images: |
ghcr.io/nucleuscloud/neosync/app
# generate Docker tags based on the following events/attributes
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=semver,pattern={{raw}}
type=sha
type=raw,value=${{ steps.next_pre_version.outputs.version }},enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Depot CLI
uses: depot/setup-action@v1
- name: Build and push
uses: depot/build-push-action@v1
with:
file: docker/Dockerfile.frontend
context: frontend
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
docker-worker:
name: Worker Docker Image
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Calculate Next Pre-release version
id: next_pre_version
uses: paulhatch/[email protected]
with:
version_format: "${major}.${minor}.${patch}-pre.${increment}"
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
# list of Docker images to use as base name for tags
images: |
ghcr.io/nucleuscloud/neosync/worker
# generate Docker tags based on the following events/attributes
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=semver,pattern={{raw}}
type=sha
type=raw,value=${{ steps.next_pre_version.outputs.version }},enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Depot CLI
uses: depot/setup-action@v1
- name: Build and push
uses: depot/build-push-action@v1
with:
context: .
file: docker/Dockerfile.worker
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
helm-backend:
name: Backend Helm Chart
runs-on: ubuntu-latest
needs:
- docker-backend
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Calculate Next Pre-release version
id: next_pre_version
uses: paulhatch/[email protected]
with:
version_format: "${major}.${minor}.${patch}-pre.${increment}"
- name: Setup Trimmed Helm Version
run: |
if [[ $GITHUB_REF == refs/tags/* ]]; then
V_PREFIX="v"
VERSION="${{ github.ref_name }}"
TRIMMED_VERSION="${VERSION/#$V_PREFIX}"
echo "$TRIMMED_VERSION"
echo "CHART_VERSION=$TRIMMED_VERSION" >> $GITHUB_ENV
echo "IS_PRERELEASE=false" >> $GITHUB_ENV
else
VERSION="${{ steps.next_pre_version.outputs.version }}"
echo "$VERSION"
echo "CHART_VERSION=$VERSION" >> $GITHUB_ENV
echo "IS_PRERELEASE=true" >> $GITHUB_ENV
fi
- name: Setup Chart.yaml
uses: mikefarah/[email protected]
with:
cmd: |
# Recursively finds all Chart.yaml files and sets their version and appVersion to the github ref
for filepath in $(find backend/charts/** -type f -name 'Chart.yaml') ; do
echo "$filepath"
yq -i '.version = strenv(CHART_VERSION)' "$filepath"
yq -i '.appVersion = strenv(CHART_VERSION)' "$filepath"
yq -i '.annotations."artifacthub.io/prerelease" = strenv(IS_PRERELEASE)' "$filepath"
done
for filepath in $(find backend/charts/*/Chart.yaml -type f -name 'Chart.yaml') ; do
has_deps=$(yq -r '.dependencies[0].version' "$filepath")
if [ $has_deps != null ]; then
yq -i '.dependencies[].version = strenv(CHART_VERSION)' "$filepath"
fi
done
- name: Install Helm
uses: azure/setup-helm@v4
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Login to Helm Registry
run: |
echo ${{secrets.GITHUB_TOKEN}} | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin
- name: Package Helm Charts
shell: bash
run: |
# Finds all root charts and packages up their dependencies
find backend/charts/*/Chart.yaml -type f -name 'Chart.yaml' | sed -r 's|/[^/]+$||' | sort | uniq | xargs -L 1 helm dep up
# Runs through root charts and packages them
for filedir in backend/charts/*/ ; do
echo "$filedir"
helm package "$filedir"
done
- name: Helm | Publish
shell: bash
run: |
OCI_URL="oci://ghcr.io/$GITHUB_REPOSITORY/helm"
for d in ./*.tgz ; do
helm push "$d" "$OCI_URL"
done
helm-frontend:
name: Frontend Helm Chart
runs-on: ubuntu-latest
needs:
- docker-frontend
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Calculate Next Pre-release version
id: next_pre_version
uses: paulhatch/[email protected]
with:
version_format: "${major}.${minor}.${patch}-pre.${increment}"
- name: Setup Trimmed Helm Version
run: |
if [[ $GITHUB_REF == refs/tags/* ]]; then
V_PREFIX="v"
VERSION="${{ github.ref_name }}"
TRIMMED_VERSION="${VERSION/#$V_PREFIX}"
echo "$TRIMMED_VERSION"
echo "CHART_VERSION=$TRIMMED_VERSION" >> $GITHUB_ENV
echo "IS_PRERELEASE=false" >> $GITHUB_ENV
else
VERSION="${{ steps.next_pre_version.outputs.version }}"
echo "$VERSION"
echo "CHART_VERSION=$VERSION" >> $GITHUB_ENV
echo "IS_PRERELEASE=true" >> $GITHUB_ENV
fi
- name: Setup Chart.yaml
uses: mikefarah/[email protected]
with:
cmd: |
# Recursively finds all Chart.yaml files and sets their version and appVersion to the github ref
for filepath in $(find frontend/apps/web/charts/** -type f -name 'Chart.yaml') ; do
echo "$filepath"
yq -i '.version = strenv(CHART_VERSION)' "$filepath"
yq -i '.appVersion = strenv(CHART_VERSION)' "$filepath"
yq -i '.annotations."artifacthub.io/prerelease" = strenv(IS_PRERELEASE)' "$filepath"
done
for filepath in $(find frontend/apps/web/charts/*/Chart.yaml -type f -name 'Chart.yaml') ; do
has_deps=$(yq -r '.dependencies[0].version' "$filepath")
if [ $has_deps != null ]; then
yq -i '.dependencies[].version = strenv(CHART_VERSION)' "$filepath"
fi
done
- name: Install Helm
uses: azure/setup-helm@v4
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Login to Helm Registry
run: |
echo ${{secrets.GITHUB_TOKEN}} | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin
- name: Package Helm Charts
shell: bash
run: |
# Finds all root charts and packages up their dependencies
find frontend/apps/web/charts/*/Chart.yaml -type f -name 'Chart.yaml' | sed -r 's|/[^/]+$||' | sort | uniq | xargs -L 1 helm dep up
# Runs through root charts and packages them
for filedir in frontend/apps/web/charts/*/ ; do
echo "$filedir"
helm package "$filedir"
done
- name: Helm | Publish
shell: bash
run: |
OCI_URL="oci://ghcr.io/$GITHUB_REPOSITORY/helm"
for d in ./*.tgz ; do
helm push "$d" "$OCI_URL"
done
helm-worker:
name: Worker Helm Chart
runs-on: ubuntu-latest
needs:
- docker-worker
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Calculate Next Pre-release version
id: next_pre_version
uses: paulhatch/[email protected]
with:
version_format: "${major}.${minor}.${patch}-pre.${increment}"
- name: Setup Trimmed Helm Version
run: |
if [[ $GITHUB_REF == refs/tags/* ]]; then
V_PREFIX="v"
VERSION="${{ github.ref_name }}"
TRIMMED_VERSION="${VERSION/#$V_PREFIX}"
echo "$TRIMMED_VERSION"
echo "CHART_VERSION=$TRIMMED_VERSION" >> $GITHUB_ENV
echo "IS_PRERELEASE=false" >> $GITHUB_ENV
else
VERSION="${{ steps.next_pre_version.outputs.version }}"
echo "$VERSION"
echo "CHART_VERSION=$VERSION" >> $GITHUB_ENV
echo "IS_PRERELEASE=true" >> $GITHUB_ENV
fi
- name: Setup Chart.yaml
uses: mikefarah/[email protected]
with:
cmd: |
# Recursively finds all Chart.yaml files and sets their version and appVersion to the github ref
for filepath in $(find worker/charts/** -type f -name 'Chart.yaml') ; do
echo "$filepath"
yq -i '.version = strenv(CHART_VERSION)' "$filepath"
yq -i '.appVersion = strenv(CHART_VERSION)' "$filepath"
yq -i '.annotations."artifacthub.io/prerelease" = strenv(IS_PRERELEASE)' "$filepath"
done
for filepath in $(find worker/charts/*/Chart.yaml -type f -name 'Chart.yaml') ; do
has_deps=$(yq -r '.dependencies[0].version' "$filepath")
if [ $has_deps != null ]; then
yq -i '.dependencies[].version = strenv(CHART_VERSION)' "$filepath"
fi
done
- name: Install Helm
uses: azure/setup-helm@v4
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Login to Helm Registry
run: |
echo ${{secrets.GITHUB_TOKEN}} | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin
- name: Package Helm Charts
shell: bash
run: |
# Finds all root charts and packages up their dependencies
find worker/charts/*/Chart.yaml -type f -name 'Chart.yaml' | sed -r 's|/[^/]+$||' | sort | uniq | xargs -L 1 helm dep up
# Runs through root charts and packages them
for filedir in worker/charts/*/ ; do
echo "$filedir"
helm package "$filedir"
done
- name: Helm | Publish
shell: bash
run: |
OCI_URL="oci://ghcr.io/$GITHUB_REPOSITORY/helm"
for d in ./*.tgz ; do
helm push "$d" "$OCI_URL"
done
helm-top:
name: Umbrella Helm Chart
runs-on: ubuntu-latest
needs:
- helm-backend
- helm-frontend
- helm-worker
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Calculate Next Pre-release version
id: next_pre_version
uses: paulhatch/[email protected]
with:
version_format: "${major}.${minor}.${patch}-pre.${increment}"
- name: Setup Trimmed Helm Version
run: |
if [[ $GITHUB_REF == refs/tags/* ]]; then
V_PREFIX="v"
VERSION="${{ github.ref_name }}"
TRIMMED_VERSION="${VERSION/#$V_PREFIX}"
echo "$TRIMMED_VERSION"
echo "CHART_VERSION=$TRIMMED_VERSION" >> $GITHUB_ENV
echo "IS_PRERELEASE=false" >> $GITHUB_ENV
else
VERSION="${{ steps.next_pre_version.outputs.version }}"
echo "$VERSION"
echo "CHART_VERSION=$VERSION" >> $GITHUB_ENV
echo "IS_PRERELEASE=true" >> $GITHUB_ENV
fi
- name: Setup Chart.yaml
uses: mikefarah/[email protected]
with:
cmd: |
# Recursively finds all Chart.yaml files and sets their version and appVersion to the github ref
for filepath in $(find charts/** -type f -name 'Chart.yaml') ; do
echo "$filepath"
yq -i '.version = strenv(CHART_VERSION)' "$filepath"
yq -i '.appVersion = strenv(CHART_VERSION)' "$filepath"
yq -i '.annotations."artifacthub.io/prerelease" = strenv(IS_PRERELEASE)' "$filepath"
done
for filepath in $(find charts/*/Chart.yaml -type f -name 'Chart.yaml') ; do
has_deps=$(yq -r '.dependencies[0].version' "$filepath")
if [ $has_deps != null ]; then
yq -i '.dependencies[].version = strenv(CHART_VERSION)' "$filepath"
yq -i '.dependencies[].repository = "oci://ghcr.io/"+strenv(GITHUB_REPOSITORY)+"/helm"' "$filepath"
fi
done
- name: Install Helm
uses: azure/setup-helm@v4
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Login to Helm Registry
run: |
echo ${{secrets.GITHUB_TOKEN}} | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin
- name: Package Helm Charts
shell: bash
run: |
# Finds all root charts and packages up their dependencies
find charts/*/Chart.yaml -type f -name 'Chart.yaml' | sed -r 's|/[^/]+$||' | sort | uniq | xargs -L 1 helm dep up
# Runs through root charts and packages them
for filedir in charts/*/ ; do
echo "$filedir"
helm package "$filedir"
done
- name: Helm | Publish
shell: bash
run: |
OCI_URL="oci://ghcr.io/$GITHUB_REPOSITORY/helm"
for d in ./*.tgz ; do
helm push "$d" "$OCI_URL"
done
cli:
name: CLI
runs-on: ubuntu-latest
# for now, only build when we cut a new tag
if: startsWith(github.ref, 'refs/tags/')
defaults:
run:
working-directory: cli
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache-dependency-path: go.sum
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: linux/arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Fetch all tags
run: git fetch --force --tags
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
id: import_gpg
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: latest
args: release --clean
workdir: cli
env:
GITHUB_TOKEN: ${{ secrets.PUBLISH_PAT }} # needs to be a non-action token because this also pushes to the homebrew repo
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
AUR_KEY: ${{ secrets.AUR_PRIVATE_KEY }}
DISABLE_CHANGELOG: false
NEOSYNC_BASE_URL: ${{ vars.DEFAULT_NEOSYNC_ENDPOINT }}
py-sdk-build:
name: Python SDK Build
runs-on: ubuntu-latest
# for now, only build when we cut a new tag
if: startsWith(github.ref, 'refs/tags/')
defaults:
run:
working-directory: python
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Package Version
id: package_version
run: |
V_PREFIX="v"
VERSION="${{ github.ref_name }}"
TRIMMED_VERSION="${VERSION/#$V_PREFIX}"
echo "$TRIMMED_VERSION"
echo "PACKAGE_VERSION=$TRIMMED_VERSION" >> $GITHUB_OUTPUT
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Build SDK
run: |
python -m pip install build
python -m build
env:
SETUPTOOLS_SCM_PRETEND_VERSION: ${{ steps.package_version.outputs.PACKAGE_VERSION }}
- uses: actions/upload-artifact@v4
with:
name: py-package
path: python/dist/
py-sdk-publish:
name: Python SDK Publish
runs-on: ubuntu-latest
needs:
- py-sdk-build
permissions:
id-token: write
steps:
- name: Retrieve release distributions
uses: actions/download-artifact@v4
with:
name: py-package
path: python/dist/
- name: Publish release distributions to PyPi
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: python/dist/
attestations: true
ts-sdk:
name: TypeScript SDK Release
runs-on: ubuntu-latest
# for now, only build when we cut a new tag
if: startsWith(github.ref, 'refs/tags/')
permissions:
contents: read
id-token: write
defaults:
run:
working-directory: frontend
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install jq
run: sudo apt-get install jq
- name: Set up Node
uses: actions/setup-node@v4
with:
registry-url: "https://registry.npmjs.org"
scope: "@neosync"
- name: Cache node modules
id: cache-npm
uses: actions/cache@v4
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: |
~/.npm
${{ github.workspace }}/.next/cache
key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**/*.js', '**/*.jsx', '**/*.ts', '**/*.tsx') }}
restore-keys: |
${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-
- run: npm install
- name: Build
run: npm run build
- name: Setup Trimmed package.json version
run: |
V_PREFIX="v"
VERSION="${{ github.ref_name }}"
TRIMMED_VERSION="${VERSION/#$V_PREFIX}"
echo "$TRIMMED_VERSION"
echo "NEW_PACKAGE_VERSION=$TRIMMED_VERSION" >> $GITHUB_ENV
- name: Update package.json version
working-directory: frontend/packages/sdk
run: |
jq '.version = "${{ env.NEW_PACKAGE_VERSION }}"' package.json > temp.json && mv temp.json package.json
- name: Publish SDK
working-directory: frontend/packages/sdk
run: npm publish --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_DEPLOY_KEY }}