Release Packages #69
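---
# Release pipeline: build .deb packages for every target/arch pair, publish a
# signed GitHub release, then push a runtime container image to GHCR.
# Third-party actions are referenced by tag below; pinning them to a full-length
# commit SHA would make the supply chain of this workflow auditable.
name: Release Packages

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
    paths:
      - 'versions/*'
  workflow_dispatch:

# Least privilege by default: the build job only reads the repository; the
# publish jobs declare the extra scopes they need on the job itself.
permissions:
  contents: read

# Two overlapping runs would race on the release assets (`overwrite_files: true`)
# and on the bootstrap-launcher commit, so runs are serialized, never cancelled.
concurrency:
  group: release-packages
  cancel-in-progress: false

env:
  # Consumed by softprops/action-gh-release; its effective scope is still
  # bounded by each job's `permissions` block.
  GITHUB_TOKEN: ${{ github.token }}

jobs:
  BuildPackages:
    runs-on: ${{ matrix.runner }}
    strategy:
      fail-fast: false
      matrix:
        target:
          - debian11
          - debian12
          - debian13
          - ubuntu20.04
          - ubuntu22.04
          - ubuntu24.04
          - ubuntu26.04
        arch:
          - amd64
          - arm64
        # Attaches the runner label to every combination with the matching arch,
        # yielding the same 14 (target, arch, runner) triples as listing them out.
        include:
          - arch: amd64
            runner: ubuntu-latest
          - arch: arm64
            runner: ubuntu-24.04-arm
    steps:
      - name: Git checkout
        uses: actions/checkout@v6
      - name: Restore source archive cache
        uses: actions/cache@v5
        with:
          path: .imei-cache/sources
          key: imei-sources-v1-${{ hashFiles('versions/*') }}
          restore-keys: |
            imei-sources-v1-
      - name: Build packages in container
        # `matrix.target` values are static literals from this file, so the
        # `${{ }}` interpolation into the shell below is not an injection vector.
        run: |
          mkdir -p .imei-cache/sources
          image="$(bash -lc '. ./scripts/common.sh; target_container_image "${{ matrix.target }}"')"
          docker run --rm \
            -v "$PWD:/workspace" \
            -w /workspace \
            -e IMEI_SOURCE_CACHE_DIR=/workspace/.imei-cache/sources \
            "$image" \
            bash -lc '
              bash ./scripts/install-build-deps.sh &&
              bash ./scripts/build-packages.sh --target "${{ matrix.target }}" --output-dir "/workspace/dist/${{ matrix.target }}"
            '
      - name: Upload build artifacts
        uses: actions/upload-artifact@v7
        with:
          name: packages-${{ matrix.target }}-${{ matrix.arch }}
          path: dist/${{ matrix.target }}/*.deb
          if-no-files-found: error

  PublishRelease:
    needs: BuildPackages
    runs-on: ubuntu-latest
    permissions:
      # Needed to create the release and to push the refreshed launcher.
      contents: write
    steps:
      - name: Git checkout
        uses: actions/checkout@v6
      - name: Download package artifacts
        uses: actions/download-artifact@v8
        with:
          path: dist
          pattern: packages-*
          merge-multiple: false
      - name: Normalize artifact layout
        # Turns dist/packages-<target>-<arch>/*.deb into dist/<target>/*.deb.
        run: |
          shopt -s nullglob
          for artifact_dir in dist/packages-*; do
            artifact_name="${artifact_dir#dist/packages-}"
            arch="${artifact_name##*-}"
            target="${artifact_name%-${arch}}"
            mkdir -p "dist/$target"
            mv "$artifact_dir"/*.deb "dist/$target/"
            rmdir "$artifact_dir"
          done
      - name: Normalize release asset filenames
        # Debian's `~` version separator is not usable in release asset names.
        run: |
          find dist -type f -name '*.deb' -print0 | while IFS= read -r -d '' package_path; do
            package_dir="$(dirname "$package_path")"
            package_name="$(basename "$package_path")"
            normalized_name="${package_name//\~/\.}"
            if [[ "$normalized_name" != "$package_name" ]]; then
              mv "$package_path" "$package_dir/$normalized_name"
            fi
          done
      - name: Generate release metadata
        # NOTE(review): SHA256SUMS is produced here, before imei-update.tar.gz and
        # imei-bootstrap.sh are created below, so unless generate-release-manifest.sh
        # covers them some other way those two assets are protected only by their
        # detached signatures — confirm before relying on SHA256SUMS for them.
        run: |
          bash ./scripts/generate-release-manifest.sh dist dist/release-manifest.env dist/SHA256SUMS
          # Assign first so a failing helper aborts the step instead of silently
          # exporting an empty value.
          release_tag="$(bash ./scripts/stack-release-tag.sh)"
          signing_key_id="$(tr -d '\n' < keys/active.key)"
          if [[ -z "$release_tag" || -z "$signing_key_id" ]]; then
            echo "::error::release tag or signing key id is empty" >&2
            exit 1
          fi
          # Fail before the private key is ever written if the matching public
          # key is not in the repository.
          if [[ ! -f "keys/$signing_key_id.pem" ]]; then
            echo "::error::public key keys/$signing_key_id.pem not found" >&2
            exit 1
          fi
          echo "RELEASE_TAG=$release_tag" >>"$GITHUB_ENV"
          echo "SIGNING_KEY_ID=$signing_key_id" >>"$GITHUB_ENV"
      - name: Build self-update bundle
        # `keys/` is bundled wholesale; the exclude keeps any locally present
        # private key out of the published archive.
        run: |
          tar \
            --exclude='keys/private-*.pem' \
            -czf dist/imei-update.tar.gz \
            imei.sh \
            imei.sh.sig \
            imei.sh.sig.key \
            imei.sh.pem \
            update_version_info.sh \
            README.md \
            LICENSE.md \
            scripts \
            keys \
            versions
      - name: Generate one-step bootstrap launcher
        run: |
          bash ./scripts/generate-bootstrap.sh dist/imei-bootstrap.sh
      - name: Sign release assets and metadata
        env:
          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
        run: |
          if [[ -z "$PRIVATE_KEY" ]]; then
            echo "::error::PRIVATE_KEY secret is not available" >&2
            exit 1
          fi
          # Keep the key outside the workspace (nothing published globs
          # RUNNER_TEMP), readable only by this user, and remove it even when a
          # signing call fails part-way through.
          umask 077
          key_file="$RUNNER_TEMP/private.pem"
          trap 'rm -f "$key_file"' EXIT
          printf '%s\n' "$PRIVATE_KEY" > "$key_file"
          for asset in imei-bootstrap.sh imei-update.tar.gz release-manifest.env SHA256SUMS; do
            openssl dgst -sha512 -sign "$key_file" -out "dist/$asset.sig" "dist/$asset"
            printf '%s\n' "$SIGNING_KEY_ID" > "dist/$asset.sig.key"
          done
      - name: Verify release asset signatures
        # Round-trips every signature against the committed public key so a
        # mismatched active.key / PRIVATE_KEY pair fails before anything is published.
        run: |
          for asset in imei-bootstrap.sh imei-update.tar.gz release-manifest.env SHA256SUMS; do
            openssl dgst -sha512 -verify "keys/$SIGNING_KEY_ID.pem" -signature "dist/$asset.sig" "dist/$asset"
          done
      - name: Publish GitHub release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ env.RELEASE_TAG }}
          name: ${{ env.RELEASE_TAG }}
          generate_release_notes: true
          files: |
            imei.sh
            dist/imei-bootstrap.sh
            dist/imei-bootstrap.sh.sig
            dist/imei-bootstrap.sh.sig.key
            dist/*/*.deb
            dist/imei-update.tar.gz
            dist/imei-update.tar.gz.sig
            dist/imei-update.tar.gz.sig.key
            imei.sh.sig
            imei.sh.sig.key
            imei.sh.pem
            keys/*.pem
            keys/active.key
            dist/release-manifest.env
            dist/release-manifest.env.sig
            dist/release-manifest.env.sig.key
            dist/SHA256SUMS
            dist/SHA256SUMS.sig
            dist/SHA256SUMS.sig.key
          overwrite_files: true
      - name: Refresh committed bootstrap launcher
        run: |
          bash ./scripts/generate-bootstrap.sh imei-bootstrap.sh
      - name: Commit updated bootstrap launcher
        # Pushes with the checkout's persisted token; this will fail if main is
        # protected against the github-actions bot or has moved since checkout.
        # The push does not re-trigger this workflow (its path filter is versions/*).
        run: |
          if git diff --quiet -- imei-bootstrap.sh; then
            exit 0
          fi
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"
          git add imei-bootstrap.sh
          git commit -m "Update bootstrap launcher"
          git push

  PublishRuntimeImage:
    needs: PublishRelease
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed to push to GHCR with the workflow token.
      packages: write
    steps:
      - name: Git checkout
        uses: actions/checkout@v6
      - name: Download ubuntu24.04 package artifacts
        uses: actions/download-artifact@v8
        with:
          path: dist
          pattern: packages-ubuntu24.04-*
          merge-multiple: false
      - name: Normalize artifact layout
        run: |
          shopt -s nullglob
          mkdir -p dist/ubuntu24.04
          for artifact_dir in dist/packages-ubuntu24.04-*; do
            mv "$artifact_dir"/*.deb dist/ubuntu24.04/
            rmdir "$artifact_dir"
          done
      - name: Normalize release asset filenames
        run: |
          find dist -type f -name '*.deb' -print0 | while IFS= read -r -d '' package_path; do
            package_dir="$(dirname "$package_path")"
            package_name="$(basename "$package_path")"
            normalized_name="${package_name//\~/\.}"
            if [[ "$normalized_name" != "$package_name" ]]; then
              mv "$package_path" "$package_dir/$normalized_name"
            fi
          done
      - name: Compute image metadata
        run: |
          release_tag="$(bash ./scripts/stack-release-tag.sh)"
          if [[ -z "$release_tag" ]]; then
            echo "::error::release tag is empty" >&2
            exit 1
          fi
          echo "RELEASE_TAG=$release_tag" >>"$GITHUB_ENV"
          # GHCR requires a lowercase repository path.
          echo "IMAGE_NAME=ghcr.io/${GITHUB_REPOSITORY,,}-imagemagick" >>"$GITHUB_ENV"
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v4
      - name: Set up Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}
      - name: Build and push runtime image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile.runtime
          platforms: linux/amd64,linux/arm64
          push: true
          # Buildx provenance attestations are disabled; consumers cannot verify
          # the image's build origin from the registry alone.
          provenance: false
          tags: |
            ${{ env.IMAGE_NAME }}:${{ env.RELEASE_TAG }}
            ${{ env.IMAGE_NAME }}:ubuntu24.04
            ${{ env.IMAGE_NAME }}:latest
          labels: |
            org.opencontainers.image.title=IMEI ImageMagick Runtime
            org.opencontainers.image.description=Small Ubuntu 24.04 runtime image built from IMEI packages.
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.version=${{ env.RELEASE_TAG }}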