Go package #2646
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Go package | |
| on: | |
| push: | |
| tags: | |
| - "v*" # push events to tagged commits | |
| branches: | |
| - "**" | |
| schedule: # nightly release | |
| - cron: "15 9 * * 2-6" # Tuesday to Saturday at 2:15 AM | |
| permissions: | |
| contents: read | |
| id-token: write # for GitHub id-token auth | |
| jobs: | |
| go-test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: src/go.mod | |
| cache-dependency-path: src/go.sum | |
| - name: Run Go unit tests | |
| run: go test -test.short -v ./... | |
| working-directory: src | |
| - name: Verify Go modules | |
| working-directory: src | |
| run: | | |
| go mod tidy | |
| git diff --exit-code go.mod go.sum || { echo "Go modules are not up to date"; exit 1; } | |
| - name: Verify Proto files | |
| working-directory: src | |
| run: | | |
| go run github.com/bufbuild/buf/cmd/[email protected] generate protos | |
| git diff --exit-code protos || { echo "Proto files are not up to date"; exit 1; } | |
| - name: Build MacOS binary | |
| run: GOOS=darwin go build ./cmd/cli | |
| working-directory: src | |
| - name: Build Windows binary | |
| run: GOOS=windows go build ./cmd/cli | |
| working-directory: src | |
| nix-shell-test: | |
| runs-on: ubuntu-latest | |
| needs: go-test | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@v26 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-unstable | |
| - name: Check nix-shell default.nix | |
| run: | | |
| set -o pipefail | |
| nix-shell --pure -E 'with import <nixpkgs> {}; mkShell { buildInputs = [ (import ./default.nix {}) ]; }' --run defang 2>&1 | sed -u 's|\s\+got:|::error file=pkgs/defang/cli.nix,line=9::Replace the vendorHash with the correct value:|' | |
| # go-byoc-test: | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - name: Configure AWS Credentials for CI | |
| # uses: aws-actions/configure-aws-credentials@v4 | |
| # with: | |
| # aws-region: us-west-2 | |
| # output-credentials: true | |
| # role-to-assume: arn:aws:iam::488659951590:role/ci-role-d4fe904 # ciRoleArn from defang-io/infrastructure stack | |
| # - name: Configure AWS Credentials for Staging | |
| # uses: aws-actions/configure-aws-credentials@v4 | |
| # with: | |
| # aws-region: us-west-2 | |
| # role-duration-seconds: 1200 | |
| # role-chaining: true | |
| # role-to-assume: arn:aws:iam::426819183542:role/admin # adminUserRoleArn from defang-io/bootstrap stack | |
| # - uses: actions/checkout@v4 | |
| # - name: Set up Go | |
| # uses: actions/setup-go@v5 | |
| # with: | |
| # go-version-file: src/go.mod | |
| # cache-dependency-path: src/go.sum | |
| # - name: Run sanity tests | |
| # run: go run ./cmd/cli compose up -f testdata/compose.yaml | |
| # working-directory: src | |
| go-playground-test: | |
| runs-on: ubuntu-latest | |
| needs: go-test | |
| env: | |
| COMPOSE_PROJECT_NAME: ${{ github.run_id }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: src/go.mod | |
| cache-dependency-path: src/go.sum | |
| - name: Login using GitHub token | |
| run: go run ./cmd/cli login --debug | |
| working-directory: src | |
| - name: Add dummy config | |
| run: echo blah | go run ./cmd/cli config set -n dummy -f testdata/sanity/compose.yaml --debug | |
| working-directory: src | |
| - name: Run sanity tests UP | |
| continue-on-error: true # until we have multi-project support in playground | |
| run: go run ./cmd/cli compose up -f testdata/sanity/compose.yaml --debug | |
| working-directory: src | |
| - name: Run sanity tests DOWN | |
| continue-on-error: true # until we have multi-project support in playground | |
| run: go run ./cmd/cli compose down --detach -f testdata/sanity/compose.yaml --debug | |
| working-directory: src | |
| build-and-sign: | |
| name: Build app and sign files (with Trusted Signing) | |
| if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' # only run this step on tagged commits or the main branch | |
| environment: release # must use environment to be able to authenticate with Azure Federated Identity for Trusted Signing | |
| needs: go-test | |
| runs-on: windows-latest | |
| env: # from https://github.com/spiffe/spire/pull/5158 | |
| GOPATH: 'D:\golang\go' | |
| GOCACHE: 'D:\golang\cache' | |
| GOMODCACHE: 'D:\golang\modcache' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: src/go.mod | |
| cache-dependency-path: src/go.sum | |
| - name: Download Go dependencies | |
| run: go mod download | |
| working-directory: src | |
| - name: Run GoReleaser (Linux) | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' | |
| # version: latest | |
| args: release --split ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' || '' }} ${{ github.event_name == 'schedule' && '--nightly' || ''}} | |
| workdir: src | |
| env: | |
| GGOOS: linux | |
| GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
| - name: Run GoReleaser (Windows) | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' | |
| # version: latest | |
| args: release --split ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' || '' }} ${{ github.event_name == 'schedule' && '--nightly' || ''}} | |
| workdir: src | |
| env: | |
| GGOOS: windows | |
| GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
| # From https://github.com/Azure/trusted-signing-action/pull/37 | |
| - name: Azure login | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Trusted Signing | |
| uses: Azure/[email protected] | |
| with: | |
| endpoint: https://wus2.codesigning.azure.net/ # from Azure portal | |
| trusted-signing-account-name: DefangLabs # from Azure portal | |
| certificate-profile-name: signed-binary${{ !startsWith(github.ref, 'refs/tags/v') && '-test' || '' }} # from Azure portal | |
| files-folder: ${{ github.workspace }}\src\dist | |
| files-folder-filter: exe # no dll | |
| files-folder-recurse: true | |
| file-digest: SHA256 | |
| timestamp-rfc3161: http://timestamp.acs.microsoft.com | |
| timestamp-digest: SHA256 | |
| exclude-environment-credential: true | |
| exclude-workload-identity-credential: true | |
| exclude-managed-identity-credential: true | |
| exclude-shared-token-cache-credential: true | |
| exclude-visual-studio-credential: true | |
| exclude-visual-studio-code-credential: true | |
| exclude-azure-cli-credential: false | |
| exclude-azure-powershell-credential: true | |
| exclude-azure-developer-cli-credential: true | |
| exclude-interactive-browser-credential: true | |
| - name: Update archives | |
| if: startsWith(github.ref, 'refs/tags/v') # skip this step for snapshots because we don't know the name of the archive | |
| env: | |
| GITHUB_REF_NAME: ${{ github.ref_name }} | |
| run: | | |
| $version = $env:GITHUB_REF_NAME -replace '^v', '' | |
| Compress-Archive -Path defang-cli_windows_amd64_v1\* -DestinationPath "defang_${version}_windows_amd64.zip" -Update | |
| Compress-Archive -Path defang-cli_windows_arm64*\* -DestinationPath "defang_${version}_windows_arm64.zip" -Update | |
| shell: pwsh | |
| working-directory: src\dist\windows | |
| - name: Upload dist-win folder | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist-win | |
| path: src/dist | |
| if-no-files-found: error | |
| build-and-sign-mac: | |
| name: Build app and sign (MacOS) | |
| if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' # only run this step on tagged commits or the main branch | |
| needs: go-test | |
| runs-on: macos-latest # for codesign and notarytool | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: src/go.mod | |
| cache-dependency-path: src/go.sum | |
| # - name: Download Go dependencies | |
| # run: go mod download | |
| # working-directory: src | |
| - name: Run GoReleaser (macOS) | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' | |
| # version: latest | |
| args: release --split ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' || '' }} ${{ github.event_name == 'schedule' && '--nightly' || ''}} | |
| workdir: src | |
| env: | |
| GGOOS: darwin | |
| GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
| MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }} | |
| MACOS_P12_BASE64: ${{ secrets.MACOS_P12_BASE64 }} | |
| MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }} | |
| KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
| MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} | |
| MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} | |
| MACOS_NOTARIZATION_APP_PW: ${{ secrets.MACOS_NOTARIZATION_APP_PW }} | |
| - name: Upload dist-mac folder | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist-mac | |
| path: src/dist | |
| if-no-files-found: error | |
| go-release: | |
| if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits | |
| environment: release | |
| needs: | |
| - build-and-sign-mac | |
| - build-and-sign | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # to upload archives as GitHub Releases | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # for release notes | |
| - name: Install Nix (for nix-prefetch-url) | |
| uses: cachix/install-nix-action@v26 | |
| - name: Download dist-mac folder | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist-mac | |
| path: src/dist | |
| - name: Download dist-win folder | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist-win | |
| path: src/dist | |
| - name: List files | |
| run: ls -lR src/dist | |
| - name: Set up Go # not sure why this is needed for release | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: src/go.mod | |
| cache-dependency-path: src/go.sum | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' | |
| # version: latest | |
| args: continue --merge | |
| workdir: src | |
| env: | |
| GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
| GH_PAT_WINGET: ${{ secrets.GH_PAT_WINGET }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository | |
| DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }} | |
| DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }} | |
| nighly-release: | |
| if: ${{ github.event_name == 'schedule' }} | |
| environment: release | |
| needs: | |
| - build-and-sign-mac | |
| - build-and-sign | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # to upload archives as GitHub Releases | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # for release notes | |
| - name: Install Nix (for nix-prefetch-url) | |
| uses: cachix/install-nix-action@v26 | |
| - name: Download dist-mac folder | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist-mac | |
| path: src/dist | |
| - name: Download dist-win folder | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist-win | |
| path: src/dist | |
| - name: List files | |
| run: ls -lR src/dist | |
| - name: Set up Go # not sure why this is needed for release | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: src/go.mod | |
| cache-dependency-path: src/go.sum | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' | |
| # version: latest | |
| args: continue --merge --skip announce | |
| workdir: src | |
| env: | |
| GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
| GH_PAT_WINGET: ${{ secrets.GH_PAT_WINGET }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository | |
| post-release: | |
| runs-on: ubuntu-latest | |
| needs: go-release | |
| steps: | |
| # - name: Update Windows s.defang.io/defang_win_amd64.zip short link | |
| # run: | | |
| # curl --request POST \ | |
| # --url https://api.short.io/links/$DEFANG_WIN_AMD64_LNK \ | |
| # --header "Authorization: $SHORTIO_PK" \ | |
| # --header 'accept: application/json' \ | |
| # --header 'content-type: application/json' \ | |
| # --data "{\"originalURL\":\"https://github.com/DefangLabs/defang/releases/download/${TAG}/defang_${TAG#v}_windows_amd64.zip\"}" | |
| # env: | |
| # SHORTIO_PK: ${{ secrets.SHORTIO_PK }} | |
| # TAG: ${{ github.ref_name }} | |
| # DEFANG_WIN_AMD64_LNK: "lnk_4vSQ_CDukZ5POEE4o0mMDysr2U" | |
| - name: Trigger CLI Autodoc | |
| uses: peter-evans/repository-dispatch@v3 | |
| with: | |
| token: ${{ secrets.DOCS_ACTION_TRIGGER_TOKEN }} | |
| repository: DefangLabs/defang-docs | |
| event-type: cli-autodoc | |
| client-payload: '{"version": "${{ github.ref_name }}"}' | |
| - name: Trigger Homebrew Formula Update | |
| uses: peter-evans/repository-dispatch@v3 | |
| with: | |
| token: ${{ secrets.HOMEBREW_ACTION_TRIGGER_TOKEN }} | |
| repository: DefangLabs/homebrew-defang | |
| event-type: update-homebrew-formula | |
| client-payload: '{"version": "${{ github.ref_name }}"}' | |
| - name: Checkout tag | |
| uses: actions/checkout@v4 | |
| - name: Install node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" # same as the version in flake.nix | |
| registry-url: https://registry.npmjs.org | |
| - name: Build npm package | |
| shell: bash | |
| working-directory: ./pkgs/npm | |
| run: | | |
| # Get version number without the 'v' | |
| export version_number=`echo "${{ github.ref_name }}" | cut -c2- ` | |
| echo "Setting version number to ${version_number}" | |
| # update version placeholder in package.json with version matching binary. | |
| npm version ${version_number} | |
| # install dependencies | |
| npm ci --ignore-scripts | |
| # build | |
| npm run build | |
| - run: npm publish --access public | |
| shell: bash | |
| working-directory: ./pkgs/npm | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }} | |
| cleanup-nightly: | |
| runs-on: ubuntu-latest | |
| needs: nighly-release | |
| steps: | |
| - name: "Clean up nightly releases" | |
| uses: dev-drprasad/[email protected] | |
| with: | |
| keep_latest: 5 | |
| delete_tags: true | |
| delete_tag_pattern: nightly | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository |