From 023b8e40f096b0dc5f9b7fd3f7de6b1a72d68d6a Mon Sep 17 00:00:00 2001
From: Nikolay Petrov
Date: Thu, 7 May 2026 08:29:31 -0400
Subject: [PATCH 1/2] simplify ci and release
---
 .github/workflows/ci.yml | 6 +-
 .github/workflows/release.yml | 101 +++++++++++++++------------------
 2 files changed, 48 insertions(+), 59 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5e5a6999..c25fe191 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,7 +12,7 @@ jobs:
 name: Build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: DeterminateSystems/nix-installer-action@main
 with:
 determinate: true
@@ -26,7 +26,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: DeterminateSystems/nix-installer-action@main
 with:
 determinate: true
@@ -48,7 +48,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: DeterminateSystems/nix-installer-action@main
 with:
 determinate: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2399fdc4..b8a77ca0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,22 +3,8 @@ on:
 workflows: [ci]
 types: [completed]
 branches: [main]
- workflow_dispatch:
- inputs:
- version:
- description: "Version to release (format: vX.Y.Z)"
- required: true
- upload:
- description: "Upload final artifacts to github"
- default: false
- workflow_call:
- inputs:
- version:
- required: true
- type: string
 push:
- tags:
- - "v[0-9]+.[0-9]+.[0-9]+"
+ branches: [main]
 concurrency:
 group: ${{ github.workflow }}-release
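Review bot: Adding `push: branches: [main]` next to the existing `workflow_run` trigger in the release.yml hunk means every push to main starts the release workflow immediately, without waiting for the ci workflow, and a second run starts when ci completes; neither path checks the CI outcome. The `concurrency` group `${{ github.workflow }}-release` serialises the two runs but, as far as the hunk shows, does not stop both from attempting the same tag and image push. If the intent is to release only after CI passes, drop the `push` trigger and gate the jobs with `if: ${{ github.event.workflow_run.conclusion == 'success' }}`; on `workflow_run` the checkout is the default-branch head rather than the CI run's commit, so set `ref: ${{ github.event.workflow_run.head_sha }}` on the checkout if the two must match. The `concurrency` stanza's `cancel-in-progress` line is outside the hunk.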
@@ -30,39 +16,39 @@ permissions:
 id-token: write
 jobs:
- setup:
- name: Setup
+ version-change:
+ name: Detect version change
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 outputs:
- version: ${{ steps.extract_version.outputs.version }}
- publish: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.upload == 'true' || github.event_name == 'push' }}
+ version-changed: ${{ steps.filter.outputs.version }}
+ version: ${{ steps.extract-version.outputs.version }}
 steps:
- - name: Exract the Version
- id: extract_version
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+ name: Detect versions change
+ id: filter
+ with:
+ filters: |
+ version:
+ - 'VERSION'
+ - name: Extract Version
+ id: extract-version
 run: |
- if [[ "${{ github.event_name }}" == "push" ]]; then
- IN_VERSION=${{ inputs.version }}
- # Remove the leading 'v' from the tag
- GIT_VERSION=${GITHUB_REF#refs/tags/v}
- VERSION=${IN_VERSION:-$GIT_VERSION}
- echo "version=$VERSION" >> $GITHUB_OUTPUT
- elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
- VERSION=${{ github.event.inputs.version }}
- VERSION=${VERSION#v}
- echo "version=$VERSION" >> $GITHUB_OUTPUT
- else
- echo "Error: Unsupported event type."
- exit 1
- fi
+ echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT
- binary:
- name: Binaries
+ release:
+ name: Release
 runs-on: ubuntu-latest
- needs: [setup]
+ permissions:
+ contents: write
+ needs: [version-change]
+ if: ${{ needs.version-change.outputs.version-changed == 'true' }}
 env:
- CONNET_VERSION: ${{ needs.setup.outputs.version }}
+ CONNET_VERSION: ${{ needs.version-change.outputs.version }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: DeterminateSystems/nix-installer-action@main
 with:
 determinate: true
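Review bot: The new `Extract Version` step writes the raw file contents into the job output with `echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT`, and that value later becomes `tag_name: v${{ env.CONNET_VERSION }}` and the ghcr image tag, so a trailing newline, a stray `v` prefix or any other unexpected content in VERSION turns into a malformed tag or a failed push late in the pipeline, with no validation at the source. Trim and check it where it is read, and quote the output path: `VERSION="$(tr -d '[:space:]' < VERSION)"`, `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid VERSION: $VERSION" >&2; exit 1; }`, `echo "version=$VERSION" >> "$GITHUB_OUTPUT"` (adjust the pattern if the project uses pre-release suffixes). It is also worth confirming that `dorny/paths-filter` compares the intended revisions on the `workflow_run` trigger — on that event the checkout is the default-branch head and there is no pull-request base, so the filter may need an explicit `base:`/`ref:` or the job should only run on `push`. The `release` job's step list continues past the end of the hunk.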
@@ -71,7 +57,7 @@ jobs:
 - name: Build release
 run: nix develop --command make release
 - name: Upload release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
 if: ${{ needs.setup.outputs.publish }}
 with:
 tag_name: v${{ env.CONNET_VERSION }}
@@ -80,13 +66,14 @@ jobs:
 dist/archive/connet-${{ env.CONNET_VERSION }}-*.zip
 docker-x86:
- name: Docker x86
+ name: Release Docker x86
 runs-on: ubuntu-latest
- needs: [setup]
+ needs: [version-change]
+ if: ${{ needs.version-change.outputs.version-changed == 'true' }}
 env:
- CONNET_VERSION: ${{ needs.setup.outputs.version }}
+ CONNET_VERSION: ${{ needs.version-change.outputs.version }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: DeterminateSystems/nix-installer-action@main
 with:
 determinate: true
@@ -95,7 +82,7 @@ jobs:
 - name: Docker build
 run: nix build .#docker
 - name: Docker login
- uses: docker/login-action@v3
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -105,14 +92,15 @@ jobs:
 run: nix develop --command skopeo copy "docker-archive:result" "docker://ghcr.io/connet-dev/connet:${CONNET_VERSION}-amd64"
 docker-arm:
- name: Docker arm
+ name: Release Docker arm
 runs-on: ubuntu-latest
- needs: [setup]
+ needs: [version-change]
+ if: ${{ needs.version-change.outputs.version-changed == 'true' }}
 env:
- CONNET_VERSION: ${{ needs.setup.outputs.version }}
+ CONNET_VERSION: ${{ needs.version-change.outputs.version }}
 steps:
- - uses: actions/checkout@v4
- - uses: docker/setup-qemu-action@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 - uses: DeterminateSystems/nix-installer-action@main
 with:
 determinate: true
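Review bot: `if: ${{ needs.setup.outputs.publish }}` on the upload step in the first hunk still refers to the `setup` job this commit removes, and `setup` is no longer in the `release` job's `needs`, so after this patch alone the expression resolves to nothing and the release upload is silently skipped; the same dangling condition stays on the Docker push and tag steps outside these hunks. PATCH 2/2 deletes those conditions, so the fix exists, but between the two commits the tree on main cannot publish a release — squashing the `if:` removals into this commit keeps every commit releasable. The job bodies around each hunk continue outside the visible lines.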
@@ -122,7 +110,7 @@ jobs:
 - name: Docker build
 run: nix build .#docker
 - name: Docker login
- uses: docker/login-action@v3
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -134,18 +122,19 @@ jobs:
 docker-multiarch:
 name: Tag multi-arch
 runs-on: ubuntu-latest
- needs: [setup, docker-x86, docker-arm]
+ needs: [version-change, docker-x86, docker-arm]
+ if: ${{ needs.version-change.outputs.version-changed == 'true' }}
 env:
- CONNET_VERSION: ${{ needs.setup.outputs.version }}
+ CONNET_VERSION: ${{ needs.version-change.outputs.version }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: DeterminateSystems/nix-installer-action@main
 with:
 determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - uses: DeterminateSystems/flakehub-cache-action@main
 - name: Docker login
- uses: docker/login-action@v3
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
From ca4840bc3eb6fbaefaa4740520a7a91866ad0bd6 Mon Sep 17 00:00:00 2001
From: Nikolay Petrov
Date: Thu, 7 May 2026 08:48:02 -0400
Subject: [PATCH 2/2] further pin actions
---
 .github/workflows/ci.yml | 17 ++++-----
 .github/workflows/release-tag.yml | 61 -------------------------------
 .github/workflows/release.yml | 31 +++++-----------
 .github/workflows/tip.yaml | 37 ++++++++-----------
 4 files changed, 32 insertions(+), 114 deletions(-)
 delete mode 100644 .github/workflows/release-tag.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c25fe191..41c2689f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,11 +13,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/determinate-nix-action@7c4cc317e802185875512bfcb68259257279d767 # v3.19.1
 with:
- determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: DeterminateSystems/flakehub-cache-action@main
+ - uses: DeterminateSystems/flakehub-cache-action@7085070a1431418586d7e5f65ffa0379d6dc5e9a # v3.19.1
 - name: Build connet
 run: nix develop --command make build
@@ -27,11 +26,10 @@ jobs:
 needs: [build]
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/determinate-nix-action@7c4cc317e802185875512bfcb68259257279d767 # v3.19.1
 with:
- determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: DeterminateSystems/flakehub-cache-action@main
+ - uses: DeterminateSystems/flakehub-cache-action@7085070a1431418586d7e5f65ffa0379d6dc5e9a # v3.19.1
 - name: Run tests
 run: nix develop --command make test
 - name: Run lint
@@ -49,12 +47,11 @@ jobs:
 needs: [build]
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/determinate-nix-action@7c4cc317e802185875512bfcb68259257279d767 # v3.19.1
 with:
- determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: DeterminateSystems/flakehub-cache-action@main
- - uses: DeterminateSystems/flake-checker-action@main
+ - uses: DeterminateSystems/flakehub-cache-action@7085070a1431418586d7e5f65ffa0379d6dc5e9a # v3.19.1
+ - uses: DeterminateSystems/flake-checker-action@3164002371bc90729c68af0e24d5aacf20d7c9f6 # v12
 - name: Build default
 run: nix build .
 - name: Build docker
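Review bot: The new `flake-checker-action` pin in the last hunk is commented `# v12`, a major-version tag, while every other pin in these hunks names an exact release (`# v3.19.1`, `# v6.0.2`); a floating-tag comment cannot be checked against the SHA by a reader and may confuse update tooling that reads the comment to learn the current version, so record the exact release tag that `3164002371bc90729c68af0e24d5aacf20d7c9f6` corresponds to. Replacing `nix-installer-action@main` plus `determinate: true` with `determinate-nix-action` is also a behavioural change beyond pinning (a different action is now executed in every job) and deserves a sentence in the commit message, which only says "further pin actions". The same substitution is made in release.yml and tip.yaml later in this patch.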
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
deleted file mode 100644
index 734f14b4..00000000
--- a/.github/workflows/release-tag.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-on:
- workflow_run:
- workflows: [ci]
- types: [completed]
- branches: [main]
- push:
- branches: [main]
-
-concurrency:
- group: ${{ github.workflow }}-tag
- cancel-in-progress: false
-
-jobs:
- changes:
- name: Detect version change
- runs-on: ubuntu-latest
- permissions:
- contents: read
- outputs:
- version: ${{ steps.filter.outputs.version }}
- steps:
- - uses: actions/checkout@v4
- - uses: dorny/paths-filter@v3
- id: filter
- with:
- filters: |
- version:
- - 'VERSION'
-
- tag-release:
- name: Tag release on version change
- runs-on: ubuntu-latest
- needs: changes
- if: ${{ needs.changes.outputs.version == 'true' }}
- permissions:
- contents: write
- outputs:
- version: ${{ steps.extract_version.outputs.version }}
- steps:
- - uses: actions/checkout@v4
- - name: Extract Version
- id: extract_version
- run: |
- echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT
- - name: Create release
- uses: softprops/action-gh-release@v2
- with:
- tag_name: v${{ steps.extract_version.outputs.version }}
- draft: true
- generate_release_notes: true
-
- perform-release:
- name: Perform release
- needs: tag-release
- uses: ./.github/workflows/release.yml
- with:
- version: ${{ needs.tag-release.outputs.version }}
- permissions:
- contents: write
- packages: write
- id-token: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b8a77ca0..2e906bb3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,8 +19,6 @@ jobs:
 version-change:
 name: Detect version change
 runs-on: ubuntu-latest
- permissions:
- contents: read
 outputs:
 version-changed: ${{ steps.filter.outputs.version }}
 version: ${{ steps.extract-version.outputs.version }}
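Review bot: Dropping `permissions: contents: read` from the `version-change` job in the release.yml hunk (and `contents: write` from the `release` job in the next hunk) removes the only job-level least-privilege scoping this workflow had; both jobs now run with the workflow-level grant, which the earlier context shows includes `id-token: write` and, since the docker jobs push to ghcr with `GITHUB_TOKEN`, presumably `contents: write` and `packages: write` as well. `version-change` only checks out the repository and runs `dorny/paths-filter`, yet it would receive a token able to create releases, push packages and mint OIDC tokens — exactly the job where a compromised third-party action does the most damage. Keep `permissions: contents: read` on `version-change` and `permissions: contents: write` on `release`; if the workflow-level block is the reason for the removal, narrow it to `contents: read` there and grant the write scopes per job instead. The workflow-level `permissions` block itself is outside this hunk.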
@@ -41,26 +39,23 @@ jobs:
 release:
 name: Release
 runs-on: ubuntu-latest
- permissions:
- contents: write
 needs: [version-change]
 if: ${{ needs.version-change.outputs.version-changed == 'true' }}
 env:
 CONNET_VERSION: ${{ needs.version-change.outputs.version }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/determinate-nix-action@7c4cc317e802185875512bfcb68259257279d767 # v3.19.1
 with:
- determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: DeterminateSystems/flakehub-cache-action@main
+ - uses: DeterminateSystems/flakehub-cache-action@7085070a1431418586d7e5f65ffa0379d6dc5e9a # v3.19.1
 - name: Build release
 run: nix develop --command make release
- - name: Upload release
+ - name: Publish release
 uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
- if: ${{ needs.setup.outputs.publish }}
 with:
 tag_name: v${{ env.CONNET_VERSION }}
+ generate_release_notes: true
 files: |
 dist/archive/connet-${{ env.CONNET_VERSION }}-*.tar.gz
 dist/archive/connet-${{ env.CONNET_VERSION }}-*.zip
@@ -74,11 +69,10 @@ jobs:
 CONNET_VERSION: ${{ needs.version-change.outputs.version }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/determinate-nix-action@7c4cc317e802185875512bfcb68259257279d767 # v3.19.1
 with:
- determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: DeterminateSystems/flakehub-cache-action@main
+ - uses: DeterminateSystems/flakehub-cache-action@7085070a1431418586d7e5f65ffa0379d6dc5e9a # v3.19.1
 - name: Docker build
 run: nix build .#docker
 - name: Docker login
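Review bot: The `Publish release` step in the first hunk now creates a live release with `generate_release_notes: true` on any push to main that changes VERSION, whereas the release-tag.yml deleted in this same patch created it with `draft: true` and left publication to a person; if that review step was deliberate, add `draft: true` under `with:` here (or protect the job with an environment that requires approval) rather than publishing straight from the push. Together with the `if:` removal, a mistaken VERSION bump is now visible to users within minutes and cannot be retracted cleanly. The `release` job appears to end with the `files:` list; the docker-x86 job in the second hunk begins outside the visible lines.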
@@ -88,7 +82,6 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Docker push
- if: ${{ needs.setup.outputs.publish }}
 run: nix develop --command skopeo copy "docker-archive:result" "docker://ghcr.io/connet-dev/connet:${CONNET_VERSION}-amd64"
 docker-arm:
@@ -101,12 +94,11 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/determinate-nix-action@7c4cc317e802185875512bfcb68259257279d767 # v3.19.1
 with:
- determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
 extra-conf: system = aarch64-linux
- - uses: DeterminateSystems/flakehub-cache-action@main
+ - uses: DeterminateSystems/flakehub-cache-action@7085070a1431418586d7e5f65ffa0379d6dc5e9a # v3.19.1
 - name: Docker build
 run: nix build .#docker
 - name: Docker login
@@ -116,7 +108,6 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Docker push
- if: ${{ needs.setup.outputs.publish }}
 run: nix develop --command skopeo copy "docker-archive:result" "docker://ghcr.io/connet-dev/connet:${CONNET_VERSION}-arm64"
 docker-multiarch:
@@ -128,11 +119,10 @@ jobs:
 CONNET_VERSION: ${{ needs.version-change.outputs.version }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/determinate-nix-action@7c4cc317e802185875512bfcb68259257279d767 # v3.19.1
 with:
- determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: DeterminateSystems/flakehub-cache-action@main
+ - uses: DeterminateSystems/flakehub-cache-action@7085070a1431418586d7e5f65ffa0379d6dc5e9a # v3.19.1
 - name: Docker login
 uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
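Review bot: With the `if:` dropped from both `Docker push` steps (first and third hunks), the amd64 and arm64 images are pushed to ghcr unconditionally once `version-change` reports a change, and the `docker-x86`/`docker-arm` jobs depend only on `version-change`, not on `release`; a failing `release` job therefore still leaves `ghcr.io/connet-dev/connet:<version>-amd64` published, and a later push with the same VERSION overwrites that tag silently. If images should exist only for successful releases, add `release` to those jobs' `needs:` or gate the push steps on `if: ${{ needs.release.result == 'success' }}`. The `skopeo` command reads `${CONNET_VERSION}` from the environment rather than interpolating a `${{ }}` expression into the shell line, which is the right way to keep the version output out of the command parser — keep that form in the manifest-tool step as well. Each hunk's job starts outside the visible lines.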
@@ -140,5 +130,4 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Docker tag
- if: ${{ needs.setup.outputs.publish }}
 run: nix develop --command manifest-tool push from-args --platforms linux/amd64,linux/arm64 --template ghcr.io/connet-dev/connet:${CONNET_VERSION}-ARCHVARIANT --target ghcr.io/connet-dev/connet:${CONNET_VERSION}
diff --git a/.github/workflows/tip.yaml b/.github/workflows/tip.yaml
index 940ae845..9cf9ff9d 100644
--- a/.github/workflows/tip.yaml
+++ b/.github/workflows/tip.yaml
@@ -12,12 +12,11 @@ jobs:
 name: Binaries
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: DeterminateSystems/determinate-nix-action@7c4cc317e802185875512bfcb68259257279d767 # v3.19.1
 with:
- determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: DeterminateSystems/flakehub-cache-action@main
+ - uses: DeterminateSystems/flakehub-cache-action@7085070a1431418586d7e5f65ffa0379d6dc5e9a # v3.19.1
 - name: Build release
 run: nix develop --command make release
@@ -25,16 +24,14 @@ jobs:
 name: Build x86 image
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: DeterminateSystems/determinate-nix-action@7c4cc317e802185875512bfcb68259257279d767 # v3.19.1
 with:
- determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: DeterminateSystems/flakehub-cache-action@main
+ - uses: DeterminateSystems/flakehub-cache-action@7085070a1431418586d7e5f65ffa0379d6dc5e9a # v3.19.1
 - name: Docker build
 run: nix build .#docker
- - name: Docker login
- uses: docker/login-action@v3
+ - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
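Review bot: The `Build x86 image` hunk in tip.yaml replaces the two-line `- name: Docker login` / `uses: docker/login-action@v3` step with a bare pinned `uses:`, dropping the step name, while the same step in release.yml (the `docker-multiarch` hunk at the top of this line and earlier ones) keeps `- name: Docker login`; job logs for tip.yaml will now show the raw action reference with its SHA instead of a readable step name. Keep `- name: Docker login` above the pinned `uses:` line so the two workflows read the same way. The `Build x86 image` job continues past the end of the hunk.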
@@ -46,18 +43,16 @@ jobs:
 name: Build arm image
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: docker/setup-qemu-action@v3
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/determinate-nix-action@7c4cc317e802185875512bfcb68259257279d767 # v3.19.1
 with:
- determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
 extra-conf: system = aarch64-linux
- - uses: DeterminateSystems/flakehub-cache-action@main
+ - uses: DeterminateSystems/flakehub-cache-action@7085070a1431418586d7e5f65ffa0379d6dc5e9a # v3.19.1
 - name: Docker build
 run: nix build .#docker
- - name: Docker login
- uses: docker/login-action@v3
+ - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -70,14 +65,12 @@ jobs:
 runs-on: ubuntu-latest
 needs: [docker-build-x86, docker-build-arm]
 steps:
- - uses: actions/checkout@v4
- - uses: DeterminateSystems/nix-installer-action@main
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: DeterminateSystems/determinate-nix-action@7c4cc317e802185875512bfcb68259257279d767 # v3.19.1
 with:
- determinate: true
 github-token: ${{ secrets.GITHUB_TOKEN }}
- - uses: DeterminateSystems/flakehub-cache-action@main
- - name: Docker login
- uses: docker/login-action@v3
+ - uses: DeterminateSystems/flakehub-cache-action@7085070a1431418586d7e5f65ffa0379d6dc5e9a # v3.19.1
+ - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
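Review bot: `- uses: docker/setup-qemu-action@v3` in the `Build arm image` hunk is left as untouched context on a mutable tag, although the same action was pinned to `ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0` in release.yml in PATCH 1/2; for a commit titled "further pin actions" this is the one remaining floating reference in these hunks, and a moved `v3` tag would run unreviewed code in the job that builds the tip arm image. Pin it to the release.yml SHA if the v4 line is acceptable here, or to the commit the `v3` tag currently resolves to, with the matching release tag in the trailing comment. The `Build arm image` job continues past its hunk; the second hunk (`needs: [docker-build-x86, docker-build-arm]`) starts after the job's `name:` line.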