chore: import upstream snapshot with attribution
ci / test (macos-latest) (push) Has been cancelled
ci / test (ubuntu-latest) (push) Has been cancelled
ci / lint (push) Has been cancelled
ci / govulncheck (push) Has been cancelled
ci / tidy (push) Has been cancelled
ci / webview (push) Has been cancelled
ci / windows-gui (push) Has been cancelled
release / check (push) Has been cancelled
release / release (push) Has been cancelled
Docs / build (push) Has been cancelled
Docs / deploy-pages (push) Has been cancelled
Docs / deploy-cloudflare (push) Has been cancelled

This commit is contained in:
wehub-resource-sync
2026-07-14 10:24:05 +08:00
commit 9c9576b5b9
97 changed files with 12841 additions and 0 deletions
+146
View File
@@ -0,0 +1,146 @@
name: ci
on:
push:
branches: [main]
pull_request:
permissions:
contents: read
# Cancel an in-flight run when a branch is pushed again.
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
jobs:
# Build and test on Linux and macOS with the race detector on. gofmt and vet
# run here too so a formatting slip fails fast on both platforms. The full
# suite includes Chrome-driven end-to-end tests, so the runners install a
# browser first; tests that find none skip themselves, so the job still passes
# if a future runner image drops Chrome.
test:
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v7.0.0
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
- name: install chromium (linux)
if: matrix.os == 'ubuntu-latest'
uses: browser-actions/setup-chrome@v2.1.2
id: chrome
- name: gofmt
run: |
unformatted=$(gofmt -s -l .)
if [ -n "$unformatted" ]; then
echo "These files need gofmt -s -w:"
echo "$unformatted"
exit 1
fi
- name: go vet
run: go vet ./...
- name: build
run: go build ./...
# The GitHub Ubuntu runner disables unprivileged user namespaces (AppArmor),
# so Chrome's sandbox cannot initialize there and the secure default would
# make it refuse to start. IN_DOCKER is kage's documented escape hatch for
# exactly that case, and setting it here also exercises the container path.
# macOS does not need it, so it stays empty on that leg.
- name: test
env:
KAGE_CHROME: ${{ steps.chrome.outputs.chrome-path }}
IN_DOCKER: ${{ matrix.os == 'ubuntu-latest' && '1' || '' }}
run: go test -race -count=1 -coverprofile=coverage.out ./...
- name: coverage summary
if: matrix.os == 'ubuntu-latest'
run: go tool cover -func=coverage.out | tail -1
# golangci-lint bundles staticcheck, govet, ineffassign, errcheck, unused and
# more, so it is the main quality gate.
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
- uses: golangci/golangci-lint-action@v9.2.1
with:
version: latest
# Scan the module and its dependencies for known vulnerabilities.
govulncheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
- name: govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
# Confirm go.mod and go.sum are tidy: a PR that adds an import without running
# go mod tidy fails here instead of breaking a later release.
tidy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
- name: go mod tidy is clean
run: |
go mod tidy
git diff --exit-code -- go.mod go.sum
# Compile the optional native-window viewer (-tags webview, cgo) so that path
# keeps building. The default CI build is pure Go and never touches it. The
# viewer code is the same Go on every OS, only the system WebView library
# differs, so a macOS compile (WebKit ships in the SDK) catches our
# regressions without the WebKitGTK version juggling Linux runners need. It is
# build-only: actually opening a window needs a display.
webview:
runs-on: macos-latest
steps:
- uses: actions/checkout@v7.0.0
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
- name: build webview viewer
run: CGO_ENABLED=1 go build -tags webview ./cmd/kage
# Cross-compile the GUI-subsystem Windows base the release ships for
# double-click viewers (kage pack --base). A change that breaks the
# -H windowsgui link is caught here instead of at release time. Pure Go, so it
# cross-compiles from Linux with no extra toolchain.
windows-gui:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
cache: true
- name: build windowsgui base
env:
GOOS: windows
CGO_ENABLED: "0"
run: go build -ldflags "-H=windowsgui" -o kage-windowsgui.exe ./cmd/kage
+135
View File
@@ -0,0 +1,135 @@
name: Docs
on:
push:
branches: [main]
paths:
- "docs/**"
- ".github/workflows/docs.yml"
- "scripts/ensure_cloudflare_pages.py"
workflow_dispatch:
permissions:
contents: read
pages: write
id-token: write
deployments: write
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
concurrency:
group: docs-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0
with:
submodules: true
# Sitemap lastmod comes from the latest content commit.
fetch-depth: 0
- name: Checkout tago
uses: actions/checkout@v7.0.0
with:
repository: tamnd/tago
path: .tago-src
fetch-depth: 1
- name: Setup Go
uses: actions/setup-go@v6.4.0
with:
go-version-file: .tago-src/go.mod
cache: false
- name: Cache tago binary
id: tago-bin-cache
uses: actions/cache@v5.0.5
with:
path: /usr/local/bin/tago
key: tago-bin-${{ runner.os }}-${{ hashFiles('.tago-src/go.sum', '.tago-src/**/*.go') }}
- name: Build tago
if: steps.tago-bin-cache.outputs.cache-hit != 'true'
run: |
cd .tago-src
go build -o /usr/local/bin/tago ./cmd/tago/
# Two builds, one per deploy target. The theme links every page and asset
# with absURL, so each output carries its own base path: the Pages build
# gets the /kage/ sub-path, the Cloudflare build gets the domain root.
- name: Build for GitHub Pages
working-directory: docs
run: tago build --base-url "https://tamnd.github.io/kage/" --output public-pages
# tago absURLs theme links but passes markdown content links through, so
# root-relative links in content need the sub-path prefixed for the Pages
# mirror. The Cloudflare build serves from the root and needs none.
- name: Rewrite content links for the Pages sub-path
run: |
find docs/public-pages -name '*.html' -print0 |
xargs -0 perl -pi -e 's|(href=")/(?!/)|${1}/kage/|g; s|(src=")/(?!/)|${1}/kage/|g'
- name: Upload Pages artifact
uses: actions/upload-pages-artifact@v5.0.0
with:
path: docs/public-pages
- name: Build for Cloudflare Pages
working-directory: docs
run: tago build --base-url "https://kage.tamnd.com/" --output public-cf
- name: Upload Cloudflare artifact
uses: actions/upload-artifact@v7.0.1
with:
name: public-cf
path: docs/public-cf
retention-days: 1
deploy-pages:
runs-on: ubuntu-latest
needs: build
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v5.0.0
deploy-cloudflare:
runs-on: ubuntu-latest
needs: build
concurrency:
group: cloudflare-pages-kage
cancel-in-progress: true
steps:
- uses: actions/checkout@v7.0.0
with:
fetch-depth: 1
sparse-checkout: scripts/
- name: Download Cloudflare artifact
uses: actions/download-artifact@v8.0.1
with:
name: public-cf
path: public-cf
- name: Ensure Cloudflare Pages config
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
run: python3 scripts/ensure_cloudflare_pages.py --project kage --domain kage.tamnd.com --zone tamnd.com
- name: Deploy to Cloudflare Pages
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
run: |
npx -y wrangler@4 pages deploy public-cf \
--project-name=kage \
--branch=main \
--commit-dirty=true
+112
View File
@@ -0,0 +1,112 @@
name: release
# Pushing a version tag turns the GoReleaser config (.goreleaser.yaml) into a
# GitHub release with the archives, Linux packages (deb, rpm, apk), checksums,
# SBOMs and a cosign signature, and pushes the multi-arch container image to
# GHCR. Pull requests and pushes to main run `goreleaser check` only, so a
# config that would fail a real release is caught long before the tag.
on:
push:
branches: [main]
tags: ["v*"]
pull_request:
workflow_dispatch:
permissions:
contents: read
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: true
jobs:
# Fast gate on every PR and push: the config parses and is valid for the
# installed GoReleaser version. No artifacts are built here.
check:
if: github.ref_type != 'tag'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0
with:
fetch-depth: 0
- uses: actions/setup-go@v6.4.0
with:
go-version-file: go.mod
check-latest: true
cache: true
- uses: goreleaser/goreleaser-action@v7.2.2
with:
distribution: goreleaser
version: "~> v2"
args: check
# The real release, only on a version tag.
release:
if: github.ref_type == 'tag'
runs-on: ubuntu-latest
permissions:
contents: write # create the GitHub release
packages: write # push the image to ghcr.io
id-token: write # keyless cosign signing
env:
LINUX_REPO_DISPATCH_TOKEN: ${{ secrets.LINUX_REPO_DISPATCH_TOKEN }}
steps:
- uses: actions/checkout@v7.0.0
with:
fetch-depth: 0
- uses: actions/setup-go@v6.4.0
with:
go-version-file: go.mod
check-latest: true
cache: true
# Build and ship the linux/arm64 image from the amd64 runner.
- uses: docker/setup-qemu-action@v4.1.0
- uses: docker/setup-buildx-action@v4.1.0
- uses: docker/login-action@v4.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Tools GoReleaser shells out to for signing and SBOMs.
# Pin cosign to the 2.x line. cosign 3.x makes the new bundle format the
# default, which ignores the --output-signature/--output-certificate flags
# the signs block uses and aborts. Pinning keeps the .sig/.pem outputs and
# stops the release tool from floating to a breaking latest.
- uses: sigstore/cosign-installer@v4.1.2
with:
cosign-release: "v2.6.3"
- uses: anchore/sbom-action/download-syft@v0.24.0
- uses: goreleaser/goreleaser-action@v7.2.2
with:
distribution: goreleaser
version: "~> v2"
args: release --clean
env:
# Creating the release and pushing the GHCR image use the built-in
# token. The package-manager publish steps each read their own secret;
# any that is unset leaves that manager skipped (the artifact is still
# produced), so the release never fails for a tap that is not set up.
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
SCOOP_BUCKET_GITHUB_TOKEN: ${{ secrets.SCOOP_BUCKET_GITHUB_TOKEN }}
# Rebuild the Linux apt/dnf repository with the packages just released.
# Skipped when the dispatch token is unset, so the release never depends
# on it being configured.
- name: Refresh the Linux package repository
if: env.LINUX_REPO_DISPATCH_TOKEN != ''
run: |
code=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
-H "Authorization: Bearer $LINUX_REPO_DISPATCH_TOKEN" \
-H "Accept: application/vnd.github+json" \
https://api.github.com/repos/tamnd/linux-repo/dispatches \
-d '{"event_type":"package-released"}' || true)
if [ "$code" = "204" ]; then
echo "Linux repo refresh triggered"
else
echo "Linux repo refresh not accepted (HTTP $code); skipping"
fi