chore: import upstream snapshot with attribution
ci / test (macos-latest) (push) Has been cancelled
ci / test (ubuntu-latest) (push) Has been cancelled
ci / lint (push) Has been cancelled
ci / govulncheck (push) Has been cancelled
ci / tidy (push) Has been cancelled
ci / webview (push) Has been cancelled
ci / windows-gui (push) Has been cancelled
release / check (push) Has been cancelled
release / release (push) Has been cancelled
Docs / build (push) Has been cancelled
Docs / deploy-pages (push) Has been cancelled
Docs / deploy-cloudflare (push) Has been cancelled
ci / test (macos-latest) (push) Has been cancelled
ci / test (ubuntu-latest) (push) Has been cancelled
ci / lint (push) Has been cancelled
ci / govulncheck (push) Has been cancelled
ci / tidy (push) Has been cancelled
ci / webview (push) Has been cancelled
ci / windows-gui (push) Has been cancelled
release / check (push) Has been cancelled
release / release (push) Has been cancelled
Docs / build (push) Has been cancelled
Docs / deploy-pages (push) Has been cancelled
Docs / deploy-cloudflare (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,146 @@
|
||||
name: ci
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
pull_request:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
# Cancel an in-flight run when a branch is pushed again.
|
||||
concurrency:
|
||||
group: ci-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
# Build and test on Linux and macOS with the race detector on. gofmt and vet
|
||||
# run here too so a formatting slip fails fast on both platforms. The full
|
||||
# suite includes Chrome-driven end-to-end tests, so the runners install a
|
||||
# browser first; tests that find none skip themselves, so the job still passes
|
||||
# if a future runner image drops Chrome.
|
||||
test:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
os: [ubuntu-latest, macos-latest]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@v7.0.0
|
||||
- uses: actions/setup-go@v6
|
||||
with:
|
||||
go-version-file: go.mod
|
||||
check-latest: true
|
||||
cache: true
|
||||
- name: install chromium (linux)
|
||||
if: matrix.os == 'ubuntu-latest'
|
||||
uses: browser-actions/setup-chrome@v2.1.2
|
||||
id: chrome
|
||||
- name: gofmt
|
||||
run: |
|
||||
unformatted=$(gofmt -s -l .)
|
||||
if [ -n "$unformatted" ]; then
|
||||
echo "These files need gofmt -s -w:"
|
||||
echo "$unformatted"
|
||||
exit 1
|
||||
fi
|
||||
- name: go vet
|
||||
run: go vet ./...
|
||||
- name: build
|
||||
run: go build ./...
|
||||
# The GitHub Ubuntu runner disables unprivileged user namespaces (AppArmor),
|
||||
# so Chrome's sandbox cannot initialize there and the secure default would
|
||||
# make it refuse to start. IN_DOCKER is kage's documented escape hatch for
|
||||
# exactly that case, and setting it here also exercises the container path.
|
||||
# macOS does not need it, so it stays empty on that leg.
|
||||
- name: test
|
||||
env:
|
||||
KAGE_CHROME: ${{ steps.chrome.outputs.chrome-path }}
|
||||
IN_DOCKER: ${{ matrix.os == 'ubuntu-latest' && '1' || '' }}
|
||||
run: go test -race -count=1 -coverprofile=coverage.out ./...
|
||||
- name: coverage summary
|
||||
if: matrix.os == 'ubuntu-latest'
|
||||
run: go tool cover -func=coverage.out | tail -1
|
||||
|
||||
# golangci-lint bundles staticcheck, govet, ineffassign, errcheck, unused and
|
||||
# more, so it is the main quality gate.
|
||||
lint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v7.0.0
|
||||
- uses: actions/setup-go@v6
|
||||
with:
|
||||
go-version-file: go.mod
|
||||
check-latest: true
|
||||
cache: true
|
||||
- uses: golangci/golangci-lint-action@v9.2.1
|
||||
with:
|
||||
version: latest
|
||||
|
||||
# Scan the module and its dependencies for known vulnerabilities.
|
||||
govulncheck:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v7.0.0
|
||||
- uses: actions/setup-go@v6
|
||||
with:
|
||||
go-version-file: go.mod
|
||||
check-latest: true
|
||||
cache: true
|
||||
- name: govulncheck
|
||||
run: |
|
||||
go install golang.org/x/vuln/cmd/govulncheck@latest
|
||||
govulncheck ./...
|
||||
|
||||
# Confirm go.mod and go.sum are tidy: a PR that adds an import without running
|
||||
# go mod tidy fails here instead of breaking a later release.
|
||||
tidy:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v7.0.0
|
||||
- uses: actions/setup-go@v6
|
||||
with:
|
||||
go-version-file: go.mod
|
||||
check-latest: true
|
||||
cache: true
|
||||
- name: go mod tidy is clean
|
||||
run: |
|
||||
go mod tidy
|
||||
git diff --exit-code -- go.mod go.sum
|
||||
|
||||
# Compile the optional native-window viewer (-tags webview, cgo) so that path
|
||||
# keeps building. The default CI build is pure Go and never touches it. The
|
||||
# viewer code is the same Go on every OS, only the system WebView library
|
||||
# differs, so a macOS compile (WebKit ships in the SDK) catches our
|
||||
# regressions without the WebKitGTK version juggling Linux runners need. It is
|
||||
# build-only: actually opening a window needs a display.
|
||||
webview:
|
||||
runs-on: macos-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v7.0.0
|
||||
- uses: actions/setup-go@v6
|
||||
with:
|
||||
go-version-file: go.mod
|
||||
check-latest: true
|
||||
cache: true
|
||||
- name: build webview viewer
|
||||
run: CGO_ENABLED=1 go build -tags webview ./cmd/kage
|
||||
|
||||
# Cross-compile the GUI-subsystem Windows base the release ships for
|
||||
# double-click viewers (kage pack --base). A change that breaks the
|
||||
# -H windowsgui link is caught here instead of at release time. Pure Go, so it
|
||||
# cross-compiles from Linux with no extra toolchain.
|
||||
windows-gui:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v7.0.0
|
||||
- uses: actions/setup-go@v6
|
||||
with:
|
||||
go-version-file: go.mod
|
||||
check-latest: true
|
||||
cache: true
|
||||
- name: build windowsgui base
|
||||
env:
|
||||
GOOS: windows
|
||||
CGO_ENABLED: "0"
|
||||
run: go build -ldflags "-H=windowsgui" -o kage-windowsgui.exe ./cmd/kage
|
||||
@@ -0,0 +1,135 @@
|
||||
name: Docs
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
paths:
|
||||
- "docs/**"
|
||||
- ".github/workflows/docs.yml"
|
||||
- "scripts/ensure_cloudflare_pages.py"
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
pages: write
|
||||
id-token: write
|
||||
deployments: write
|
||||
|
||||
env:
|
||||
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
||||
|
||||
concurrency:
|
||||
group: docs-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v7.0.0
|
||||
with:
|
||||
submodules: true
|
||||
# Sitemap lastmod comes from the latest content commit.
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Checkout tago
|
||||
uses: actions/checkout@v7.0.0
|
||||
with:
|
||||
repository: tamnd/tago
|
||||
path: .tago-src
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@v6.4.0
|
||||
with:
|
||||
go-version-file: .tago-src/go.mod
|
||||
cache: false
|
||||
|
||||
- name: Cache tago binary
|
||||
id: tago-bin-cache
|
||||
uses: actions/cache@v5.0.5
|
||||
with:
|
||||
path: /usr/local/bin/tago
|
||||
key: tago-bin-${{ runner.os }}-${{ hashFiles('.tago-src/go.sum', '.tago-src/**/*.go') }}
|
||||
|
||||
- name: Build tago
|
||||
if: steps.tago-bin-cache.outputs.cache-hit != 'true'
|
||||
run: |
|
||||
cd .tago-src
|
||||
go build -o /usr/local/bin/tago ./cmd/tago/
|
||||
|
||||
# Two builds, one per deploy target. The theme links every page and asset
|
||||
# with absURL, so each output carries its own base path: the Pages build
|
||||
# gets the /kage/ sub-path, the Cloudflare build gets the domain root.
|
||||
- name: Build for GitHub Pages
|
||||
working-directory: docs
|
||||
run: tago build --base-url "https://tamnd.github.io/kage/" --output public-pages
|
||||
|
||||
# tago absURLs theme links but passes markdown content links through, so
|
||||
# root-relative links in content need the sub-path prefixed for the Pages
|
||||
# mirror. The Cloudflare build serves from the root and needs none.
|
||||
- name: Rewrite content links for the Pages sub-path
|
||||
run: |
|
||||
find docs/public-pages -name '*.html' -print0 |
|
||||
xargs -0 perl -pi -e 's|(href=")/(?!/)|${1}/kage/|g; s|(src=")/(?!/)|${1}/kage/|g'
|
||||
|
||||
- name: Upload Pages artifact
|
||||
uses: actions/upload-pages-artifact@v5.0.0
|
||||
with:
|
||||
path: docs/public-pages
|
||||
|
||||
- name: Build for Cloudflare Pages
|
||||
working-directory: docs
|
||||
run: tago build --base-url "https://kage.tamnd.com/" --output public-cf
|
||||
|
||||
- name: Upload Cloudflare artifact
|
||||
uses: actions/upload-artifact@v7.0.1
|
||||
with:
|
||||
name: public-cf
|
||||
path: docs/public-cf
|
||||
retention-days: 1
|
||||
|
||||
deploy-pages:
|
||||
runs-on: ubuntu-latest
|
||||
needs: build
|
||||
environment:
|
||||
name: github-pages
|
||||
url: ${{ steps.deployment.outputs.page_url }}
|
||||
steps:
|
||||
- name: Deploy to GitHub Pages
|
||||
id: deployment
|
||||
uses: actions/deploy-pages@v5.0.0
|
||||
|
||||
deploy-cloudflare:
|
||||
runs-on: ubuntu-latest
|
||||
needs: build
|
||||
concurrency:
|
||||
group: cloudflare-pages-kage
|
||||
cancel-in-progress: true
|
||||
steps:
|
||||
- uses: actions/checkout@v7.0.0
|
||||
with:
|
||||
fetch-depth: 1
|
||||
sparse-checkout: scripts/
|
||||
|
||||
- name: Download Cloudflare artifact
|
||||
uses: actions/download-artifact@v8.0.1
|
||||
with:
|
||||
name: public-cf
|
||||
path: public-cf
|
||||
|
||||
- name: Ensure Cloudflare Pages config
|
||||
env:
|
||||
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
|
||||
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
|
||||
run: python3 scripts/ensure_cloudflare_pages.py --project kage --domain kage.tamnd.com --zone tamnd.com
|
||||
|
||||
- name: Deploy to Cloudflare Pages
|
||||
env:
|
||||
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
|
||||
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
|
||||
run: |
|
||||
npx -y wrangler@4 pages deploy public-cf \
|
||||
--project-name=kage \
|
||||
--branch=main \
|
||||
--commit-dirty=true
|
||||
@@ -0,0 +1,112 @@
|
||||
name: release
|
||||
|
||||
# Pushing a version tag turns the GoReleaser config (.goreleaser.yaml) into a
|
||||
# GitHub release with the archives, Linux packages (deb, rpm, apk), checksums,
|
||||
# SBOMs and a cosign signature, and pushes the multi-arch container image to
|
||||
# GHCR. Pull requests and pushes to main run `goreleaser check` only, so a
|
||||
# config that would fail a real release is caught long before the tag.
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
tags: ["v*"]
|
||||
pull_request:
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
concurrency:
|
||||
group: release-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
# Fast gate on every PR and push: the config parses and is valid for the
|
||||
# installed GoReleaser version. No artifacts are built here.
|
||||
check:
|
||||
if: github.ref_type != 'tag'
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v7.0.0
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: actions/setup-go@v6.4.0
|
||||
with:
|
||||
go-version-file: go.mod
|
||||
check-latest: true
|
||||
cache: true
|
||||
- uses: goreleaser/goreleaser-action@v7.2.2
|
||||
with:
|
||||
distribution: goreleaser
|
||||
version: "~> v2"
|
||||
args: check
|
||||
|
||||
# The real release, only on a version tag.
|
||||
release:
|
||||
if: github.ref_type == 'tag'
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write # create the GitHub release
|
||||
packages: write # push the image to ghcr.io
|
||||
id-token: write # keyless cosign signing
|
||||
env:
|
||||
LINUX_REPO_DISPATCH_TOKEN: ${{ secrets.LINUX_REPO_DISPATCH_TOKEN }}
|
||||
steps:
|
||||
- uses: actions/checkout@v7.0.0
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: actions/setup-go@v6.4.0
|
||||
with:
|
||||
go-version-file: go.mod
|
||||
check-latest: true
|
||||
cache: true
|
||||
|
||||
# Build and ship the linux/arm64 image from the amd64 runner.
|
||||
- uses: docker/setup-qemu-action@v4.1.0
|
||||
- uses: docker/setup-buildx-action@v4.1.0
|
||||
- uses: docker/login-action@v4.2.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# Tools GoReleaser shells out to for signing and SBOMs.
|
||||
# Pin cosign to the 2.x line. cosign 3.x makes the new bundle format the
|
||||
# default, which ignores the --output-signature/--output-certificate flags
|
||||
# the signs block uses and aborts. Pinning keeps the .sig/.pem outputs and
|
||||
# stops the release tool from floating to a breaking latest.
|
||||
- uses: sigstore/cosign-installer@v4.1.2
|
||||
with:
|
||||
cosign-release: "v2.6.3"
|
||||
- uses: anchore/sbom-action/download-syft@v0.24.0
|
||||
|
||||
- uses: goreleaser/goreleaser-action@v7.2.2
|
||||
with:
|
||||
distribution: goreleaser
|
||||
version: "~> v2"
|
||||
args: release --clean
|
||||
env:
|
||||
# Creating the release and pushing the GHCR image use the built-in
|
||||
# token. The package-manager publish steps each read their own secret;
|
||||
# any that is unset leaves that manager skipped (the artifact is still
|
||||
# produced), so the release never fails for a tap that is not set up.
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
|
||||
SCOOP_BUCKET_GITHUB_TOKEN: ${{ secrets.SCOOP_BUCKET_GITHUB_TOKEN }}
|
||||
|
||||
# Rebuild the Linux apt/dnf repository with the packages just released.
|
||||
# Skipped when the dispatch token is unset, so the release never depends
|
||||
# on it being configured.
|
||||
- name: Refresh the Linux package repository
|
||||
if: env.LINUX_REPO_DISPATCH_TOKEN != ''
|
||||
run: |
|
||||
code=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
|
||||
-H "Authorization: Bearer $LINUX_REPO_DISPATCH_TOKEN" \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
https://api.github.com/repos/tamnd/linux-repo/dispatches \
|
||||
-d '{"event_type":"package-released"}' || true)
|
||||
if [ "$code" = "204" ]; then
|
||||
echo "Linux repo refresh triggered"
|
||||
else
|
||||
echo "Linux repo refresh not accepted (HTTP $code); skipping"
|
||||
fi
|
||||
Reference in New Issue
Block a user