chore: import upstream snapshot with attribution
Build and Push Docker Images / create_manifest (web, surfsense-web, , cpu) (push) Has been cancelled
Build and Push Docker Images / finalize_release (push) Has been cancelled
Obsidian Plugin Lint / lint (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_web, cpu, ./surfsense_web/Dockerfile, web, surfsense-web, ubuntu-24.04-arm, linux/arm64, arm64, , runner, false, cpu) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_web, cpu, ./surfsense_web/Dockerfile, web, surfsense-web, ubuntu-latest, linux/amd64, amd64, , runner, false, cpu) (push) Has been cancelled
Build and Push Docker Images / compute_version (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cpu, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-24.04-arm, linux/arm64, arm64, , production, false, cpu) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cpu, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-latest, linux/amd64, amd64, , production, false, cpu) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cu126, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-24.04-arm, linux/arm64, arm64, -cuda126, production, true, cuda126) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cu126, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-latest, linux/amd64, amd64, -cuda126, production, true, cuda126) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cu128, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-24.04-arm, linux/arm64, arm64, -cuda, production, true, cuda) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cu128, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-latest, linux/amd64, amd64, -cuda, production, true, cuda) (push) Has been cancelled
Build and Push Docker Images / verify_digests (push) Has been cancelled
Build and Push Docker Images / create_manifest (backend, surfsense-backend, , cpu) (push) Has been cancelled
Build and Push Docker Images / create_manifest (backend, surfsense-backend, -cuda, cuda) (push) Has been cancelled
Build and Push Docker Images / create_manifest (backend, surfsense-backend, -cuda126, cuda126) (push) Has been cancelled
Build and Push Docker Images / create_manifest (web, surfsense-web, , cpu) (push) Has been cancelled
Build and Push Docker Images / finalize_release (push) Has been cancelled
Obsidian Plugin Lint / lint (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_web, cpu, ./surfsense_web/Dockerfile, web, surfsense-web, ubuntu-24.04-arm, linux/arm64, arm64, , runner, false, cpu) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_web, cpu, ./surfsense_web/Dockerfile, web, surfsense-web, ubuntu-latest, linux/amd64, amd64, , runner, false, cpu) (push) Has been cancelled
Build and Push Docker Images / compute_version (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cpu, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-24.04-arm, linux/arm64, arm64, , production, false, cpu) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cpu, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-latest, linux/amd64, amd64, , production, false, cpu) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cu126, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-24.04-arm, linux/arm64, arm64, -cuda126, production, true, cuda126) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cu126, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-latest, linux/amd64, amd64, -cuda126, production, true, cuda126) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cu128, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-24.04-arm, linux/arm64, arm64, -cuda, production, true, cuda) (push) Has been cancelled
Build and Push Docker Images / build (./surfsense_backend, cu128, ./surfsense_backend/Dockerfile, backend, surfsense-backend, ubuntu-latest, linux/amd64, amd64, -cuda, production, true, cuda) (push) Has been cancelled
Build and Push Docker Images / verify_digests (push) Has been cancelled
Build and Push Docker Images / create_manifest (backend, surfsense-backend, , cpu) (push) Has been cancelled
Build and Push Docker Images / create_manifest (backend, surfsense-backend, -cuda, cuda) (push) Has been cancelled
Build and Push Docker Images / create_manifest (backend, surfsense-backend, -cuda126, cuda126) (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,136 @@
|
||||
name: Backend Tests
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: [main, dev]
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
paths:
|
||||
- 'surfsense_backend/**'
|
||||
- '.github/workflows/backend-tests.yml'
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
unit-tests:
|
||||
name: Unit Tests
|
||||
runs-on: ubuntu-latest
|
||||
if: github.event.pull_request.draft == false
|
||||
env:
|
||||
EMBEDDING_MODEL: sentence-transformers/all-MiniLM-L6-v2
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: '3.12'
|
||||
|
||||
- name: Install UV
|
||||
uses: astral-sh/setup-uv@v8.1.0
|
||||
|
||||
- name: Cache dependencies
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: |
|
||||
~/.cache/uv
|
||||
surfsense_backend/.venv
|
||||
key: python-deps-${{ hashFiles('surfsense_backend/uv.lock') }}
|
||||
restore-keys: |
|
||||
python-deps-
|
||||
|
||||
- name: Cache HuggingFace models
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: ~/.cache/huggingface
|
||||
key: hf-models-${{ env.EMBEDDING_MODEL }}
|
||||
|
||||
- name: Install dependencies
|
||||
working-directory: surfsense_backend
|
||||
run: uv sync
|
||||
|
||||
- name: Run unit tests
|
||||
working-directory: surfsense_backend
|
||||
run: uv run pytest -m unit
|
||||
|
||||
integration-tests:
|
||||
name: Integration Tests
|
||||
runs-on: ubuntu-latest
|
||||
if: github.event.pull_request.draft == false
|
||||
env:
|
||||
EMBEDDING_MODEL: sentence-transformers/all-MiniLM-L6-v2
|
||||
|
||||
services:
|
||||
postgres:
|
||||
image: pgvector/pgvector:pg17
|
||||
env:
|
||||
POSTGRES_USER: postgres
|
||||
POSTGRES_PASSWORD: postgres
|
||||
POSTGRES_DB: surfsense_test
|
||||
ports:
|
||||
- 5432:5432
|
||||
options: >-
|
||||
--health-cmd "pg_isready -U postgres -d surfsense_test"
|
||||
--health-interval 10s
|
||||
--health-timeout 5s
|
||||
--health-retries 5
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: '3.12'
|
||||
|
||||
- name: Install UV
|
||||
uses: astral-sh/setup-uv@v8.1.0
|
||||
|
||||
- name: Cache dependencies
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: |
|
||||
~/.cache/uv
|
||||
surfsense_backend/.venv
|
||||
key: python-deps-${{ hashFiles('surfsense_backend/uv.lock') }}
|
||||
restore-keys: |
|
||||
python-deps-
|
||||
|
||||
- name: Cache HuggingFace models
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: ~/.cache/huggingface
|
||||
key: hf-models-${{ env.EMBEDDING_MODEL }}
|
||||
|
||||
- name: Install dependencies
|
||||
working-directory: surfsense_backend
|
||||
run: uv sync
|
||||
|
||||
- name: Run integration tests
|
||||
working-directory: surfsense_backend
|
||||
env:
|
||||
TEST_DATABASE_URL: postgresql+asyncpg://postgres:postgres@localhost:5432/surfsense_test
|
||||
SECRET_KEY: ci-test-secret-key-not-for-production
|
||||
ETL_SERVICE: DOCLING
|
||||
run: uv run pytest -m integration
|
||||
|
||||
test-gate:
|
||||
name: Test Gate
|
||||
runs-on: ubuntu-latest
|
||||
needs: [unit-tests, integration-tests]
|
||||
if: always()
|
||||
|
||||
steps:
|
||||
- name: Check all test jobs
|
||||
run: |
|
||||
if [[ "${{ needs.unit-tests.result }}" == "failure" ||
|
||||
"${{ needs.integration-tests.result }}" == "failure" ]]; then
|
||||
echo "Backend tests failed"
|
||||
exit 1
|
||||
else
|
||||
echo "All backend tests passed"
|
||||
fi
|
||||
@@ -0,0 +1,308 @@
|
||||
name: Code Quality Checks
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: [main, dev]
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
file-quality:
|
||||
name: File Quality
|
||||
runs-on: ubuntu-latest
|
||||
if: github.event.pull_request.draft == false
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Fetch base branch
|
||||
run: |
|
||||
# Ensure we have the base branch reference for comparison
|
||||
git fetch origin ${{ github.base_ref }}:${{ github.base_ref }} 2>/dev/null || git fetch origin ${{ github.base_ref }} 2>/dev/null || true
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: '3.12'
|
||||
|
||||
- name: Install pre-commit
|
||||
run: pip install pre-commit
|
||||
|
||||
- name: Cache pre-commit hooks
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: ~/.cache/pre-commit
|
||||
key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
|
||||
restore-keys: |
|
||||
pre-commit-
|
||||
|
||||
- name: Install hook environments (cache)
|
||||
run: pre-commit install-hooks
|
||||
|
||||
- name: Run file quality checks on changed files
|
||||
run: |
|
||||
# Get list of changed files and run specific hooks on them
|
||||
if git show-ref --verify --quiet refs/heads/${{ github.base_ref }}; then
|
||||
BASE_REF="${{ github.base_ref }}"
|
||||
elif git show-ref --verify --quiet refs/remotes/origin/${{ github.base_ref }}; then
|
||||
BASE_REF="origin/${{ github.base_ref }}"
|
||||
else
|
||||
echo "Base branch reference not found, running file quality hooks on all files"
|
||||
pre-commit run --all-files check-yaml check-json check-toml check-merge-conflict check-added-large-files debug-statements check-case-conflict
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Running file quality hooks on changed files against $BASE_REF"
|
||||
|
||||
# Run each hook individually on changed files
|
||||
SKIP=detect-secrets,bandit,ruff,ruff-format,biome-check-web,biome-check-extension,commitizen \
|
||||
pre-commit run --from-ref $BASE_REF --to-ref HEAD || exit_code=$?
|
||||
|
||||
# Exit with the same code as pre-commit
|
||||
exit ${exit_code:-0}
|
||||
|
||||
security-scan:
|
||||
name: Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
if: github.event.pull_request.draft == false
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Fetch base branch
|
||||
run: |
|
||||
git fetch origin ${{ github.base_ref }}:${{ github.base_ref }} 2>/dev/null || git fetch origin ${{ github.base_ref }} 2>/dev/null || true
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: '3.12'
|
||||
|
||||
- name: Install pre-commit
|
||||
run: pip install pre-commit
|
||||
|
||||
- name: Cache pre-commit hooks
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: ~/.cache/pre-commit
|
||||
key: pre-commit-security-${{ hashFiles('.pre-commit-config.yaml') }}
|
||||
restore-keys: |
|
||||
pre-commit-security-
|
||||
|
||||
- name: Install hook environments (cache)
|
||||
run: pre-commit install-hooks
|
||||
|
||||
- name: Run security scans on changed files
|
||||
run: |
|
||||
# Get base ref for comparison
|
||||
if git show-ref --verify --quiet refs/heads/${{ github.base_ref }}; then
|
||||
BASE_REF="${{ github.base_ref }}"
|
||||
elif git show-ref --verify --quiet refs/remotes/origin/${{ github.base_ref }}; then
|
||||
BASE_REF="origin/${{ github.base_ref }}"
|
||||
else
|
||||
echo "Base branch reference not found, running security scans on all files"
|
||||
echo "⚠️ This may take longer than normal"
|
||||
pre-commit run --all-files detect-secrets bandit
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Running security scans on changed files against $BASE_REF"
|
||||
|
||||
# Run only security hooks on changed files
|
||||
SKIP=check-yaml,check-json,check-toml,check-merge-conflict,check-added-large-files,debug-statements,check-case-conflict,ruff,ruff-format,biome-check-web,biome-check-extension,commitizen \
|
||||
pre-commit run --from-ref $BASE_REF --to-ref HEAD || exit_code=$?
|
||||
|
||||
# Exit with the same code as pre-commit
|
||||
exit ${exit_code:-0}
|
||||
|
||||
python-backend:
|
||||
name: Backend Quality
|
||||
runs-on: ubuntu-latest
|
||||
if: github.event.pull_request.draft == false
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: '3.12'
|
||||
|
||||
- name: Install UV
|
||||
uses: astral-sh/setup-uv@v8.1.0
|
||||
|
||||
- name: Check if backend files changed
|
||||
id: backend-changes
|
||||
uses: dorny/paths-filter@v4
|
||||
with:
|
||||
filters: |
|
||||
backend:
|
||||
- 'surfsense_backend/**'
|
||||
- '.github/workflows/code-quality.yml'
|
||||
|
||||
- name: Cache dependencies
|
||||
if: steps.backend-changes.outputs.backend == 'true'
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: |
|
||||
~/.cache/uv
|
||||
surfsense_backend/.venv
|
||||
key: python-deps-${{ hashFiles('surfsense_backend/uv.lock') }}
|
||||
|
||||
- name: Install dependencies
|
||||
if: steps.backend-changes.outputs.backend == 'true'
|
||||
working-directory: surfsense_backend
|
||||
run: uv sync
|
||||
|
||||
- name: Install pre-commit for backend checks
|
||||
if: steps.backend-changes.outputs.backend == 'true'
|
||||
run: pip install pre-commit
|
||||
|
||||
- name: Cache pre-commit hooks
|
||||
if: steps.backend-changes.outputs.backend == 'true'
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: ~/.cache/pre-commit
|
||||
key: pre-commit-backend-${{ hashFiles('.pre-commit-config.yaml') }}
|
||||
restore-keys: |
|
||||
pre-commit-backend-
|
||||
|
||||
- name: Install hook environments (cache)
|
||||
if: steps.backend-changes.outputs.backend == 'true'
|
||||
run: pre-commit install-hooks
|
||||
|
||||
- name: Run Python backend quality checks
|
||||
if: steps.backend-changes.outputs.backend == 'true'
|
||||
run: |
|
||||
# Get base ref for comparison
|
||||
if git show-ref --verify --quiet refs/heads/${{ github.base_ref }}; then
|
||||
BASE_REF="${{ github.base_ref }}"
|
||||
elif git show-ref --verify --quiet refs/remotes/origin/${{ github.base_ref }}; then
|
||||
BASE_REF="origin/${{ github.base_ref }}"
|
||||
else
|
||||
echo "Base branch reference not found, running Python backend checks on all files"
|
||||
pre-commit run --all-files ruff ruff-format
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Running Python backend checks on changed files against $BASE_REF"
|
||||
|
||||
# Run only ruff hooks on changed Python files
|
||||
SKIP=detect-secrets,bandit,check-yaml,check-json,check-toml,check-merge-conflict,check-added-large-files,debug-statements,check-case-conflict,biome-check-web,biome-check-extension,commitizen \
|
||||
pre-commit run --from-ref $BASE_REF --to-ref HEAD || exit_code=$?
|
||||
|
||||
# Exit with the same code as pre-commit
|
||||
exit ${exit_code:-0}
|
||||
|
||||
typescript-frontend:
|
||||
name: Frontend Quality
|
||||
runs-on: ubuntu-latest
|
||||
if: github.event.pull_request.draft == false
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Fetch base branch
|
||||
run: |
|
||||
git fetch origin ${{ github.base_ref }}:${{ github.base_ref }} 2>/dev/null || git fetch origin ${{ github.base_ref }} 2>/dev/null || true
|
||||
|
||||
- name: Setup Node.js
|
||||
uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version: '20'
|
||||
|
||||
- name: Install pnpm
|
||||
uses: pnpm/action-setup@v6
|
||||
|
||||
- name: Check if frontend files changed
|
||||
id: frontend-changes
|
||||
uses: dorny/paths-filter@v4
|
||||
with:
|
||||
filters: |
|
||||
web:
|
||||
- 'surfsense_web/**'
|
||||
- '.github/workflows/code-quality.yml'
|
||||
extension:
|
||||
- 'surfsense_browser_extension/**'
|
||||
- '.github/workflows/code-quality.yml'
|
||||
|
||||
- name: Install dependencies for web
|
||||
if: steps.frontend-changes.outputs.web == 'true'
|
||||
working-directory: surfsense_web
|
||||
run: pnpm install --frozen-lockfile
|
||||
|
||||
- name: Install dependencies for extension
|
||||
if: steps.frontend-changes.outputs.extension == 'true'
|
||||
working-directory: surfsense_browser_extension
|
||||
run: pnpm install --frozen-lockfile
|
||||
|
||||
- name: Install pre-commit
|
||||
run: pip install pre-commit
|
||||
|
||||
- name: Cache pre-commit hooks
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: ~/.cache/pre-commit
|
||||
key: pre-commit-frontend-${{ hashFiles('.pre-commit-config.yaml') }}
|
||||
restore-keys: |
|
||||
pre-commit-frontend-
|
||||
|
||||
- name: Install hook environments (cache)
|
||||
run: pre-commit install-hooks
|
||||
|
||||
- name: Run TypeScript/JavaScript quality checks
|
||||
run: |
|
||||
# Get base ref for comparison
|
||||
if git show-ref --verify --quiet refs/heads/${{ github.base_ref }}; then
|
||||
BASE_REF="${{ github.base_ref }}"
|
||||
elif git show-ref --verify --quiet refs/remotes/origin/${{ github.base_ref }}; then
|
||||
BASE_REF="origin/${{ github.base_ref }}"
|
||||
else
|
||||
echo "Base branch reference not found, running TypeScript/JavaScript checks on all files"
|
||||
pre-commit run --all-files biome-check-web biome-check-extension
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Running TypeScript/JavaScript checks on changed files against $BASE_REF"
|
||||
|
||||
# Run only Biome hooks on changed TypeScript/JavaScript files
|
||||
# Biome hooks use --diagnostic-level=error to only fail on errors, not warnings
|
||||
SKIP=detect-secrets,bandit,check-yaml,check-json,check-toml,check-merge-conflict,check-added-large-files,debug-statements,check-case-conflict,ruff,ruff-format,commitizen \
|
||||
pre-commit run --from-ref $BASE_REF --to-ref HEAD || exit_code=$?
|
||||
|
||||
# Exit with the same code as pre-commit
|
||||
exit ${exit_code:-0}
|
||||
|
||||
quality-gate:
|
||||
name: Quality Gate
|
||||
runs-on: ubuntu-latest
|
||||
needs: [file-quality, security-scan, python-backend, typescript-frontend]
|
||||
if: always()
|
||||
|
||||
steps:
|
||||
- name: Check all jobs status
|
||||
run: |
|
||||
if [[ "${{ needs.file-quality.result }}" == "failure" ||
|
||||
"${{ needs.security-scan.result }}" == "failure" ||
|
||||
"${{ needs.python-backend.result }}" == "failure" ||
|
||||
"${{ needs.typescript-frontend.result }}" == "failure" ]]; then
|
||||
echo "❌ Code quality checks failed"
|
||||
exit 1
|
||||
else
|
||||
echo "✅ All code quality checks passed"
|
||||
fi
|
||||
@@ -0,0 +1,171 @@
|
||||
name: Desktop Release
|
||||
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- 'v*'
|
||||
- 'beta-v*'
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
version:
|
||||
description: 'Version number (e.g. 0.0.15) — used for dry-run testing without a tag'
|
||||
required: true
|
||||
default: '0.0.0-test'
|
||||
publish:
|
||||
description: 'Publish to GitHub Releases'
|
||||
required: true
|
||||
type: choice
|
||||
options:
|
||||
- never
|
||||
- always
|
||||
default: 'never'
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
id-token: write
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ${{ matrix.os }}
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
include:
|
||||
- os: macos-latest
|
||||
platform: --mac
|
||||
- os: ubuntu-latest
|
||||
platform: --linux
|
||||
- os: windows-latest
|
||||
platform: --win
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v5
|
||||
|
||||
- name: Extract version
|
||||
id: version
|
||||
shell: bash
|
||||
run: |
|
||||
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
|
||||
VERSION="${{ inputs.version }}"
|
||||
else
|
||||
TAG=${GITHUB_REF#refs/tags/}
|
||||
VERSION=${TAG#beta-}
|
||||
VERSION=${VERSION#v}
|
||||
fi
|
||||
if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
|
||||
echo "::error::Version '$VERSION' is not valid semver (expected X.Y.Z). Fix your tag name."
|
||||
exit 1
|
||||
fi
|
||||
echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Detect Windows signing eligibility
|
||||
id: sign
|
||||
shell: bash
|
||||
run: |
|
||||
# Sign Windows builds only on production v* tags (not beta-v*, not workflow_dispatch).
|
||||
# This matches the single OIDC federated credential configured in Entra ID.
|
||||
if [ "${{ matrix.os }}" = "windows-latest" ] \
|
||||
&& [ "${{ github.event_name }}" = "push" ] \
|
||||
&& [[ "$GITHUB_REF" == refs/tags/v* ]]; then
|
||||
echo "enabled=true" >> "$GITHUB_OUTPUT"
|
||||
echo "Windows signing: ENABLED (v* tag on windows-latest)"
|
||||
else
|
||||
echo "enabled=false" >> "$GITHUB_OUTPUT"
|
||||
echo "Windows signing: skipped"
|
||||
fi
|
||||
|
||||
- name: Setup pnpm
|
||||
uses: pnpm/action-setup@v5
|
||||
|
||||
- name: Setup Node.js
|
||||
uses: actions/setup-node@v5
|
||||
with:
|
||||
node-version: 22
|
||||
cache: 'pnpm'
|
||||
cache-dependency-path: |
|
||||
surfsense_web/pnpm-lock.yaml
|
||||
surfsense_desktop/pnpm-lock.yaml
|
||||
|
||||
- name: Install web dependencies
|
||||
run: pnpm install
|
||||
working-directory: surfsense_web
|
||||
|
||||
- name: Build Next.js standalone
|
||||
run: pnpm build
|
||||
working-directory: surfsense_web
|
||||
env:
|
||||
NEXT_PUBLIC_FASTAPI_BACKEND_URL: ${{ vars.HOSTED_BACKEND_URL }}
|
||||
SURFSENSE_BACKEND_INTERNAL_URL: ${{ vars.HOSTED_BACKEND_URL }}
|
||||
NEXT_PUBLIC_ZERO_CACHE_URL: ${{ vars.NEXT_PUBLIC_ZERO_CACHE_URL }}
|
||||
NEXT_PUBLIC_DEPLOYMENT_MODE: ${{ vars.NEXT_PUBLIC_DEPLOYMENT_MODE }}
|
||||
NEXT_PUBLIC_AUTH_TYPE: ${{ vars.NEXT_PUBLIC_AUTH_TYPE }}
|
||||
NEXT_PUBLIC_ETL_SERVICE: ${{ vars.NEXT_PUBLIC_ETL_SERVICE }}
|
||||
NEXT_PUBLIC_POSTHOG_KEY: ${{ secrets.NEXT_PUBLIC_POSTHOG_KEY }}
|
||||
|
||||
- name: Install desktop dependencies
|
||||
run: pnpm install
|
||||
working-directory: surfsense_desktop
|
||||
|
||||
- name: Build Electron
|
||||
run: pnpm build
|
||||
working-directory: surfsense_desktop
|
||||
env:
|
||||
HOSTED_BACKEND_URL: ${{ vars.HOSTED_BACKEND_URL }}
|
||||
HOSTED_FRONTEND_URL: ${{ vars.HOSTED_FRONTEND_URL }}
|
||||
GOOGLE_DESKTOP_CLIENT_ID: ${{ vars.GOOGLE_DESKTOP_CLIENT_ID }}
|
||||
POSTHOG_KEY: ${{ secrets.POSTHOG_KEY }}
|
||||
POSTHOG_HOST: ${{ vars.POSTHOG_HOST }}
|
||||
|
||||
- name: Package & Publish
|
||||
shell: bash
|
||||
run: |
|
||||
CMD=(pnpm exec electron-builder ${{ matrix.platform }} \
|
||||
--config electron-builder.yml \
|
||||
--publish "${{ inputs.publish || 'always' }}" \
|
||||
-c.extraMetadata.version="${{ steps.version.outputs.VERSION }}")
|
||||
|
||||
# node-mac-permissions is the only native dependency and is darwin-only.
|
||||
# electron-builder's internal rebuild would try to node-gyp compile it on
|
||||
# Windows (no Visual Studio) and Linux, so skip the rebuild there. On macOS
|
||||
# the rebuild must stay enabled for per-arch (x64/arm64) builds.
|
||||
if [ "${{ matrix.platform }}" != "--mac" ]; then
|
||||
CMD+=(-c.npmRebuild=false)
|
||||
fi
|
||||
|
||||
if [ "${{ steps.sign.outputs.enabled }}" = "true" ]; then
|
||||
CMD+=(-c.win.azureSignOptions.publisherName="$WINDOWS_PUBLISHER_NAME")
|
||||
CMD+=(-c.win.azureSignOptions.endpoint="$AZURE_CODESIGN_ENDPOINT")
|
||||
CMD+=(-c.win.azureSignOptions.codeSigningAccountName="$AZURE_CODESIGN_ACCOUNT")
|
||||
CMD+=(-c.win.azureSignOptions.certificateProfileName="$AZURE_CODESIGN_PROFILE")
|
||||
fi
|
||||
|
||||
"${CMD[@]}"
|
||||
working-directory: surfsense_desktop
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
GOOGLE_DESKTOP_CLIENT_ID: ${{ vars.GOOGLE_DESKTOP_CLIENT_ID }}
|
||||
WINDOWS_PUBLISHER_NAME: ${{ vars.WINDOWS_PUBLISHER_NAME }}
|
||||
AZURE_CODESIGN_ENDPOINT: ${{ vars.AZURE_CODESIGN_ENDPOINT }}
|
||||
AZURE_CODESIGN_ACCOUNT: ${{ vars.AZURE_CODESIGN_ACCOUNT }}
|
||||
AZURE_CODESIGN_PROFILE: ${{ vars.AZURE_CODESIGN_PROFILE }}
|
||||
# macOS Developer ID signing + notarization. Only the macos-latest runner
|
||||
# consumes these; Windows/Linux runners ignore them. CSC_LINK accepts either
|
||||
# a file path or a base64-encoded .p12 blob — electron-builder auto-detects.
|
||||
CSC_LINK: ${{ secrets.MAC_CERT_P12_BASE64 }}
|
||||
CSC_KEY_PASSWORD: ${{ secrets.MAC_CERT_PASSWORD }}
|
||||
APPLE_ID: ${{ secrets.APPLE_ID }}
|
||||
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
# TEMP DEBUG — remove once the codesign hang on macos-latest is diagnosed.
|
||||
# Surfaces the exact codesign / notarize commands electron-builder spawns,
|
||||
# so we can see which subprocess hangs.
|
||||
DEBUG: electron-builder,electron-osx-sign*,@electron/notarize*
|
||||
ELECTRON_BUILDER_ALLOW_UNRESOLVED_DEPENDENCIES: "true"
|
||||
# Service principal credentials for Azure.Identity EnvironmentCredential used by the
|
||||
# TrustedSigning PowerShell module. Only populated when signing is enabled.
|
||||
# electron-builder 26 does not yet support OIDC federated tokens for Azure signing,
|
||||
# so we fall back to client-secret auth. Rotate AZURE_CLIENT_SECRET before expiry.
|
||||
AZURE_TENANT_ID: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_TENANT_ID || '' }}
|
||||
AZURE_CLIENT_ID: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_CLIENT_ID || '' }}
|
||||
AZURE_CLIENT_SECRET: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_CLIENT_SECRET || '' }}
|
||||
@@ -0,0 +1,395 @@
|
||||
name: Build and Push Docker Images
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
- dev
|
||||
tags:
|
||||
- 'v*'
|
||||
- 'beta-v*'
|
||||
paths:
|
||||
- 'surfsense_backend/**'
|
||||
- 'surfsense_web/**'
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
branch:
|
||||
description: 'Branch to build from (leave empty for default branch)'
|
||||
required: false
|
||||
default: ''
|
||||
|
||||
concurrency:
|
||||
group: docker-build
|
||||
cancel-in-progress: false
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
packages: write
|
||||
|
||||
jobs:
|
||||
compute_version:
|
||||
runs-on: ubuntu-latest
|
||||
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/tags/beta-v')
|
||||
outputs:
|
||||
new_tag: ${{ steps.tag_version.outputs.next_version }}
|
||||
commit_sha: ${{ steps.tag_version.outputs.commit_sha }}
|
||||
is_release_tag: ${{ steps.tag_version.outputs.is_release_tag }}
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ github.event.inputs.branch }}
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# Compute-only: tag is pushed by finalize_release after everything succeeds.
|
||||
- name: Read app version and calculate next Docker build version
|
||||
id: tag_version
|
||||
run: |
|
||||
if [[ "$GITHUB_REF" == refs/tags/beta-v* ]]; then
|
||||
VERSION="${GITHUB_REF#refs/tags/beta-v}"
|
||||
NEXT_VERSION="beta-${VERSION}"
|
||||
IS_RELEASE_TAG="true"
|
||||
|
||||
if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
|
||||
echo "::error::Version '$VERSION' is not valid semver (expected X.Y.Z). Fix your tag name."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Docker beta release version from git tag: $NEXT_VERSION"
|
||||
elif [[ "$GITHUB_REF" == refs/tags/v* ]]; then
|
||||
NEXT_VERSION="${GITHUB_REF#refs/tags/v}"
|
||||
IS_RELEASE_TAG="true"
|
||||
|
||||
if ! echo "$NEXT_VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
|
||||
echo "::error::Version '$NEXT_VERSION' is not valid semver (expected X.Y.Z). Fix your tag name."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Docker release version from git tag: $NEXT_VERSION"
|
||||
else
|
||||
APP_VERSION=$(tr -d '[:space:]' < VERSION)
|
||||
echo "App version from VERSION file: $APP_VERSION"
|
||||
|
||||
if [ -z "$APP_VERSION" ]; then
|
||||
echo "Error: Could not read version from VERSION file"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
git fetch --tags
|
||||
|
||||
LATEST_BUILD_TAG=$(git tag --list "${APP_VERSION}.*" --sort='-v:refname' | head -n 1)
|
||||
|
||||
if [ -z "$LATEST_BUILD_TAG" ]; then
|
||||
echo "No previous Docker build tag found for version ${APP_VERSION}. Starting with ${APP_VERSION}.1"
|
||||
NEXT_VERSION="${APP_VERSION}.1"
|
||||
else
|
||||
echo "Latest Docker build tag found: $LATEST_BUILD_TAG"
|
||||
BUILD_NUMBER=$(echo "$LATEST_BUILD_TAG" | rev | cut -d. -f1 | rev)
|
||||
NEXT_BUILD=$((BUILD_NUMBER + 1))
|
||||
NEXT_VERSION="${APP_VERSION}.${NEXT_BUILD}"
|
||||
fi
|
||||
|
||||
IS_RELEASE_TAG="false"
|
||||
echo "Calculated next Docker version: $NEXT_VERSION"
|
||||
fi
|
||||
|
||||
echo "next_version=$NEXT_VERSION" >> $GITHUB_OUTPUT
|
||||
echo "commit_sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
|
||||
echo "is_release_tag=$IS_RELEASE_TAG" >> $GITHUB_OUTPUT
|
||||
|
||||
build:
|
||||
needs: compute_version
|
||||
if: always() && (needs.compute_version.result == 'success' || needs.compute_version.result == 'skipped')
|
||||
runs-on: ${{ matrix.os }}
|
||||
permissions:
|
||||
packages: write
|
||||
contents: read
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
platform: [linux/amd64, linux/arm64]
|
||||
image: [backend, web]
|
||||
variant: [cpu, cuda, cuda126]
|
||||
exclude:
|
||||
- image: web
|
||||
variant: cuda
|
||||
- image: web
|
||||
variant: cuda126
|
||||
include:
|
||||
- platform: linux/amd64
|
||||
suffix: amd64
|
||||
os: ubuntu-latest
|
||||
- platform: linux/arm64
|
||||
suffix: arm64
|
||||
os: ubuntu-24.04-arm
|
||||
- image: backend
|
||||
name: surfsense-backend
|
||||
context: ./surfsense_backend
|
||||
file: ./surfsense_backend/Dockerfile
|
||||
target: production
|
||||
- image: web
|
||||
name: surfsense-web
|
||||
context: ./surfsense_web
|
||||
file: ./surfsense_web/Dockerfile
|
||||
target: runner
|
||||
- variant: cpu
|
||||
tag_suffix: ""
|
||||
use_cuda: "false"
|
||||
cuda_extra: cpu
|
||||
- variant: cuda
|
||||
tag_suffix: "-cuda"
|
||||
use_cuda: "true"
|
||||
cuda_extra: cu128
|
||||
- variant: cuda126
|
||||
tag_suffix: "-cuda126"
|
||||
use_cuda: "true"
|
||||
cuda_extra: cu126
|
||||
env:
|
||||
REGISTRY_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ matrix.name }}
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v6
|
||||
|
||||
- name: Set lowercase image name
|
||||
id: image
|
||||
run: echo "name=${REGISTRY_IMAGE,,}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Docker meta
|
||||
id: meta
|
||||
uses: docker/metadata-action@v6
|
||||
with:
|
||||
images: ${{ steps.image.outputs.name }}
|
||||
|
||||
- name: Login to GitHub Container Registry
|
||||
uses: docker/login-action@v4
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v4
|
||||
|
||||
- name: Free up disk space
|
||||
run: |
|
||||
sudo rm -rf /usr/share/dotnet
|
||||
sudo rm -rf /opt/ghc
|
||||
sudo rm -rf /usr/local/share/boost
|
||||
sudo rm -rf "$AGENT_TOOLSDIRECTORY" || true
|
||||
docker system prune -af
|
||||
|
||||
- name: Build and push by digest ${{ matrix.name }} (${{ matrix.variant }}, ${{ matrix.suffix }})
|
||||
id: build
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
context: ${{ matrix.context }}
|
||||
file: ${{ matrix.file }}
|
||||
target: ${{ matrix.target }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
tags: ${{ steps.image.outputs.name }}
|
||||
outputs: type=image,push-by-digest=true,name-canonical=true,push=true
|
||||
platforms: ${{ matrix.platform }}
|
||||
cache-from: type=registry,ref=${{ steps.image.outputs.name }}:buildcache-${{ matrix.variant }}-${{ matrix.suffix }}
|
||||
cache-to: type=registry,ref=${{ steps.image.outputs.name }}:buildcache-${{ matrix.variant }}-${{ matrix.suffix }},mode=max,image-manifest=true,oci-mediatypes=true
|
||||
secrets: |
|
||||
HF_TOKEN=${{ secrets.HF_TOKEN }}
|
||||
provenance: false
|
||||
build-args: |
|
||||
${{ matrix.image == 'backend' && format('USE_CUDA={0}', matrix.use_cuda) || '' }}
|
||||
${{ matrix.image == 'backend' && format('CUDA_EXTRA={0}', matrix.cuda_extra) || '' }}
|
||||
|
||||
- name: Export digest
|
||||
run: |
|
||||
mkdir -p /tmp/digests
|
||||
digest="${{ steps.build.outputs.digest }}"
|
||||
touch "/tmp/digests/${digest#sha256:}"
|
||||
|
||||
- name: Upload digest
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: digests-${{ matrix.image }}-${{ matrix.variant }}-${{ matrix.suffix }}
|
||||
path: /tmp/digests/*
|
||||
if-no-files-found: error
|
||||
retention-days: 1
|
||||
|
||||
# Release gate: require both arches for every variant, else block publishing.
|
||||
# Release-only; skipped on dev so the tolerant create_manifest path is kept.
|
||||
verify_digests:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [compute_version, build]
|
||||
if: ${{ always() && needs.compute_version.result == 'success' && needs.compute_version.outputs.new_tag != '' }}
|
||||
steps:
|
||||
- name: Download all digests
|
||||
uses: actions/download-artifact@v8
|
||||
with:
|
||||
pattern: digests-*
|
||||
path: /tmp/digests
|
||||
merge-multiple: false
|
||||
|
||||
- name: Require both arches for every required variant
|
||||
run: |
|
||||
fail=0
|
||||
check() {
|
||||
c=$(find /tmp/digests -type f -path "*/digests-$1-*/*" 2>/dev/null | wc -l | tr -d ' ')
|
||||
if [ "$c" -lt 2 ]; then
|
||||
echo "::error::$1 has $c/2 arch digests — blocking release"
|
||||
fail=1
|
||||
else
|
||||
echo "OK: $1 ($c/2)"
|
||||
fi
|
||||
}
|
||||
check backend-cpu
|
||||
check backend-cuda
|
||||
check backend-cuda126
|
||||
check web-cpu
|
||||
[ "$fail" -eq 0 ] || exit 1
|
||||
|
||||
create_manifest:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [compute_version, build, verify_digests]
|
||||
if: ${{ !cancelled() && needs.verify_digests.result != 'failure' }}
|
||||
permissions:
|
||||
packages: write
|
||||
contents: read
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
include:
|
||||
- name: surfsense-backend
|
||||
image: backend
|
||||
variant: cpu
|
||||
tag_suffix: ""
|
||||
- name: surfsense-backend
|
||||
image: backend
|
||||
variant: cuda
|
||||
tag_suffix: "-cuda"
|
||||
- name: surfsense-backend
|
||||
image: backend
|
||||
variant: cuda126
|
||||
tag_suffix: "-cuda126"
|
||||
- name: surfsense-web
|
||||
image: web
|
||||
variant: cpu
|
||||
tag_suffix: ""
|
||||
env:
|
||||
REGISTRY_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ matrix.name }}
|
||||
|
||||
steps:
|
||||
- name: Set lowercase image name
|
||||
id: image
|
||||
run: echo "name=${REGISTRY_IMAGE,,}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Download digests
|
||||
id: download
|
||||
uses: actions/download-artifact@v8
|
||||
with:
|
||||
pattern: digests-${{ matrix.image }}-${{ matrix.variant }}-*
|
||||
path: /tmp/digests
|
||||
merge-multiple: true
|
||||
continue-on-error: true
|
||||
|
||||
- name: Check digests
|
||||
id: check
|
||||
run: |
|
||||
count=$(find /tmp/digests -type f 2>/dev/null | wc -l | tr -d ' ')
|
||||
echo "digest_count=$count" >> $GITHUB_OUTPUT
|
||||
if [ "$count" -lt 2 ]; then
|
||||
echo "::warning::${{ matrix.variant }}: $count/2 digests, skipping merge"
|
||||
echo "skip=true" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "skip=false" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
if: steps.check.outputs.skip != 'true'
|
||||
uses: docker/setup-buildx-action@v4
|
||||
|
||||
- name: Login to GitHub Container Registry
|
||||
if: steps.check.outputs.skip != 'true'
|
||||
uses: docker/login-action@v4
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Compute app version
|
||||
if: steps.check.outputs.skip != 'true'
|
||||
id: appver
|
||||
run: |
|
||||
VERSION_TAG="${{ needs.compute_version.outputs.new_tag }}"
|
||||
if [ -n "$VERSION_TAG" ]; then
|
||||
APP_VERSION=$(echo "$VERSION_TAG" | rev | cut -d. -f2- | rev)
|
||||
else
|
||||
APP_VERSION=""
|
||||
fi
|
||||
echo "app_version=$APP_VERSION" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Docker meta
|
||||
if: steps.check.outputs.skip != 'true'
|
||||
id: meta
|
||||
uses: docker/metadata-action@v6
|
||||
with:
|
||||
images: ${{ steps.image.outputs.name }}
|
||||
tags: |
|
||||
type=raw,value=${{ needs.compute_version.outputs.new_tag }},enable=${{ needs.compute_version.outputs.new_tag != '' }}
|
||||
type=raw,value=${{ steps.appver.outputs.app_version }},enable=${{ needs.compute_version.outputs.new_tag != '' && needs.compute_version.outputs.is_release_tag != 'true' && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || github.event.inputs.branch == github.event.repository.default_branch) }}
|
||||
type=ref,event=branch
|
||||
type=sha,prefix=git-
|
||||
flavor: |
|
||||
latest=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || github.event.inputs.branch == github.event.repository.default_branch || startsWith(github.ref, 'refs/tags/v') }}
|
||||
${{ matrix.tag_suffix != '' && format('suffix={0},onlatest=true', matrix.tag_suffix) || '' }}
|
||||
|
||||
- name: Create manifest list and push
|
||||
if: steps.check.outputs.skip != 'true'
|
||||
working-directory: /tmp/digests
|
||||
run: |
|
||||
docker buildx imagetools create \
|
||||
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
|
||||
$(printf '${{ steps.image.outputs.name }}@sha256:%s ' *)
|
||||
- name: Inspect image
|
||||
if: steps.check.outputs.skip != 'true'
|
||||
run: |
|
||||
docker buildx imagetools inspect ${{ steps.image.outputs.name }}:${{ steps.meta.outputs.version }}
|
||||
|
||||
- name: Summary
|
||||
if: steps.check.outputs.skip != 'true'
|
||||
run: |
|
||||
echo "Multi-arch manifest created for ${{ matrix.name }}!"
|
||||
echo "Tags: $(jq -cr '.tags | join(", ")' <<< "$DOCKER_METADATA_OUTPUT_JSON")"
|
||||
|
||||
# Push the git tag only after build, gate, and manifest publish all succeed.
|
||||
finalize_release:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [compute_version, create_manifest]
|
||||
if: ${{ success() && needs.compute_version.outputs.new_tag != '' && needs.compute_version.outputs.is_release_tag != 'true' }}
|
||||
permissions:
|
||||
contents: write
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ github.event.inputs.branch }}
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Create and push git tag
|
||||
run: |
|
||||
git config --global user.name 'github-actions[bot]'
|
||||
git config --global user.email 'github-actions[bot]@users.noreply.github.com'
|
||||
|
||||
NEXT_TAG="${{ needs.compute_version.outputs.new_tag }}"
|
||||
COMMIT_SHA="${{ needs.compute_version.outputs.commit_sha }}"
|
||||
echo "Tagging commit $COMMIT_SHA with $NEXT_TAG"
|
||||
|
||||
git tag -a "$NEXT_TAG" "$COMMIT_SHA" -m "Docker build $NEXT_TAG"
|
||||
echo "Pushing tag $NEXT_TAG to origin"
|
||||
git push origin "$NEXT_TAG"
|
||||
|
||||
- name: Verify tag push
|
||||
run: |
|
||||
echo "Checking if tag ${{ needs.compute_version.outputs.new_tag }} exists remotely..."
|
||||
sleep 5
|
||||
git ls-remote --tags origin | grep "refs/tags/${{ needs.compute_version.outputs.new_tag }}" || (echo "Tag push verification failed!" && exit 1)
|
||||
echo "Tag successfully pushed."
|
||||
@@ -0,0 +1,175 @@
|
||||
name: E2E Tests
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: [main, dev]
|
||||
types: [opened, synchronize, reopened, ready_for_review]
|
||||
paths:
|
||||
- 'surfsense_web/**'
|
||||
- 'surfsense_backend/**'
|
||||
- 'docker/docker-compose.e2e.yml'
|
||||
- '.github/workflows/e2e-tests.yml'
|
||||
workflow_dispatch:
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
e2e:
|
||||
name: Journey
|
||||
runs-on: ubuntu-latest
|
||||
if: github.event.pull_request.draft == false
|
||||
timeout-minutes: 30
|
||||
|
||||
env:
|
||||
# Test user that the backend creates via /auth/register before Playwright runs.
|
||||
PLAYWRIGHT_TEST_EMAIL: e2e-test@surfsense.net
|
||||
PLAYWRIGHT_TEST_PASSWORD: E2eTestPassword123!
|
||||
# Frontend env: Playwright's webServer (surfsense_web/playwright.config.ts)
|
||||
# spawns `pnpm build && pnpm start` in CI.
|
||||
NEXT_PUBLIC_FASTAPI_BACKEND_URL: http://localhost:8000
|
||||
SURFSENSE_BACKEND_INTERNAL_URL: http://localhost:8000
|
||||
AUTH_TYPE: LOCAL
|
||||
# Shared secret for the test-only POST /__e2e__/auth/token endpoint.
|
||||
# Must match docker-compose.e2e.yml's backend env (x-backend-env).
|
||||
E2E_MINT_SECRET: e2e-mint-secret-not-for-production
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v4
|
||||
|
||||
# ─── Backend stack ─────────────────────────────────────────────────
|
||||
# Builds the e2e image (multi-stage, deps cached via GHA), brings up
|
||||
# db + redis + backend + celery_worker, blocks until every healthcheck
|
||||
# is green. No `uv` invocation on the runner; no PID files; no curl
|
||||
# polling loops; readiness is gated by Docker healthchecks.
|
||||
- name: Build & start backend stack
|
||||
run: |
|
||||
docker compose -f docker/docker-compose.e2e.yml \
|
||||
up -d --build --wait --wait-timeout 300
|
||||
|
||||
- name: Show backend stack status
|
||||
if: always()
|
||||
run: docker compose -f docker/docker-compose.e2e.yml ps
|
||||
|
||||
- name: Register E2E test user
|
||||
run: |
|
||||
# 200/201 = created, 400 = already exists (idempotent across reruns).
|
||||
STATUS=$(curl -s -o /tmp/register.json -w "%{http_code}" \
|
||||
-X POST http://localhost:8000/auth/register \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{\"email\":\"${PLAYWRIGHT_TEST_EMAIL}\",\"password\":\"${PLAYWRIGHT_TEST_PASSWORD}\"}")
|
||||
echo "Register status: ${STATUS}"
|
||||
cat /tmp/register.json
|
||||
if [ "${STATUS}" != "200" ] && [ "${STATUS}" != "201" ] && [ "${STATUS}" != "400" ]; then
|
||||
echo "::error::Failed to register test user (status ${STATUS})"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Flush auth rate-limit counters so Playwright starts clean.
|
||||
docker compose -f docker/docker-compose.e2e.yml exec -T redis \
|
||||
sh -c "redis-cli --scan --pattern 'surfsense:auth_rate_limit:*' \
|
||||
| xargs -r redis-cli DEL" || true
|
||||
|
||||
# ─── Frontend (host-side) ──────────────────────────────────────────
|
||||
# Playwright's webServer block in playwright.config.ts spawns
|
||||
# `pnpm build && pnpm start` in CI mode and waits for :3000.
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version: '20'
|
||||
|
||||
- uses: pnpm/action-setup@v6
|
||||
|
||||
- name: Get pnpm store directory
|
||||
id: pnpm-cache
|
||||
shell: bash
|
||||
run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Cache pnpm store
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
|
||||
key: pnpm-${{ runner.os }}-${{ hashFiles('surfsense_web/pnpm-lock.yaml') }}
|
||||
restore-keys: pnpm-${{ runner.os }}-
|
||||
|
||||
- name: Install web dependencies
|
||||
working-directory: surfsense_web
|
||||
run: pnpm install --frozen-lockfile
|
||||
|
||||
- name: Cache Playwright browsers
|
||||
id: playwright-cache
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: ~/.cache/ms-playwright
|
||||
key: playwright-${{ runner.os }}-${{ hashFiles('surfsense_web/pnpm-lock.yaml') }}
|
||||
|
||||
- name: Install Playwright browsers
|
||||
if: steps.playwright-cache.outputs.cache-hit != 'true'
|
||||
working-directory: surfsense_web
|
||||
run: pnpm exec playwright install --with-deps chromium
|
||||
|
||||
- name: Install Playwright system deps (cache hit)
|
||||
if: steps.playwright-cache.outputs.cache-hit == 'true'
|
||||
working-directory: surfsense_web
|
||||
run: pnpm exec playwright install-deps chromium
|
||||
|
||||
- name: Cache Next.js build
|
||||
uses: actions/cache@v5
|
||||
with:
|
||||
path: surfsense_web/.next/cache
|
||||
key: nextjs-${{ runner.os }}-${{ hashFiles('surfsense_web/pnpm-lock.yaml') }}-${{ github.sha }}
|
||||
restore-keys: |
|
||||
nextjs-${{ runner.os }}-${{ hashFiles('surfsense_web/pnpm-lock.yaml') }}-
|
||||
nextjs-${{ runner.os }}-
|
||||
|
||||
# ─── Tests ─────────────────────────────────────────────────────────
|
||||
- name: Run Playwright tests
|
||||
working-directory: surfsense_web
|
||||
run: pnpm test:e2e:prod
|
||||
|
||||
# ─── Failure diagnostics ───────────────────────────────────────────
|
||||
- name: Dump backend stack logs on failure
|
||||
if: ${{ failure() || cancelled() }}
|
||||
run: |
|
||||
mkdir -p ./compose-logs
|
||||
docker compose -f docker/docker-compose.e2e.yml logs --no-color --timestamps \
|
||||
> ./compose-logs/all-services.log 2>&1 || true
|
||||
for svc in db redis backend celery_worker; do
|
||||
docker compose -f docker/docker-compose.e2e.yml logs --no-color --timestamps "$svc" \
|
||||
> "./compose-logs/${svc}.log" 2>&1 || true
|
||||
done
|
||||
docker compose -f docker/docker-compose.e2e.yml ps \
|
||||
> ./compose-logs/ps.txt 2>&1 || true
|
||||
|
||||
# ─── Artifacts ─────────────────────────────────────────────────────
|
||||
- name: Upload Playwright HTML report
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: playwright-report
|
||||
path: surfsense_web/playwright-report/
|
||||
retention-days: 14
|
||||
|
||||
- name: Upload Playwright traces
|
||||
if: failure()
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: playwright-traces
|
||||
path: surfsense_web/test-results/
|
||||
retention-days: 14
|
||||
|
||||
- name: Upload backend stack logs
|
||||
if: ${{ failure() || cancelled() }}
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: backend-stack-logs
|
||||
path: ./compose-logs/
|
||||
retention-days: 7
|
||||
|
||||
# ─── Teardown ──────────────────────────────────────────────────────
|
||||
- name: Tear down backend stack
|
||||
if: always()
|
||||
run: docker compose -f docker/docker-compose.e2e.yml down -v --remove-orphans
|
||||
@@ -0,0 +1,60 @@
|
||||
name: Notary status check
|
||||
|
||||
# One-off diagnostic workflow. Queries Apple's notary service to see if your
|
||||
# submissions are queued, in progress, accepted, or rejected. Useful when a
|
||||
# notarization seems "hung" — most often the queue itself, especially on a
|
||||
# brand-new Apple Developer account.
|
||||
#
|
||||
# Run via: Actions tab -> "Notary status check" -> Run workflow.
|
||||
# Inputs are optional; if you provide a submission ID, it also fetches that
|
||||
# submission's full Apple log.
|
||||
#
|
||||
# Safe to delete after diagnosis.
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
submission_id:
|
||||
description: 'Optional: submission UUID to fetch full Apple log for'
|
||||
required: false
|
||||
default: ''
|
||||
|
||||
jobs:
|
||||
status:
|
||||
runs-on: macos-latest
|
||||
steps:
|
||||
- name: List recent notarization submissions
|
||||
env:
|
||||
APPLE_ID: ${{ secrets.APPLE_ID }}
|
||||
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "::group::Submission history (most recent first)"
|
||||
xcrun notarytool history \
|
||||
--apple-id "$APPLE_ID" \
|
||||
--password "$APPLE_APP_SPECIFIC_PASSWORD" \
|
||||
--team-id "$APPLE_TEAM_ID"
|
||||
echo "::endgroup::"
|
||||
|
||||
- name: Inspect specific submission (if id provided)
|
||||
if: ${{ inputs.submission_id != '' }}
|
||||
env:
|
||||
APPLE_ID: ${{ secrets.APPLE_ID }}
|
||||
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
SUBMISSION_ID: ${{ inputs.submission_id }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
echo "::group::Submission info"
|
||||
xcrun notarytool info "$SUBMISSION_ID" \
|
||||
--apple-id "$APPLE_ID" \
|
||||
--password "$APPLE_APP_SPECIFIC_PASSWORD" \
|
||||
--team-id "$APPLE_TEAM_ID"
|
||||
echo "::endgroup::"
|
||||
echo "::group::Apple's processing log for this submission"
|
||||
xcrun notarytool log "$SUBMISSION_ID" \
|
||||
--apple-id "$APPLE_ID" \
|
||||
--password "$APPLE_APP_SPECIFIC_PASSWORD" \
|
||||
--team-id "$APPLE_TEAM_ID" || true
|
||||
echo "::endgroup::"
|
||||
@@ -0,0 +1,39 @@
|
||||
name: Obsidian Plugin Lint
|
||||
|
||||
# Lints + type-checks + builds the Obsidian plugin on every push/PR that
|
||||
# touches its sources. The official obsidian-sample-plugin template ships
|
||||
# its own ESLint+esbuild setup; we run that here instead of folding the
|
||||
# plugin into the monorepo's Biome-based code-quality.yml so the tooling
|
||||
# stays aligned with what `obsidianmd/eslint-plugin-obsidianmd` checks
|
||||
# against.
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: ["**"]
|
||||
paths:
|
||||
- "surfsense_obsidian/**"
|
||||
- ".github/workflows/obsidian-plugin-lint.yml"
|
||||
pull_request:
|
||||
branches: ["**"]
|
||||
paths:
|
||||
- "surfsense_obsidian/**"
|
||||
- ".github/workflows/obsidian-plugin-lint.yml"
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
runs-on: ubuntu-latest
|
||||
defaults:
|
||||
run:
|
||||
working-directory: surfsense_obsidian
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version: 22.x
|
||||
cache: npm
|
||||
cache-dependency-path: surfsense_obsidian/package-lock.json
|
||||
|
||||
- run: npm ci
|
||||
- run: npm run lint
|
||||
- run: npm run build
|
||||
@@ -0,0 +1,119 @@
|
||||
name: Release Obsidian Plugin
|
||||
|
||||
# Tag format: `obsidian-v<version>` and `<version>` must match `surfsense_obsidian/manifest.json` exactly.
|
||||
on:
|
||||
push:
|
||||
tags:
|
||||
- "obsidian-v*"
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
publish:
|
||||
description: "Publish to GitHub Releases"
|
||||
required: true
|
||||
type: choice
|
||||
options:
|
||||
- never
|
||||
- always
|
||||
default: "never"
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
build-and-release:
|
||||
runs-on: ubuntu-latest
|
||||
defaults:
|
||||
run:
|
||||
working-directory: surfsense_obsidian
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
# Need write access for the manifest/versions.json mirror commit
|
||||
# back to main further down.
|
||||
fetch-depth: 0
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version: 22.x
|
||||
cache: npm
|
||||
cache-dependency-path: surfsense_obsidian/package-lock.json
|
||||
|
||||
- name: Resolve plugin version
|
||||
id: version
|
||||
run: |
|
||||
manifest_version=$(node -p "require('./manifest.json').version")
|
||||
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
|
||||
# Manual runs derive the release version from manifest.json.
|
||||
version="$manifest_version"
|
||||
tag="obsidian-v$version"
|
||||
else
|
||||
tag="${GITHUB_REF_NAME}"
|
||||
if [ -z "$tag" ] || [[ "$tag" != obsidian-v* ]]; then
|
||||
echo "::error::Invalid tag '$tag'. Expected format: obsidian-v<version>"
|
||||
exit 1
|
||||
fi
|
||||
version="${tag#obsidian-v}"
|
||||
if [ "$version" != "$manifest_version" ]; then
|
||||
echo "::error::Tag version '$version' does not match manifest version '$manifest_version'"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
echo "tag=$tag" >> "$GITHUB_OUTPUT"
|
||||
echo "version=$version" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Resolve publish mode
|
||||
id: release_mode
|
||||
run: |
|
||||
if [ "${{ github.event_name }}" = "push" ] || [ "${{ inputs.publish }}" = "always" ]; then
|
||||
echo "should_publish=true" >> "$GITHUB_OUTPUT"
|
||||
else
|
||||
echo "should_publish=false" >> "$GITHUB_OUTPUT"
|
||||
fi
|
||||
|
||||
- run: npm ci
|
||||
|
||||
- run: npm run lint
|
||||
|
||||
- run: npm run build
|
||||
|
||||
- name: Verify build artifacts
|
||||
run: |
|
||||
for f in main.js manifest.json styles.css; do
|
||||
test -f "$f" || (echo "::error::Missing release artifact: $f" && exit 1)
|
||||
done
|
||||
|
||||
- name: Mirror manifest.json + versions.json to repo root
|
||||
if: steps.release_mode.outputs.should_publish == 'true'
|
||||
working-directory: ${{ github.workspace }}
|
||||
run: |
|
||||
cp surfsense_obsidian/manifest.json manifest.json
|
||||
cp surfsense_obsidian/versions.json versions.json
|
||||
if git diff --quiet manifest.json versions.json; then
|
||||
echo "Root manifest/versions already up to date."
|
||||
exit 0
|
||||
fi
|
||||
git config user.name "github-actions[bot]"
|
||||
git config user.email "github-actions[bot]@users.noreply.github.com"
|
||||
git add manifest.json versions.json
|
||||
git commit -m "chore(obsidian-plugin): mirror manifest+versions for ${{ steps.version.outputs.tag }}"
|
||||
# Push to the default branch so Obsidian can fetch raw files from HEAD.
|
||||
if ! git push origin HEAD:${{ github.event.repository.default_branch }}; then
|
||||
echo "::warning::Failed to push mirrored manifest/versions to default branch (likely branch protection). Continuing release."
|
||||
fi
|
||||
|
||||
# Publish release under bare `manifest.json` version (no `obsidian-v` prefix) for BRAT/store compatibility.
|
||||
# `make_latest: "false"` keeps the desktop app's `v*` release headlined since Obsidian and BRAT resolve plugins via getReleaseByTag, not the latest flag.
|
||||
- name: Create GitHub release
|
||||
if: steps.release_mode.outputs.should_publish == 'true'
|
||||
uses: softprops/action-gh-release@v3
|
||||
with:
|
||||
tag_name: ${{ steps.version.outputs.version }}
|
||||
name: SurfSense Obsidian Plugin ${{ steps.version.outputs.version }}
|
||||
generate_release_notes: true
|
||||
make_latest: "false"
|
||||
files: |
|
||||
surfsense_obsidian/main.js
|
||||
surfsense_obsidian/manifest.json
|
||||
surfsense_obsidian/styles.css
|
||||
Reference in New Issue
Block a user