name: Release on: push: tags: - "v*" permissions: contents: write env: CNB_REPOSITORY: "dbxio.com/dbx" CNB_USERNAME: "cnb" CNB_REGISTRY: "docker.cnb.cool" jobs: bump-jdbc-plugin-version: runs-on: ubuntu-latest outputs: changed: ${{ steps.bump.outputs.changed }} old_version: ${{ steps.bump.outputs.old_version }} new_version: ${{ steps.bump.outputs.new_version }} prev_tag: ${{ steps.prev-tag.outputs.prev_tag }} steps: - uses: actions/checkout@v5 with: fetch-depth: 0 - name: Find previous release tag id: prev-tag shell: bash run: | PREV_TAG=$(git tag --sort=-creatordate | grep '^v' | sed -n '2p') if [ -z "$PREV_TAG" ]; then PREV_TAG=$(git rev-list --max-parents=0 HEAD) fi echo "prev_tag=${PREV_TAG}" >> "$GITHUB_OUTPUT" echo "Comparing ${PREV_TAG}..HEAD" - name: Detect JDBC plugin changes and bump version id: bump shell: bash run: | BUMP_OUTPUT="$(node .github/scripts/bump-jdbc-plugin-version.mjs "${{ steps.prev-tag.outputs.prev_tag }}" HEAD --write)" echo "$BUMP_OUTPUT" echo "$BUMP_OUTPUT" >> "$GITHUB_OUTPUT" - name: Commit JDBC plugin version bump if: steps.bump.outputs.changed == 'true' shell: bash run: | TMP_DIR="$(mktemp -d)" cp plugins/jdbc/pom.xml "$TMP_DIR/pom.xml" cp plugins/jdbc/manifest.json "$TMP_DIR/manifest.json" git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" git fetch origin main git switch -C jdbc-plugin-version-bump origin/main cp "$TMP_DIR/pom.xml" plugins/jdbc/pom.xml cp "$TMP_DIR/manifest.json" plugins/jdbc/manifest.json git add plugins/jdbc/pom.xml plugins/jdbc/manifest.json if git diff --cached --quiet; then echo "JDBC plugin version ${{ steps.bump.outputs.new_version }} is already on main." exit 0 fi git commit -m "chore(jdbc): bump plugin version [skip ci]" git push origin HEAD:main build: strategy: fail-fast: false matrix: include: - platform: macos-latest target: aarch64-apple-darwin - platform: macos-15-intel target: x86_64-apple-darwin - platform: ubuntu-22.04 target: x86_64-unknown-linux-gnu - platform: ubuntu-22.04-arm target: aarch64-unknown-linux-gnu - platform: windows-2022 target: x86_64-pc-windows-msvc arch: x64 - platform: windows-2022 target: aarch64-pc-windows-msvc arch: arm64 runs-on: ${{ matrix.platform }} steps: - uses: actions/checkout@v5 - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: 22 - name: Setup pnpm uses: pnpm/action-setup@v6 - name: Install frontend dependencies run: pnpm install - name: Setup Rust uses: dtolnay/rust-toolchain@stable with: targets: ${{ matrix.target }} - name: Compute Rust dependency hash id: deps-hash shell: bash run: | { find . -name Cargo.toml -not -path './target/*' -print0 \ | sort -z \ | xargs -0 sed -E '/^version = /d' grep -v '^version = ' Cargo.lock } | sha256sum | cut -d' ' -f1 | { read -r hash echo "hash=${hash:0:20}" >> "$GITHUB_OUTPUT" } - name: Rust cache uses: swatinem/rust-cache@v2 with: workspaces: "./ -> target" shared-key: release-${{ matrix.target }}-${{ steps.deps-hash.outputs.hash }} add-rust-environment-hash-key: false cache-on-failure: true - name: Install Apple certificate (macOS) if: startsWith(matrix.platform, 'macos') env: APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} run: | CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12 KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db echo -n "$APPLE_CERTIFICATE" | base64 --decode -o $CERTIFICATE_PATH security create-keychain -p "" $KEYCHAIN_PATH security set-keychain-settings -lut 21600 $KEYCHAIN_PATH security unlock-keychain -p "" $KEYCHAIN_PATH security import $CERTIFICATE_PATH -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH security set-key-partition-list -S apple-tool:,apple: -k "" $KEYCHAIN_PATH security list-keychains -d user -s $KEYCHAIN_PATH login.keychain-db - name: Install system dependencies (Linux) if: startsWith(matrix.platform, 'ubuntu') run: | sudo apt-get update sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libappindicator3-dev librsvg2-dev patchelf libssl-dev xdg-utils - name: Setup Tauri signing key shell: bash run: | echo "${{ secrets.TAURI_SIGNING_PRIVATE_KEY_BASE64 }}" | base64 --decode > "$RUNNER_TEMP/updater.key" KEY_B64=$(base64 < "$RUNNER_TEMP/updater.key" | tr -d '\r\n') echo "TAURI_SIGNING_PRIVATE_KEY=$KEY_B64" >> "$GITHUB_ENV" if [ -n "${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}" ]; then echo "TAURI_SIGNING_PRIVATE_KEY_PASSWORD=${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}" >> "$GITHUB_ENV" fi - name: Generate release notes id: release-notes shell: bash env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | BODY="$(gh api "repos/${GITHUB_REPOSITORY}/releases/generate-notes" \ -f tag_name="${GITHUB_REF_NAME}" \ --jq '.body')" if [ -z "$BODY" ]; then BODY="DBX ${GITHUB_REF_NAME}" fi DELIM="RELEASE_NOTES_$(date +%s%N)" { echo "body<<$DELIM" printf '%s\n' "$BODY" echo "$DELIM" } >> "$GITHUB_OUTPUT" - name: Build Tauri app uses: tauri-apps/tauri-action@v0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} APPLE_SIGNING_IDENTITY: ${{ startsWith(matrix.platform, 'macos') && secrets.APPLE_SIGNING_IDENTITY || '' }} APPLE_ID: ${{ startsWith(matrix.platform, 'macos') && secrets.APPLE_ID || '' }} APPLE_PASSWORD: ${{ startsWith(matrix.platform, 'macos') && secrets.APPLE_PASSWORD || '' }} APPLE_TEAM_ID: ${{ startsWith(matrix.platform, 'macos') && secrets.APPLE_TEAM_ID || '' }} with: tagName: ${{ github.ref_name }} releaseName: "DBX ${{ github.ref_name }}" releaseBody: ${{ steps.release-notes.outputs.body }} releaseDraft: true prerelease: false args: --target ${{ matrix.target }} - name: Upload Windows portable ZIP if: matrix.arch == 'x64' || matrix.arch == 'arm64' shell: pwsh env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | $version = "${env:GITHUB_REF_NAME}".TrimStart("v") $arch = "${{ matrix.arch }}" $portableRoot = "portable" $portableDir = Join-Path $portableRoot "DBX_${version}_${arch}" $zipName = "DBX_${version}_${arch}-portable.zip" $exePath = "target/${{ matrix.target }}/release/dbx.exe" if (!(Test-Path $exePath)) { Write-Error "Missing Windows executable: $exePath" exit 1 } New-Item -ItemType Directory -Force -Path $portableDir | Out-Null Copy-Item $exePath (Join-Path $portableDir "DBX.exe") -Force Copy-Item "LICENSE" (Join-Path $portableDir "LICENSE") -Force Copy-Item "README.md" (Join-Path $portableDir "README.md") -Force Set-Content -Path (Join-Path $portableDir "portable.dbx") -Value "" -NoNewline Compress-Archive -Path (Join-Path $portableDir "*") -DestinationPath $zipName -Force gh release upload "${env:GITHUB_REF_NAME}" $zipName --repo "${env:GITHUB_REPOSITORY}" --clobber - name: Upload Windows WebView2 offline installer if: matrix.arch == 'x64' || matrix.arch == 'arm64' shell: pwsh env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | $version = "${env:GITHUB_REF_NAME}".TrimStart("v") $arch = "${{ matrix.arch }}" $bundleDir = "target/${{ matrix.target }}/release/bundle/nsis" $offlineName = "DBX_${version}_${arch}-webview2-offline-setup.exe" $before = @{} if (Test-Path $bundleDir) { Get-ChildItem $bundleDir -Filter "*.exe" | ForEach-Object { $before[$_.FullName] = $_.LastWriteTimeUtc } } pnpm tauri bundle --bundles nsis --target ${{ matrix.target }} --config src-tauri/tauri.webview2-offline.conf.json $installer = Get-ChildItem $bundleDir -Filter "*.exe" | Where-Object { !$before.ContainsKey($_.FullName) -or $_.LastWriteTimeUtc -gt $before[$_.FullName] } | Sort-Object LastWriteTimeUtc -Descending | Select-Object -First 1 if (!$installer) { Write-Error "Missing WebView2 offline installer in ${bundleDir}" exit 1 } Copy-Item $installer.FullName $offlineName -Force gh release upload "${env:GITHUB_REF_NAME}" $offlineName --repo "${env:GITHUB_REPOSITORY}" --clobber cleanup-release-signatures: needs: build runs-on: ubuntu-latest steps: - name: Remove standalone updater signature assets env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} shell: bash run: | mapfile -t SIG_ASSETS < <( gh release view "${GITHUB_REF_NAME}" \ --repo "${GITHUB_REPOSITORY}" \ --json assets \ --jq '.assets[].name | select(endswith(".sig"))' ) if [ "${#SIG_ASSETS[@]}" -eq 0 ]; then echo "No standalone .sig release assets found." exit 0 fi for ASSET in "${SIG_ASSETS[@]}"; do echo "Deleting release asset: ${ASSET}" gh release delete-asset "${GITHUB_REF_NAME}" "${ASSET}" \ --repo "${GITHUB_REPOSITORY}" \ --yes done jdbc-plugin: needs: [cleanup-release-signatures, bump-jdbc-plugin-version] runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 with: fetch-depth: 0 - name: Setup Java uses: actions/setup-java@v5 with: distribution: temurin java-version: "17" cache: maven - name: Apply automatic JDBC plugin version bump shell: bash run: node .github/scripts/bump-jdbc-plugin-version.mjs "${{ needs.bump-jdbc-plugin-version.outputs.prev_tag }}" HEAD --write - name: Read JDBC plugin version id: jdbc-plugin shell: bash run: | VERSION="$(grep -m1 '' plugins/jdbc/pom.xml | sed -E 's/.*([^<]+)<.*/\1/')" echo "version=${VERSION}" >> "$GITHUB_OUTPUT" - name: Package JDBC plugin run: ./plugins/jdbc/package.sh - name: Upload JDBC plugin asset env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | gh release upload "${GITHUB_REF_NAME}" \ "plugins/jdbc/dist/dbx-jdbc-plugin-${{ steps.jdbc-plugin.outputs.version }}.zip" \ "plugins/jdbc/dist/dbx-jdbc-plugin-latest.zip" \ --repo "${GITHUB_REPOSITORY}" \ --clobber - name: Add JDBC plugin metadata to latest.json env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} shell: bash run: | mkdir -p "$RUNNER_TEMP/latest-json" gh release download "${GITHUB_REF_NAME}" \ --repo "${GITHUB_REPOSITORY}" \ --pattern latest.json \ --dir "$RUNNER_TEMP/latest-json" node .github/scripts/augment-latest-json-jdbc-plugin.mjs \ "$RUNNER_TEMP/latest-json/latest.json" \ "${{ steps.jdbc-plugin.outputs.version }}" \ "1" \ "https://github.com/t8y2/dbx/releases/latest/download/dbx-jdbc-plugin-latest.zip" gh release upload "${GITHUB_REF_NAME}" \ "$RUNNER_TEMP/latest-json/latest.json" \ --repo "${GITHUB_REPOSITORY}" \ --clobber publish: needs: [cleanup-release-signatures, docker-manifest, jdbc-plugin] runs-on: ubuntu-latest steps: - name: Publish draft release env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: gh release edit ${{ github.ref_name }} --repo ${{ github.repository }} --draft=false --prerelease sync-release-to-cnb: name: Sync release to CNB needs: publish runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v5 - name: Download GitHub release assets env: TAG_NAME: ${{ github.ref_name }} GITHUB_REPOSITORY: ${{ github.repository }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -euo pipefail mkdir -p "$RUNNER_TEMP/github-release" "$RUNNER_TEMP/release-assets" gh release view "$TAG_NAME" \ --repo "$GITHUB_REPOSITORY" \ --json tagName,name,body,targetCommitish,isPrerelease,isDraft,assets \ > "$RUNNER_TEMP/github-release/release.json" gh release download "$TAG_NAME" \ --repo "$GITHUB_REPOSITORY" \ --dir "$RUNNER_TEMP/release-assets" \ --clobber - name: Sync release assets to CNB env: CNB_TOKEN: ${{ secrets.CNB_TOKEN }} CNB_UPLOAD_CONCURRENCY: "3" run: | node .github/scripts/sync-cnb-release.mjs \ --github-release "$RUNNER_TEMP/github-release/release.json" \ --assets-dir "$RUNNER_TEMP/release-assets" sync-release-to-atomgit: name: Sync release to AtomGit needs: publish runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v5 with: fetch-depth: 0 - name: Ensure AtomGit tag exists env: TAG_NAME: ${{ github.ref_name }} ATOMGIT_TOKEN: ${{ secrets.ATOMGIT_TOKEN }} run: | set -euo pipefail git fetch origin "refs/tags/${TAG_NAME}:refs/tags/${TAG_NAME}" --force git remote add atomgit "https://t8y2:${ATOMGIT_TOKEN}@atomgit.com/t8y2/dbx.git" git push atomgit "refs/tags/${TAG_NAME}:refs/tags/${TAG_NAME}" --force - name: Download GitHub release assets env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} TAG_NAME: ${{ github.ref_name }} GITHUB_REPOSITORY: ${{ github.repository }} run: | set -euo pipefail mkdir -p "$RUNNER_TEMP/github-release" "$RUNNER_TEMP/release-assets" gh release view "$TAG_NAME" \ --repo "$GITHUB_REPOSITORY" \ --json tagName,name,body,targetCommitish,isPrerelease,isDraft,assets \ > "$RUNNER_TEMP/github-release/release.json" gh release download "$TAG_NAME" \ --repo "$GITHUB_REPOSITORY" \ --dir "$RUNNER_TEMP/release-assets" \ --clobber - name: Sync release assets to AtomGit env: ATOMGIT_TOKEN: ${{ secrets.ATOMGIT_TOKEN }} ATOMGIT_REPOSITORY: "t8y2/dbx" # AtomGit throttles concurrent large-asset uploads, which can expire their temporary upload URLs. ATOMGIT_UPLOAD_CONCURRENCY: "1" run: | set -euo pipefail node .github/scripts/sync-atomgit-release.mjs \ --github-release "$RUNNER_TEMP/github-release/release.json" \ --assets-dir "$RUNNER_TEMP/release-assets" docker: runs-on: ubuntu-latest strategy: fail-fast: false matrix: platform: [linux/amd64, linux/arm64] steps: - uses: actions/checkout@v5 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to CNB Registry uses: docker/login-action@v3 with: registry: ${{ env.CNB_REGISTRY }} username: cnb password: ${{ secrets.CNB_TOKEN }} - name: Build and push Docker Hub by digest id: build-dockerhub uses: docker/build-push-action@v6 with: context: . file: deploy/Dockerfile platforms: ${{ matrix.platform }} outputs: type=image,name=${{ secrets.DOCKERHUB_USERNAME }}/dbx,push-by-digest=true,name-canonical=true,push=true cache-from: type=gha,scope=${{ matrix.platform }} cache-to: type=gha,scope=${{ matrix.platform }},mode=max - name: Build and push CNB by digest id: build-cnb uses: docker/build-push-action@v6 with: context: . file: deploy/Dockerfile platforms: ${{ matrix.platform }} outputs: type=image,name=${{ env.CNB_REGISTRY }}/${{ env.CNB_REPOSITORY }},push-by-digest=true,name-canonical=true,push=true cache-from: type=gha,scope=${{ matrix.platform }} - name: Export digests run: | mkdir -p /tmp/digests/dockerhub /tmp/digests/cnb dockerhub_digest="${{ steps.build-dockerhub.outputs.digest }}" cnb_digest="${{ steps.build-cnb.outputs.digest }}" touch "/tmp/digests/dockerhub/${dockerhub_digest#sha256:}" touch "/tmp/digests/cnb/${cnb_digest#sha256:}" - name: Upload Docker Hub digest uses: actions/upload-artifact@v7 with: name: dockerhub-digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }} path: /tmp/digests/dockerhub/* if-no-files-found: error retention-days: 1 - name: Upload CNB digest uses: actions/upload-artifact@v7 with: name: cnb-digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }} path: /tmp/digests/cnb/* if-no-files-found: error retention-days: 1 docker-manifest: needs: docker runs-on: ubuntu-latest steps: - name: Download Docker Hub digests uses: actions/download-artifact@v8 with: path: /tmp/digests/dockerhub pattern: dockerhub-digests-* merge-multiple: true - name: Download CNB digests uses: actions/download-artifact@v8 with: path: /tmp/digests/cnb pattern: cnb-digests-* merge-multiple: true - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to CNB Registry uses: docker/login-action@v3 with: registry: ${{ env.CNB_REGISTRY }} username: cnb password: ${{ secrets.CNB_TOKEN }} - name: Extract version from tag id: version run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT" - name: Create manifest list and push run: | docker buildx imagetools create \ -t ${{ secrets.DOCKERHUB_USERNAME }}/dbx:${{ steps.version.outputs.version }} \ -t ${{ secrets.DOCKERHUB_USERNAME }}/dbx:latest \ $(cd /tmp/digests/dockerhub && printf '${{ secrets.DOCKERHUB_USERNAME }}/dbx@sha256:%s ' *) docker buildx imagetools create \ -t ${{ env.CNB_REGISTRY }}/${{ env.CNB_REPOSITORY }}:${{ steps.version.outputs.version }} \ -t ${{ env.CNB_REGISTRY }}/${{ env.CNB_REPOSITORY }}:latest \ $(cd /tmp/digests/cnb && printf '${{ env.CNB_REGISTRY }}/${{ env.CNB_REPOSITORY }}@sha256:%s ' *)