Files
2026-07-13 13:09:14 +08:00

558 lines
20 KiB
YAML

name: Release
on:
push:
tags:
- "v*"
permissions:
contents: write
env:
CNB_REPOSITORY: "dbxio.com/dbx"
CNB_USERNAME: "cnb"
CNB_REGISTRY: "docker.cnb.cool"
jobs:
bump-jdbc-plugin-version:
runs-on: ubuntu-latest
outputs:
changed: ${{ steps.bump.outputs.changed }}
old_version: ${{ steps.bump.outputs.old_version }}
new_version: ${{ steps.bump.outputs.new_version }}
prev_tag: ${{ steps.prev-tag.outputs.prev_tag }}
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Find previous release tag
id: prev-tag
shell: bash
run: |
PREV_TAG=$(git tag --sort=-creatordate | grep '^v' | sed -n '2p')
if [ -z "$PREV_TAG" ]; then
PREV_TAG=$(git rev-list --max-parents=0 HEAD)
fi
echo "prev_tag=${PREV_TAG}" >> "$GITHUB_OUTPUT"
echo "Comparing ${PREV_TAG}..HEAD"
- name: Detect JDBC plugin changes and bump version
id: bump
shell: bash
run: |
BUMP_OUTPUT="$(node .github/scripts/bump-jdbc-plugin-version.mjs "${{ steps.prev-tag.outputs.prev_tag }}" HEAD --write)"
echo "$BUMP_OUTPUT"
echo "$BUMP_OUTPUT" >> "$GITHUB_OUTPUT"
- name: Commit JDBC plugin version bump
if: steps.bump.outputs.changed == 'true'
shell: bash
run: |
TMP_DIR="$(mktemp -d)"
cp plugins/jdbc/pom.xml "$TMP_DIR/pom.xml"
cp plugins/jdbc/manifest.json "$TMP_DIR/manifest.json"
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git fetch origin main
git switch -C jdbc-plugin-version-bump origin/main
cp "$TMP_DIR/pom.xml" plugins/jdbc/pom.xml
cp "$TMP_DIR/manifest.json" plugins/jdbc/manifest.json
git add plugins/jdbc/pom.xml plugins/jdbc/manifest.json
if git diff --cached --quiet; then
echo "JDBC plugin version ${{ steps.bump.outputs.new_version }} is already on main."
exit 0
fi
git commit -m "chore(jdbc): bump plugin version [skip ci]"
git push origin HEAD:main
build:
strategy:
fail-fast: false
matrix:
include:
- platform: macos-latest
target: aarch64-apple-darwin
- platform: macos-15-intel
target: x86_64-apple-darwin
- platform: ubuntu-22.04
target: x86_64-unknown-linux-gnu
- platform: ubuntu-22.04-arm
target: aarch64-unknown-linux-gnu
- platform: windows-2022
target: x86_64-pc-windows-msvc
arch: x64
- platform: windows-2022
target: aarch64-pc-windows-msvc
arch: arm64
runs-on: ${{ matrix.platform }}
steps:
- uses: actions/checkout@v5
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 22
- name: Setup pnpm
uses: pnpm/action-setup@v6
- name: Install frontend dependencies
run: pnpm install
- name: Setup Rust
uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}
- name: Compute Rust dependency hash
id: deps-hash
shell: bash
run: |
{
find . -name Cargo.toml -not -path './target/*' -print0 \
| sort -z \
| xargs -0 sed -E '/^version = /d'
grep -v '^version = ' Cargo.lock
} | sha256sum | cut -d' ' -f1 | {
read -r hash
echo "hash=${hash:0:20}" >> "$GITHUB_OUTPUT"
}
- name: Rust cache
uses: swatinem/rust-cache@v2
with:
workspaces: "./ -> target"
shared-key: release-${{ matrix.target }}-${{ steps.deps-hash.outputs.hash }}
add-rust-environment-hash-key: false
cache-on-failure: true
- name: Install Apple certificate (macOS)
if: startsWith(matrix.platform, 'macos')
env:
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
run: |
CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
echo -n "$APPLE_CERTIFICATE" | base64 --decode -o $CERTIFICATE_PATH
security create-keychain -p "" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "" $KEYCHAIN_PATH
security import $CERTIFICATE_PATH -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "" $KEYCHAIN_PATH
security list-keychains -d user -s $KEYCHAIN_PATH login.keychain-db
- name: Install system dependencies (Linux)
if: startsWith(matrix.platform, 'ubuntu')
run: |
sudo apt-get update
sudo apt-get install -y libwebkit2gtk-4.1-dev libgtk-3-dev libappindicator3-dev librsvg2-dev patchelf libssl-dev xdg-utils
- name: Setup Tauri signing key
shell: bash
run: |
echo "${{ secrets.TAURI_SIGNING_PRIVATE_KEY_BASE64 }}" | base64 --decode > "$RUNNER_TEMP/updater.key"
KEY_B64=$(base64 < "$RUNNER_TEMP/updater.key" | tr -d '\r\n')
echo "TAURI_SIGNING_PRIVATE_KEY=$KEY_B64" >> "$GITHUB_ENV"
if [ -n "${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}" ]; then
echo "TAURI_SIGNING_PRIVATE_KEY_PASSWORD=${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}" >> "$GITHUB_ENV"
fi
- name: Generate release notes
id: release-notes
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
BODY="$(gh api "repos/${GITHUB_REPOSITORY}/releases/generate-notes" \
-f tag_name="${GITHUB_REF_NAME}" \
--jq '.body')"
if [ -z "$BODY" ]; then
BODY="DBX ${GITHUB_REF_NAME}"
fi
DELIM="RELEASE_NOTES_$(date +%s%N)"
{
echo "body<<$DELIM"
printf '%s\n' "$BODY"
echo "$DELIM"
} >> "$GITHUB_OUTPUT"
- name: Build Tauri app
uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
APPLE_SIGNING_IDENTITY: ${{ startsWith(matrix.platform, 'macos') && secrets.APPLE_SIGNING_IDENTITY || '' }}
APPLE_ID: ${{ startsWith(matrix.platform, 'macos') && secrets.APPLE_ID || '' }}
APPLE_PASSWORD: ${{ startsWith(matrix.platform, 'macos') && secrets.APPLE_PASSWORD || '' }}
APPLE_TEAM_ID: ${{ startsWith(matrix.platform, 'macos') && secrets.APPLE_TEAM_ID || '' }}
with:
tagName: ${{ github.ref_name }}
releaseName: "DBX ${{ github.ref_name }}"
releaseBody: ${{ steps.release-notes.outputs.body }}
releaseDraft: true
prerelease: false
args: --target ${{ matrix.target }}
- name: Upload Windows portable ZIP
if: matrix.arch == 'x64' || matrix.arch == 'arm64'
shell: pwsh
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
$version = "${env:GITHUB_REF_NAME}".TrimStart("v")
$arch = "${{ matrix.arch }}"
$portableRoot = "portable"
$portableDir = Join-Path $portableRoot "DBX_${version}_${arch}"
$zipName = "DBX_${version}_${arch}-portable.zip"
$exePath = "target/${{ matrix.target }}/release/dbx.exe"
if (!(Test-Path $exePath)) {
Write-Error "Missing Windows executable: $exePath"
exit 1
}
New-Item -ItemType Directory -Force -Path $portableDir | Out-Null
Copy-Item $exePath (Join-Path $portableDir "DBX.exe") -Force
Copy-Item "LICENSE" (Join-Path $portableDir "LICENSE") -Force
Copy-Item "README.md" (Join-Path $portableDir "README.md") -Force
Set-Content -Path (Join-Path $portableDir "portable.dbx") -Value "" -NoNewline
Compress-Archive -Path (Join-Path $portableDir "*") -DestinationPath $zipName -Force
gh release upload "${env:GITHUB_REF_NAME}" $zipName --repo "${env:GITHUB_REPOSITORY}" --clobber
- name: Upload Windows WebView2 offline installer
if: matrix.arch == 'x64' || matrix.arch == 'arm64'
shell: pwsh
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
$version = "${env:GITHUB_REF_NAME}".TrimStart("v")
$arch = "${{ matrix.arch }}"
$bundleDir = "target/${{ matrix.target }}/release/bundle/nsis"
$offlineName = "DBX_${version}_${arch}-webview2-offline-setup.exe"
$before = @{}
if (Test-Path $bundleDir) {
Get-ChildItem $bundleDir -Filter "*.exe" | ForEach-Object { $before[$_.FullName] = $_.LastWriteTimeUtc }
}
pnpm tauri bundle --bundles nsis --target ${{ matrix.target }} --config src-tauri/tauri.webview2-offline.conf.json
$installer = Get-ChildItem $bundleDir -Filter "*.exe" |
Where-Object { !$before.ContainsKey($_.FullName) -or $_.LastWriteTimeUtc -gt $before[$_.FullName] } |
Sort-Object LastWriteTimeUtc -Descending |
Select-Object -First 1
if (!$installer) {
Write-Error "Missing WebView2 offline installer in ${bundleDir}"
exit 1
}
Copy-Item $installer.FullName $offlineName -Force
gh release upload "${env:GITHUB_REF_NAME}" $offlineName --repo "${env:GITHUB_REPOSITORY}" --clobber
cleanup-release-signatures:
needs: build
runs-on: ubuntu-latest
steps:
- name: Remove standalone updater signature assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
mapfile -t SIG_ASSETS < <(
gh release view "${GITHUB_REF_NAME}" \
--repo "${GITHUB_REPOSITORY}" \
--json assets \
--jq '.assets[].name | select(endswith(".sig"))'
)
if [ "${#SIG_ASSETS[@]}" -eq 0 ]; then
echo "No standalone .sig release assets found."
exit 0
fi
for ASSET in "${SIG_ASSETS[@]}"; do
echo "Deleting release asset: ${ASSET}"
gh release delete-asset "${GITHUB_REF_NAME}" "${ASSET}" \
--repo "${GITHUB_REPOSITORY}" \
--yes
done
jdbc-plugin:
needs: [cleanup-release-signatures, bump-jdbc-plugin-version]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Setup Java
uses: actions/setup-java@v5
with:
distribution: temurin
java-version: "17"
cache: maven
- name: Apply automatic JDBC plugin version bump
shell: bash
run: node .github/scripts/bump-jdbc-plugin-version.mjs "${{ needs.bump-jdbc-plugin-version.outputs.prev_tag }}" HEAD --write
- name: Read JDBC plugin version
id: jdbc-plugin
shell: bash
run: |
VERSION="$(grep -m1 '<version>' plugins/jdbc/pom.xml | sed -E 's/.*<version>([^<]+)<.*/\1/')"
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
- name: Package JDBC plugin
run: ./plugins/jdbc/package.sh
- name: Upload JDBC plugin asset
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release upload "${GITHUB_REF_NAME}" \
"plugins/jdbc/dist/dbx-jdbc-plugin-${{ steps.jdbc-plugin.outputs.version }}.zip" \
"plugins/jdbc/dist/dbx-jdbc-plugin-latest.zip" \
--repo "${GITHUB_REPOSITORY}" \
--clobber
- name: Add JDBC plugin metadata to latest.json
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
mkdir -p "$RUNNER_TEMP/latest-json"
gh release download "${GITHUB_REF_NAME}" \
--repo "${GITHUB_REPOSITORY}" \
--pattern latest.json \
--dir "$RUNNER_TEMP/latest-json"
node .github/scripts/augment-latest-json-jdbc-plugin.mjs \
"$RUNNER_TEMP/latest-json/latest.json" \
"${{ steps.jdbc-plugin.outputs.version }}" \
"1" \
"https://github.com/t8y2/dbx/releases/latest/download/dbx-jdbc-plugin-latest.zip"
gh release upload "${GITHUB_REF_NAME}" \
"$RUNNER_TEMP/latest-json/latest.json" \
--repo "${GITHUB_REPOSITORY}" \
--clobber
publish:
needs: [cleanup-release-signatures, docker-manifest, jdbc-plugin]
runs-on: ubuntu-latest
steps:
- name: Publish draft release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release edit ${{ github.ref_name }} --repo ${{ github.repository }} --draft=false --prerelease
sync-release-to-cnb:
name: Sync release to CNB
needs: publish
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v5
- name: Download GitHub release assets
env:
TAG_NAME: ${{ github.ref_name }}
GITHUB_REPOSITORY: ${{ github.repository }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
mkdir -p "$RUNNER_TEMP/github-release" "$RUNNER_TEMP/release-assets"
gh release view "$TAG_NAME" \
--repo "$GITHUB_REPOSITORY" \
--json tagName,name,body,targetCommitish,isPrerelease,isDraft,assets \
> "$RUNNER_TEMP/github-release/release.json"
gh release download "$TAG_NAME" \
--repo "$GITHUB_REPOSITORY" \
--dir "$RUNNER_TEMP/release-assets" \
--clobber
- name: Sync release assets to CNB
env:
CNB_TOKEN: ${{ secrets.CNB_TOKEN }}
CNB_UPLOAD_CONCURRENCY: "3"
run: |
node .github/scripts/sync-cnb-release.mjs \
--github-release "$RUNNER_TEMP/github-release/release.json" \
--assets-dir "$RUNNER_TEMP/release-assets"
sync-release-to-atomgit:
name: Sync release to AtomGit
needs: publish
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Ensure AtomGit tag exists
env:
TAG_NAME: ${{ github.ref_name }}
ATOMGIT_TOKEN: ${{ secrets.ATOMGIT_TOKEN }}
run: |
set -euo pipefail
git fetch origin "refs/tags/${TAG_NAME}:refs/tags/${TAG_NAME}" --force
git remote add atomgit "https://t8y2:${ATOMGIT_TOKEN}@atomgit.com/t8y2/dbx.git"
git push atomgit "refs/tags/${TAG_NAME}:refs/tags/${TAG_NAME}" --force
- name: Download GitHub release assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG_NAME: ${{ github.ref_name }}
GITHUB_REPOSITORY: ${{ github.repository }}
run: |
set -euo pipefail
mkdir -p "$RUNNER_TEMP/github-release" "$RUNNER_TEMP/release-assets"
gh release view "$TAG_NAME" \
--repo "$GITHUB_REPOSITORY" \
--json tagName,name,body,targetCommitish,isPrerelease,isDraft,assets \
> "$RUNNER_TEMP/github-release/release.json"
gh release download "$TAG_NAME" \
--repo "$GITHUB_REPOSITORY" \
--dir "$RUNNER_TEMP/release-assets" \
--clobber
- name: Sync release assets to AtomGit
env:
ATOMGIT_TOKEN: ${{ secrets.ATOMGIT_TOKEN }}
ATOMGIT_REPOSITORY: "t8y2/dbx"
# AtomGit throttles concurrent large-asset uploads, which can expire their temporary upload URLs.
ATOMGIT_UPLOAD_CONCURRENCY: "1"
run: |
set -euo pipefail
node .github/scripts/sync-atomgit-release.mjs \
--github-release "$RUNNER_TEMP/github-release/release.json" \
--assets-dir "$RUNNER_TEMP/release-assets"
docker:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
platform: [linux/amd64, linux/arm64]
steps:
- uses: actions/checkout@v5
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to CNB Registry
uses: docker/login-action@v3
with:
registry: ${{ env.CNB_REGISTRY }}
username: cnb
password: ${{ secrets.CNB_TOKEN }}
- name: Build and push Docker Hub by digest
id: build-dockerhub
uses: docker/build-push-action@v6
with:
context: .
file: deploy/Dockerfile
platforms: ${{ matrix.platform }}
outputs: type=image,name=${{ secrets.DOCKERHUB_USERNAME }}/dbx,push-by-digest=true,name-canonical=true,push=true
cache-from: type=gha,scope=${{ matrix.platform }}
cache-to: type=gha,scope=${{ matrix.platform }},mode=max
- name: Build and push CNB by digest
id: build-cnb
uses: docker/build-push-action@v6
with:
context: .
file: deploy/Dockerfile
platforms: ${{ matrix.platform }}
outputs: type=image,name=${{ env.CNB_REGISTRY }}/${{ env.CNB_REPOSITORY }},push-by-digest=true,name-canonical=true,push=true
cache-from: type=gha,scope=${{ matrix.platform }}
- name: Export digests
run: |
mkdir -p /tmp/digests/dockerhub /tmp/digests/cnb
dockerhub_digest="${{ steps.build-dockerhub.outputs.digest }}"
cnb_digest="${{ steps.build-cnb.outputs.digest }}"
touch "/tmp/digests/dockerhub/${dockerhub_digest#sha256:}"
touch "/tmp/digests/cnb/${cnb_digest#sha256:}"
- name: Upload Docker Hub digest
uses: actions/upload-artifact@v7
with:
name: dockerhub-digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }}
path: /tmp/digests/dockerhub/*
if-no-files-found: error
retention-days: 1
- name: Upload CNB digest
uses: actions/upload-artifact@v7
with:
name: cnb-digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }}
path: /tmp/digests/cnb/*
if-no-files-found: error
retention-days: 1
docker-manifest:
needs: docker
runs-on: ubuntu-latest
steps:
- name: Download Docker Hub digests
uses: actions/download-artifact@v8
with:
path: /tmp/digests/dockerhub
pattern: dockerhub-digests-*
merge-multiple: true
- name: Download CNB digests
uses: actions/download-artifact@v8
with:
path: /tmp/digests/cnb
pattern: cnb-digests-*
merge-multiple: true
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to CNB Registry
uses: docker/login-action@v3
with:
registry: ${{ env.CNB_REGISTRY }}
username: cnb
password: ${{ secrets.CNB_TOKEN }}
- name: Extract version from tag
id: version
run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
- name: Create manifest list and push
run: |
docker buildx imagetools create \
-t ${{ secrets.DOCKERHUB_USERNAME }}/dbx:${{ steps.version.outputs.version }} \
-t ${{ secrets.DOCKERHUB_USERNAME }}/dbx:latest \
$(cd /tmp/digests/dockerhub && printf '${{ secrets.DOCKERHUB_USERNAME }}/dbx@sha256:%s ' *)
docker buildx imagetools create \
-t ${{ env.CNB_REGISTRY }}/${{ env.CNB_REPOSITORY }}:${{ steps.version.outputs.version }} \
-t ${{ env.CNB_REGISTRY }}/${{ env.CNB_REPOSITORY }}:latest \
$(cd /tmp/digests/cnb && printf '${{ env.CNB_REGISTRY }}/${{ env.CNB_REPOSITORY }}@sha256:%s ' *)