From 39cb9e1d1387eac28870d6275104f1a25acff966 Mon Sep 17 00:00:00 2001 From: DecDuck Date: Fri, 6 Feb 2026 09:03:57 +1100 Subject: [PATCH 1/8] feat: use platform-specific runners --- .github/workflows/release.yml | 140 ++++++++++++++++++++++++---------- 1 file changed, 99 insertions(+), 41 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5f2c93b0..8b024bfd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,10 +9,17 @@ on: - cron: "0 2 * * *" # run at 2 AM UTC jobs: - web: + build: name: Build Docker image - # self-hosted runner to speed things up - runs-on: [self-hosted, linux] + strategy: + fail-fast: false + matrix: + include: + - platform: linux/amd64 + runner: ubuntu-latest + - platform: linux/arm64 + runner: ubuntu-24.04-arm + runs-on: ${{ matrix.runner }} permissions: packages: write contents: read @@ -26,26 +33,10 @@ jobs: ref: ${{ github.ref }} token: ${{ secrets.GITHUB_TOKEN }} - - name: Determine final version - id: get_final_ver + - name: Set platform run: | - BASE_VER=v$(jq -r '.version' package.json) - TODAY=$(date +'%Y.%m.%d') - - echo "Today will be: $TODAY" - echo "today=$TODAY" >> $GITHUB_OUTPUT - - if [[ "${{ github.event_name }}" == "release" ]]; then - FINAL_VER="$BASE_VER" - else - FINAL_VER="${BASE_VER}-nightly.$TODAY" - fi - - echo "Drop's release tag will be: $FINAL_VER" - echo "final_ver=$FINAL_VER" >> $GITHUB_OUTPUT - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - name: Set up Docker Buildx id: buildx 
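Review bot: In PATCH 1/8, hunk `@@ -26,26 +33,10 @@`, the new `Set platform` step writes `${{ matrix.platform }}` straight into the script text, so the value is substituted before bash parses the line. Both matrix values are literals in this file, so nothing untrusted reaches the shell today, but this is the pattern that becomes script injection once an expression carries event data. I would pass it through the environment and quote the target file: an `env:` entry `PLATFORM: ${{ matrix.platform }}` on the step, then `echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> "$GITHUB_ENV"`.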
@@ -60,24 +51,6 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/drop-OSS/drop - tags: | - type=schedule,pattern=nightly - type=schedule,pattern=nightly.${{ steps.get_final_ver.outputs.today }} - type=semver,pattern=v{{version}} - type=semver,pattern=v{{major}}.{{minor}} - type=semver,pattern=v{{major}} - type=ref,event=branch,prefix=branch- - type=ref,event=pr - type=sha - # set latest tag for stable releases - type=raw,value=latest,enable=${{ github.event_name == 'release' && github.event.release.prerelease == false }} - - name: Cache uses: actions/cache@v4 id: cache @@ -93,6 +66,13 @@ jobs: dockerfile: Dockerfile skip-extraction: ${{ steps.cache.outputs.cache-hit }} + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/drop-OSS/drop + - name: Build and push image id: build-and-push uses: docker/build-push-action@v6 
@@ -103,8 +83,86 @@ jobs: sbom: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - platforms: linux/amd64,linux/arm64 + platforms: ${{ matrix.platform }} cache-from: type=gha cache-to: type=gha,mode=max build-args: | BUILD_DROP_VERSION=${{ steps.get_final_ver.outputs.final_ver }} + + - name: Export digest + run: | + mkdir -p ${{ runner.temp }}/digests + digest="${{ steps.build.outputs.digest }}" + touch "${{ runner.temp }}/digests/${digest#sha256:}" + + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: digests-${{ env.PLATFORM_PAIR }} + path: ${{ runner.temp }}/digests/* + if-no-files-found: error + retention-days: 1 + merge: + runs-on: ubuntu-latest + needs: + - build + steps: + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: ${{ runner.temp }}/digests + pattern: digests-* + merge-multiple: true + + - name: Determine final version + id: get_final_ver + run: | + BASE_VER=v$(jq -r '.version' package.json) + TODAY=$(date +'%Y.%m.%d') + + echo "Today will be: $TODAY" + echo "today=$TODAY" >> $GITHUB_OUTPUT + + if [[ "${{ github.event_name }}" == "release" ]]; then + FINAL_VER="$BASE_VER" + else + FINAL_VER="${BASE_VER}-nightly.$TODAY" + fi + + echo "Drop's release tag will be: $FINAL_VER" + echo "final_ver=$FINAL_VER" >> $GITHUB_OUTPUT + + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/drop-OSS/drop + tags: | + type=schedule,pattern=nightly + type=schedule,pattern=nightly.${{ steps.get_final_ver.outputs.today }} + type=semver,pattern=v{{version}} + type=semver,pattern=v{{major}}.{{minor}} + type=semver,pattern=v{{major}} + type=ref,event=branch,prefix=branch- + type=ref,event=pr + type=sha + # set latest tag for stable releases + 
type=raw,value=latest,enable=${{ github.event_name == 'release' && github.event.release.prerelease == false }} + + - name: Create manifest list and push + working-directory: ${{ runner.temp }}/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + + - name: Inspect image + run: | + docker buildx imagetools inspect ghcr.io/drop-OSS/drop:${{ steps.meta.outputs.version }} From 5d689ee28b8ba12f93a01e9d041665eefd4ef019 Mon Sep 17 00:00:00 2001 From: DecDuck Date: Fri, 6 Feb 2026 09:12:27 +1100 Subject: [PATCH 2/8] feat: replace with template --- .github/workflows/release.yml | 96 +++++++++-------------------------- 1 file changed, 24 insertions(+), 72 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8b024bfd..b61a9ae8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,9 +8,11 @@ on: schedule: - cron: "0 2 * * *" # run at 2 AM UTC +env: + REGISTRY_IMAGE: user/app + jobs: build: - name: Build Docker image strategy: fail-fast: false matrix: 
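Review bot: In PATCH 1/8, hunk `@@ -103,8 +83,86 @@`, the added `Export digest` step reads `steps.build.outputs.digest`, but the build step shown as context in the previous hunk of this commit still has `id: build-and-push`, so as of this commit the expression expands to an empty string. `touch` then targets the `digests` directory itself, no digest file is written, and `Upload digest` stops on `if-no-files-found: error`. Either reference `steps.build-and-push.outputs.digest` or rename the step id. An explicit `test -n "$digest"` before the `touch` would make the failure surface at the step that caused it.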
@@ -20,74 +22,39 @@ jobs: - platform: linux/arm64 runner: ubuntu-24.04-arm runs-on: ${{ matrix.runner }} - permissions: - packages: write - contents: read steps: - - name: Check out the repo - uses: actions/checkout@v4 - with: - submodules: true - fetch-depth: 3 # fix for when this gets triggered by tag - fetch-tags: true - ref: ${{ github.ref }} - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Set platform + - name: Prepare run: | platform=${{ matrix.platform }} echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 with: - buildkitd-flags: --debug + images: ${{ env.REGISTRY_IMAGE }} - - name: Log in to the Container registry + - name: Login to Docker Hub uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Cache - uses: actions/cache@v4 - id: cache - with: - path: cache-mount - key: cache-mount-${{ hashFiles('Dockerfile') }} - - - name: Restore Docker cache mounts - uses: reproducible-containers/buildkit-cache-dance@v3 - with: - builder: ${{ steps.setup-buildx.outputs.name }} - cache-dir: cache-mount - dockerfile: Dockerfile - skip-extraction: ${{ steps.cache.outputs.cache-hit }} + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/drop-OSS/drop + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - - name: Build and push image - id: build-and-push + - name: Build and push by digest + id: build uses: docker/build-push-action@v6 with: - context: . 
- push: true - provenance: mode=max - sbom: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} platforms: ${{ matrix.platform }} - cache-from: type=gha - cache-to: type=gha,mode=max - build-args: | - BUILD_DROP_VERSION=${{ steps.get_final_ver.outputs.final_ver }} + labels: ${{ steps.meta.outputs.labels }} + tags: ${{ env.REGISTRY_IMAGE }} + outputs: type=image,push-by-digest=true,name-canonical=true,push=true - name: Export digest run: | @@ -102,6 +69,7 @@ jobs: path: ${{ runner.temp }}/digests/* if-no-files-found: error retention-days: 1 + merge: runs-on: ubuntu-latest needs: @@ -114,31 +82,15 @@ jobs: pattern: digests-* merge-multiple: true - - name: Determine final version - id: get_final_ver - run: | - BASE_VER=v$(jq -r '.version' package.json) - TODAY=$(date +'%Y.%m.%d') - - echo "Today will be: $TODAY" - echo "today=$TODAY" >> $GITHUB_OUTPUT - - if [[ "${{ github.event_name }}" == "release" ]]; then - FINAL_VER="$BASE_VER" - else - FINAL_VER="${BASE_VER}-nightly.$TODAY" - fi - - echo "Drop's release tag will be: $FINAL_VER" - echo "final_ver=$FINAL_VER" >> $GITHUB_OUTPUT - - - name: Log in to the Container registry + - name: Login to Docker Hub uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@v5 @@ -156,7 +108,7 @@ jobs: type=sha # set latest tag for stable releases type=raw,value=latest,enable=${{ github.event_name == 'release' && github.event.release.prerelease == false }} - + - name: Create manifest list and push working-directory: ${{ runner.temp }}/digests run: | 
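Review bot: In PATCH 2/8, hunk `@@ -20,74 +22,39 @@`, every action added to the `build` job is referenced by a movable major tag (`docker/metadata-action@v5`, `docker/login-action@v3`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`). These steps run in the job that logs in to ghcr.io with `secrets.GITHUB_TOKEN` and pushes the release image, so a retagged action release would change what gets published without any change to this file. Pin each one to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: docker/build-push-action@<full-commit-sha> # v6`; the same applies to the `actions/*@v4` references elsewhere in the workflow. Separately, the step named `Login to Docker Hub` logs in to `registry: ghcr.io`, so the name should say that.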
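Review bot: In PATCH 2/8, hunk `@@ -114,31 +82,15 @@`, removing `Determine final version` from the `merge` job leaves a dangling reference: the job's metadata step (added in PATCH 1/8) still lists `type=schedule,pattern=nightly.${{ steps.get_final_ver.outputs.today }}`, and a missing step output evaluates to an empty string, so the dated nightly tag would come out as `nightly.`. PATCH 6/8 re-adds the step only in `build`, and step outputs are not visible from another job. Either compute the date in `merge` with a small step that writes `today=$(date +'%Y.%m.%d')` to `"$GITHUB_OUTPUT"`, or let the action format it with `type=schedule,pattern=nightly.{{date 'YYYY.MM.DD'}}`. The tag list itself lies outside this hunk; I am assuming it is unchanged from PATCH 1/8.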
@@ -165,4 +117,4 @@ jobs: - name: Inspect image run: | - docker buildx imagetools inspect ghcr.io/drop-OSS/drop:${{ steps.meta.outputs.version }} + docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} From dc5dd8c23d822b53618bd3fcd7727b8c20476b44 Mon Sep 17 00:00:00 2001 From: DecDuck Date: Fri, 6 Feb 2026 09:14:48 +1100 Subject: [PATCH 3/8] fix: image name --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b61a9ae8..dfcb15ac 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,7 +9,7 @@ on: - cron: "0 2 * * *" # run at 2 AM UTC env: - REGISTRY_IMAGE: user/app + REGISTRY_IMAGE: ghcr.io/drop-OSS/drop jobs: build: @@ -108,7 +108,7 @@ jobs: type=sha # set latest tag for stable releases type=raw,value=latest,enable=${{ github.event_name == 'release' && github.event.release.prerelease == false }} - + - name: Create manifest list and push working-directory: ${{ runner.temp }}/digests run: | From 67ffe8ebb9f45982830667ae9a5c7d282dc7afac Mon Sep 17 00:00:00 2001 From: DecDuck Date: Fri, 6 Feb 2026 09:15:56 +1100 Subject: [PATCH 4/8] fix: registry image name --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dfcb15ac..a09f1bad 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,7 +9,7 @@ on: - cron: "0 2 * * *" # run at 2 AM UTC env: - REGISTRY_IMAGE: ghcr.io/drop-OSS/drop + REGISTRY_IMAGE: ghcr.io/drop-oss/drop jobs: build: From d2399f8e517ce066d6c05c53ed9d9d8c561e3e71 Mon Sep 17 00:00:00 2001 From: DecDuck Date: Fri, 6 Feb 2026 09:18:39 +1100 Subject: [PATCH 5/8] fix: checkout repo --- .github/workflows/release.yml | 9 +++++++++ 1 file changed, 9 insertions(+) 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a09f1bad..841e22db 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,6 +23,15 @@ jobs: runner: ubuntu-24.04-arm runs-on: ${{ matrix.runner }} steps: + - name: Check out the repo + uses: actions/checkout@v4 + with: + submodules: true + fetch-depth: 3 # fix for when this gets triggered by tag + fetch-tags: true + ref: ${{ github.ref }} + token: ${{ secrets.GITHUB_TOKEN }} + - name: Prepare run: | platform=${{ matrix.platform }} From 24ba29d26fdb216718c09c7ae5db5961f1fca8ab Mon Sep 17 00:00:00 2001 From: DecDuck Date: Fri, 6 Feb 2026 09:22:57 +1100 Subject: [PATCH 6/8] fix: add drop version --- .github/workflows/release.yml | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 841e22db..1ec2ca48 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,7 +31,7 @@ jobs: fetch-tags: true ref: ${{ github.ref }} token: ${{ secrets.GITHUB_TOKEN }} - + - name: Prepare run: | platform=${{ matrix.platform }} @@ -56,6 +56,24 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Determine final version + id: get_final_ver + run: | + BASE_VER=v$(jq -r '.version' package.json) + TODAY=$(date +'%Y.%m.%d') + + echo "Today will be: $TODAY" + echo "today=$TODAY" >> $GITHUB_OUTPUT + + if [[ "${{ github.event_name }}" == "release" ]]; then + FINAL_VER="$BASE_VER" + else + FINAL_VER="${BASE_VER}-nightly.$TODAY" + fi + + echo "Drop's release tag will be: $FINAL_VER" + echo "final_ver=$FINAL_VER" >> $GITHUB_OUTPUT + - name: Build and push by digest id: build uses: docker/build-push-action@v6 
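Review bot: In PATCH 5/8, hunk `@@ -23,6 +23,15 @@`, the re-added checkout keeps the action's default of persisting the token in the local git config, in a job that goes on to run a Docker build and upload an artifact. Nothing visible later in the job pushes or fetches with git, so add `persist-credentials: false` under `with:`. `ref: ${{ github.ref }}` and `token: ${{ secrets.GITHUB_TOKEN }}` look like restatements of the action's defaults and can be dropped unless they are deliberate. Since PATCH 2/8 removed `context: .` from the build step, the build appears to use the action's default Git context rather than this working tree, so confirm that `submodules: true` still has the intended effect on the image.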
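Review bot: In PATCH 6/8, hunk `@@ -56,6 +56,24 @@`, `jq -r '.version' package.json` prints `null` and exits 0 when the field is missing, so `BASE_VER` would become `vnull` and be baked into the image through `BUILD_DROP_VERSION`. Use `jq -er '.version' package.json` so the step fails instead, and quote the redirect targets as `>> "$GITHUB_OUTPUT"`. The `today` output written here has no consumer in this job; only `final_ver` is read by the build step.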
@@ -64,6 +82,10 @@ jobs: labels: ${{ steps.meta.outputs.labels }} tags: ${{ env.REGISTRY_IMAGE }} outputs: type=image,push-by-digest=true,name-canonical=true,push=true + provenance: mode=max + sbom: true + build-args: | + BUILD_DROP_VERSION=${{ steps.get_final_ver.outputs.final_ver }} - name: Export digest run: | From 37f33a48012184447fc81d61f0ae56c733ad629b Mon Sep 17 00:00:00 2001 From: DecDuck Date: Fri, 6 Feb 2026 09:27:39 +1100 Subject: [PATCH 7/8] fix: add sha env --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1ec2ca48..b3130b79 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -86,6 +86,7 @@ jobs: sbom: true build-args: | BUILD_DROP_VERSION=${{ steps.get_final_ver.outputs.final_ver }} + BUILD_GIT_REF=${{ github.sha }} - name: Export digest run: | From 52447eec9ee92c83c9591137cae85e52c5734bc5 Mon Sep 17 00:00:00 2001 From: DecDuck Date: Fri, 6 Feb 2026 09:37:32 +1100 Subject: [PATCH 8/8] fix: permissions --- .github/workflows/release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b3130b79..fd3e8efb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,6 +22,9 @@ jobs: - platform: linux/arm64 runner: ubuntu-24.04-arm runs-on: ${{ matrix.runner }} + permissions: + packages: write + contents: read steps: - name: Check out the repo uses: actions/checkout@v4 @@ -106,6 +109,9 @@ jobs: runs-on: ubuntu-latest needs: - build + permissions: + packages: write + contents: read steps: - name: Download digests uses: actions/download-artifact@v4
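Review bot: In PATCH 8/8, the two job-level `permissions` blocks fit what the jobs do, but the workflow still has no top-level default, which is how both jobs ran without an explicit grant from PATCH 2/8 until this commit. Add `permissions: {}` at the top of the file (outside both hunks) so a job added later starts with nothing and has to request `packages: write` itself. The `merge` job in hunk `@@ -106,6 +109,9 @@` has no checkout step in the lines shown, so `contents: read` there is probably unnecessary; confirm what `docker/metadata-action` needs before removing it.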