-
Notifications
You must be signed in to change notification settings - Fork 0
274 lines (244 loc) · 10.8 KB
/
Copy pathrelease.yml
File metadata and controls
274 lines (244 loc) · 10.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
name: Release
on:
push:
tags:
- 'v*'
workflow_dispatch:
permissions:
contents: write
packages: write
jobs:
build:
name: Build ${{ matrix.target }}
# Binary matrix runs only on tag push — manual dispatch is for
# docker-publish smoke tests and shouldn't create GitHub releases.
if: github.event_name == 'push'
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- target: x86_64-unknown-linux-gnu
os: ubuntu-latest
platform: linux
arch: x86_64
ext: tar.gz
- target: x86_64-pc-windows-msvc
os: windows-latest
platform: windows
arch: x86_64
ext: zip
- target: x86_64-apple-darwin
os: macos-latest
platform: macos
arch: x86_64
ext: tar.gz
- target: aarch64-apple-darwin
os: macos-latest
platform: macos
arch: aarch64
ext: tar.gz
# Native aarch64 Linux runner avoids the `cross` tool entirely.
# Previous attempts with `cross` failed on the rusqlite bundled
# SQLite compile because the default docker image lacked the
# necessary aarch64 C toolchain pieces. GitHub's `ubuntu-24.04-arm`
# runner (free for public repos) builds natively — faster, simpler,
# and rusqlite/aes-gcm/sha2/etc. compile against the system gcc
# without any cross-toolchain configuration.
- target: aarch64-unknown-linux-gnu
os: ubuntu-24.04-arm
platform: linux
arch: aarch64
ext: tar.gz
steps:
- uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}
# ── Build the embedded local web UI (Phase C, 2026-05-09) ───────
# rust-embed picks up `web-dist/` at compile time — without this
# step the binary would ship with build.rs's "Web UI not built"
# placeholder and the browser dashboard would 503 in production.
# Node 20 LTS is the minimum the Vite 5.4 toolchain supports.
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
cache: "npm"
cache-dependency-path: web/package-lock.json
- name: Install web/ deps
run: npm ci
working-directory: web
- name: Build web/ → web-dist/
run: npm run build
working-directory: web
- name: Build release binary
run: cargo build --release --target ${{ matrix.target }}
shell: bash
- name: Package (Unix)
if: matrix.platform != 'windows'
run: |
cd target/${{ matrix.target }}/release
tar czf ../../../sourcebox-sentry-cloudnode-${{ matrix.platform }}-${{ matrix.arch }}.tar.gz sourcebox-sentry-cloudnode
cd ../../..
- name: Package (Windows)
if: matrix.platform == 'windows'
shell: pwsh
run: |
cd target/${{ matrix.target }}/release
Compress-Archive -Path sourcebox-sentry-cloudnode.exe -DestinationPath ../../../sourcebox-sentry-cloudnode-${{ matrix.platform }}-${{ matrix.arch }}.zip
cd ../../..
# ── Build the Windows MSI ──────────────────────────────────────
# Runs only on the Windows matrix entry, only after the binary
# has compiled (cargo-wix consumes target/release/...exe). Has
# two side effects worth knowing about:
#
# 1. Installs the WiX Toolset 3.x via the official MSI. WiX 4 is
# out, but cargo-wix as of 0.3 still emits 3.x-compatible
# XML, so we pin to 3.14 — the latest 3.x release.
# 2. Installs the cargo-wix subcommand. ~1m of build time the
# first time, cached after that.
#
# The MSI itself is unsigned. SmartScreen will warn the user on
# first install; the README documents the "More info → Run anyway"
# workaround. Code signing is deferred (see docs/LAUNCH_HANDOFF
# in the Command Center repo).
- name: Install WiX Toolset (Windows only)
if: matrix.platform == 'windows'
shell: pwsh
run: |
# WiX 3.14 — last 3.x release. cargo-wix 0.3 emits 3.x XML.
$url = 'https://github.com/wixtoolset/wix3/releases/download/wix314rtm/wix314-binaries.zip'
$zip = "$env:RUNNER_TEMP\wix314.zip"
$dst = "$env:RUNNER_TEMP\wix"
Invoke-WebRequest -Uri $url -OutFile $zip
Expand-Archive -Path $zip -DestinationPath $dst -Force
# Add to PATH for subsequent steps.
echo $dst | Out-File -FilePath $env:GITHUB_PATH -Append -Encoding utf8
- name: Install cargo-wix (Windows only)
if: matrix.platform == 'windows'
run: cargo install cargo-wix --locked
shell: pwsh
- name: Build MSI (Windows only)
if: matrix.platform == 'windows'
shell: pwsh
run: |
# --no-build because the cargo build step above already
# produced target\release\sourcebox-sentry-cloudnode.exe with the
# right release-profile flags (LTO, strip). Letting cargo-wix
# rebuild would also use a stripped exe but pays the cost twice.
cargo wix --no-build --nocapture --output target/wix/
- name: Rename MSI to standard naming (Windows only)
if: matrix.platform == 'windows'
shell: pwsh
run: |
# cargo-wix names the MSI `sourcebox-sentry-cloudnode-<version>-<arch>.msi`
# by default. Move it to the predictable name the install
# script + landing page link to. We keep the version-stamped
# name in the GitHub release URL by also uploading the
# original; this rename produces the "always-latest" copy
# the install scripts pull.
$generated = Get-ChildItem target/wix -Filter '*.msi' | Select-Object -First 1
if (-not $generated) { throw "No MSI generated under target/wix/" }
Copy-Item $generated.FullName -Destination "sourcebox-sentry-cloudnode-${{ matrix.platform }}-${{ matrix.arch }}.msi"
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: sourcebox-sentry-cloudnode-${{ matrix.platform }}-${{ matrix.arch }}
path: sourcebox-sentry-cloudnode-${{ matrix.platform }}-${{ matrix.arch }}.${{ matrix.ext }}
# Separate upload for the MSI so the `release` job's
# `download-artifact` step picks it up alongside the .zip.
# Conditional on Windows matrix entry — others would have nothing
# to upload.
- name: Upload MSI artifact (Windows only)
if: matrix.platform == 'windows'
uses: actions/upload-artifact@v4
with:
name: sourcebox-sentry-cloudnode-${{ matrix.platform }}-${{ matrix.arch }}-msi
path: sourcebox-sentry-cloudnode-${{ matrix.platform }}-${{ matrix.arch }}.msi
release:
name: Create Release
# Same gating as the matrix — manual dispatch skips GitHub release creation.
if: github.event_name == 'push'
needs: build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download all artifacts
uses: actions/download-artifact@v4
with:
path: artifacts
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
generate_release_notes: true
files: artifacts/**/*
# Mark hyphen-suffixed tags (v0.1.18-msi-rc3, v0.1.19-beta, etc.)
# as prereleases so the GitHub `/releases/latest/download/...`
# redirect — used by the landing page MSI link, the docs
# download buttons, and any curl-style consumers — keeps
# pointing at the most recent *stable* release. A bare
# `vX.Y.Z` tag has no hyphen and
# ships as the default-latest; any hyphen suffix is per
# SemVer prerelease territory and we honour that. Without
# this gate, an RC tag temporarily bumps GitHub's "latest"
# pointer and the public install URLs serve the unverified
# RC binary to anyone who curls it.
prerelease: ${{ contains(github.ref_name, '-') }}
docker-publish:
name: Publish Docker image (multi-arch → GHCR)
# Runs on both tag push and manual dispatch. Independent of the binary
# matrix — rebuilds from source inside Docker, so no dependency on
# `build` and can run in parallel.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# QEMU is only used for cross-arch emulation (arm64 on x86 runner).
# Rust compilation for arm64 under QEMU adds ~10 min vs native; still
# well under GitHub's 6-hour job limit and acceptable for release cadence.
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# metadata-action auto-lowercases the image name, so
# `SourceBox-LLC/Sentinel-CameraNode` → `sourcebox-llc/sentinel-cameranode`.
# The GitHub repo was renamed `opensentry-cloud-node` → `Sentinel-CameraNode`
# in May 2026; ghcr.io image name follows the repo, so existing pulls of
# `ghcr.io/sourcebox-llc/opensentry-cloudnode:<tag>` will keep working
# only via GitHub's package-redirect window — re-pull against the new
# image name once you next update your compose/k8s manifests. The
# binary inside is still `sourcebox-sentry-cloudnode` per Cargo.toml.
# `latest=auto` tags :latest only on stable semver tag pushes.
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository }}
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,prefix=sha-
flavor: |
latest=auto
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
pull: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# GHA cache disabled for this release to flush stale layers
# from the rust:1.75-alpine era. Re-enable after a clean
# build populates fresh cache:
# cache-from: type=gha
# cache-to: type=gha,mode=max
no-cache: true