Guard against configuration mistakes leading to security issues #169
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# References: | |
# - https://github.com/marketplace/actions/get-the-latest-release-upload-url-tag-date | |
# - https://github.com/actions/upload-artifact | |
# - https://github.com/marketplace/actions/yet-another-upload-release-asset-action | |
# - https://github.com/marketplace/actions/download-a-build-artifact | |
# | |
# Its called 'build' so that the README badge displays nicely | |
name: build | |
# Update the RUST_VERSION here and in the Makefile when we upgrade | |
env: | |
CARGO_TERM_COLOR: always | |
RUST_VERSION: 1.78.0 | |
on: | |
push: | |
branches: | |
- master | |
pull_request: | |
branches: | |
- master | |
release: | |
types: [ created ] | |
jobs: | |
get_version: | |
name: Get unFTP version | |
runs-on: ubuntu-latest | |
outputs: | |
version: ${{ steps.get_latest_tag.outputs.version }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # Otherwise we get a 'fatal: No names found, cannot describe anything.' error. | |
- name: Get latest tag | |
id: get_latest_tag | |
run: | | |
tag=$(git describe --tags) | |
echo "version=$tag" >> $GITHUB_OUTPUT | |
format: | |
name: Check Formatting | |
runs-on: ubuntu-latest | |
if: ${{ github.ref != 'refs/heads/master' }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Install Rust toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
override: true | |
default: true | |
components: rustfmt | |
- name: Check formatting | |
uses: actions-rs/cargo@v1 | |
with: | |
command: fmt | |
args: --all -- --check | |
clippy: | |
name: Run Clippy | |
runs-on: ubuntu-latest | |
if: ${{ github.ref != 'refs/heads/master' }} | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v3 | |
with: | |
persist-credentials: false | |
- name: Install rust toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
override: true | |
default: true | |
components: clippy | |
- uses: actions-rs/cargo@v1 | |
with: | |
command: clippy | |
args: --all-features --workspace -- -D warnings | |
test: | |
name: Run Tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout sources | |
uses: actions/checkout@v3 | |
- name: Install rust toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
override: true | |
default: true | |
components: clippy | |
- name: Install build dependencies | |
run: sudo apt-get update && sudo apt-get install -y libpam-dev | |
- name: Run tests | |
run: cargo test --verbose --workspace --all --all-features | |
- name: Build Docs | |
run: cargo doc --all-features --workspace --no-deps | |
build-linux-gnu: | |
runs-on: ubuntu-latest | |
name: Build for Linux (GNU) | |
needs: get_version | |
env: | |
target: x86_64-unknown-linux-gnu | |
BUILD_VERSION: ${{ needs.get_version.outputs.version }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # Otherwise the code that retrieves the git version doesn't work | |
- name: Install Rust toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
override: true | |
default: true | |
target: ${{ env.target }} | |
- name: Install build dependencies | |
run: sudo apt-get update && sudo apt-get install -y libpam-dev | |
- name: Build for Linux (GNU) | |
run: cargo build --no-default-features --features gnu --release --target=${{ env.target }} | |
- name: Rename | |
run: mv target/${{ env.target }}/release/unftp target/${{ env.target }}/release/unftp_${{ env.target }} | |
- name: Upload build artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: unftp_${{ env.target }} | |
path: target/${{ env.target }}/release/unftp_${{ env.target }} | |
build-linux-musl: | |
runs-on: ubuntu-latest | |
name: Build for Linux (MUSL) | |
needs: get_version | |
env: | |
target: x86_64-unknown-linux-musl | |
BUILD_VERSION: ${{ needs.get_version.outputs.version }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # Otherwise the code that retrieves the git version doesn't work | |
- name: Install Rust toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
override: true | |
default: true | |
target: ${{ env.target }} | |
- name: Install build dependencies | |
run: sudo apt-get update && sudo apt-get install -y musl-tools | |
- name: Build for Linux (MUSL) | |
run: RUSTFLAGS="-C target-feature=+crt-static" cargo build --no-default-features --features docker --release --target=${{ env.target }} | |
- name: Rename | |
run: mv target/${{ env.target }}/release/unftp target/${{ env.target }}/release/unftp_${{ env.target }} | |
- name: Upload build artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: unftp_${{ env.target }} | |
path: target/${{ env.target }}/release/unftp_${{ env.target }} | |
build-windows: | |
runs-on: windows-latest | |
name: Build for Windows | |
needs: get_version | |
env: | |
trget: x86_64-pc-windows-msvc | |
BUILD_VERSION: ${{ needs.get_version.outputs.version }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # Otherwise the code that retrieves the git version doesn't work | |
- name: Install Rust toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
override: true | |
default: true | |
target: ${{ env.trget }} | |
- name: Build for Windows | |
run: cargo build --release --target=${{ env.trget }} --features rest_auth,jsonfile_auth | |
- name: Rename | |
run: ren "target\${{ env.trget }}\release\unftp.exe" "unftp_${{ env.trget }}.exe" | |
- name: Upload build artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: unftp_${{ env.trget }}.exe | |
path: target/${{ env.trget }}/release/unftp_${{ env.trget }}.exe | |
build-macos-intel: | |
runs-on: macos-latest | |
name: Build for macOS (Intel) | |
needs: get_version | |
env: | |
target: x86_64-apple-darwin | |
BUILD_VERSION: ${{ needs.get_version.outputs.version }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # Otherwise the code that retrieves the git version doesn't work | |
- name: Install Rust toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
override: true | |
default: true | |
target: ${{ env.target }} | |
- name: Build for macOS (Intel) | |
run: cargo build --release --target=${{ env.target }} --features rest_auth,jsonfile_auth,cloud_storage | |
- name: Rename | |
run: mv target/${{ env.target }}/release/unftp target/${{ env.target }}/release/unftp_${{ env.target }} | |
- name: Upload build artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: unftp_${{ env.target }} | |
path: target/${{ env.target }}/release/unftp_${{ env.target }} | |
build-macos-arm: | |
runs-on: macos-latest | |
name: Build for macOS (ARM) | |
needs: get_version | |
env: | |
target: aarch64-apple-darwin | |
BUILD_VERSION: ${{ needs.get_version.outputs.version }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # Otherwise the code that retrieves the git version doesn't work | |
- name: Install Rust toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
toolchain: ${{ env.RUST_VERSION }} | |
override: true | |
default: true | |
target: ${{ env.target }} | |
- name: Install Rosetta | |
if: runner.os == 'macOS' && runner.arch == 'arm64' | |
run: softwareupdate --install-rosetta --agree-to-license | |
- name: Build | |
run: cargo build --release --target=${{ env.target }} --features rest_auth,jsonfile_auth,cloud_storage | |
- name: Rename | |
run: mv target/${{ env.target }}/release/unftp target/${{ env.target }}/release/unftp_${{ env.target }} | |
- name: Upload build artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: unftp_${{ env.target }} | |
path: target/${{ env.target }}/release/unftp_${{ env.target }} | |
upload-release-binaries: | |
if: ${{ github.event_name == 'release' }} # Testing: if: ${{ github.ref == 'refs/heads/hannes/upload' }} | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
build: | |
- x86_64-unknown-linux-gnu | |
- x86_64-unknown-linux-musl | |
- x86_64-apple-darwin | |
- aarch64-apple-darwin | |
- x86_64-pc-windows-msvc | |
env: | |
file_name: unftp_${{ matrix.build }}${{ contains(matrix.build, 'windows') && '.exe' || '' }} | |
file_dir: ./${{ matrix.build }} | |
needs: | |
- build-linux-gnu | |
- build-linux-musl | |
- build-macos-intel | |
- build-macos-arm | |
- build-windows | |
name: Upload Release Artifacts | |
steps: | |
# For testing: | |
# - name: Gets latest created release info | |
# id: latest_release_info | |
# uses: jossef/[email protected] | |
# env: | |
# GITHUB_TOKEN: ${{ github.token }} | |
- name: Download | |
uses: actions/download-artifact@v2 | |
with: | |
name: ${{ env.file_name }} | |
path: ${{ env.file_dir }} | |
- name: Calculate MD5 checksum | |
id: calculate_checksum | |
run: md5sum ${{ env.file_dir }}/${{ env.file_name }} > ${{ env.file_dir }}/${{ env.file_name }}.md5 | |
- name: Upload | |
uses: shogo82148/actions-upload-release-asset@v1 | |
with: | |
upload_url: ${{ github.event.release.upload_url }} # Testing: ${{ steps.latest_release_info.outputs.upload_url }} | |
asset_path: ${{ env.file_dir }}/${{ env.file_name }} | |
asset_name: ${{ env.file_name }} | |
asset_content_type: application/octet-stream | |
- name: Upload MD5 | |
uses: shogo82148/actions-upload-release-asset@v1 | |
with: | |
upload_url: ${{ github.event.release.upload_url }} | |
asset_path: ${{ env.file_dir }}/${{ env.file_name }}.md5 | |
asset_name: ${{ env.file_name }}.md5 | |
asset_content_type: text/plain | |
build-docker-images: | |
if: ${{ github.event_name == 'release' }} # Testing if: ${{ github.ref == 'refs/heads/hannes/docker-actions' }} | |
runs-on: ubuntu-latest | |
needs: | |
- build-linux-musl | |
- get_version | |
env: | |
BUILD_VERSION: ${{ needs.get_version.outputs.version }} | |
name: Build docker images | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Download linux musl | |
uses: actions/download-artifact@v2 | |
with: | |
name: unftp_x86_64-unknown-linux-musl | |
path: ./x86_64-unknown-linux-musl | |
- name: Change file permission | |
run: chmod +x ./x86_64-unknown-linux-musl/unftp_x86_64-unknown-linux-musl | |
- name: Build Docker image | |
run: docker build -t bolcom/unftp:${{ env.BUILD_VERSION }}-scratch -f packaging/docker/scratch.Dockerfile.ci . | |
- name: Save Docker image as tar | |
run: docker save -o docker-image-scratch.tar bolcom/unftp:${{ env.BUILD_VERSION }}-scratch | |
- name: Upload scratch tar image | |
uses: actions/upload-artifact@v2 | |
with: | |
name: docker-image-scratch | |
path: docker-image-scratch.tar | |
- name: Login to Docker Hub | |
uses: docker/login-action@v1 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Build and push scratch image | |
uses: docker/build-push-action@v2 | |
with: | |
context: . | |
file: ./packaging/docker/scratch.Dockerfile.ci | |
push: true | |
tags: bolcom/unftp:${{ env.BUILD_VERSION }}-scratch | |
- name: Build and push alpine image | |
uses: docker/build-push-action@v2 | |
with: | |
context: . | |
file: ./packaging/docker/alpine.Dockerfile.ci | |
push: true | |
tags: bolcom/unftp:${{ env.BUILD_VERSION }}-alpine | |
- name: Build and push alpine-istio image | |
uses: docker/build-push-action@v2 | |
with: | |
context: . | |
file: ./packaging/docker/alpine-istio.Dockerfile.ci | |
push: true | |
tags: bolcom/unftp:${{ env.BUILD_VERSION }}-alpine-istio | |
- name: Build and push alpine-debug image | |
uses: docker/build-push-action@v2 | |
with: | |
context: . | |
file: ./packaging/docker/alpine-debug.Dockerfile.ci | |
push: true | |
tags: bolcom/unftp:${{ env.BUILD_VERSION }}-alpine-debug | |
- name: Build and push Scratch image | |
uses: docker/build-push-action@v2 | |
with: | |
context: . | |
file: ./packaging/docker/alpine-istio-debug.Dockerfile.ci | |
push: true | |
tags: bolcom/unftp:${{ env.BUILD_VERSION }}-alpine-istio-debug |