ci: remove garble — obfuscation caused 5 new AV detections, revert to… #14
# Release workflow: runs only when a tag whose name starts with "v" is pushed.
name: release

on:
  push:
    tags: ['v*']

# Workflow-level token scopes. Every job that does not declare its own
# `permissions` block inherits both write grants below.
permissions:
  contents: write
  pages: write

env:
  # Go toolchain version handed to actions/setup-go.
  GO_VERSION: '1.25'
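jobs:
  # Cross-compiles gost (this repository) and portyd (lovitus/gust-x) for every
  # target of one matrix group, archives each binary, and passes the archives
  # to the release job as a one-day artifact.
  build:
    name: build / ${{ matrix.group }}
    runs-on: ubuntu-latest
    # Compiling needs no write access to the repository or to Pages, so this
    # job overrides the workflow-level write grants with a read-only token.
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          # Each target: "GOOS/GOARCH[/VARIANT]".
          # VARIANT is GOAMD64 (v1|v3), GOARM (5|6|7), or GOMIPS.
          - group: linux-main
            targets: linux/amd64/v1 linux/amd64/v3 linux/386 linux/arm64
          - group: linux-arm
            targets: linux/arm/5 linux/arm/6 linux/arm/7
          - group: linux-mips
            targets: linux/mips/softfloat linux/mips/hardfloat linux/mipsle/softfloat linux/mipsle/hardfloat
          - group: linux-misc
            targets: linux/mips64 linux/mips64le linux/s390x linux/riscv64
          - group: darwin
            targets: darwin/amd64/v1 darwin/arm64
          - group: freebsd
            targets: freebsd/386 freebsd/amd64/v1
          - group: windows
            targets: windows/386 windows/amd64/v1 windows/amd64/v3 windows/arm64
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tag
      # (@v4, @v5). Pinning each to a full commit SHA would make the release
      # build independent of later retagging upstream.
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes, so do not leave the job token in
          # .git/config where module downloads and builds could read it.
          persist-credentials: false
      - name: Checkout gust-x
        env:
          # The personal access token is exposed to this step only.
          GH_TOKEN: ${{ secrets.GH_PAT }}
        # NOTE(review): this clones the tip of `main`, not a ref tied to the
        # release tag, so the portyd sources are whatever gust-x holds when
        # the workflow runs.
        run: gh repo clone lovitus/gust-x ../gust-x -- --depth 1 --branch main
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      - name: Download modules
        run: |
          go mod download
          (cd ../gust-x && go mod download)
      - name: Build targets
        shell: bash
        env:
          # Passed through the environment so the matrix value is never
          # pasted into the script text.
          TARGETS: ${{ matrix.targets }}
        run: |
          set -euo pipefail
          VERSION="${GITHUB_REF_NAME#v}"
          mkdir -p dist
          # Word splitting on the unquoted list is intentional: one target per word.
          for target in ${TARGETS}; do
            IFS='/' read -r GOOS GOARCH VARIANT <<< "$target"
            NAME="${GOOS}-${GOARCH}"
            extra_env=""
            case "$GOARCH" in
              amd64)
                AMD64="${VARIANT:-v1}"
                # The v1 baseline keeps the plain "amd64" name; v3 becomes "amd64v3".
                NAME="${GOOS}-amd64${AMD64/v1/}"
                extra_env="GOAMD64=${AMD64}"
                ;;
              arm)
                NAME="${GOOS}-armv${VARIANT}"
                extra_env="GOARM=${VARIANT}"
                ;;
              mips|mipsle)
                NAME="${GOOS}-${GOARCH}-${VARIANT}"
                extra_env="GOMIPS=${VARIANT}"
                ;;
            esac
            EXT=""
            [[ "$GOOS" == "windows" ]] && EXT=".exe"
            BIN="dist/gost-${NAME}${EXT}"
            echo "building ${NAME}..."
            # Plain `go build`: -trimpath removes local filesystem paths from
            # the binary, -s -w strip the symbol table and DWARF data.
            # $extra_env stays unquoted so an empty value adds no argument.
            env CGO_ENABLED=0 GOOS="$GOOS" GOARCH="$GOARCH" $extra_env \
              go build -trimpath -ldflags="-s -w -X main.version=${GITHUB_REF_NAME}" \
              -o "$BIN" ./cmd/gost
            if [[ "$GOOS" == "windows" ]]; then
              zip -j "dist/gost-${NAME}-${VERSION}.zip" "$BIN"
            else
              tar -czf "dist/gost-${NAME}-${VERSION}.tar.gz" -C dist "gost-${NAME}"
            fi
            # Only the archive is kept; the loose binary is removed.
            rm -f "$BIN"
            # Build portyd (standalone porty server) from gust-x
            PORTYD_BIN="dist/portyd-${NAME}${EXT}"
            echo "building portyd-${NAME}..."
            (cd ../gust-x && env CGO_ENABLED=0 GOOS="$GOOS" GOARCH="$GOARCH" $extra_env \
              go build -trimpath -ldflags="-s -w" \
              -o "$GITHUB_WORKSPACE/$PORTYD_BIN" ./cmd/portyd)
            if [[ "$GOOS" == "windows" ]]; then
              zip -j "dist/portyd-${NAME}-${VERSION}.zip" "$PORTYD_BIN"
            else
              tar -czf "dist/portyd-${NAME}-${VERSION}.tar.gz" -C dist "portyd-${NAME}"
            fi
            rm -f "$PORTYD_BIN"
          done
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: dist-${{ matrix.group }}
          path: dist/
          retention-days: 1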
| release: | |
| name: publish release | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Resolve release metadata | |
| id: meta | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| TAG="${GITHUB_REF_NAME#refs/tags/}" | |
| VERSION="${TAG#v}" | |
| if [[ -z "${TAG}" || "${TAG}" != v* ]]; then | |
| echo "release tag must start with v" >&2 | |
| exit 1 | |
| fi | |
| if [[ "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| STABLE=true | |
| PRERELEASE=false | |
| MAKE_LATEST=true | |
| else | |
| STABLE=false | |
| PRERELEASE=true | |
| MAKE_LATEST=false | |
| fi | |
| echo "tag=${TAG}" >> "$GITHUB_OUTPUT" | |
| echo "version=${VERSION}" >> "$GITHUB_OUTPUT" | |
| echo "stable=${STABLE}" >> "$GITHUB_OUTPUT" | |
| echo "prerelease=${PRERELEASE}" >> "$GITHUB_OUTPUT" | |
| echo "make_latest=${MAKE_LATEST}" >> "$GITHUB_OUTPUT" | |
| - name: Preflight package signing secrets | |
| if: ${{ steps.meta.outputs.stable == 'true' }} | |
| shell: bash | |
| env: | |
| PACKAGE_GPG_PRIVATE_KEY: ${{ secrets.PACKAGE_GPG_PRIVATE_KEY }} | |
| PACKAGE_GPG_PASSPHRASE: ${{ secrets.PACKAGE_GPG_PASSPHRASE }} | |
| run: | | |
| set -euo pipefail | |
| if [[ -z "${PACKAGE_GPG_PRIVATE_KEY}" || -z "${PACKAGE_GPG_PASSPHRASE}" ]]; then | |
| echo "Stable package publishing requires PACKAGE_GPG_PRIVATE_KEY and PACKAGE_GPG_PASSPHRASE." >&2 | |
| exit 1 | |
| fi | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download all artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: dist-* | |
| path: dist/ | |
| merge-multiple: true | |
| - name: Install Linux packaging tools | |
| if: ${{ steps.meta.outputs.stable == 'true' }} | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| sudo apt-get update | |
| sudo apt-get install -y apt-utils createrepo-c dpkg-dev gnupg rpm | |
| go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest | |
| echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH" | |
| - name: Build Linux packages | |
| if: ${{ steps.meta.outputs.stable == 'true' }} | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| bash .github/scripts/build_linux_packages.sh \ | |
| --version "${{ steps.meta.outputs.version }}" \ | |
| --artifacts-dir dist \ | |
| --out-dir dist | |
| - name: Prepare package repository worktree | |
| if: ${{ steps.meta.outputs.stable == 'true' }} | |
| id: package_pages | |
| shell: bash | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| run: | | |
| set -euo pipefail | |
| pages_dir="${RUNNER_TEMP}/gust-package-pages" | |
| rm -rf "${pages_dir}" | |
| git clone --no-checkout "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "${pages_dir}" | |
| cd "${pages_dir}" | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| if git ls-remote --exit-code --heads origin gh-pages >/dev/null 2>&1; then | |
| git checkout gh-pages | |
| else | |
| git checkout --orphan gh-pages | |
| git rm -rf . >/dev/null 2>&1 || true | |
| fi | |
| echo "dir=${pages_dir}" >> "$GITHUB_OUTPUT" | |
| - name: Update Linux package repositories | |
| if: ${{ steps.meta.outputs.stable == 'true' }} | |
| shell: bash | |
| env: | |
| PACKAGE_GPG_PRIVATE_KEY: ${{ secrets.PACKAGE_GPG_PRIVATE_KEY }} | |
| PACKAGE_GPG_PASSPHRASE: ${{ secrets.PACKAGE_GPG_PASSPHRASE }} | |
| run: | | |
| set -euo pipefail | |
| bash .github/scripts/update_linux_repos.sh \ | |
| --version "${{ steps.meta.outputs.version }}" \ | |
| --tag "${{ steps.meta.outputs.tag }}" \ | |
| --artifacts dist \ | |
| --pages-dir "${{ steps.package_pages.outputs.dir }}" | |
| - name: Generate checksums | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| ( | |
| cd dist | |
| sha256sum * > checksums.txt | |
| ) | |
| - name: Checkout master for package manifests | |
| if: ${{ steps.meta.outputs.stable == 'true' }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: master | |
| path: manifest-main | |
| - name: Update package manifests | |
| if: ${{ steps.meta.outputs.stable == 'true' }} | |
| shell: bash | |
| working-directory: manifest-main | |
| run: | | |
| set -euo pipefail | |
| python3 "${GITHUB_WORKSPACE}/.github/scripts/update_package_manifests.py" \ | |
| --version "${{ steps.meta.outputs.version }}" \ | |
| --checksums "${GITHUB_WORKSPACE}/dist/checksums.txt" | |
| ruby -c Formula/gust.rb | |
| python3 -m json.tool bucket/gust.json >/dev/null | |
| - name: Prepare release notes | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| TAG="${{ steps.meta.outputs.tag }}" | |
| PREV="$(git tag --sort=-v:refname | grep -v "^${TAG}$" | head -1 || true)" | |
| { | |
| echo "## What's new in ${TAG}" | |
| echo "" | |
| if [[ -n "${PREV}" ]]; then | |
| git log --pretty="- %s" "${PREV}..${TAG}" 2>/dev/null | head -50 || true | |
| else | |
| git log --pretty="- %s" "${TAG}" 2>/dev/null | head -50 || true | |
| fi | |
| echo "" | |
| echo "See [docs/sings-protocol.md](https://github.com/lovitus/gust-x/blob/main/docs/sings-protocol.md) for full documentation." | |
| } > /tmp/release-notes.md | |
| - name: Create or update GitHub Release | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -euo pipefail | |
| TAG="${{ steps.meta.outputs.tag }}" | |
| PRERELEASE="${{ steps.meta.outputs.prerelease }}" | |
| MAKE_LATEST="${{ steps.meta.outputs.make_latest }}" | |
| if gh release view "${TAG}" >/dev/null 2>&1; then | |
| gh release upload "${TAG}" dist/* --clobber | |
| release_id="$(gh api "repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}" --jq .id)" | |
| export TAG PRERELEASE MAKE_LATEST | |
| python3 - <<'PY' | |
| from __future__ import annotations | |
| import json | |
| import os | |
| from pathlib import Path | |
| Path("/tmp/release-patch.json").write_text( | |
| json.dumps( | |
| { | |
| "name": os.environ["TAG"], | |
| "tag_name": os.environ["TAG"], | |
| "body": Path("/tmp/release-notes.md").read_text(encoding="utf-8"), | |
| "prerelease": os.environ["PRERELEASE"] == "true", | |
| "make_latest": os.environ["MAKE_LATEST"], | |
| } | |
| ), | |
| encoding="utf-8", | |
| ) | |
| PY | |
| gh api -X PATCH "repos/${GITHUB_REPOSITORY}/releases/${release_id}" \ | |
| --input /tmp/release-patch.json >/dev/null | |
| else | |
| create_args=( | |
| "${TAG}" | |
| dist/* | |
| --title "${TAG}" | |
| --notes-file /tmp/release-notes.md | |
| ) | |
| if [[ "${PRERELEASE}" == "true" ]]; then | |
| create_args+=(--prerelease --latest=false) | |
| else | |
| create_args+=(--latest) | |
| fi | |
| gh release create "${create_args[@]}" | |
| fi | |
| - name: Publish Linux package repositories | |
| if: ${{ steps.meta.outputs.stable == 'true' }} | |
| shell: bash | |
| working-directory: ${{ steps.package_pages.outputs.dir }} | |
| run: | | |
| set -euo pipefail | |
| if [[ -n "$(git status --porcelain)" ]]; then | |
| git add -A | |
| git commit -m "chore: update Linux package repositories for ${{ steps.meta.outputs.tag }} [skip ci]" | |
| git push origin HEAD:gh-pages | |
| else | |
| echo "Linux package repositories are already up to date." | |
| fi | |
| - name: Commit package manifests | |
| if: ${{ steps.meta.outputs.stable == 'true' }} | |
| shell: bash | |
| working-directory: manifest-main | |
| run: | | |
| set -euo pipefail | |
| if [[ -z "$(git status --porcelain -- Formula/gust.rb bucket/gust.json)" ]]; then | |
| echo "Package manifests are already up to date." | |
| exit 0 | |
| fi | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git add Formula/gust.rb bucket/gust.json | |
| git commit -m "chore: update package manifests for ${{ steps.meta.outputs.tag }} [skip ci]" | |
| git push origin HEAD:master | |
| - name: Ensure GitHub Pages is enabled | |
| if: ${{ steps.meta.outputs.stable == 'true' }} | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| set -euo pipefail | |
| if gh api "repos/${GITHUB_REPOSITORY}/pages" >/dev/null 2>&1; then | |
| echo "GitHub Pages is already enabled." | |
| else | |
| gh api -X POST "repos/${GITHUB_REPOSITORY}/pages" \ | |
| -f "source[branch]=gh-pages" \ | |
| -f "source[path]=/" | |
| fi |