@@ -2,32 +2,17 @@ name: Build & Release
22
33on :
44 push :
5- branches :
6- - main
7- paths :
8- - " src/**"
9- - " Cargo.toml"
10- - " Cargo.lock"
11- - " Dockerfile"
12- - " Dockerfile.*"
5+ tags :
6+ - " v*"
137 workflow_dispatch :
148 inputs :
15- chart_bump :
16- description : ' Chart version bump type '
9+ tag :
10+ description : ' Version tag (e.g. v0.7.0-beta.1 or v0.7.0) '
1711 required : true
18- type : choice
19- options :
20- - patch
21- - minor
22- - major
23- default : patch
24- release :
25- description : ' Stable release (no beta suffix)'
26- required : false
27- type : boolean
28- default : false
12+ type : string
13+ default : ' v'
2914 dry_run :
30- description : ' Dry run (show changes without committing )'
15+ description : ' Dry run (build only, no push )'
3116 required : false
3217 type : boolean
3318 default : false
3722 IMAGE_NAME : ${{ github.repository }}
3823
3924jobs :
25+ resolve-tag :
26+ runs-on : ubuntu-latest
27+ outputs :
28+ tag : ${{ steps.resolve.outputs.tag }}
29+ chart_version : ${{ steps.resolve.outputs.chart_version }}
30+ is_prerelease : ${{ steps.resolve.outputs.is_prerelease }}
31+ steps :
32+ - name : Resolve and validate tag
33+ id : resolve
34+ run : |
35+ if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
36+ TAG="${{ inputs.tag }}"
37+ else
38+ TAG="${GITHUB_REF_NAME}"
39+ fi
40+
41+ # Validate tag format
42+ if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]]; then
43+ echo "::error::Invalid tag format '${TAG}'. Expected v{major}.{minor}.{patch}[-prerelease]"
44+ exit 1
45+ fi
46+
47+ CHART_VERSION="${TAG#v}"
48+
49+ # Pre-release if version contains '-' (e.g. 0.7.0-beta.1)
50+ if [[ "$CHART_VERSION" == *-* ]]; then
51+ IS_PRERELEASE="true"
52+ else
53+ IS_PRERELEASE="false"
54+ fi
55+
56+ echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
57+ echo "chart_version=${CHART_VERSION}" >> "$GITHUB_OUTPUT"
58+ echo "is_prerelease=${IS_PRERELEASE}" >> "$GITHUB_OUTPUT"
59+
60+ # ── Pre-release path: full build ──────────────────────────────
61+
4062 build-image :
63+ needs : resolve-tag
64+ if : ${{ needs.resolve-tag.outputs.is_prerelease == 'true' }}
4165 strategy :
4266 matrix :
4367 variant :
4468 - { suffix: "", dockerfile: "Dockerfile", artifact: "default" }
4569 - { suffix: "-codex", dockerfile: "Dockerfile.codex", artifact: "codex" }
4670 - { suffix: "-claude", dockerfile: "Dockerfile.claude", artifact: "claude" }
4771 - { suffix: "-gemini", dockerfile: "Dockerfile.gemini", artifact: "gemini" }
72+ - { suffix: "-copilot", dockerfile: "Dockerfile.copilot", artifact: "copilot" }
4873 platform :
4974 - { os: linux/amd64, runner: ubuntu-latest }
5075 - { os: linux/arm64, runner: ubuntu-24.04-arm }
@@ -53,19 +78,19 @@ jobs:
5378 contents : read
5479 packages : write
5580 steps :
56- - uses : actions/checkout@v4
81+ - uses : actions/checkout@v6
5782
5883 - uses : docker/setup-buildx-action@v3
5984
60- - uses : docker/login-action@v3
85+ - uses : docker/login-action@v4
6186 with :
6287 registry : ${{ env.REGISTRY }}
6388 username : ${{ github.repository_owner }}
6489 password : ${{ secrets.GITHUB_TOKEN }}
6590
6691 - name : Docker metadata
6792 id : meta
68- uses : docker/metadata-action@v5
93+ uses : docker/metadata-action@v6
6994 with :
7095 images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ matrix.variant.suffix }}
7196
@@ -96,21 +121,20 @@ jobs:
96121 retention-days : 1
97122
98123 merge-manifests :
99- needs : build-image
100- if : inputs.dry_run != true
124+ needs : [resolve-tag, build-image]
125+ if : ${{ inputs.dry_run != true && needs.resolve-tag.outputs.is_prerelease == 'true' }}
101126 strategy :
102127 matrix :
103128 variant :
104129 - { suffix: "", artifact: "default" }
105130 - { suffix: "-codex", artifact: "codex" }
106131 - { suffix: "-claude", artifact: "claude" }
107132 - { suffix: "-gemini", artifact: "gemini" }
133+ - { suffix: "-copilot", artifact: "copilot" }
108134 runs-on : ubuntu-latest
109135 permissions :
110136 contents : read
111137 packages : write
112- outputs :
113- version : ${{ steps.meta.outputs.version }}
114138 steps :
115139 - name : Download digests
116140 uses : actions/download-artifact@v4
@@ -121,109 +145,119 @@ jobs:
121145
122146 - uses : docker/setup-buildx-action@v3
123147
124- - uses : docker/login-action@v3
148+ - uses : docker/login-action@v4
125149 with :
126150 registry : ${{ env.REGISTRY }}
127151 username : ${{ github.repository_owner }}
128152 password : ${{ secrets.GITHUB_TOKEN }}
129153
130154 - name : Docker metadata
131155 id : meta
132- uses : docker/metadata-action@v5
156+ uses : docker/metadata-action@v6
133157 with :
134158 images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ matrix.variant.suffix }}
135159 tags : |
136160 type=sha,prefix=
137- type=raw, value=latest
161+ type=semver,pattern={{version}}, value=${{ needs.resolve-tag.outputs.tag }}
138162
139163name : Create manifest list
140164 working-directory : /tmp/digests
141165 run : |
142166 docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
143167 $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ matrix.variant.suffix }}@sha256:%s ' *)
144168
145- bump-chart :
146- needs : merge-manifests
147- if : inputs.dry_run != true
169+ # ── Stable path: promote pre-release image (no rebuild) ──────
170+
171+ promote-stable :
172+ needs : resolve-tag
173+ if : ${{ inputs.dry_run != true && needs.resolve-tag.outputs.is_prerelease == 'false' }}
174+ strategy :
175+ matrix :
176+ variant :
177+ - { suffix: "" }
178+ - { suffix: "-codex" }
179+ - { suffix: "-claude" }
180+ - { suffix: "-gemini" }
181+ - { suffix: "-copilot" }
148182 runs-on : ubuntu-latest
149183 permissions :
150- contents : write
151- pull-requests : write
184+ contents : read
185+ packages : write
152186 steps :
153- - name : Generate App token
154- id : app-token
155- uses : actions/create-github-app-token@v1
156- with :
157- app-id : ${{ secrets.APP_ID }}
158- private-key : ${{ secrets.APP_PRIVATE_KEY }}
159-
160- - uses : actions/checkout@v4
187+ - uses : actions/checkout@v6
161188 with :
162189 fetch-depth : 0
163190
164- - name : Get current chart version
165- id : current
166- run : |
167- chart_version=$(grep '^version:' charts/openab/Chart.yaml | awk '{print $2}')
168- echo "chart_version=$chart_version" >> "$GITHUB_OUTPUT"
191+ - uses : docker/setup-buildx-action@v3
169192
170- name : Bump chart version
171- id : bump
193+ - uses : docker/login-action@v4
194+ with :
195+ registry : ${{ env.REGISTRY }}
196+ username : ${{ github.repository_owner }}
197+ password : ${{ secrets.GITHUB_TOKEN }}
198+
199+ - name : Find pre-release image
200+ id : find-prerelease
172201 run : |
173- current="${{ steps.current.outputs.chart_version }}"
174- # Strip any existing pre-release suffix for base version
175- base="${current%%-*}"
176- IFS='.' read -r major minor patch <<< "$base"
177- bump_type="${{ inputs.chart_bump }}"
178- bump_type="${bump_type:-patch}"
179- case "$bump_type" in
180- major) major=$((major + 1)); minor=0; patch=0 ;;
181- minor) minor=$((minor + 1)); patch=0 ;;
182- patch) patch=$((patch + 1)) ;;
183- esac
184- # Stable release: clean version. Otherwise: beta with run number.
185- if [ "${{ inputs.release }}" = "true" ]; then
186- new_version="${major}.${minor}.${patch}"
187- else
188- new_version="${major}.${minor}.${patch}-beta.${GITHUB_RUN_NUMBER}"
202+ CHART_VERSION="${{ needs.resolve-tag.outputs.chart_version }}"
203+ # Find latest pre-release tag matching this version (e.g. v0.7.0-beta.1)
204+ PRERELEASE_TAG=$(git tag -l "v${CHART_VERSION}-*" --sort=-v:refname | head -1)
205+ if [ -z "$PRERELEASE_TAG" ]; then
206+ echo "::error::No pre-release tag found for v${CHART_VERSION}-*. Run a pre-release build first."
207+ exit 1
189208 fi
190- echo "new_version=$new_version" >> "$GITHUB_OUTPUT"
209+ PRERELEASE_VERSION="${PRERELEASE_TAG#v}"
210+ echo "Found pre-release: ${PRERELEASE_TAG} (${PRERELEASE_VERSION})"
211+ echo "prerelease_version=${PRERELEASE_VERSION}" >> "$GITHUB_OUTPUT"
191212
192- name : Resolve image SHA
193- id : image-sha
213+ name : Verify pre-release image exists
194214 run : |
195- # Use the commit SHA that triggered this build — this is the SHA
196- # that merge-manifests tagged the Docker image with (type=sha,prefix=).
197- # We capture it here explicitly so it survives the bump commit.
198- IMAGE_SHA="${{ github.sha }}"
199- IMAGE_SHA="${IMAGE_SHA:0:7}"
200- echo "sha=${IMAGE_SHA}" >> "$GITHUB_OUTPUT"
201-
202- name : Update Chart.yaml and values.yaml
215+ IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ matrix.variant.suffix }}"
216+ PRERELEASE_VERSION="${{ steps.find-prerelease.outputs.prerelease_version }}"
217+ echo "Checking ${IMAGE}:${PRERELEASE_VERSION} ..."
218+ docker buildx imagetools inspect "${IMAGE}:${PRERELEASE_VERSION}" || \
219+ { echo "::error::Image ${IMAGE}:${PRERELEASE_VERSION} not found — build the pre-release first"; exit 1; }
220+
221+ name : Promote to stable tags
203222 run : |
204- IMAGE_SHA="${{ steps.image-sha.outputs.sha }}"
205- sed -i "s/^version: .*/version: ${{ steps.bump.outputs.new_version }}/" charts/openab/Chart.yaml
206- sed -i "s/^appVersion: .*/appVersion: \"${IMAGE_SHA}\"/" charts/openab/Chart.yaml
207- sed -i "s|repository: .*|repository: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}|" charts/openab/values.yaml
208- sed -i "s/tag: .*/tag: \"${IMAGE_SHA}\"/" charts/openab/values.yaml
209-
210- name : Create and auto-merge bump PR
211- env :
212- GH_TOKEN : ${{ steps.app-token.outputs.token }}
223+ IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ matrix.variant.suffix }}"
224+ PRERELEASE_VERSION="${{ steps.find-prerelease.outputs.prerelease_version }}"
225+ CHART_VERSION="${{ needs.resolve-tag.outputs.chart_version }}"
226+ MAJOR_MINOR="${CHART_VERSION%.*}"
227+
228+ echo "Promoting ${IMAGE}:${PRERELEASE_VERSION} → ${CHART_VERSION}, ${MAJOR_MINOR}, latest"
229+ docker buildx imagetools create \
230+ -t "${IMAGE}:${CHART_VERSION}" \
231+ -t "${IMAGE}:${MAJOR_MINOR}" \
232+ -t "${IMAGE}:latest" \
233+ "${IMAGE}:${PRERELEASE_VERSION}"
234+
235+ # ── Chart release (runs after either path) ───────────────────
236+
237+ release-chart :
238+ needs : [resolve-tag, merge-manifests, promote-stable]
239+ if : >-
240+ ${{ always() && inputs.dry_run != true &&
241+ needs.resolve-tag.result == 'success' &&
242+ (needs.merge-manifests.result == 'success' || needs.promote-stable.result == 'success') }}
243+ runs-on : ubuntu-latest
244+ permissions :
245+ contents : read
246+ packages : write
247+ steps :
248+ - uses : actions/checkout@v6
249+
250+ - name : Install Helm
251+ uses : azure/setup-helm@v4
252+
253+ - uses : docker/login-action@v4
254+ with :
255+ registry : ${{ env.REGISTRY }}
256+ username : ${{ github.repository_owner }}
257+ password : ${{ secrets.GITHUB_TOKEN }}
258+
259+ - name : Build and push chart to OCI
213260 run : |
214- VERSION="${{ steps.bump.outputs.new_version }}"
215- IMAGE_SHA="${{ steps.image-sha.outputs.sha }}"
216- BRANCH="chore/chart-${VERSION}"
217- git config user.name "openab-app[bot]"
218- git config user.email "274185012+openab-app[bot]@users.noreply.github.com"
219- git checkout -b "$BRANCH"
220- git add charts/openab/Chart.yaml charts/openab/values.yaml
221- git commit -m "chore: bump chart to ${VERSION}
222-
223- image: ${IMAGE_SHA}"
224- git push origin "$BRANCH"
225- PR_URL=$(gh pr create \
226- --title "chore: bump chart to ${VERSION}" \
227- --body "Auto-generated chart version bump for image \`${IMAGE_SHA}\`." \
228- --base main --head "$BRANCH")
229- gh pr merge "$PR_URL" --squash --delete-branch
261+ CHART_VERSION="${{ needs.resolve-tag.outputs.chart_version }}"
262+ helm package charts/openab
263+ helm push openab-${CHART_VERSION}.tgz oci://ghcr.io/${{ github.repository_owner }}/charts
0 commit comments