nadir-agent/.gitea/workflows/build.yaml
urania a106b7413f
build-and-release / release (push) Successful in 2m37s
fix: workflow
2026-06-22 20:12:54 +02:00


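# Build-and-release pipeline for pushes to main: test, compute the next
# semantic version with svu, cross-build amd64/arm64 binaries, sign the
# checksum file, then tag and publish a release through the Gitea API.
name: build-and-release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@v4` / `@v5` are mutable tags. Pinning each action to a
      # full commit SHA keeps a retagged upstream from changing what runs in a
      # job that later handles the signing key and the release token.
      #
      # fetch-depth: 0 fetches full history; svu derives versions from tags
      # and commits, so a shallow clone would not be enough.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v5
        with:
          go-version: "1.26"
          cache: false
      - name: Install PAM headers (needed by go test)
        run: sudo apt-get update && sudo apt-get install -y libpam0g-dev
      - name: Run tests
        run: |
          set -ex
          go vet ./...
          go test ./...
      # NOTE(review): the svu archive is fetched over HTTPS from a versioned
      # release URL but its content is not verified before it is unpacked into
      # /usr/local/bin and executed. Record the expected digest in the repo and
      # check it before `tar`, e.g.
      #   echo "<PINNED_SHA256_PLACEHOLDER>  /tmp/svu.tar.gz" | sha256sum -c -
      # so a replaced release asset fails the job instead of running in it.
      - name: Install svu
        timeout-minutes: 3
        run: |
          set -ex
          which curl tar
          curl -fL --max-time 120 --connect-timeout 15 \
            -o /tmp/svu.tar.gz \
            https://github.com/caarlos0/svu/releases/download/v3.2.2/svu_3.2.2_linux_amd64.tar.gz
          ls -la /tmp/svu.tar.gz
          tar -xzf /tmp/svu.tar.gz -C /usr/local/bin svu
          svu --version
      # Publishes three step outputs: `current`, `next` and `release`
      # ('true' only when svu proposes a version different from the current
      # one). Every later step is gated on `release`.
      - name: Compute next version
        id: ver
        run: |
          # Fail the step if `svu next` errors; otherwise an empty NEXT would
          # differ from CURRENT and trigger a release with an empty version.
          set -e
          CURRENT=$(svu current 2>/dev/null || echo v0.0.0)
          NEXT=$(svu next)
          if [ -z "$NEXT" ]; then
            echo "svu returned an empty next version" >&2
            exit 1
          fi
          echo "current=$CURRENT" >> "$GITHUB_OUTPUT"
          echo "next=$NEXT" >> "$GITHUB_OUTPUT"
          if [ "$CURRENT" = "$NEXT" ]; then
            echo "release=false" >> "$GITHUB_OUTPUT"
            echo "No version-worthy commits since $CURRENT; skipping release."
          else
            echo "release=true" >> "$GITHUB_OUTPUT"
            echo "Releasing $NEXT (was $CURRENT)."
          fi
      # The arm64 entries below use plain http. apt still verifies the signed
      # repository metadata because no `trusted=yes` override is set; keep it
      # that way if this list is ever edited.
      - name: Install build deps (PAM headers + UPX + arm64 cross toolchain)
        if: steps.ver.outputs.release == 'true'
        run: |
          set -ex
          sudo dpkg --add-architecture arm64
          # Restrict existing Ubuntu sources to amd64 so `apt update` doesn't try
          # to fetch arm64 indexes from archive.ubuntu.com (which is amd64-only).
          # Noble uses deb822 (ubuntu.sources); older releases use sources.list.
          if [ -f /etc/apt/sources.list.d/ubuntu.sources ]; then
            sudo sed -i '/^Signed-By:/i Architectures: amd64' /etc/apt/sources.list.d/ubuntu.sources
          fi
          if [ -s /etc/apt/sources.list ]; then
            sudo sed -i -E 's|^deb (https?://)|deb [arch=amd64] \1|' /etc/apt/sources.list
          fi
          # Add the arm64 mirror (Ubuntu non-amd64 packages live on ports.ubuntu.com).
          sudo tee /etc/apt/sources.list.d/arm64.list >/dev/null <<'EOF'
          deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports noble main universe
          deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports noble-updates main universe
          deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports noble-security main universe
          EOF
          sudo apt-get update
          sudo apt-get install -y \
            upx-ucl \
            libpam0g-dev \
            libpam0g-dev:arm64 \
            gcc-aarch64-linux-gnu
      # The version reaches the script through `env`, not by expanding
      # `${{ ... }}` inside `run`, so its value is never spliced into the
      # shell source text.
      - name: Build binaries
        if: steps.ver.outputs.release == 'true'
        env:
          VERSION: ${{ steps.ver.outputs.next }}
          LDFLAGS: -s -w -X nadir.Version=${{ steps.ver.outputs.next }}
        run: |
          # Stop at the first failed build so a missing or stale binary is
          # never packed and handed to the signing step.
          set -e
          mkdir -p dist
          CGO_ENABLED=1 GOOS=linux GOARCH=amd64 \
            go build -ldflags="$LDFLAGS" -o "dist/nadir-$VERSION-linux-amd64" ./cmd/server
          CGO_ENABLED=1 GOOS=linux GOARCH=arm64 CC=aarch64-linux-gnu-gcc \
            go build -ldflags="$LDFLAGS" -o "dist/nadir-$VERSION-linux-arm64" ./cmd/server
          upx --best --lzma "dist/nadir-$VERSION-linux-amd64" "dist/nadir-$VERSION-linux-arm64"
      # Hashes are taken after UPX packing, so the signed sha256sums.txt
      # describes the files that are actually uploaded. The signature covers
      # only that list: consumers must verify sha256sums.txt.minisig first and
      # then check each download against the list.
      #
      # The key material is passed through `env` only; presumably
      # tools/sign-checksums reads it from there (not visible in this file).
      # `set -x` traces command lines, so keep both secrets out of command
      # arguments in this step.
      - name: Sign checksums
        if: steps.ver.outputs.release == 'true'
        env:
          MINISIGN_SECRET_KEY: ${{ secrets.MINISIGN_SECRET_KEY }}
          MINISIGN_PASSWORD: ${{ secrets.MINISIGN_PASSWORD }}
        run: |
          set -ex
          cd dist
          sha256sum nadir-* > sha256sums.txt
          cat sha256sums.txt
          go run ../tools/sign-checksums sha256sums.txt
          ls -la sha256sums.txt sha256sums.txt.minisig
      # NOTE(review): the token is embedded in the push URL and in curl `-H`
      # arguments, so it is visible in the process list on the runner and can
      # surface in git error output. Do not add `set -x` to this step; consider
      # a credential helper so the token stays out of argv.
      #
      # NOTE(review): the tag is pushed before the release is created. If a
      # later call fails, the tag remains and a re-run would likely see no new
      # version and skip the release, leaving a tag without assets.
      - name: Tag and release
        if: steps.ver.outputs.release == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.GITEATOKEN }}
          VERSION: ${{ steps.ver.outputs.next }}
        run: |
          # -e only (no -x): tracing would print the token-bearing commands.
          set -e
          git config user.email "ci@nadir"
          git config user.name "nadir-ci"
          git tag -a "$VERSION" -m "$VERSION"
          git push "https://x:${GITEA_TOKEN}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" "$VERSION"
          # Create the release via Gitea API (works on any Gitea ≥ 1.20)
          curl -sSf -X POST \
            -H "Authorization: token $GITEA_TOKEN" \
            -H "Content-Type: application/json" \
            -d "{\"tag_name\":\"$VERSION\",\"name\":\"$VERSION\"}" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/releases" > release.json
          # First "id" field in the response is taken as the release id.
          RELEASE_ID=$(grep -o '"id":[0-9]*' release.json | head -1 | cut -d: -f2)
          # Without an id the asset URL below would be malformed; fail loudly.
          if [ -z "$RELEASE_ID" ]; then
            echo "could not read release id from API response" >&2
            exit 1
          fi
          for f in dist/*; do
            curl -sSf -X POST \
              -H "Authorization: token $GITEA_TOKEN" \
              -F "attachment=@$f" \
              "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/releases/$RELEASE_ID/assets?name=$(basename "$f")"
          done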