name: build-and-release on: push: branches: [main] jobs: release: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 # svu needs full history + tags - uses: actions/setup-go@v5 with: go-version: '1.26' cache: false - name: Install svu timeout-minutes: 3 run: | set -ex which curl tar curl -fL --max-time 120 --connect-timeout 15 \ -o /tmp/svu.tar.gz \ https://github.com/caarlos0/svu/releases/download/v3.2.2/svu_3.2.2_linux_amd64.tar.gz ls -la /tmp/svu.tar.gz tar -xzf /tmp/svu.tar.gz -C /usr/local/bin svu svu --version - name: Compute next version id: ver run: | CURRENT=$(svu current 2>/dev/null || echo v0.0.0) NEXT=$(svu next) echo "current=$CURRENT" >> $GITHUB_OUTPUT echo "next=$NEXT" >> $GITHUB_OUTPUT if [ "$CURRENT" = "$NEXT" ]; then echo "release=false" >> $GITHUB_OUTPUT echo "No version-worthy commits since $CURRENT; skipping release." else echo "release=true" >> $GITHUB_OUTPUT echo "Releasing $NEXT (was $CURRENT)." fi - name: Install build deps (PAM headers + UPX + arm64 cross toolchain) if: steps.ver.outputs.release == 'true' run: | set -ex sudo dpkg --add-architecture arm64 # Restrict existing Ubuntu sources to amd64 so `apt update` doesn't try # to fetch arm64 indexes from archive.ubuntu.com (which is amd64-only). # Noble uses deb822 (ubuntu.sources); older releases use sources.list. if [ -f /etc/apt/sources.list.d/ubuntu.sources ]; then sudo sed -i '/^Signed-By:/i Architectures: amd64' /etc/apt/sources.list.d/ubuntu.sources fi if [ -s /etc/apt/sources.list ]; then sudo sed -i -E 's|^deb (https?://)|deb [arch=amd64] \1|' /etc/apt/sources.list fi # Add the arm64 mirror (Ubuntu non-amd64 packages live on ports.ubuntu.com). sudo tee /etc/apt/sources.list.d/arm64.list >/dev/null <<'EOF' deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports noble main universe deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports noble-updates main universe deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports noble-security main universe EOF sudo apt-get update sudo apt-get install -y \ upx-ucl \ libpam0g-dev \ libpam0g-dev:arm64 \ gcc-aarch64-linux-gnu - name: Build binaries if: steps.ver.outputs.release == 'true' env: VERSION: ${{ steps.ver.outputs.next }} LDFLAGS: -s -w -X nadir.Version=${{ steps.ver.outputs.next }} run: | mkdir -p dist CGO_ENABLED=1 GOOS=linux GOARCH=amd64 \ go build -ldflags="$LDFLAGS" -o dist/nadir-$VERSION-linux-amd64 ./cmd/server CGO_ENABLED=1 GOOS=linux GOARCH=arm64 CC=aarch64-linux-gnu-gcc \ go build -ldflags="$LDFLAGS" -o dist/nadir-$VERSION-linux-arm64 ./cmd/server upx --best --lzma dist/nadir-$VERSION-linux-amd64 dist/nadir-$VERSION-linux-arm64 - name: Tag and release if: steps.ver.outputs.release == 'true' env: GITEA_TOKEN: ${{ secrets.GITEATOKEN }} VERSION: ${{ steps.ver.outputs.next }} run: | git config user.email "ci@nadir" git config user.name "nadir-ci" git tag -a "$VERSION" -m "$VERSION" git push "https://x:${GITEA_TOKEN}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" "$VERSION" # Create the release via Gitea API (works on any Gitea ≥ 1.20) curl -sSf -X POST \ -H "Authorization: token $GITEA_TOKEN" \ -H "Content-Type: application/json" \ -d "{\"tag_name\":\"$VERSION\",\"name\":\"$VERSION\"}" \ "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/releases" > release.json RELEASE_ID=$(grep -o '"id":[0-9]*' release.json | head -1 | cut -d: -f2) for f in dist/*; do curl -sSf -X POST \ -H "Authorization: token $GITEA_TOKEN" \ -F "attachment=@$f" \ "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/releases/$RELEASE_ID/assets?name=$(basename $f)" done