name: Release on: push: tags: ['v*'] env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} jobs: build: name: Build & Push runs-on: self-hosted permissions: contents: read packages: write steps: - uses: actions/checkout@v4 - name: Set up Rust run: | echo "/home/github-runner/.cargo/bin" >> $GITHUB_PATH echo "RUSTUP_HOME=/home/github-runner/.rustup" >> $GITHUB_ENV echo "CARGO_HOME=/home/github-runner/.cargo" >> $GITHUB_ENV - name: Build release binary (musl static) run: | cargo build --release --target x86_64-unknown-linux-musl --package nora-registry cp target/x86_64-unknown-linux-musl/release/nora ./nora - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} # ── Alpine (standard) ──────────────────────────────────────────────────── - name: Extract metadata (alpine) id: meta-alpine uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=latest - name: Build and push (alpine) uses: docker/build-push-action@v5 with: context: . file: Dockerfile platforms: linux/amd64 push: true tags: ${{ steps.meta-alpine.outputs.tags }} labels: ${{ steps.meta-alpine.outputs.labels }} cache-from: type=gha,scope=alpine cache-to: type=gha,mode=max,scope=alpine # ── RED OS ─────────────────────────────────────────────────────────────── - name: Extract metadata (redos) id: meta-redos uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} flavor: suffix=-redos,onlatest=true tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=redos - name: Build and push (redos) uses: docker/build-push-action@v5 with: context: . file: Dockerfile.redos platforms: linux/amd64 push: true tags: ${{ steps.meta-redos.outputs.tags }} labels: ${{ steps.meta-redos.outputs.labels }} cache-from: type=gha,scope=redos cache-to: type=gha,mode=max,scope=redos scan: name: Scan (${{ matrix.name }}) runs-on: ubuntu-latest needs: build permissions: contents: read packages: read security-events: write strategy: fail-fast: false matrix: include: - name: alpine suffix: "" - name: redos suffix: "-redos" steps: - name: Log in to Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set version tag (strip leading v) id: ver run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT # ── CVE scan of the pushed image ──────────────────────────────────────── # Images are FROM scratch — no OS packages, only binary CVE scan - name: Trivy — image scan (${{ matrix.name }}) uses: aquasecurity/trivy-action@0.30.0 with: scan-type: image image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }} format: sarif output: trivy-image-${{ matrix.name }}.sarif severity: HIGH,CRITICAL exit-code: 1 # block release on HIGH/CRITICAL vulnerabilities - name: Upload Trivy image results to GitHub Security tab uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: trivy-image-${{ matrix.name }}.sarif category: trivy-image-${{ matrix.name }} release: name: GitHub Release runs-on: ubuntu-latest needs: [build, scan] permissions: contents: write packages: read # to pull image for SBOM generation steps: - uses: actions/checkout@v4 - name: Log in to Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set version tag (strip leading v) id: ver run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT # ── Binary — extract from Docker image ────────────────────────────────── - name: Extract binary from image run: | docker create --name nora-extract \ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }} docker cp nora-extract:/nora ./nora-linux-amd64 docker rm nora-extract chmod +x ./nora-linux-amd64 sha256sum ./nora-linux-amd64 > nora-linux-amd64.sha256 echo "Binary size: $(du -sh nora-linux-amd64 | cut -f1)" cat nora-linux-amd64.sha256 # ── SBOM — Software Bill of Materials ─────────────────────────────────── - name: Generate SBOM (SPDX) uses: anchore/sbom-action@v0 with: image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }} format: spdx-json output-file: nora-${{ github.ref_name }}.sbom.spdx.json registry-username: ${{ github.actor }} registry-password: ${{ secrets.GITHUB_TOKEN }} - name: Generate SBOM (CycloneDX) uses: anchore/sbom-action@v0 with: image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }} format: cyclonedx-json output-file: nora-${{ github.ref_name }}.sbom.cdx.json registry-username: ${{ github.actor }} registry-password: ${{ secrets.GITHUB_TOKEN }} - name: Create Release uses: softprops/action-gh-release@v1 with: generate_release_notes: true files: | nora-linux-amd64 nora-linux-amd64.sha256 nora-${{ github.ref_name }}.sbom.spdx.json nora-${{ github.ref_name }}.sbom.cdx.json body: | ## Install ```bash curl -fsSL https://getnora.io/install.sh | sh ``` Or download the binary directly: ```bash curl -LO https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/nora-linux-amd64 chmod +x nora-linux-amd64 sudo mv nora-linux-amd64 /usr/local/bin/nora ``` ## Docker **Alpine (standard):** ```bash docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }} ``` **RED OS:** ```bash docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}-redos ``` ## Changelog See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/main/CHANGELOG.md)