mirror of
https://github.com/getnora-io/nora.git
synced 2026-04-12 19:40:31 +00:00
devitway
fb0f80ac5a
- Add NORA (localhost:5000) as internal registry for image push and cache - Replace type=gha cache with type=registry pointing to NORA - Move scan and release jobs from ubuntu-latest to self-hosted runner - Upload binary as artifact in build, download in release (no docker pull) - Generate SBOM from NORA image instead of ghcr.io - Add driver-opts: network=host to buildx for localhost registry access
259 lines
8.4 KiB
YAML
259 lines
8.4 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
tags: ['v*']
|
|
|
|
env:
|
|
REGISTRY: ghcr.io
|
|
NORA: localhost:5000
|
|
IMAGE_NAME: ${{ github.repository }}
|
|
|
|
jobs:
|
|
build:
|
|
name: Build & Push
|
|
runs-on: [self-hosted, nora]
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Rust
|
|
run: |
|
|
echo "/home/github-runner/.cargo/bin" >> $GITHUB_PATH
|
|
echo "RUSTUP_HOME=/home/github-runner/.rustup" >> $GITHUB_ENV
|
|
echo "CARGO_HOME=/home/github-runner/.cargo" >> $GITHUB_ENV
|
|
|
|
- name: Build release binary (musl static)
|
|
run: |
|
|
cargo build --release --target x86_64-unknown-linux-musl --package nora-registry
|
|
cp target/x86_64-unknown-linux-musl/release/nora ./nora
|
|
|
|
- name: Upload binary artifact
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: nora-binary-${{ github.run_id }}
|
|
path: ./nora
|
|
retention-days: 1
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
driver-opts: network=host
|
|
|
|
- name: Log in to GitHub Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
# ── Alpine ───────────────────────────────────────────────────────────────
|
|
- name: Extract metadata (alpine)
|
|
id: meta-alpine
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: |
|
|
${{ env.NORA }}/${{ env.IMAGE_NAME }}
|
|
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
tags: |
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=raw,value=latest
|
|
|
|
- name: Build and push (alpine)
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: Dockerfile
|
|
platforms: linux/amd64
|
|
push: true
|
|
tags: ${{ steps.meta-alpine.outputs.tags }}
|
|
labels: ${{ steps.meta-alpine.outputs.labels }}
|
|
cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine
|
|
cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:alpine,mode=max
|
|
|
|
# ── RED OS ───────────────────────────────────────────────────────────────
|
|
- name: Extract metadata (redos)
|
|
id: meta-redos
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: |
|
|
${{ env.NORA }}/${{ env.IMAGE_NAME }}
|
|
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
flavor: suffix=-redos,onlatest=true
|
|
tags: |
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=raw,value=redos
|
|
|
|
- name: Build and push (redos)
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: Dockerfile.redos
|
|
platforms: linux/amd64
|
|
push: true
|
|
tags: ${{ steps.meta-redos.outputs.tags }}
|
|
labels: ${{ steps.meta-redos.outputs.labels }}
|
|
cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos
|
|
cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:redos,mode=max
|
|
|
|
# ── Astra Linux SE ───────────────────────────────────────────────────────
|
|
- name: Extract metadata (astra)
|
|
id: meta-astra
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: |
|
|
${{ env.NORA }}/${{ env.IMAGE_NAME }}
|
|
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
flavor: suffix=-astra,onlatest=true
|
|
tags: |
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=raw,value=astra
|
|
|
|
- name: Build and push (astra)
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: Dockerfile.astra
|
|
platforms: linux/amd64
|
|
push: true
|
|
tags: ${{ steps.meta-astra.outputs.tags }}
|
|
labels: ${{ steps.meta-astra.outputs.labels }}
|
|
cache-from: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra
|
|
cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,mode=max
|
|
|
|
scan:
|
|
name: Scan (${{ matrix.name }})
|
|
runs-on: [self-hosted, nora]
|
|
needs: build
|
|
permissions:
|
|
contents: read
|
|
packages: read
|
|
security-events: write
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- name: alpine
|
|
suffix: ""
|
|
- name: redos
|
|
suffix: "-redos"
|
|
- name: astra
|
|
suffix: "-astra"
|
|
|
|
steps:
|
|
- name: Set version tag (strip leading v)
|
|
id: ver
|
|
run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
|
|
|
|
- name: Trivy — image scan (${{ matrix.name }})
|
|
uses: aquasecurity/trivy-action@0.30.0
|
|
with:
|
|
scan-type: image
|
|
image-ref: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}
|
|
format: sarif
|
|
output: trivy-image-${{ matrix.name }}.sarif
|
|
severity: HIGH,CRITICAL
|
|
exit-code: 1
|
|
|
|
- name: Upload Trivy image results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v4
|
|
if: always()
|
|
with:
|
|
sarif_file: trivy-image-${{ matrix.name }}.sarif
|
|
category: trivy-image-${{ matrix.name }}
|
|
|
|
release:
|
|
name: GitHub Release
|
|
runs-on: [self-hosted, nora]
|
|
needs: [build, scan]
|
|
permissions:
|
|
contents: write
|
|
packages: read
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set version tag (strip leading v)
|
|
id: ver
|
|
run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
|
|
|
|
- name: Download binary artifact
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: nora-binary-${{ github.run_id }}
|
|
path: ./artifacts
|
|
|
|
- name: Prepare binary
|
|
run: |
|
|
cp ./artifacts/nora ./nora-linux-amd64
|
|
chmod +x ./nora-linux-amd64
|
|
sha256sum ./nora-linux-amd64 > nora-linux-amd64.sha256
|
|
echo "Binary size: $(du -sh nora-linux-amd64 | cut -f1)"
|
|
cat nora-linux-amd64.sha256
|
|
|
|
- name: Generate SBOM (SPDX)
|
|
uses: anchore/sbom-action@v0
|
|
with:
|
|
image: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}
|
|
format: spdx-json
|
|
output-file: nora-${{ github.ref_name }}.sbom.spdx.json
|
|
|
|
- name: Generate SBOM (CycloneDX)
|
|
uses: anchore/sbom-action@v0
|
|
with:
|
|
image: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}
|
|
format: cyclonedx-json
|
|
output-file: nora-${{ github.ref_name }}.sbom.cdx.json
|
|
|
|
- name: Create Release
|
|
uses: softprops/action-gh-release@v1
|
|
with:
|
|
generate_release_notes: true
|
|
files: |
|
|
nora-linux-amd64
|
|
nora-linux-amd64.sha256
|
|
nora-${{ github.ref_name }}.sbom.spdx.json
|
|
nora-${{ github.ref_name }}.sbom.cdx.json
|
|
body: |
|
|
## Install
|
|
|
|
```bash
|
|
curl -fsSL https://getnora.io/install.sh | sh
|
|
```
|
|
|
|
Or download the binary directly:
|
|
|
|
```bash
|
|
curl -LO https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/nora-linux-amd64
|
|
chmod +x nora-linux-amd64
|
|
sudo mv nora-linux-amd64 /usr/local/bin/nora
|
|
```
|
|
|
|
## Docker
|
|
|
|
**Alpine (standard):**
|
|
```bash
|
|
docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}
|
|
```
|
|
|
|
**RED OS:**
|
|
```bash
|
|
docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}-redos
|
|
```
|
|
|
|
**Astra Linux SE:**
|
|
```bash
|
|
docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}-astra
|
|
```
|
|
|
|
## Changelog
|
|
|
|
See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/main/CHANGELOG.md)
|