docs: Update SECURITY.md #354
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build + Publish | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- 'v*' | |
env: | |
BASE_DEV_VERSION: 2.5.0 | |
jobs: | |
build: | |
name: Build | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set Build Variables | |
run: | | |
if [[ "$GITHUB_REF" =~ ^refs/tags/v* ]]; then | |
echo "Using TAG mode: $GITHUB_REF_NAME" | |
echo "REL_VERSION=$GITHUB_REF_NAME" >> $GITHUB_ENV | |
echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV | |
else | |
echo "Using BRANCH mode: v$BASE_DEV_VERSION-dev.$GITHUB_RUN_NUMBER" | |
echo "REL_VERSION=v$BASE_DEV_VERSION-dev.$GITHUB_RUN_NUMBER" >> $GITHUB_ENV | |
echo "REL_VERSION_STRICT=$BASE_DEV_VERSION-dev.$GITHUB_RUN_NUMBER" >> $GITHUB_ENV | |
fi | |
- name: Disable DEV Flag + Set Version | |
run: | | |
sudo apt-get install jq -y | |
mv package.json pkg-temp.json | |
jq --arg vs "$REL_VERSION_STRICT" -r '. + {dev:false, version:$vs}' pkg-temp.json > package.json | |
rm pkg-temp.json | |
cat package.json | |
- name: Login to DockerHub | |
uses: docker/[email protected] | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Login to GitHub Container Registry | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and push Docker images | |
uses: docker/[email protected] | |
with: | |
context: . | |
file: dev/build/Dockerfile | |
push: true | |
tags: | | |
requarks/wiki:canary | |
requarks/wiki:canary-${{ env.REL_VERSION_STRICT }} | |
ghcr.io/requarks/wiki:canary | |
ghcr.io/requarks/wiki:canary-${{ env.REL_VERSION_STRICT }} | |
- name: Extract compiled files | |
run: | | |
mkdir -p _dist | |
docker create --name wiki ghcr.io/requarks/wiki:canary-$REL_VERSION_STRICT | |
docker cp wiki:/wiki _dist | |
docker rm wiki | |
rm _dist/wiki/config.yml | |
cp ./config.sample.yml _dist/wiki/config.sample.yml | |
find _dist/wiki/ -printf "%P\n" | tar -czf wiki-js.tar.gz --no-recursion -C _dist/wiki/ -T - | |
- name: Upload a Build Artifact | |
uses: actions/[email protected] | |
with: | |
name: drop | |
path: wiki-js.tar.gz | |
cypress: | |
name: Run Cypress Tests | |
runs-on: ubuntu-latest | |
needs: [build] | |
strategy: | |
matrix: | |
dbtype: [postgres, mysql, mariadb, mssql, sqlite] | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set Test Variables | |
run: | | |
if [[ "$GITHUB_REF" =~ ^refs/tags/v* ]]; then | |
echo "Using TAG mode: $GITHUB_REF_NAME" | |
echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV | |
else | |
echo "Using BRANCH mode: v$BASE_DEV_VERSION-dev.$GITHUB_RUN_NUMBER" | |
echo "REL_VERSION_STRICT=$BASE_DEV_VERSION-dev.$GITHUB_RUN_NUMBER" >> $GITHUB_ENV | |
fi | |
- name: Run Tests | |
env: | |
MATRIXENV: ${{ matrix.dbtype }} | |
CYPRESS_KEY: ${{ secrets.CYPRESS_KEY }} | |
run: | | |
chmod u+x dev/cypress/ci-setup.sh | |
dev/cypress/ci-setup.sh | |
docker run --name cypress --ipc=host --shm-size 1G -v $GITHUB_WORKSPACE:/e2e -w /e2e cypress/included:4.9.0 --record --key "$CYPRESS_KEY" --headless --group "$MATRIXENV" --ci-build-id "$REL_VERSION_STRICT-run$GITHUB_RUN_NUMBER.$GITHUB_RUN_ATTEMPT" --tag "$REL_VERSION_STRICT" --config baseUrl=http://172.17.0.1:3000 | |
arm: | |
name: ARM Build | |
runs-on: ubuntu-latest | |
needs: [cypress] | |
permissions: | |
packages: write | |
strategy: | |
matrix: | |
include: | |
- platform: linux/arm64 | |
docker: arm64 | |
- platform: linux/arm/v7 | |
docker: armv7 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set Version Variables | |
run: | | |
if [[ "$GITHUB_REF" =~ ^refs/tags/v* ]]; then | |
echo "Using TAG mode: $GITHUB_REF_NAME" | |
echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV | |
else | |
echo "Using BRANCH mode: v$BASE_DEV_VERSION-dev.$GITHUB_RUN_NUMBER" | |
echo "REL_VERSION_STRICT=$BASE_DEV_VERSION-dev.$GITHUB_RUN_NUMBER" >> $GITHUB_ENV | |
fi | |
- name: Set up QEMU | |
uses: docker/[email protected] | |
- name: Set up Docker Buildx | |
uses: docker/[email protected] | |
- name: Login to DockerHub | |
uses: docker/[email protected] | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Login to GitHub Container Registry | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Download a Build Artifact | |
uses: actions/[email protected] | |
with: | |
name: drop | |
path: drop | |
- name: Extract Build | |
run: | | |
mkdir -p build | |
tar -xzf $GITHUB_WORKSPACE/drop/wiki-js.tar.gz -C $GITHUB_WORKSPACE/build --exclude=node_modules | |
- name: Build and push Docker images | |
uses: docker/[email protected] | |
with: | |
context: . | |
file: dev/build-arm/Dockerfile | |
platforms: ${{ matrix.platform }} | |
provenance: false | |
push: true | |
tags: | | |
requarks/wiki:canary-${{ matrix.docker }}-${{ env.REL_VERSION_STRICT }} | |
ghcr.io/requarks/wiki:canary-${{ matrix.docker }}-${{ env.REL_VERSION_STRICT }} | |
windows: | |
name: Windows Build | |
runs-on: windows-latest | |
needs: [cypress] | |
steps: | |
- name: Setup Node.js environment | |
uses: actions/[email protected] | |
with: | |
node-version: 18.x | |
- name: Download a Build Artifact | |
uses: actions/[email protected] | |
with: | |
name: drop | |
path: drop | |
- name: Extract Build | |
run: | | |
mkdir -p win | |
tar -xzf $env:GITHUB_WORKSPACE\drop\wiki-js.tar.gz -C $env:GITHUB_WORKSPACE\win | |
Copy-Item win\node_modules\extract-files\package.json patch-extractfile.json -Force | |
Remove-Item -Path win\node_modules -Force -Recurse | |
- name: Install Dependencies | |
run: | | |
yarn --production --frozen-lockfile --non-interactive | |
yarn patch-package | |
working-directory: win | |
- name: Fix patched packages | |
run: | | |
Copy-Item patch-extractfile.json win\node_modules\extract-files\package.json -Force | |
- name: Create Bundle | |
run: tar -czf wiki-js-windows.tar.gz -C $env:GITHUB_WORKSPACE\win . | |
- name: Upload a Build Artifact | |
uses: actions/[email protected] | |
with: | |
name: drop-win | |
path: wiki-js-windows.tar.gz | |
beta: | |
name: Publish Beta Images | |
runs-on: ubuntu-latest | |
if: startsWith(github.ref, 'refs/tags/v') | |
needs: [build, arm, windows] | |
permissions: | |
packages: write | |
steps: | |
- name: Set Version Variables | |
run: | | |
echo "Using TAG mode: $GITHUB_REF_NAME" | |
echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV | |
- name: Login to DockerHub | |
uses: docker/[email protected] | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Login to GitHub Container Registry | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Create and Push Manifests | |
run: | | |
echo "Creating the manifests..." | |
docker manifest create requarks/wiki:beta-$REL_VERSION_STRICT requarks/wiki:canary-$REL_VERSION_STRICT requarks/wiki:canary-arm64-$REL_VERSION_STRICT requarks/wiki:canary-armv7-$REL_VERSION_STRICT | |
docker manifest create ghcr.io/requarks/wiki:beta-$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-arm64-$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-armv7-$REL_VERSION_STRICT | |
echo "Pushing the manifests..." | |
docker manifest push -p requarks/wiki:beta-$REL_VERSION_STRICT | |
docker manifest push -p ghcr.io/requarks/wiki:beta-$REL_VERSION_STRICT | |
release: | |
name: Publish Release Images | |
runs-on: ubuntu-latest | |
if: startsWith(github.ref, 'refs/tags/v') | |
environment: prod | |
needs: [beta] | |
permissions: | |
packages: write | |
contents: write | |
steps: | |
- name: Set Version Variables | |
run: | | |
echo "Using TAG mode: $GITHUB_REF_NAME" | |
echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV | |
- name: Login to DockerHub | |
uses: docker/[email protected] | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Login to GitHub Container Registry | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Create and Push Manifests | |
run: | | |
echo "Fetching semver tool..." | |
curl -LJO https://static.requarks.io/semver | |
chmod +x semver | |
MAJOR=`./semver get major $REL_VERSION_STRICT` | |
MINOR=`./semver get minor $REL_VERSION_STRICT` | |
MAJORMINOR="$MAJOR.$MINOR" | |
echo "Using major $MAJOR and minor $MINOR..." | |
echo "Creating the manifests..." | |
docker manifest create requarks/wiki:$REL_VERSION_STRICT requarks/wiki:canary-$REL_VERSION_STRICT requarks/wiki:canary-arm64-$REL_VERSION_STRICT requarks/wiki:canary-armv7-$REL_VERSION_STRICT | |
docker manifest create requarks/wiki:$MAJOR requarks/wiki:canary-$REL_VERSION_STRICT requarks/wiki:canary-arm64-$REL_VERSION_STRICT requarks/wiki:canary-armv7-$REL_VERSION_STRICT | |
docker manifest create requarks/wiki:$MAJORMINOR requarks/wiki:canary-$REL_VERSION_STRICT requarks/wiki:canary-arm64-$REL_VERSION_STRICT requarks/wiki:canary-armv7-$REL_VERSION_STRICT | |
docker manifest create requarks/wiki:latest requarks/wiki:canary-$REL_VERSION_STRICT requarks/wiki:canary-arm64-$REL_VERSION_STRICT requarks/wiki:canary-armv7-$REL_VERSION_STRICT | |
docker manifest create ghcr.io/requarks/wiki:$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-arm64-$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-armv7-$REL_VERSION_STRICT | |
docker manifest create ghcr.io/requarks/wiki:$MAJOR ghcr.io/requarks/wiki:canary-$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-arm64-$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-armv7-$REL_VERSION_STRICT | |
docker manifest create ghcr.io/requarks/wiki:$MAJORMINOR ghcr.io/requarks/wiki:canary-$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-arm64-$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-armv7-$REL_VERSION_STRICT | |
docker manifest create ghcr.io/requarks/wiki:latest ghcr.io/requarks/wiki:canary-$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-arm64-$REL_VERSION_STRICT ghcr.io/requarks/wiki:canary-armv7-$REL_VERSION_STRICT | |
echo "Pushing the manifests..." | |
docker manifest push -p requarks/wiki:$REL_VERSION_STRICT | |
docker manifest push -p requarks/wiki:$MAJOR | |
docker manifest push -p requarks/wiki:$MAJORMINOR | |
docker manifest push -p requarks/wiki:latest | |
docker manifest push -p ghcr.io/requarks/wiki:$REL_VERSION_STRICT | |
docker manifest push -p ghcr.io/requarks/wiki:$MAJOR | |
docker manifest push -p ghcr.io/requarks/wiki:$MAJORMINOR | |
docker manifest push -p ghcr.io/requarks/wiki:latest | |
- name: Download Linux Build | |
uses: actions/[email protected] | |
with: | |
name: drop | |
path: drop | |
- name: Download Windows Build | |
uses: actions/[email protected] | |
with: | |
name: drop-win | |
path: drop-win | |
- name: Generate Changelog | |
id: changelog | |
uses: Requarks/changelog-action@v1 | |
with: | |
token: ${{ github.token }} | |
tag: ${{ github.ref_name }} | |
writeToFile: false | |
- name: Update GitHub Release | |
uses: ncipollo/[email protected] | |
with: | |
allowUpdates: true | |
draft: false | |
makeLatest: true | |
name: ${{ github.ref_name }} | |
body: ${{ steps.changelog.outputs.changes }} | |
token: ${{ github.token }} | |
artifacts: 'drop/wiki-js.tar.gz,drop-win/wiki-js-windows.tar.gz' | |
- name: Notify Slack Releases Channel | |
uses: slackapi/[email protected] | |
with: | |
payload: | | |
{ | |
"text": "Wiki.js ${{ github.ref_name }} has been released." | |
} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
- name: Notify Telegram Channel | |
uses: appleboy/[email protected] | |
with: | |
to: ${{ secrets.TELEGRAM_TO }} | |
token: ${{ secrets.TELEGRAM_TOKEN }} | |
format: markdown | |
disable_web_page_preview: true | |
message: | | |
Wiki.js *${{ github.ref_name }}* has been released! | |
See [release notes](https://github.com/requarks/wiki/releases) for details. | |
- name: Notify Discord Channel | |
uses: sebastianpopp/[email protected] | |
with: | |
webhook: ${{ secrets.DISCORD_WEBHOOK }} | |
message: Wiki.js ${{ github.ref_name }} has been released! See https://github.com/requarks/wiki/releases for details. | |
build-do-image: | |
name: Build DigitalOcean Image | |
runs-on: ubuntu-latest | |
needs: [release] | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set Version Variables | |
run: | | |
echo "Using TAG mode: $GITHUB_REF_NAME" | |
echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV | |
- name: Install Packer | |
run: | | |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - | |
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | |
sudo apt-get update && sudo apt-get install packer | |
- name: Build Droplet Image | |
env: | |
DIGITALOCEAN_API_TOKEN: ${{ secrets.DO_TOKEN }} | |
WIKI_APP_VERSION: ${{ env.REL_VERSION_STRICT }} | |
working-directory: dev/packer | |
run: | | |
packer build digitalocean.json |