forgejo/.forgejo/workflows/build-release.yml

#
# See also https://forgejo.org/docs/next/developer/RELEASE/#release-process
#
# https://codeberg.org/forgejo-integration/forgejo
#
#  Builds a release from a codeberg.org/forgejo-integration tag
#
#  vars.ROLE: forgejo-integration
#
#  secrets.DOER: forgejo-experimental-ci
#  secrets.TOKEN: <generated from codeberg.org/forgejo-experimental-ci> scope read:user, write:repository, write:package
#
#  secrets.CASCADE_ORIGIN_TOKEN: <generated from codeberg.org/forgejo-experimental-ci> scope read:user, write:repository, write:issue
#  secrets.CASCADE_DESTINATION_TOKEN: <generated from code.forgejo.org/forgejo-ci> scope read:user, write:repository, write:issue
#  vars.CASCADE_DESTINATION_DOER: forgejo-ci
#
on:
  push:
    tags: 'v[0-9]+.[0-9]+.*'
    branches:
      - 'forgejo'
      - 'v*/forgejo'

jobs:
  release:
    runs-on: self-hosted
    # root is used for testing, allow it
    if: vars.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Sanitize the name of the repository
        id: repository
        run: |
          repository="${{ github.repository }}"
          echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"          

      - uses: https://code.forgejo.org/actions/setup-node@v3
        with:
          node-version: 20

      - uses: https://code.forgejo.org/actions/setup-go@v4
        with:
          go-version: "1.22"
          check-latest: true

      - name: version from ref
        id: release-info
        shell: bash
        run: |
          set -x
          ref="${{ github.ref }}"
          if [[ $ref =~ ^refs/heads/ ]] ; then
            if test "$ref" = "refs/heads/forgejo" ; then
              version=$(git tag -l --sort=version:refname --merged | grep -v -e '-test$' | tail -1 | sed -E -e 's/^(v[0-9]+\.[0-9]+).*/\1/')-test
            else
              version=${ref#refs/heads/}
              version=${version%/forgejo}-test
            fi
            override=true
          fi
          if [[ $ref =~ ^refs/tags/ ]] ; then
            version=${ref#refs/tags/}
            override=false
          fi
          if test -z "$version" ; then
            echo failed to figure out the release version from the reference=$ref
            exit 1
          fi
          version=${version#v}
          git describe --exclude '*-test' --tags --always
          echo "sha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
          echo "version=$version" >> "$GITHUB_OUTPUT"
          echo "override=$override" >> "$GITHUB_OUTPUT"          

      - name: release notes
        id: release-notes
        run: |
          anchor=${{ steps.release-info.outputs.version }}
          anchor=${anchor//./-}
          cat >> "$GITHUB_OUTPUT" <<EOF
          value<<ENDVAR
          See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#$anchor
          ENDVAR
          EOF          

      - name: cache node_modules
        id: node
        uses: https://code.forgejo.org/actions/cache@v3
        with:
          path: |
            node_modules            
          key: node-${{ steps.release-info.outputs.version }}

      - name: skip if node cache hit
        if: steps.node.outputs.cache-hit != 'true'
        run: echo no hit

      - name: Build sources
        run: |
          set -x
          apt-get -qq install -y make
          version=${{ steps.release-info.outputs.version }}
          #
          # Make sure all files are owned by the current user.
          # When run as root `npx webpack` will assume the identity
          # of the owner of the current working directory and may
          # fail to create files if some sub-directories are not owned
          # by the same user.
          #
          #   Binaries:
          #   Node: 18.17.0 - /usr/local/node-v18.17.0-linux-x64/bin/node
          #   npm: 9.6.7 - /usr/local/node-v18.17.0-linux-x64/bin/npm
          # Packages:
          #   add-asset-webpack-plugin: 2.0.1 => 2.0.1
          #   css-loader: 6.8.1 => 6.8.1
          #   esbuild-loader: 3.0.1 => 3.0.1
          #   license-checker-webpack-plugin: 0.2.1 => 0.2.1
          #   monaco-editor-webpack-plugin: 7.0.1 => 7.0.1
          #   vue-loader: 17.2.2 => 17.2.2
          #   webpack: 5.87.0 => 5.87.0
          #   webpack-cli: 5.1.4 => 5.1.4
          #
          chown -R $(id -u) .
          make VERSION=$version TAGS=bindata sources-tarbal
          mv dist/release release

          (
            tmp=$(mktemp -d)
            tar --directory $tmp -zxvf release/*$version*.tar.gz
            cd $tmp/*
            #
            # Verify `make frontend` files are available
            #
            test -d public/assets/css
            test -d public/assets/fonts
            test -d public/assets/js
            #
            # Verify `make generate` files are available
            #
            test -f modules/public/bindata.go
            #
            # Sanity check to verify that the source tarbal knows the
            # version and is able to rebuild itself from it.
            #
            # When in sources the version is determined with git.
            # When in the tarbal the version is determined from a VERSION file.
            #
            make sources-tarbal
            tarbal=$(echo dist/release/*$version*.tar.gz)
            if ! test -f $tarbal ; then
              echo $tarbal does not exist
              find dist release
              exit 1
            fi
          )          

      - name: build container & release
        if: ${{ secrets.TOKEN != '' }}
        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v5.1.1
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
          repository: "${{ steps.repository.outputs.value }}"
          doer: "${{ secrets.DOER }}"
          release-version: "${{ steps.release-info.outputs.version }}"
          sha: "${{ steps.release-info.outputs.sha }}"
          token: "${{ secrets.TOKEN }}"
          platforms: linux/amd64,linux/arm64,linux/arm/v6
          release-notes: "${{ steps.release-notes.outputs.value }}"
          binary-name: forgejo
          binary-path: /app/gitea/gitea
          override: "${{ steps.release-info.outputs.override }}"
          verify-labels: "maintainer=contact@forgejo.org,org.opencontainers.image.version=${{ steps.release-info.outputs.version }}"
          verbose: ${{ vars.VERBOSE || secrets.VERBOSE || 'false' }}

      - name: build rootless container
        if: ${{ secrets.TOKEN != '' }}
        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v5.1.1
        with:
          forgejo: "${{ env.GITHUB_SERVER_URL }}"
          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
          repository: "${{ steps.repository.outputs.value }}"
          doer: "${{ secrets.DOER }}"
          release-version: "${{ steps.release-info.outputs.version }}"
          sha: "${{ steps.release-info.outputs.sha }}"
          token: "${{ secrets.TOKEN }}"
          platforms: linux/amd64,linux/arm64,linux/arm/v6
          suffix: -rootless
          dockerfile: Dockerfile.rootless
          override: "${{ steps.release-info.outputs.override }}"
          verify-labels: "maintainer=contact@forgejo.org,org.opencontainers.image.version=${{ steps.release-info.outputs.version }}"
          verbose: ${{ vars.VERBOSE || secrets.VERBOSE || 'false' }}

      - name: end-to-end tests
        if: ${{ secrets.TOKEN != '' && vars.ROLE == 'forgejo-integration' }}
        uses: https://code.forgejo.org/actions/cascading-pr@v2
        with:
          origin-url: ${{ env.GITHUB_SERVER_URL }}
          origin-repo: ${{ github.repository }}
          origin-token: ${{ secrets.CASCADE_ORIGIN_TOKEN }}
          origin-ref: refs/heads/forgejo
          destination-url: https://code.forgejo.org
          destination-fork-repo: ${{ vars.CASCADE_DESTINATION_DOER }}/end-to-end
          destination-repo: forgejo/end-to-end
          destination-branch: main
          destination-token: ${{ secrets.CASCADE_DESTINATION_TOKEN }}
          update: .forgejo/cascading-release-end-to-end

      - name: copy to experimental
        if: vars.ROLE == 'forgejo-integration' && secrets.TOKEN != ''
        run: |
          if test "${{ vars.VERBOSE }}" = true ; then
            set -x
          fi
          tag=v${{ steps.release-info.outputs.version }}
          url=https://any:${{ secrets.TOKEN }}@codeberg.org
          if test "${{ steps.release-info.outputs.override }}" = "true" ; then
            curl -sS -X DELETE $url/api/v1/repos/forgejo-experimental/forgejo/releases/tags/$tag > /dev/null
            curl -sS -X DELETE $url/api/v1/repos/forgejo-experimental/forgejo/tags/$tag > /dev/null
          fi
          # actions/checkout@v3 sets http.https://codeberg.org/.extraheader with the automatic token.
          # Get rid of it so it does not prevent using the token that has write permissions
          git config --local --unset http.https://codeberg.org/.extraheader
          if test -f .git/shallow ; then
            echo "unexptected .git/shallow file is present"
            echo "it suggests a checkout --depth X was used which may prevent pushing the commit"
            echo "it happens when actions/checkout is called without depth: 0"
          fi
          git push $url/forgejo-experimental/forgejo ${{ steps.release-info.outputs.sha }}:refs/tags/$tag