Skip to content
Release

Merge pull request #378 from cipherstash/fix/cip-2860-aws-lc-sys-patch #434

Sign in to view logs

Merge pull request #378 from cipherstash/fix/cip-2860-aws-lc-sys-patch

Merge pull request #378 from cipherstash/fix/cip-2860-aws-lc-sys-patch #434

Workflow file for this run

.github/workflows/release.yml at 4dff16e
name: Release
on:
push: # publish to `main` tag on Docker Hub on merge to main: https://hub.docker.com/layers/cipherstash/proxy/main
branches:
- main
pull_request: # run the release workflow when changes are made to it in PRs
branches:
- main
paths:
- '.github/workflows/release.yml'
release: # for cutting a numbered release (e.g. v2.1.9)
types: [published]
workflow_dispatch: # for running the workflow on an arbitrary branch or commit
env:
REGISTRY_IMAGE: cipherstash/proxy
jobs:
build:
name: Build binaries + Docker images
strategy:
fail-fast: false
matrix:
build:
- { os: blacksmith-16vcpu-ubuntu-2404, docker_platform: linux/amd64, rust_target: "x86_64-unknown-linux-gnu" }
- { os: linux-arm64-public, docker_platform: linux/arm64, rust_target: "aarch64-unknown-linux-gnu" }
env:
CS_ZEROKMS_HOST: https://us-east-1.aws.zerokms.cipherstashmanaged.net
CS_CTS_HOST: https://ap-southeast-2.aws.cts.cipherstashmanaged.net
timeout-minutes: 30
runs-on: ${{matrix.build.os}}
steps:
- uses: actions/checkout@v4
- name: Decrypt secrets
uses: cipherstash/secrets-action@main
with:
secrets-file: .github/secrets.env.encrypted
env:
CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }}
CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }}
- name: Setup Rust cache
uses: Swatinem/rust-cache@v2
if: github.event_name == 'pull_request' # only cache in pull requests
with:
cache-all-crates: true
- uses: jdx/mise-action@v2
with:
version: 2026.1.6 # [default: latest] mise version to install
install: false # [default: true] run `mise install`
cache: ${{ github.event_name != 'pull_request' }} # cache mise using GitHub's cache if running in a PR
- run: |
mise run build --platform ${{matrix.build.docker_platform}} --target ${{matrix.build.rust_target}}
- uses: actions/upload-artifact@v4
with:
name: cipherstash-proxy-${{matrix.build.docker_platform == 'linux/amd64' && 'linux_amd64' || 'linux_arm64'}}
path: cipherstash-proxy
- name: Prepare
run: |
platform=${{ matrix.build.docker_platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_HUB_USERNAME }}
password: ${{ env.DOCKER_HUB_PASSWORD }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push by digest
id: build
uses: docker/build-push-action@v6
with:
context: .
file: proxy.Dockerfile
platforms: ${{ matrix.build.docker_platform }}
labels: ${{ steps.meta.outputs.labels }}
tags: ${{ env.REGISTRY_IMAGE }}
outputs: type=image,push-by-digest=true,name-canonical=true,push=true
- name: Export digest
run: |
mkdir -p ${{ runner.temp }}/digests
digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@v4
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1
merge:
name: Publish multi-platform image
runs-on: blacksmith-16vcpu-ubuntu-2404-arm
timeout-minutes: 30
needs:
- build
env:
publish: ${{contains(fromJSON('["push", "release"]'), github.event_name)}}
steps:
- uses: actions/checkout@v4
- name: Decrypt secrets
uses: cipherstash/secrets-action@main
with:
secrets-file: .github/secrets.env.encrypted
env:
CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }}
CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }}
CS_ZEROKMS_HOST: https://us-east-1.aws.zerokms.cipherstashmanaged.net
CS_CTS_HOST: https://ap-southeast-2.aws.cts.cipherstashmanaged.net
- name: Download digests
uses: actions/download-artifact@v4
with:
path: ${{ runner.temp }}/digests
pattern: digests-*
merge-multiple: true
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ env.DOCKER_HUB_USERNAME }}
password: ${{ env.DOCKER_HUB_PASSWORD }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
env:
DRY_RUN: ${{case(fromJSON(env.publish),' ','--dry-run')}} # run the `docker buildx` command with --dry-run if we're not publishing a release
run: |
docker buildx imagetools create ${{ env.DRY_RUN }} $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
- name: Inspect image
if: ${{ fromJSON(env.publish) }}
run: |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
- name: Notify Multitudes
if: ${{ fromJSON(env.publish) }}
run: |
curl --request POST \
--fail-with-body \
--url "https://api.developer.multitudes.co/deployments" \
--header "Content-Type: application/json" \
--header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \
--data '{"commitSha": "${{ github.sha }}", "environmentName":"dockerhub"}'