name: release on: push: tags: - 'v*' permissions: id-token: write attestations: write contents: write issues: write discussions: write pull-requests: write jobs: binaries: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v5 - run: make binaries - run: cd binaries && sha256sum -b * > checksums.sha256 - uses: actions/attest-build-provenance@v3 with: subject-path: '${{ github.workspace }}/binaries/*' - uses: actions/upload-artifact@v4 with: name: binaries path: binaries github_release: needs: binaries runs-on: ubuntu-22.04 steps: - uses: actions/download-artifact@v5 with: name: binaries path: binaries - uses: actions/github-script@v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | const fs = require('fs').promises; const { repo: { owner, repo } } = context; const currentRelease = context.ref.split('/')[2]; let body = `## New major features\n` + `\n` + `TODO\n` + `\n` + `## Fixes and improvements\n` + `\n` + `TODO\n` + `\n` + `## Security\n` + `\n` + `Binaries are compiled from source through the [Release workflow](https://github.com/${owner}/${repo}/actions/workflows/release.yml) without human intervention,` + ` preventing any external interference.` + `\n` + 'You can verify that binaries have been produced by the workflow by using [GitHub Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds):\n' + `\n` + '```\n' + `ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx\n` + '```\n' + `\n` + 'You can verify the binaries checksum by downloading `checksums.sha256` and running:\n' + `\n` + '```\n' + `cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check\n` + '```\n' + `\n`; const res = await github.rest.repos.createRelease({ owner, repo, tag_name: currentRelease, name: currentRelease, body, }); const release_id = res.data.id; for (const name of await fs.readdir('./binaries/')) { await github.rest.repos.uploadReleaseAsset({ owner, repo, release_id, name, data: await fs.readFile(`./binaries/${name}`), }); } github_notify_issues: needs: github_release runs-on: ubuntu-22.04 steps: - uses: actions/github-script@v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | const { repo: { owner, repo } } = context; const tags = await github.rest.repos.listTags({ owner, repo, }); const curTag = tags.data[0]; const prevTag = tags.data[1]; const diff = await github.rest.repos.compareCommitsWithBasehead({ owner, repo, basehead: `${prevTag.commit.sha}...${curTag.commit.sha}`, }); const issues = {}; for (const commit of diff.data.commits) { for (const match of commit.commit.message.matchAll(/(^| |\()#([0-9]+)( |\)|$)/g)) { issues[match[2]] = 1; } } for (const issue in issues) { try { await github.rest.issues.createComment({ owner, repo, issue_number: parseInt(issue), body: `This issue is mentioned in release ${curTag.name} 🚀\n` + `Check out the entire changelog by [clicking here](https://github.com/${owner}/${repo}/releases/tag/${curTag.name})`, }); } catch (exc) { console.error(exc.toString()); } } dockerhub: needs: binaries runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v5 - uses: actions/download-artifact@v5 with: name: binaries path: binaries - run: make dockerhub env: DOCKER_USER: ${{ secrets.DOCKER_USER }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}