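# Release workflow: on a version tag it builds the frontend, the Go binaries
# and two container image flavours (default and distroless), attests all of
# them, uploads the binaries to the GitHub release and finally flips that
# release from draft to published.
#
# NOTE(review): `gh release upload` / `gh release edit` below assume a draft
# release for the tag already exists; whatever creates it is not in this file,
# so confirm it runs before the tag is pushed.
#
# NOTE(review): every third-party action is pinned to a moving major tag
# (`@v6`, `@v4`, ...). Because this workflow mints an OIDC token and signs
# release artefacts with it, consider pinning each `uses:` to a full commit
# SHA (with the tag in a trailing comment) so a compromised upstream tag
# cannot change what gets built and attested.
name: Release

on:
  push:
    tags:
      - "v*.*.*"

# Scopes granted to GITHUB_TOKEN for all jobs:
#   contents: write     -> upload assets to / edit the GitHub release
#   packages: write     -> push images and attestations to ghcr.io
#   attestations: write -> store build-provenance attestations on the repo
#   id-token: write     -> OIDC token consumed by attest-build-provenance
permissions:
  contents: write
  packages: write
  attestations: write
  id-token: write

jobs:
  build:
    runs-on: depot-ubuntu-24.04-16
    env:
      # Single source of truth for the image reference; both metadata steps
      # and both image attestation steps must use this exact name.
      CONTAINER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/pocket-id
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Setup pnpm
        uses: pnpm/action-setup@v4

      - name: Set up Depot CLI
        uses: depot/setup-action@v1

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          # Quoted so the version is handed over as a string, not an integer.
          node-version: "24"
          cache: "pnpm"

      - uses: actions/setup-go@v6
        with:
          go-version-file: "backend/go.mod"

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          # Must reference the job-level CONTAINER_IMAGE_NAME, exactly like the
          # distroless step below. The previous `env.DOCKER_IMAGE_NAME` was
          # never defined, so this step produced tags with no image reference.
          images: |
            ${{ env.CONTAINER_IMAGE_NAME }}
          tags: |
            type=semver,pattern={{version}},prefix=v
            type=semver,pattern={{major}}.{{minor}},prefix=v
            type=semver,pattern={{major}},prefix=v
          # NOTE(review): the explicit `org.opencontainers.image.version=next`
          # label replaces the tag-derived version label on a release build;
          # confirm that is intended rather than carried over from a
          # nightly/"next" workflow.
          labels: |
            org.opencontainers.image.authors=Pocket ID
            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
            org.opencontainers.image.version=next
            org.opencontainers.image.licenses=BSD-2-Clause
            org.opencontainers.image.ref.name=pocket-id
            org.opencontainers.image.title=Pocket ID

      - name: Docker metadata (distroless)
        id: meta-distroless
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.CONTAINER_IMAGE_NAME }}
          # Same repository as the default image; only the tag suffix differs.
          flavor: |
            suffix=-distroless,onlatest=true
          tags: |
            type=semver,pattern={{version}},prefix=v
            type=semver,pattern={{major}}.{{minor}},prefix=v
            type=semver,pattern={{major}},prefix=v
          # NOTE(review): same "next-distroless" version-label question as
          # for the default image above.
          labels: |
            org.opencontainers.image.authors=Pocket ID
            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
            org.opencontainers.image.version=next-distroless
            org.opencontainers.image.licenses=BSD-2-Clause
            org.opencontainers.image.ref.name=pocket-id
            org.opencontainers.image.title=Pocket ID

      - name: Install frontend dependencies
        # --frozen-lockfile: fail instead of silently resolving new versions.
        run: pnpm --filter pocket-id-frontend install --frozen-lockfile

      - name: Build frontend
        run: pnpm --filter pocket-id-frontend build

      - name: Build binaries
        run: sh scripts/development/build-binaries.sh

      # Both image builds emit an SBOM and BuildKit provenance; the separate
      # attest-build-provenance steps below add the GitHub-signed attestation
      # keyed on the pushed digest.
      - name: Build and push container image
        uses: depot/build-push-action@v1
        id: container-build-push
        with:
          context: .
          file: docker/Dockerfile-prebuilt
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          sbom: true
          provenance: true

      - name: Build and push container image (distroless)
        uses: depot/build-push-action@v1
        id: container-build-push-distroless
        with:
          context: .
          file: docker/Dockerfile-distroless
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta-distroless.outputs.tags }}
          labels: ${{ steps.meta-distroless.outputs.labels }}
          sbom: true
          provenance: true

      - name: Binary attestation
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: "backend/.bin/pocket-id-**"

      # Both image attestations share the subject name; they are told apart
      # by the digest of the image each build step pushed.
      - name: Container image attestation
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
          subject-digest: ${{ steps.container-build-push.outputs.digest }}
          push-to-registry: true

      - name: Container image attestation (distroless)
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
          subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
          push-to-registry: true

      - name: Upload binaries to release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed via the environment instead of being interpolated into the
          # script, so the tag name is never re-parsed by the shell.
          RELEASE_TAG: ${{ github.ref_name }}
        run: gh release upload "$RELEASE_TAG" backend/.bin/*

  publish-release:
    runs-on: depot-ubuntu-latest
    needs: [build]
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Same environment pass-through as the upload step in `build`.
      RELEASE_TAG: ${{ github.ref_name }}
    steps:
      # Checkout is kept so `gh` can resolve the target repository from the
      # working tree's git remote.
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Mark release as published
        run: gh release edit "$RELEASE_TAG" --draft=false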