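---
# Release pipeline, triggered when a GitHub release is created or published.
# It builds and pushes the server, docs and outpost container images (with
# build-provenance attestations), uploads outpost binaries to the release,
# publishes the CloudFormation template to S3, runs the test suite against the
# final images and creates a Sentry release for the web source maps.
#
# Every third-party action is pinned to a commit SHA (the trailing comment is
# the corresponding version tag); keep it that way when bumping versions.
name: Release - On publish

on:  # yamllint disable-line rule:truthy
  release:
    types: [published, created]

jobs:
  build-server:
    uses: ./.github/workflows/_reusable-docker-build.yml
    secrets: inherit
    permissions:
      contents: read
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    with:
      image_name: ghcr.io/goauthentik/server,authentik/server
      release: true
      registry_dockerhub: true
      registry_ghcr: true

  build-docs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/docs
      - name: Login to GitHub Container Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        id: push
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: website/Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64
          context: .
      # Same attestation step as in build-outpost; the digest comes from the
      # push step above.
      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true

  build-outpost:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    strategy:
      fail-fast: false
      matrix:
        type:
          - proxy
          - ldap
          - radius
          - rac
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/${{ matrix.type }},authentik/${{ matrix.type }}
      - name: Docker Login Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        id: push
        with:
          push: true
          # github.ref is passed as a build argument, not into a shell, so it
          # needs no quoting here.
          build-args: |
            VERSION=${{ github.ref }}
          tags: ${{ steps.ev.outputs.imageTags }}
          file: lifecycle/container/${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
          context: .
      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true

  build-outpost-binary:
    timeout-minutes: 120
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload binaries to the release
      contents: write
    strategy:
      fail-fast: false
      matrix:
        # rac is container-only; no standalone binary is published for it.
        type:
          - proxy
          - ldap
          - radius
        goos: [linux, darwin]
        goarch: [amd64, arm64]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - name: Install web dependencies
        working-directory: web/
        run: |
          npm ci
      - name: Build web
        working-directory: web/
        run: |
          npm run build-proxy
      - name: Build outpost
        # Only static matrix values are interpolated into this script.
        run: |
          set -x
          export GOOS=${{ matrix.goos }}
          export GOARCH=${{ matrix.goarch }}
          export CGO_ENABLED=0
          go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
      - name: Upload binaries to release
        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
          tag: ${{ github.ref }}

  upload-aws-cfn-template:
    permissions:
      # Needed for AWS login
      id-token: write
      contents: read
    needs:
      - build-server
      - build-outpost
    env:
      AWS_REGION: eu-central-1
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
          aws-region: ${{ env.AWS_REGION }}
      - name: Upload template
        # The ref is read from the runner-provided GITHUB_REF variable instead
        # of being expanded into the script text, so the tag name is never
        # interpreted by the shell. The resulting key is unchanged.
        run: |
          aws s3 cp --acl=public-read lifecycle/aws/template.yaml "s3://authentik-cloudformation-templates/authentik.ecs.${GITHUB_REF}.yaml"
          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml

  test-release:
    needs:
      - build-server
      - build-outpost
      - build-outpost-binary
    runs-on: ubuntu-latest
    # This job only checks out the repo and pulls published images; it needs
    # nothing beyond read access on the token.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Run test suite in final docker images
        # Throwaway credentials for the compose stack; the test container is
        # started as root (-u root) for the test-all entrypoint.
        run: |
          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> lifecycle/container/.env
          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> lifecycle/container/.env
          docker compose -f lifecycle/container/compose.yml pull -q
          docker compose -f lifecycle/container/compose.yml up --no-start
          docker compose -f lifecycle/container/compose.yml start postgresql
          docker compose -f lifecycle/container/compose.yml run -u root server test-all

  sentry-release:
    needs:
      - build-server
      - build-outpost
      - build-outpost-binary
    runs-on: ubuntu-latest
    # Sentry is authenticated with SENTRY_AUTH_TOKEN; the GitHub token is only
    # used for checkout.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/server
      - name: Get static files from docker image
        # The image name is handed to the script through an environment
        # variable rather than expanded into the script text.
        env:
          IMAGE: ${{ steps.ev.outputs.imageMainName }}
        run: |
          docker pull "${IMAGE}"
          container=$(docker container create "${IMAGE}")
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
        uses: getsentry/action-release@5657c9e888b4e2cc85f4d29143ea4131fde4a73a # v3
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
          SENTRY_ORG: authentik-security-inc
          SENTRY_PROJECT: authentik
        with:
          release: authentik@${{ steps.ev.outputs.version }}
          sourcemaps: "./web/dist"
          url_prefix: "~/static/dist"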