name: Vendoo Release on: release: types: [published] permissions: contents: read concurrency: group: vendoo-release-${{ github.event.release.tag_name }} cancel-in-progress: false env: REGISTRY: ghcr.io IMAGE_NAME: masterluke77/vendoo jobs: release-assets: name: Release-Paket und Prüfsummen permissions: contents: write runs-on: ubuntu-latest timeout-minutes: 30 steps: - name: Repository auschecken uses: actions/checkout@v6 - name: Node.js 22 aktivieren uses: actions/setup-node@v4 with: node-version: '22.x' cache: npm - name: Abhängigkeiten installieren run: npm ci - name: Release-Tag gegen Paketversion prüfen env: RELEASE_TAG: ${{ github.event.release.tag_name }} run: | EXPECTED="v$(node -p "require('./package.json').version")" test "$RELEASE_TAG" = "$EXPECTED" || { echo "Release-Tag $RELEASE_TAG passt nicht zu $EXPECTED." >&2; exit 1; } - name: Vollständige Prüfung run: | npm run verify:git npm run verify:git-regression npm run verify:git-staging npm run verify:ignore-boundaries npm run check npm run verify:source-boundaries npm run verify:esm-exports npm run verify:flux-loop npm run verify:capabilities npm run verify:coolify npm run verify:initial-modules npm run verify:architecture npm run verify:themes npm run verify:security npm run verify:identity npm run verify:catalog npm run verify:modules npm run verify:deployment npm run verify:config npm run verify:installer-shell npm run verify:db - name: Release-Staging erzeugen run: node tools/build-release.mjs - name: ZIP und SHA-256 erzeugen id: package shell: bash run: | PACKAGE_NAME="$(cat release-output/RELEASE_NAME.txt)" cd release-output zip -r -9 "${PACKAGE_NAME}.zip" "${PACKAGE_NAME}" sha256sum "${PACKAGE_NAME}.zip" > "${PACKAGE_NAME}.zip.sha256.txt" echo "package_name=${PACKAGE_NAME}" >> "$GITHUB_OUTPUT" - name: Assets an GitHub Release anhängen env: GH_TOKEN: ${{ github.token }} TAG: ${{ github.event.release.tag_name }} PACKAGE_NAME: ${{ steps.package.outputs.package_name }} run: | gh release upload "$TAG" \ "release-output/${PACKAGE_NAME}.zip" \ "release-output/${PACKAGE_NAME}.zip.sha256.txt" \ --clobber - name: Build-Artefakte sichern uses: actions/upload-artifact@v4 with: name: ${{ steps.package.outputs.package_name }} path: | release-output/${{ steps.package.outputs.package_name }}.zip release-output/${{ steps.package.outputs.package_name }}.zip.sha256.txt if-no-files-found: error retention-days: 30 container: name: GHCR-Container veröffentlichen permissions: contents: read packages: write attestations: write id-token: write runs-on: ubuntu-latest timeout-minutes: 35 steps: - name: Repository auschecken uses: actions/checkout@v6 - name: Docker Buildx aktivieren uses: docker/setup-buildx-action@v3 - name: Bei GHCR anmelden uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Container-Metadaten erzeugen id: meta uses: docker/metadata-action@v6 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=semver,pattern={{version}},value=${{ github.event.release.tag_name }} type=semver,pattern={{major}}.{{minor}},value=${{ github.event.release.tag_name }} type=raw,value=stable,enable=${{ !github.event.release.prerelease }} type=raw,value=latest,enable=${{ !github.event.release.prerelease }} - name: Container bauen und veröffentlichen id: push uses: docker/build-push-action@v6 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} platforms: linux/amd64,linux/arm64 provenance: true sbom: true - name: Container-Provenienz attestieren uses: actions/attest@v4 with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true