ci: add build workflow for vault plugin

Adds CI/CD workflow that: - Runs golangci-lint for code quality - Runs tests - Builds Go plugin (.so) for Linux amd64/arm64 - Builds keygen utility for all platforms - Uploads artifacts to releases on tag push Note: macOS plugin builds are disabled until runners are configured for native execution (Go plugins cannot be cross-compiled). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-17 03:39:03 -05:00
parent 6d314bcb9c
commit a1a805a5c1
1 changed files with 268 additions and 0 deletions
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -0,0 +1,268 @@
+name: Build and Release
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+
+env:
+  GOPROXY: https://proxy.golang.org,direct
+  GOPRIVATE: git.marketally.com
+  GONOSUMDB: git.marketally.com
+  GO_VERSION: "1.25"
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: linux-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Remove local replace directives
+        run: |
+          sed -i '/replace code.gitea.io\/gitea => ..\/gitcaddy-server/d' go.mod
+          go mod tidy
+
+      - name: Run linter
+        run: go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.7.2 run --timeout=10m
+
+  test:
+    name: Tests
+    runs-on: linux-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Remove local replace directives
+        run: |
+          sed -i '/replace code.gitea.io\/gitea => ..\/gitcaddy-server/d' go.mod
+          go mod tidy
+
+      - name: Run tests
+        run: go test -race -v ./...
+
+  create-release:
+    name: Create Release
+    runs-on: linux-latest
+    if: startsWith(github.ref, 'refs/tags/v')
+    outputs:
+      release_id: ${{ steps.create.outputs.release_id }}
+    steps:
+      - name: Create or get release
+        id: create
+        run: |
+          TAG="${{ github.ref_name }}"
+          echo "Creating/getting release for tag: $TAG"
+
+          # Try to get existing release first
+          EXISTING=$(curl -sf \
+            -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+            "https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases/tags/$TAG" 2>/dev/null || echo "")
+
+          if echo "$EXISTING" | grep -q '"id":[0-9]'; then
+            RELEASE_ID=$(echo "$EXISTING" | grep -o '"id":[0-9]*' | head -1 | cut -d: -f2)
+            echo "Found existing release: $RELEASE_ID"
+            echo "release_id=$RELEASE_ID" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Create new release
+          echo "Creating new release..."
+          RESPONSE=$(curl -sf -X POST \
+            -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d '{"tag_name":"'"$TAG"'","name":"GitCaddy Vault '"$TAG"'","body":"Official release of GitCaddy Vault plugin '"$TAG"'.","draft":false,"prerelease":false}' \
+            "https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases" 2>&1)
+
+          if echo "$RESPONSE" | grep -q '"id":[0-9]'; then
+            RELEASE_ID=$(echo "$RESPONSE" | grep -o '"id":[0-9]*' | head -1 | cut -d: -f2)
+            echo "Created release: $RELEASE_ID"
+            echo "release_id=$RELEASE_ID" >> "$GITHUB_OUTPUT"
+          else
+            echo "ERROR: Failed to create release: $RESPONSE"
+            exit 1
+          fi
+
+  # Build Go plugins - only supported on Linux and macOS
+  build:
+    name: Build Plugin
+    runs-on: ${{ matrix.runs-on }}
+    needs: [lint, test, create-release]
+    if: startsWith(github.ref, 'refs/tags/v') && needs.lint.result == 'success' && needs.create-release.result == 'success'
+    strategy:
+      matrix:
+        include:
+          - goos: linux
+            goarch: amd64
+            runs-on: linux-latest
+          - goos: linux
+            goarch: arm64
+            runs-on: linux-latest
+          # Note: Go plugins for macOS must be built on macOS (no cross-compilation)
+          # Uncomment these when macOS runners are available and configured for native execution
+          # - goos: darwin
+          #   goarch: amd64
+          #   runs-on: macos-latest
+          # - goos: darwin
+          #   goarch: arm64
+          #   runs-on: macos-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Remove local replace directives
+        run: |
+          sed -i '/replace code.gitea.io\/gitea => ..\/gitcaddy-server/d' go.mod
+          go mod tidy
+
+      - name: Build plugin
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+          CGO_ENABLED: 1
+        run: |
+          VERSION=$(git describe --tags --always 2>/dev/null || echo "dev")
+          LDFLAGS="-X git.marketally.com/gitcaddy/vault.PluginVersion=${VERSION}"
+          OUTPUT="gitcaddy-vault-${VERSION}-${GOOS}-${GOARCH}.so"
+
+          echo "Building plugin: $OUTPUT"
+
+          # Go plugins require -buildmode=plugin
+          go build -buildmode=plugin -trimpath -ldflags "${LDFLAGS}" -o "dist/${OUTPUT}" .
+
+          # Create checksum
+          cd dist && sha256sum "${OUTPUT}" > "${OUTPUT}.sha256"
+
+          echo "Build complete: dist/${OUTPUT}"
+          ls -la
+
+      - name: Upload to release
+        env:
+          RELEASE_ID: ${{ needs.create-release.outputs.release_id }}
+        run: |
+          set -e
+          echo "Uploading plugin to release ID: $RELEASE_ID"
+
+          if [ -z "$RELEASE_ID" ]; then
+            echo "ERROR: No release ID provided"
+            exit 1
+          fi
+
+          for file in dist/*; do
+            if [ -f "$file" ]; then
+              filename=$(basename "$file")
+              echo "Uploading $filename..."
+
+              for attempt in 1 2 3; do
+                UPLOAD_RESPONSE=$(curl -sf -X POST \
+                  -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+                  -F "attachment=@$file" \
+                  "https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=$filename" 2>&1 || echo "")
+
+                if echo "$UPLOAD_RESPONSE" | grep -q '"id":[0-9]'; then
+                  echo "Uploaded $filename successfully"
+                  break
+                else
+                  if [ $attempt -lt 3 ]; then
+                    echo "Attempt $attempt failed, retrying in 5s..."
+                    sleep 5
+                  else
+                    echo "Failed to upload $filename after 3 attempts: $UPLOAD_RESPONSE"
+                    exit 1
+                  fi
+                fi
+              done
+            fi
+          done
+          echo "All uploads complete!"
+
+  # Build keygen utility
+  build-keygen:
+    name: Build Keygen Utility
+    runs-on: linux-latest
+    needs: [lint, test, create-release]
+    if: startsWith(github.ref, 'refs/tags/v') && needs.lint.result == 'success' && needs.create-release.result == 'success'
+    strategy:
+      matrix:
+        include:
+          - goos: linux
+            goarch: amd64
+          - goos: linux
+            goarch: arm64
+          - goos: darwin
+            goarch: amd64
+          - goos: darwin
+            goarch: arm64
+          - goos: windows
+            goarch: amd64
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Remove local replace directives
+        run: |
+          sed -i '/replace code.gitea.io\/gitea => ..\/gitcaddy-server/d' go.mod
+          go mod tidy
+
+      - name: Build keygen
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+          CGO_ENABLED: 0
+        run: |
+          VERSION=$(git describe --tags --always 2>/dev/null || echo "dev")
+          EXT=""
+          if [ "$GOOS" = "windows" ]; then
+            EXT=".exe"
+          fi
+          OUTPUT="vault-keygen-${VERSION}-${GOOS}-${GOARCH}${EXT}"
+
+          mkdir -p dist
+          go build -trimpath -ldflags "-s -w" -o "dist/${OUTPUT}" ./cmd/keygen
+
+          cd dist && sha256sum "${OUTPUT}" > "${OUTPUT}.sha256"
+
+      - name: Upload to release
+        env:
+          RELEASE_ID: ${{ needs.create-release.outputs.release_id }}
+        run: |
+          for file in dist/*; do
+            if [ -f "$file" ]; then
+              filename=$(basename "$file")
+              echo "Uploading $filename..."
+              curl -sf -X POST \
+                -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+                -F "attachment=@$file" \
+                "https://direct.git.marketally.com/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=$filename" || true
+            fi
+          done