fix: wireguard needs w in apparmor profile #251
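---
# Naisdevice CI/release workflow.
#
# Flow: release-info -> checks + builds -> branch-protection-checkpoint
#       -> release-github -> release-gar + release-external-repos.
# Every third-party action is pinned to a commit SHA (the trailing
# "ratchet:" comment records the tag it was resolved from).
name: Naisdevice workflow

on:
  pull_request:
    types: [opened, reopened, synchronize]
  push:
    branches: [main]
    paths:
      - "go.*"
      - "cmd/naisdevice-*"
      - "internal/deviceagent/**"
      - "internal/enroll/**"
      - "internal/systray/**"
      - "internal/helper/**"
      - "internal/otel/**"
      - "internal/bootstrap/**"
      - "internal/ioconvenience/**"
      - "internal/logger/**"
      - "internal/program/**"
      - "internal/notify/**"
      - "internal/random/**"
      - "internal/unixsocket/**"
      - "internal/version/**"
      - "internal/wireguard/**"
      - ".github/workflows/build.yaml"
      - ".github/workflows/templates/*"
      - "mise/config.toml"
      - "mise/tasks/**"
      - "!mise/tasks/**/*controlplane*"

env:
  # some mise tasks use this to determine how they package/sign stuff.
  # Only pushes to main that were not made by dependabot count as a release.
  RELEASE: ${{ (github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]') && 'true' || 'false' }}

concurrency:
  group: ${{ github.ref }}
  # Superseded PR runs are cancelled, but a run on main is never cancelled:
  # release-github/release-gar/release-external-repos publish to several
  # channels in sequence, and cancelling between them would leave the
  # GitHub release, the apt repo and the package-manager repos inconsistent.
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

# Default token scope for every job; jobs that need more declare it themselves.
permissions:
  contents: read

jobs:
  # Derives the next version and changelog; consumed by every release job.
  release-info:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # presumably lets ci:release-info comment on the PR — confirm against the mise task
      pull-requests: write
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6
        with:
          # full history: the task needs tags to compute the version
          fetch-depth: 0
      - uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # ratchet:jdx/mise-action@v3
      - id: generate
        run: mise run ci:release-info
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    outputs:
      version: ${{ steps.generate.outputs.version }}
      changelog: ${{ steps.generate.outputs.changelog }}

  # One job per lint/test task so failures are reported independently.
  checks:
    strategy:
      fail-fast: false
      matrix:
        mise_task:
          - check:golangci-lint
          - check:govet
          - check:govulncheck
          - check:ratchet
          - check:staticcheck
          - ci:fmt
          - test
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6
      - uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # ratchet:jdx/mise-action@v3
      # matrix values are static strings from this file, so interpolating
      # them into the shell line is safe.
      - run: mise run ${{ matrix.mise_task }}

  # Cross-builds and packages the installers for every OS/arch/tenant combo.
  builds:
    name: build ${{ matrix.platform.goos }} / ${{ matrix.arch }} / ${{ matrix.gotags || 'Nav' }}
    needs: [release-info]
    strategy:
      fail-fast: false
      matrix:
        gotags: ["", tenant]
        arch: [amd64, arm64]
        platform:
          - goos: windows
            os: windows
            runner: ubuntu-latest
            ext: exe
          - goos: linux
            os: linux
            runner: ubuntu-latest
            ext: deb
          - goos: darwin
            os: macos
            runner: macos-latest
            ext: pkg
    runs-on: ${{ matrix.platform.runner }}
    env:
      VERSION: ${{ needs.release-info.outputs.version || 'none' }} # Allow builds to continue with no version, it won't release.
      GOOS: ${{ matrix.platform.goos }}
      GOARCH: ${{ matrix.arch }}
      GOTAGS: ${{ matrix.gotags }}
      OUTFILE: ./release_artifacts/naisdevice${{ matrix.gotags == 'tenant' && '-tenant' || '' }}_${{ matrix.platform.os }}_${{ matrix.arch }}.${{ matrix.platform.ext }}
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6
      - uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # ratchet:jdx/mise-action@v3
      # Windows installers are built and signed from a Linux runner.
      - if: matrix.platform.os == 'windows'
        run: sudo apt-get update && sudo apt-get install --yes nsis osslsigncode
      - if: matrix.platform.os == 'macos'
        run: brew install bash
      # Signing certificates are only imported for real releases.
      - if: matrix.platform.os == 'macos' && env.RELEASE == 'true'
        uses: Apple-Actions/import-codesign-certs@b610f78488812c1e56b20e6df63ec42d833f2d14 # ratchet:Apple-Actions/import-codesign-certs@v6
        with:
          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
      - name: mise run package:${{ matrix.platform.os }}
        env:
          MSI_SIGN_CERT: ${{ secrets.MSI_SIGN_CERT }}
          MSI_SIGN_KEY: ${{ secrets.MSI_SIGN_KEY }}
          APPLE_NOTARIZE_AUTH_KEY_P8_BASE64: ${{ secrets.APPLE_NOTARIZE_AUTH_KEY_P8_BASE64 }}
          APPLE_NOTARIZE_D: ${{ secrets.APPLE_NOTARIZE_D }}
          APPLE_NOTARIZE_I: ${{ secrets.APPLE_NOTARIZE_I }}
        run: |
          mkdir -p "$(dirname "$OUTFILE")"
          mise run "package:${{ matrix.platform.os }}"
      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # ratchet:actions/upload-artifact@v5
        with:
          name: installer-${{ matrix.platform.os }}-${{ matrix.arch }}-${{ matrix.gotags || 'nav' }}
          path: ${{ env.OUTFILE }}

  # Used by GitHub to determine if all checks/builds have passed
  branch-protection-checkpoint:
    needs: [checks, builds]
    if: ${{ always() }}
    runs-on: ubuntu-latest
    steps:
      - if: ${{ needs.checks.result != 'success' || needs.builds.result != 'success' }}
        run: exit 1
      - run: echo "All checks and builds passed."

  # Tags and publishes the GitHub release with all installers and checksums.
  release-github:
    if: github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]' && needs.release-info.outputs.changelog != '' && needs.release-info.outputs.version != ''
    needs: [release-info, branch-protection-checkpoint]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    # Job outputs are passed to shell steps through env, not interpolated
    # into `run:` lines, so their content can never be parsed as shell.
    env:
      VERSION: ${{ needs.release-info.outputs.version }}
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6
        with:
          fetch-depth: 0
      - uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # ratchet:jdx/mise-action@v3
      # Local tag only; the release action below creates the remote tag.
      - run: git tag "$VERSION"
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # ratchet:actions/download-artifact@v6
        with:
          merge-multiple: true
          path: release_artifacts
      # NOTE(review): checksums.txt is written into the directory being
      # checksummed — confirm ci:generate-checksums excludes it.
      - run: mise run ci:generate-checksums ./release_artifacts/ > ./release_artifacts/checksums.txt
      - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # ratchet:softprops/action-gh-release@v2.5.0
        id: release
        with:
          tag_name: ${{ needs.release-info.outputs.version }}
          body: ${{ needs.release-info.outputs.changelog }}
          prerelease: false
          files: ./release_artifacts/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - run: mise run ci:prepare-template-vars ./release_artifacts/checksums.txt -v > template.vars
      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # ratchet:actions/upload-artifact@v5
        with:
          name: template-vars
          path: ./template.vars
      - run: |
          echo "## :rocket: Release $VERSION" >> "$GITHUB_STEP_SUMMARY"
          echo "A new release is available over at https://github.com/$GITHUB_REPOSITORY/releases/tag/$VERSION." >> "$GITHUB_STEP_SUMMARY"

  # Uploads the Linux .deb packages to the apt repository via OIDC auth.
  release-gar:
    strategy:
      fail-fast: false
      matrix:
        arch: [arm64, amd64]
        suffix: [nav, tenant]
    needs: [release-github]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # required for workload-identity federation in the auth step
      id-token: write
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6
      - id: auth
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # ratchet:google-github-actions/auth@v3
        with:
          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: gh-naisdevice@nais-io.iam.gserviceaccount.com
          token_format: access_token
      - uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # ratchet:google-github-actions/setup-gcloud@v3
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # ratchet:actions/download-artifact@v6
        with:
          name: installer-linux-${{ matrix.arch }}-${{ matrix.suffix }}
          path: ./downloaded-artifact/
      - run: |
          gcloud artifacts apt upload nais-ppa --project nais-io --quiet --location europe-north1 --source ./downloaded-artifact/*

  # Opens PRs against the scoop and homebrew repos with the new version/checksums.
  release-external-repos:
    needs: [release-github]
    strategy:
      fail-fast: false
      matrix:
        target:
          - repo: nais/scoop-bucket
            file: naisdevice.json
          - repo: nais/scoop-bucket
            file: naisdevice-tenant.json
          - repo: nais/homebrew-tap
            file: Casks/naisdevice.rb
          - repo: nais/homebrew-tap
            file: Casks/naisdevice-tenant.rb
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # NOTE(review): no step in this job appears to use OIDC — consider
      # dropping id-token: write if nothing depends on it.
      id-token: write
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # ratchet:actions/checkout@v6
      # Short-lived installation token scoped to the single target repo.
      - uses: navikt/github-app-token-generator@b96ff604b2300989cd1105e3fad09199fca56681 # ratchet:navikt/github-app-token-generator@v1
        id: token
        with:
          private-key: ${{ secrets.NAIS_APP_PRIVATE_KEY }}
          app-id: ${{ secrets.NAIS_APP_ID }}
          repo: ${{ matrix.target.repo }}
      - uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # ratchet:jdx/mise-action@v3
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # ratchet:actions/download-artifact@v6
        with:
          name: template-vars
      - name: update ${{ matrix.target.repo }}
        timeout-minutes: 1
        env:
          GH_TOKEN: ${{ steps.token.outputs.token }}
        # matrix.target values are static strings from this file.
        run: |
          mise run ci:create-package-manager-pr "${{ matrix.target.repo }}" "${{ matrix.target.file }}"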