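# Release pipeline: runs on a pushed v*.*.* tag, syntax-checks the JavaScript
# sources, builds and pushes the multi-arch container image to GHCR, then
# packages the Helm chart and publishes a GitHub Release with the assets.
#
# NOTE(review): every `uses:` below references a mutable major-version tag.
# For a workflow that holds write tokens, pin each action to a full commit SHA
# (keeping the version in a trailing comment) so a re-pointed tag cannot change
# what runs here.
name: Release

on:
  push:
    tags:
      - 'v*.*.*'

# Least privilege by default: jobs that publish request write scopes themselves.
permissions:
  contents: read

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: nodenester/sentinel

jobs:
  test:
    name: Syntax Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No later step needs git credentials; do not leave the token in .git/config.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Syntax check all JS files
        run: |
          echo "Checking JavaScript syntax..."
          errors=0
          # Process substitution keeps the loop in the current shell so the
          # error counter survives past `done`.
          while IFS= read -r file; do
            if ! node --check "$file" 2>/dev/null; then
              echo "FAIL: $file"
              errors=$((errors + 1))
            fi
          done < <(find src/ -name '*.js' -type f)
          if [ "$errors" -gt 0 ]; then
            echo "$errors file(s) have syntax errors"
            exit 1
          fi
          echo "All JS files passed syntax check"

  docker:
    name: Build & Push Docker Image
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: read
      packages: write   # push to ghcr.io
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract version from tag
        id: version
        run: |
          version="${GITHUB_REF#refs/tags/v}"
          # The trigger glob v*.*.* matches any tag containing two dots, and git
          # ref names may carry shell metacharacters. Reject anything that is not
          # MAJOR.MINOR.PATCH[-prerelease] before it is used as an image tag or
          # chart version, and before anything is published.
          if [[ ! "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
            echo "Refusing to release: tag is not a semantic version" >&2
            exit 1
          fi
          echo "VERSION=${version}" >> "$GITHUB_OUTPUT"

      - name: Build and push multi-arch image
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          labels: |
            org.opencontainers.image.title=Sentinel
            org.opencontainers.image.description=Autonomous AI Security Team
            org.opencontainers.image.version=${{ steps.version.outputs.VERSION }}
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}

  release:
    name: Create GitHub Release
    runs-on: ubuntu-latest
    needs: [test, docker]
    permissions:
      contents: write   # create the release and upload its assets
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history is needed for `git describe` / `git log` below.
          fetch-depth: 0
          # The changelog is built from local history only; the release action
          # receives its token through its own env, not through git config.
          persist-credentials: false

      - name: Extract version from tag
        id: version
        # This job only runs after `docker` succeeded, which has already
        # validated the tag format.
        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"

      - name: Install Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.14.0

      - name: Package Helm chart
        env:
          # Passed through the environment instead of being expanded with
          # ${{ }} inside the script, so the tag text is never parsed as shell.
          VERSION: ${{ steps.version.outputs.VERSION }}
        run: |
          helm package charts/sentinel \
            --version "$VERSION" \
            --app-version "$VERSION" \
            --destination ./release-assets/

      - name: Copy install script
        run: |
          mkdir -p ./release-assets
          cp scripts/install.sh ./release-assets/install.sh
          cp scripts/install-k8s.sh ./release-assets/install-k8s.sh
          chmod +x ./release-assets/install.sh ./release-assets/install-k8s.sh

      - name: Generate changelog
        id: changelog
        env:
          # See "Package Helm chart": the heredoc below is unquoted, so a
          # ${{ }} expansion there would be evaluated by the shell.
          VERSION: ${{ steps.version.outputs.VERSION }}
        run: |
          # Find previous tag
          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
          if [ -z "$PREV_TAG" ]; then
            COMMITS=$(git log --oneline --no-decorate)
          else
            COMMITS=$(git log --oneline --no-decorate "${PREV_TAG}..HEAD")
          fi
          # NOTE(review): the "Quick Install" line fetches install.sh from the
          # `main` branch, not from this tag, so the published notes do not pin
          # the script to the release they describe. The same script is attached
          # to the release as an asset; consider pointing the notes at that.
          # Shell variables are expanded once in the heredoc; commit subjects in
          # ${COMMITS} are inserted as text and not re-evaluated.
          cat > ./release-assets/CHANGELOG.md <<EOF
          ## What's Changed in v${VERSION}

          ### Commits
          ${COMMITS}

          ### Docker Image
          \`\`\`bash
          docker pull ghcr.io/nodenester/sentinel:${VERSION}
          \`\`\`

          ### Quick Install
          \`\`\`bash
          curl -fsSL https://raw.githubusercontent.com/NodeNestor/Sentinel/main/scripts/install.sh | bash
          \`\`\`

          ### Helm Install
          \`\`\`bash
          helm install sentinel ./sentinel-${VERSION}.tgz -n sentinel --create-namespace
          \`\`\`
          EOF

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          body_path: ./release-assets/CHANGELOG.md
          generate_release_notes: true
          files: |
            ./release-assets/sentinel-*.tgz
            ./release-assets/install.sh
            ./release-assets/install-k8s.sh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}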