mirror of https://github.com/telemt/telemt.git
Compare commits
1 Commits
dc1a351ca4
...
3bdbba8777
| Author | SHA1 | Date |
|---|---|---|
|
|
3bdbba8777 |
|
|
@ -4,6 +4,7 @@ on:
|
||||||
push:
|
push:
|
||||||
tags:
|
tags:
|
||||||
- '[0-9]+.[0-9]+.[0-9]+'
|
- '[0-9]+.[0-9]+.[0-9]+'
|
||||||
|
- '[0-9]+.[0-9]+.[0-9]+-*'
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
concurrency:
|
concurrency:
|
||||||
|
|
@ -12,176 +13,204 @@ concurrency:
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
packages: write
|
|
||||||
|
|
||||||
env:
|
env:
|
||||||
CARGO_TERM_COLOR: always
|
CARGO_TERM_COLOR: always
|
||||||
|
RUST_BACKTRACE: "1"
|
||||||
BINARY_NAME: telemt
|
BINARY_NAME: telemt
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
prepare:
|
||||||
name: Build ${{ matrix.target }}
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
outputs:
|
||||||
|
version: ${{ steps.meta.outputs.version }}
|
||||||
|
prerelease: ${{ steps.meta.outputs.prerelease }}
|
||||||
|
release_enabled: ${{ steps.meta.outputs.release_enabled }}
|
||||||
|
steps:
|
||||||
|
- id: meta
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
|
||||||
|
VERSION="${GITHUB_REF#refs/tags/}"
|
||||||
|
RELEASE_ENABLED=true
|
||||||
|
else
|
||||||
|
VERSION="manual-${GITHUB_SHA::7}"
|
||||||
|
RELEASE_ENABLED=false
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ "$VERSION" == *"-alpha"* || "$VERSION" == *"-beta"* || "$VERSION" == *"-rc"* ]]; then
|
||||||
|
PRERELEASE=true
|
||||||
|
else
|
||||||
|
PRERELEASE=false
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "prerelease=$PRERELEASE" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "release_enabled=$RELEASE_ENABLED" >> "$GITHUB_OUTPUT"
|
||||||
|
|
||||||
|
checks:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
container:
|
||||||
|
image: debian:trixie
|
||||||
|
steps:
|
||||||
|
- run: |
|
||||||
|
apt-get update
|
||||||
|
apt-get install -y build-essential clang llvm pkg-config curl git
|
||||||
|
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- uses: dtolnay/rust-toolchain@stable
|
||||||
|
with:
|
||||||
|
components: rustfmt, clippy
|
||||||
|
|
||||||
|
- uses: actions/cache@v4
|
||||||
|
with:
|
||||||
|
path: |
|
||||||
|
/github/home/.cargo/registry
|
||||||
|
/github/home/.cargo/git
|
||||||
|
target
|
||||||
|
key: checks-${{ hashFiles('**/Cargo.lock') }}
|
||||||
|
|
||||||
|
- run: cargo fetch --locked
|
||||||
|
- run: cargo fmt --all -- --check
|
||||||
|
- run: cargo clippy
|
||||||
|
- run: cargo test
|
||||||
|
|
||||||
|
build-binaries:
|
||||||
|
needs: [prepare, checks]
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
container:
|
||||||
|
image: debian:trixie
|
||||||
|
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
include:
|
include:
|
||||||
# ===== GNU / glibc =====
|
- rust_target: x86_64-unknown-linux-gnu
|
||||||
- target: x86_64-unknown-linux-gnu
|
zig_target: x86_64-unknown-linux-gnu.2.28
|
||||||
asset_name: telemt-x86_64-linux-gnu
|
asset_name: telemt-x86_64-linux-gnu
|
||||||
- target: aarch64-unknown-linux-gnu
|
- rust_target: aarch64-unknown-linux-gnu
|
||||||
|
zig_target: aarch64-unknown-linux-gnu.2.28
|
||||||
asset_name: telemt-aarch64-linux-gnu
|
asset_name: telemt-aarch64-linux-gnu
|
||||||
|
- rust_target: x86_64-unknown-linux-musl
|
||||||
# ===== MUSL =====
|
zig_target: x86_64-unknown-linux-musl
|
||||||
- target: x86_64-unknown-linux-musl
|
|
||||||
asset_name: telemt-x86_64-linux-musl
|
asset_name: telemt-x86_64-linux-musl
|
||||||
|
- rust_target: aarch64-unknown-linux-musl
|
||||||
|
zig_target: aarch64-unknown-linux-musl
|
||||||
|
asset_name: telemt-aarch64-linux-musl
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- run: |
|
||||||
|
apt-get update
|
||||||
|
apt-get install -y clang llvm pkg-config curl git python3 python3-pip file tar xz-utils
|
||||||
|
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
- uses: dtolnay/rust-toolchain@stable
|
||||||
# ---------- Toolchain ----------
|
|
||||||
- uses: dtolnay/rust-toolchain@v1
|
|
||||||
with:
|
with:
|
||||||
toolchain: stable
|
targets: ${{ matrix.rust_target }}
|
||||||
targets: |
|
|
||||||
x86_64-unknown-linux-gnu
|
|
||||||
aarch64-unknown-linux-gnu
|
|
||||||
x86_64-unknown-linux-musl
|
|
||||||
|
|
||||||
# ---------- System deps (bookworm) ----------
|
|
||||||
- name: Install build deps
|
|
||||||
run: |
|
|
||||||
sudo apt-get update
|
|
||||||
sudo apt-get install -y --no-install-recommends \
|
|
||||||
build-essential \
|
|
||||||
clang \
|
|
||||||
lld \
|
|
||||||
pkg-config \
|
|
||||||
musl-tools \
|
|
||||||
gcc-aarch64-linux-gnu \
|
|
||||||
g++-aarch64-linux-gnu \
|
|
||||||
ca-certificates
|
|
||||||
|
|
||||||
# ---------- Cache ----------
|
|
||||||
- uses: actions/cache@v4
|
- uses: actions/cache@v4
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
~/.cargo/registry
|
/github/home/.cargo/registry
|
||||||
~/.cargo/git
|
/github/home/.cargo/git
|
||||||
target
|
target
|
||||||
key: ${{ runner.os }}-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
|
key: build-${{ matrix.zig_target }}-${{ hashFiles('**/Cargo.lock') }}
|
||||||
|
|
||||||
# ---------- Build ----------
|
- run: |
|
||||||
- name: Build
|
python3 -m pip install --user --break-system-packages cargo-zigbuild
|
||||||
env:
|
echo "/github/home/.local/bin" >> "$GITHUB_PATH"
|
||||||
CC_x86_64_unknown_linux_gnu: clang
|
|
||||||
CXX_x86_64_unknown_linux_gnu: clang++
|
|
||||||
|
|
||||||
CC_aarch64_unknown_linux_gnu: aarch64-linux-gnu-gcc
|
- run: cargo fetch --locked
|
||||||
CXX_aarch64_unknown_linux_gnu: aarch64-linux-gnu-g++
|
|
||||||
|
|
||||||
CC_x86_64_unknown_linux_musl: musl-gcc
|
- run: |
|
||||||
|
cargo zigbuild --release --locked --target "${{ matrix.zig_target }}"
|
||||||
|
|
||||||
RUSTFLAGS: "-C linker=clang -C link-arg=-fuse-ld=lld"
|
- run: |
|
||||||
run: |
|
BIN="target/${{ matrix.rust_target }}/release/${BINARY_NAME}"
|
||||||
case "${{ matrix.target }}" in
|
llvm-strip "$BIN" || true
|
||||||
x86_64-unknown-linux-musl)
|
|
||||||
export RUSTFLAGS="-C target-feature=+crt-static"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
cargo build --release --target ${{ matrix.target }}
|
- run: |
|
||||||
|
BIN="target/${{ matrix.rust_target }}/release/${BINARY_NAME}"
|
||||||
|
OUT="$RUNNER_TEMP/${{ matrix.asset_name }}"
|
||||||
|
mkdir -p "$OUT"
|
||||||
|
install -m755 "$BIN" "$OUT/${BINARY_NAME}"
|
||||||
|
|
||||||
# ---------- Package ----------
|
tar -C "$RUNNER_TEMP" -czf "${{ matrix.asset_name }}.tar.gz" "${{ matrix.asset_name }}"
|
||||||
- name: Package
|
sha256sum "${{ matrix.asset_name }}.tar.gz" > "${{ matrix.asset_name }}.sha256"
|
||||||
run: |
|
|
||||||
mkdir -p dist
|
|
||||||
|
|
||||||
BIN=target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}
|
|
||||||
|
|
||||||
cp "$BIN" dist/${{ env.BINARY_NAME }}-${{ matrix.target }}
|
|
||||||
|
|
||||||
cd dist
|
|
||||||
tar -czf ${{ matrix.asset_name }}.tar.gz ${{ env.BINARY_NAME }}-${{ matrix.target }}
|
|
||||||
sha256sum ${{ matrix.asset_name }}.tar.gz > ${{ matrix.asset_name }}.sha256
|
|
||||||
|
|
||||||
- uses: actions/upload-artifact@v4
|
- uses: actions/upload-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: ${{ matrix.asset_name }}
|
name: ${{ matrix.asset_name }}
|
||||||
path: |
|
path: |
|
||||||
dist/${{ matrix.asset_name }}.tar.gz
|
${{ matrix.asset_name }}.tar.gz
|
||||||
dist/${{ matrix.asset_name }}.sha256
|
${{ matrix.asset_name }}.sha256
|
||||||
|
|
||||||
docker:
|
docker-image:
|
||||||
name: Docker
|
name: Docker ${{ matrix.platform }}
|
||||||
|
needs: [prepare, build-binaries]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: build
|
|
||||||
continue-on-error: true
|
strategy:
|
||||||
|
matrix:
|
||||||
|
include:
|
||||||
|
- platform: linux/amd64
|
||||||
|
artifact: telemt-x86_64-linux-gnu
|
||||||
|
- platform: linux/arm64
|
||||||
|
artifact: telemt-aarch64-linux-gnu
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- uses: actions/download-artifact@v4
|
- uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
path: artifacts
|
name: ${{ matrix.artifact }}
|
||||||
|
path: dist
|
||||||
|
|
||||||
- name: Extract binaries
|
- run: |
|
||||||
run: |
|
mkdir docker-build
|
||||||
mkdir dist
|
tar -xzf dist/*.tar.gz -C docker-build --strip-components=1
|
||||||
find artifacts -name "*.tar.gz" -exec tar -xzf {} -C dist \;
|
|
||||||
|
|
||||||
cp dist/telemt-x86_64-unknown-linux-musl dist/telemt || true
|
|
||||||
|
|
||||||
- uses: docker/setup-qemu-action@v3
|
|
||||||
- uses: docker/setup-buildx-action@v3
|
- uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
- name: Login to GHCR
|
- name: Login
|
||||||
|
if: ${{ needs.prepare.outputs.release_enabled == 'true' }}
|
||||||
uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
with:
|
with:
|
||||||
registry: ghcr.io
|
registry: ghcr.io
|
||||||
username: ${{ github.actor }}
|
username: ${{ github.actor }}
|
||||||
password: ${{ secrets.GITHUB_TOKEN }}
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
- name: Extract version
|
- uses: docker/build-push-action@v6
|
||||||
id: vars
|
|
||||||
run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
|
|
||||||
|
|
||||||
- name: Build & Push prod
|
|
||||||
uses: docker/build-push-action@v6
|
|
||||||
with:
|
with:
|
||||||
context: .
|
context: ./docker-build
|
||||||
target: prod
|
platforms: ${{ matrix.platform }}
|
||||||
push: true
|
push: ${{ needs.prepare.outputs.release_enabled == 'true' }}
|
||||||
platforms: linux/amd64,linux/arm64
|
tags: ghcr.io/${{ github.repository }}:${{ needs.prepare.outputs.version }}
|
||||||
tags: |
|
cache-from: type=gha,scope=telemt-${{ matrix.platform }}
|
||||||
ghcr.io/${{ github.repository }}:${{ steps.vars.outputs.VERSION }}
|
cache-to: type=gha,mode=max,scope=telemt-${{ matrix.platform }}
|
||||||
ghcr.io/${{ github.repository }}:latest
|
provenance: false
|
||||||
build-args: |
|
sbom: false
|
||||||
BINARY=dist/telemt
|
|
||||||
|
|
||||||
release:
|
release:
|
||||||
name: Release
|
if: ${{ needs.prepare.outputs.release_enabled == 'true' }}
|
||||||
|
needs: [prepare, build-binaries]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: build
|
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: write
|
contents: write
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/download-artifact@v4
|
- uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
path: artifacts
|
path: release-artifacts
|
||||||
|
pattern: telemt-*
|
||||||
|
|
||||||
- name: Flatten artifacts
|
- run: |
|
||||||
run: |
|
mkdir upload
|
||||||
mkdir dist
|
find release-artifacts -type f \( -name '*.tar.gz' -o -name '*.sha256' \) -exec cp {} upload/ \;
|
||||||
find artifacts -type f -exec cp {} dist/ \;
|
|
||||||
|
|
||||||
- name: Create Release
|
- uses: softprops/action-gh-release@v2
|
||||||
uses: softprops/action-gh-release@v2
|
|
||||||
with:
|
with:
|
||||||
files: dist/*
|
files: upload/*
|
||||||
generate_release_notes: true
|
generate_release_notes: true
|
||||||
draft: false
|
prerelease: ${{ needs.prepare.outputs.prerelease == 'true' }}
|
||||||
prerelease: ${{ contains(github.ref, '-rc') || contains(github.ref, '-beta') || contains(github.ref, '-alpha') }}
|
|
||||||
|
|
|
||||||
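Review bot: The docker-image job logs in to ghcr.io with `secrets.GITHUB_TOKEN` and pushes on tag builds, but the workflow-level `packages: write` appears to have been dropped in this change and the job declares no permissions of its own, so the push is likely to be refused. A job-scoped `permissions:` block with `contents: read` and `packages: write` on docker-image would restore it while leaving every other job read-only. Both matrix legs (linux/amd64 and linux/arm64) also push the same `ghcr.io/${{ github.repository }}:${{ needs.prepare.outputs.version }}` tag, so whichever leg finishes last overwrites the other and the tag ends up single-architecture; pushing per-platform tags or digests and merging them into one manifest in a follow-up job would avoid that. Separately, the release binaries are produced by `cargo-zigbuild` installed from PyPI with no version, so pinning it (`cargo-zigbuild==<PINNED_VERSION>`, ideally with hash checking) would keep what ships in a tagged release from changing silently. The old and new sides are inferred from the rendered two-column layout, since the +/- markers did not survive.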
65
Dockerfile
65
Dockerfile
|
|
@ -1,5 +1,3 @@
|
||||||
# syntax=docker/dockerfile:1
|
|
||||||
|
|
||||||
# ==========================
|
# ==========================
|
||||||
# Stage 1: Build
|
# Stage 1: Build
|
||||||
# ==========================
|
# ==========================
|
||||||
|
|
@ -7,87 +5,36 @@ FROM rust:1.88-slim-bookworm AS builder
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||||
pkg-config \
|
pkg-config \
|
||||||
ca-certificates \
|
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
WORKDIR /build
|
WORKDIR /build
|
||||||
|
|
||||||
# Depcache
|
|
||||||
COPY Cargo.toml Cargo.lock* ./
|
COPY Cargo.toml Cargo.lock* ./
|
||||||
RUN mkdir src && echo 'fn main() {}' > src/main.rs && \
|
RUN mkdir src && echo 'fn main() {}' > src/main.rs && \
|
||||||
cargo build --release 2>/dev/null || true && \
|
cargo build --release 2>/dev/null || true && \
|
||||||
rm -rf src
|
rm -rf src
|
||||||
|
|
||||||
# Build
|
|
||||||
COPY . .
|
COPY . .
|
||||||
RUN cargo build --release && strip target/release/telemt
|
RUN cargo build --release && strip target/release/telemt
|
||||||
|
|
||||||
# ==========================
|
# ==========================
|
||||||
# Stage 2: Compress (strip + UPX)
|
# Stage 2: Runtime
|
||||||
# ==========================
|
# ==========================
|
||||||
FROM debian:12-slim AS minimal
|
FROM debian:bookworm-slim
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
||||||
upx \
|
|
||||||
binutils \
|
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
|
||||||
|
|
||||||
COPY --from=builder /build/target/release/telemt /telemt
|
|
||||||
|
|
||||||
RUN strip /telemt || true
|
|
||||||
RUN upx --best --lzma /telemt || true
|
|
||||||
|
|
||||||
# ==========================
|
|
||||||
# Stage 3: Debug base
|
|
||||||
# ==========================
|
|
||||||
FROM debian:12-slim AS debug-base
|
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
tzdata \
|
|
||||||
curl \
|
|
||||||
iproute2 \
|
|
||||||
busybox \
|
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# ==========================
|
RUN useradd -r -s /usr/sbin/nologin telemt
|
||||||
# Stage 4: Debug image
|
|
||||||
# ==========================
|
|
||||||
FROM debug-base AS debug
|
|
||||||
|
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
COPY --from=minimal /telemt /app/telemt
|
COPY --from=builder /build/target/release/telemt /app/telemt
|
||||||
COPY config.toml /app/config.toml
|
COPY config.toml /app/config.toml
|
||||||
|
|
||||||
USER root
|
RUN chown -R telemt:telemt /app
|
||||||
|
USER telemt
|
||||||
EXPOSE 443
|
|
||||||
EXPOSE 9090
|
|
||||||
EXPOSE 9091
|
|
||||||
|
|
||||||
ENTRYPOINT ["/app/telemt"]
|
|
||||||
CMD ["config.toml"]
|
|
||||||
|
|
||||||
# ==========================
|
|
||||||
# Stage 5: Production (distroless)
|
|
||||||
# ==========================
|
|
||||||
FROM gcr.io/distroless/base-debian12 AS prod
|
|
||||||
|
|
||||||
WORKDIR /app
|
|
||||||
|
|
||||||
COPY --from=minimal /telemt /app/telemt
|
|
||||||
COPY config.toml /app/config.toml
|
|
||||||
|
|
||||||
# TLS + timezone + shell
|
|
||||||
COPY --from=debug-base /etc/ssl/certs /etc/ssl/certs
|
|
||||||
COPY --from=debug-base /usr/share/zoneinfo /usr/share/zoneinfo
|
|
||||||
COPY --from=debug-base /bin/busybox /bin/busybox
|
|
||||||
|
|
||||||
RUN ["/bin/busybox", "--install", "-s", "/bin"]
|
|
||||||
|
|
||||||
# distroless user
|
|
||||||
USER nonroot:nonroot
|
|
||||||
|
|
||||||
EXPOSE 443
|
EXPOSE 443
|
||||||
EXPOSE 9090
|
EXPOSE 9090
|
||||||
|
|
|
||||||
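Review bot: The image build looks likely to fail as wired. This Dockerfile still compiles from source (`COPY Cargo.toml Cargo.lock* ./`, then `COPY --from=builder /build/target/release/telemt /app/telemt`), while the workflow in the same commit builds with `context: ./docker-build`, which by the visible steps holds only the unpacked prebuilt binary, with no Dockerfile, Cargo.toml or config.toml. Either the action should be pointed (via its `file` input) at a Dockerfile that only copies the prebuilt `telemt`, or the workflow should keep `context: .`. In the runtime stage, `RUN chown -R telemt:telemt /app` makes the executable and config.toml writable by the service account; leaving them root-owned, or chowning only a dedicated writable directory, keeps a compromised process from rewriting its own binary or configuration. The file continues past this hunk (no ENTRYPOINT is visible on the new side), and `USER telemt` together with `EXPOSE 443` depends on the runtime permitting unprivileged binds to low ports, which is worth confirming outside Docker's defaults.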