fix CI to write digests and shit #59
Workflow file for this run
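# Builds MistServer container images and native binaries, signs the darwin
# binaries, and assembles a GitHub Release when the run was started by a tag.
name: Build MistServer

# Triggered by pushes of `v*` / `frameworks-*` tags and by manual dispatch.
on:
  push:
    tags:
      - 'v*'
      - 'frameworks-*'
  workflow_dispatch:

# Default GITHUB_TOKEN scope for jobs that do not declare `permissions`.
# Those jobs check out the repository and push to GHCR, so read access to
# contents is enough; create-release requests `contents: write` for itself.
# Keeping the default read-only also limits what the token can do on the
# self-hosted runner used by several jobs.
permissions:
  contents: read
  packages: write

env:
  REGISTRY_GHCR: ghcr.io/livepeer-frameworks
  REGISTRY_DOCKERHUB: livepeerframeworks

jobs: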
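# ---------------------------------------------------------------------------
# Docker image — linux/amd64 on ubuntu
# ---------------------------------------------------------------------------
  build-image-amd64:
    name: Build Docker Image (linux/amd64)
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags
      # and run with registry credentials; pinning each `uses:` to a full
      # commit SHA would keep a moved tag from changing what executes here.
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Get version info
        id: version
        run: |
          set -euo pipefail
          # `git rev-parse --short=7` returns *at least* 7 characters and can
          # grow when the prefix is ambiguous, which depends on how much
          # history was fetched. Cutting the full SHA gives the same tag in
          # every job regardless of checkout depth.
          SHORT_SHA="$(git rev-parse HEAD | cut -c1-7)"
          echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
          echo "tag=development-${SHORT_SHA}" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Pushes the amd64 image to both registries with provenance and SBOM
      # attestations enabled.
      - name: Build and push (amd64)
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile.mistserver
          platforms: linux/amd64
          push: true
          provenance: true
          sbom: true
          tags: |
            ${{ env.REGISTRY_GHCR }}/mistserver:${{ steps.version.outputs.tag }}-amd64
            ${{ env.REGISTRY_DOCKERHUB }}/mistserver:${{ steps.version.outputs.tag }}-amd64
          cache-from: |
            type=gha,scope=mistserver-amd64
            type=registry,ref=${{ env.REGISTRY_GHCR }}/mistserver:latest
          cache-to: type=gha,mode=max,ignore-error=true,scope=mistserver-amd64

      # Step outputs are handed over through `env` instead of being expanded
      # into the script text, so the shell only ever sees them as data.
      - name: Save digest
        env:
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
          IMAGE_TAG: ${{ steps.version.outputs.tag }}
        run: |
          set -euo pipefail
          # An empty digest file would look like a valid record downstream;
          # fail here instead.
          : "${IMAGE_DIGEST:?build step produced no digest}"
          mkdir -p release-metadata
          printf '%s\n' "${IMAGE_DIGEST}" > release-metadata/docker-digest-amd64.txt
          printf '%s\n' "${IMAGE_TAG}" > release-metadata/docker-tag.txt

      - name: Upload metadata
        uses: actions/upload-artifact@v7
        with:
          name: docker-metadata-amd64
          path: release-metadata/*.txt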
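# ---------------------------------------------------------------------------
# Docker image — linux/arm64 on self-hosted Mac (native ARM; the Docker
# socket is provided by Colima, see the setup step)
# ---------------------------------------------------------------------------
  build-image-arm64:
    name: Build Docker Image (linux/arm64)
    runs-on: macos-arm64-self-hosted
    env:
      ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY: "4"
    steps:
      # NOTE(review): this job runs on a self-hosted machine with registry
      # credentials, and its actions are referenced by mutable tags; pinning
      # each `uses:` to a full commit SHA would keep a moved tag from
      # changing what executes on that host.
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      # Points the docker CLI at the Colima socket and puts Homebrew on PATH
      # for the remaining steps.
      - name: Setup Docker environment (Colima)
        run: |
          echo "DOCKER_HOST=unix://$HOME/.colima/default/docker.sock" >> "$GITHUB_ENV"
          echo "/opt/homebrew/bin" >> "$GITHUB_PATH"

      - name: Get version info
        id: version
        run: |
          set -euo pipefail
          # `git rev-parse --short=7` returns *at least* 7 characters and can
          # grow when the prefix is ambiguous, which depends on how much
          # history was fetched. Cutting the full SHA gives the same tag in
          # every job regardless of checkout depth.
          SHORT_SHA="$(git rev-parse HEAD | cut -c1-7)"
          echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
          echo "tag=development-${SHORT_SHA}" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Pushes the arm64 image to both registries with provenance and SBOM
      # attestations enabled.
      - name: Build and push (arm64)
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile.mistserver
          platforms: linux/arm64
          push: true
          provenance: true
          sbom: true
          tags: |
            ${{ env.REGISTRY_GHCR }}/mistserver:${{ steps.version.outputs.tag }}-arm64
            ${{ env.REGISTRY_DOCKERHUB }}/mistserver:${{ steps.version.outputs.tag }}-arm64
          cache-from: |
            type=gha,scope=mistserver-arm64
          cache-to: type=gha,mode=max,ignore-error=true,scope=mistserver-arm64

      # The digest is handed over through `env` instead of being expanded
      # into the script text, so the shell only ever sees it as data.
      - name: Save digest
        env:
          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          set -euo pipefail
          # An empty digest file would look like a valid record downstream;
          # fail here instead.
          : "${IMAGE_DIGEST:?build step produced no digest}"
          mkdir -p release-metadata
          printf '%s\n' "${IMAGE_DIGEST}" > release-metadata/docker-digest-arm64.txt

      - name: Upload metadata
        uses: actions/upload-artifact@v7
        with:
          name: docker-metadata-arm64
          path: release-metadata/*.txt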
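# ---------------------------------------------------------------------------
# Multi-arch Docker manifest — combine amd64 + arm64 images
# ---------------------------------------------------------------------------
  create-manifest:
    name: Create Multi-arch Docker Manifest
    needs: [build-image-amd64, build-image-arm64]
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags
      # and run with registry credentials; pinning each `uses:` to a full
      # commit SHA would keep a moved tag from changing what executes here.
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Get version info
        id: version
        run: |
          set -euo pipefail
          # This job uses the default (shallow) checkout while the build jobs
          # fetch full history; `git rev-parse --short=7` can return more
          # than 7 characters depending on the objects present, so the tag is
          # cut from the full SHA to match in every job.
          SHORT_SHA="$(git rev-parse HEAD | cut -c1-7)"
          echo "tag=development-${SHORT_SHA}" >> "$GITHUB_OUTPUT"

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # The build jobs upload docker-metadata-amd64 / docker-metadata-arm64,
      # each holding the digest of the image that job pushed.
      - name: Download per-arch digests
        uses: actions/download-artifact@v7
        with:
          pattern: docker-metadata-*
          path: release-metadata
          merge-multiple: true

      # Source images are addressed by the digests recorded by the build jobs
      # rather than by their `-amd64` / `-arm64` tags: a tag can be moved
      # between the build and this job, a digest cannot.
      - name: Create and push multi-arch manifests
        env:
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          set -euo pipefail

          # Prints the digest stored for architecture $1, or fails if the
          # file is missing or does not hold a sha256 digest.
          read_digest() {
            local digest
            digest="$(tr -d '[:space:]' < "release-metadata/docker-digest-$1.txt")"
            if [[ ! "${digest}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
              echo "invalid $1 digest: '${digest}'" >&2
              return 1
            fi
            printf '%s' "${digest}"
          }

          AMD64_DIGEST="$(read_digest amd64)"
          ARM64_DIGEST="$(read_digest arm64)"

          # Same manifest list under the version tag and `latest`, first on
          # GHCR and then on DockerHub.
          for repo in "${REGISTRY_GHCR}/mistserver" "${REGISTRY_DOCKERHUB}/mistserver"; do
            docker buildx imagetools create \
              -t "${repo}:${TAG}" \
              -t "${repo}:latest" \
              "${repo}@${AMD64_DIGEST}" \
              "${repo}@${ARM64_DIGEST}"
          done

      # release-metadata/ already holds the per-arch digest files downloaded
      # above, so the `docker-metadata` artifact consumed by create-release
      # now carries the digests together with the tag.
      - name: Save Docker metadata
        env:
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          set -euo pipefail
          mkdir -p release-metadata
          printf '%s\n' "${TAG}" > release-metadata/docker-tag.txt

      - name: Upload Docker metadata
        uses: actions/upload-artifact@v7
        with:
          name: docker-metadata
          path: release-metadata/*.txt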
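# ---------------------------------------------------------------------------
# Native binary — linux/amd64 on ubuntu
# ---------------------------------------------------------------------------
  build-binaries-amd64:
    name: Build Native Binaries (linux/amd64)
    runs-on: ubuntu-latest
    # The job only checks out the source and uploads a workflow artifact, so
    # the token does not need write access to repository contents.
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Get version info
        id: version
        run: |
          set -euo pipefail
          # `git rev-parse --short=7` returns *at least* 7 characters and can
          # grow when the prefix is ambiguous; cutting the full SHA keeps the
          # tag identical across jobs with different checkout depths.
          SHORT_SHA="$(git rev-parse HEAD | cut -c1-7)"
          echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
          echo "tag=development-${SHORT_SHA}" >> "$GITHUB_OUTPUT"

      - name: Install build dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            build-essential git python3 python3-pip ninja-build \
            libavcodec-dev libavfilter-dev libavformat-dev libavutil-dev libswscale-dev libswresample-dev \
            libmbedtls-dev libcjson-dev
          # The requirement must be quoted: unquoted, the shell treats
          # `>=1.3.0` as a redirection to a file named `=1.3.0` and pip
          # installs meson with no version constraint at all.
          pip3 install 'meson>=1.3.0'

      # Static build; mbedtls and usrsctp are forced to the bundled fallback
      # subprojects.
      - name: Build MistServer
        run: |
          meson setup build \
            --default-library=static \
            --wrap-mode=default \
            --force-fallback-for=mbedtls,usrsctp \
            -DWITH_AV=true \
            -DDEBUG=3 \
            -DNORIST=true \
            -DRELEASE=Generic_x86_64 \
            --prefix=/tmp/mistserver-install
          ninja -C build install

      - name: Strip binaries
        run: |
          strip /tmp/mistserver-install/bin/Mist*

      # The tag is passed through `env` so the script text stays constant.
      - name: Package binaries
        env:
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          cd /tmp/mistserver-install
          tar czf "${GITHUB_WORKSPACE}/mistserver-linux-amd64-${TAG}.tar.gz" bin/ lib/

      - name: Upload artifact
        uses: actions/upload-artifact@v7
        with:
          name: mistserver-linux-amd64
          path: mistserver-linux-amd64-${{ steps.version.outputs.tag }}.tar.gz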
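# ---------------------------------------------------------------------------
# Native binaries — all arm64 + darwin on self-hosted Mac Mini
#
# Builds two targets:
# 1. linux/arm64 — inside an Alpine ARM container (Docker socket provided by
#    Colima, see the setup step)
# 2. darwin/arm64 — native Meson build
# ---------------------------------------------------------------------------
  build-arm64-and-darwin:
    name: Build Native Binaries (arm64 + darwin)
    runs-on: macos-arm64-self-hosted
    # The job only checks out the source and uploads workflow artifacts, so
    # the token does not need write access to repository contents.
    permissions:
      contents: read
    env:
      ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY: "4"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      # Points the docker CLI at the Colima socket and puts Homebrew on PATH
      # for the remaining steps.
      - name: Setup Docker environment (Colima)
        run: |
          echo "DOCKER_HOST=unix://$HOME/.colima/default/docker.sock" >> "$GITHUB_ENV"
          echo "/opt/homebrew/bin" >> "$GITHUB_PATH"

      - name: Get version info
        id: version
        run: |
          set -euo pipefail
          # `git rev-parse --short=7` returns *at least* 7 characters and can
          # grow when the prefix is ambiguous; cutting the full SHA keeps the
          # tag identical across jobs with different checkout depths.
          SHORT_SHA="$(git rev-parse HEAD | cut -c1-7)"
          echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
          echo "tag=development-${SHORT_SHA}" >> "$GITHUB_OUTPUT"

      - name: Install macOS build dependencies
        run: brew install meson ninja pkg-config ffmpeg srt srtp cmake

      # -- linux/arm64 via Docker (native ARM container, no QEMU) --
      # The source tree is mounted read-only and copied inside the container,
      # so the build cannot write back into the runner workspace.
      # `set -eu` makes the container script stop at the first failing
      # command; without it only the exit status of the final `strip` decided
      # whether the step passed.
      # The meson requirement is quoted because an unquoted `>=1.3.0` is a
      # shell redirection, which drops the version constraint.
      # NOTE(review): `alpine:3.21` is a mutable tag; pinning the image by
      # digest would make the build environment reproducible.
      - name: Build linux/arm64 via Docker
        run: |
          docker run --rm \
            -v "${GITHUB_WORKSPACE}:/src:ro" \
            -v "${RUNNER_TEMP}/linux-arm64:/output" \
            alpine:3.21 sh -c '
              set -eu
              apk add --no-cache build-base git python3 py3-pip ninja pkgconf \
                binutils cmake \
                mbedtls-dev libsrtp-dev libsrt-dev cjson-dev \
                ffmpeg-dev ffmpeg-libavcodec ffmpeg-libavformat ffmpeg-libavutil \
                ffmpeg-libswscale ffmpeg-libswresample
              pip3 install --break-system-packages "meson>=1.3.0"
              cp -r /src /build-src && cd /build-src
              meson setup /build \
                --default-library=static \
                --wrap-mode=default \
                --force-fallback-for=mbedtls,usrsctp \
                -DWITH_AV=true \
                -DDEBUG=3 \
                -DNORIST=true \
                -DRELEASE=Generic_aarch64 \
                -Dmbedtls:default_library=static \
                -Dusrsctp:default_library=static \
                --prefix=/output/mistserver-install
              ninja -C /build install
              strip /output/mistserver-install/bin/Mist*
            '

      - name: Package linux/arm64
        env:
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          cd "${RUNNER_TEMP}/linux-arm64/mistserver-install"
          tar czf "${GITHUB_WORKSPACE}/mistserver-linux-arm64-${TAG}.tar.gz" bin/ lib/

      - name: Upload linux/arm64 artifact
        uses: actions/upload-artifact@v7
        with:
          name: mistserver-linux-arm64
          path: mistserver-linux-arm64-${{ steps.version.outputs.tag }}.tar.gz

      # -- darwin/arm64 (native build) --
      - name: Build darwin/arm64
        run: |
          meson setup build-darwin-arm64 \
            --default-library=static \
            --wrap-mode=default \
            --force-fallback-for=mbedtls,usrsctp \
            -DWITH_AV=true \
            -DDEBUG=3 \
            -DNORIST=true \
            -DRELEASE=macOS_aarch64 \
            --prefix="${RUNNER_TEMP}/darwin-arm64/mistserver-install"
          ninja -C build-darwin-arm64 install

      # This tarball is still unsigned; sign-darwin downloads it, signs the
      # binaries and re-packages them.
      - name: Package darwin/arm64
        env:
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          cd "${RUNNER_TEMP}/darwin-arm64/mistserver-install"
          tar czf "${GITHUB_WORKSPACE}/mistserver-darwin-arm64-${TAG}.tar.gz" bin/ lib/

      - name: Upload darwin/arm64 artifact
        uses: actions/upload-artifact@v7
        with:
          name: mistserver-darwin-arm64
          path: mistserver-darwin-arm64-${{ steps.version.outputs.tag }}.tar.gz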
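# ---------------------------------------------------------------------------
# Code signing + notarization for darwin binaries
# ---------------------------------------------------------------------------
  sign-darwin:
    name: Sign and Notarize darwin Binaries
    needs: [build-arm64-and-darwin]
    runs-on: macos-arm64-self-hosted
    # This job handles signing secrets and needs nothing from the token
    # beyond reading the repository for checkout.
    permissions:
      contents: read
    env:
      ACTIONS_ARTIFACT_UPLOAD_CONCURRENCY: "4"
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags
      # and run next to the signing identity; pinning each `uses:` to a full
      # commit SHA would keep a moved tag from changing what executes here.
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Download darwin/arm64 artifact
        uses: actions/download-artifact@v7
        with:
          name: mistserver-darwin-arm64
          path: dist/

      - name: Extract darwin binaries
        run: |
          mkdir -p sign/darwin-arm64
          tar xzf dist/mistserver-darwin-arm64-*.tar.gz -C sign/darwin-arm64

      # Secrets are passed through `env` in every step below. Expanding
      # `${{ secrets.* }}` directly inside `run:` pastes the value into the
      # script text, where quotes or `$` in the secret are interpreted by the
      # shell.
      - name: Unlock keychain
        env:
          KEYCHAIN_PASSWORD: ${{ secrets.LOGIN_KEYCHAIN_PASSWORD }}
        run: security unlock-keychain -p "${KEYCHAIN_PASSWORD}" login.keychain

      - name: Sign darwin binaries
        env:
          APPLE_DEVELOPER_ID: ${{ secrets.APPLE_DEVELOPER_ID }}
        run: |
          set -euo pipefail
          signed=0
          for bin in sign/darwin-arm64/bin/Mist*; do
            [ -f "$bin" ] || continue
            codesign --sign "${APPLE_DEVELOPER_ID}" \
              --timestamp --options runtime --force "$bin"
            echo "Signed: $bin"
            signed=$((signed + 1))
          done
          # If the glob matched nothing the loop is a no-op; without this
          # check an unsigned tarball would be re-packaged as "signed".
          if [ "${signed}" -eq 0 ]; then
            echo "no binaries found to sign" >&2
            exit 1
          fi

      - name: Verify signatures
        run: |
          for bin in sign/darwin-arm64/bin/Mist*; do
            [ -f "$bin" ] || continue
            codesign --verify --verbose=2 "$bin"
          done

      # NOTE(review): confirm that a rejected submission makes this step
      # fail; if `notarytool submit --wait` exits 0 for a non-accepted
      # status, the reported status has to be checked explicitly.
      - name: Notarize darwin/arm64
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
        run: |
          cd sign/darwin-arm64
          zip -r ../../notarize-darwin-arm64.zip bin/
          xcrun notarytool submit ../../notarize-darwin-arm64.zip \
            --apple-id "${APPLE_ID}" \
            --team-id "${APPLE_TEAM_ID}" \
            --password "${APPLE_APP_SPECIFIC_PASSWORD}" \
            --wait

      - name: Get version info
        id: version
        run: |
          set -euo pipefail
          # `git rev-parse --short=7` returns *at least* 7 characters and can
          # grow when the prefix is ambiguous; cutting the full SHA keeps the
          # tag identical across jobs with different checkout depths.
          SHORT_SHA="$(git rev-parse HEAD | cut -c1-7)"
          echo "tag=development-${SHORT_SHA}" >> "$GITHUB_OUTPUT"

      # Written to the workspace root; the unsigned download stays in dist/
      # and is not matched by the upload glob below.
      - name: Re-package signed binaries
        env:
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          cd sign/darwin-arm64
          tar czf "${GITHUB_WORKSPACE}/mistserver-darwin-arm64-${TAG}.tar.gz" bin/ lib/

      - name: Upload signed darwin/arm64
        uses: actions/upload-artifact@v7
        with:
          name: mistserver-darwin-arm64-signed
          path: mistserver-darwin-arm64-*.tar.gz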
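# ---------------------------------------------------------------------------
# GitHub Release — assemble all artifacts
# ---------------------------------------------------------------------------
  create-release:
    name: Create GitHub Release
    needs: [create-manifest, build-binaries-amd64, build-arm64-and-darwin, sign-darwin]
    runs-on: ubuntu-latest
    # Releases are only cut for tag refs; manual dispatches from a branch
    # stop after the build, manifest and signing jobs.
    if: startsWith(github.ref, 'refs/tags/')
    permissions:
      contents: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Download linux/amd64 binary
        uses: actions/download-artifact@v7
        with:
          name: mistserver-linux-amd64
          path: dist/

      - name: Download linux/arm64 binary
        uses: actions/download-artifact@v7
        with:
          name: mistserver-linux-arm64
          path: dist/

      # Only the signed darwin tarball is fetched; the unsigned
      # `mistserver-darwin-arm64` artifact is never placed in dist/.
      - name: Download signed darwin/arm64 binary
        uses: actions/download-artifact@v7
        with:
          name: mistserver-darwin-arm64-signed
          path: dist/

      - name: Download Docker metadata
        uses: actions/download-artifact@v7
        with:
          name: docker-metadata
          path: dist/

      # Publishes SHA-256 checksums next to the tarballs so a download can be
      # verified; the file is picked up by the `dist/*.txt` glob below.
      - name: Write tarball checksums
        run: |
          set -euo pipefail
          cd dist
          sha256sum -- *.tar.gz > SHA256SUMS.txt

      # NOTE(review): third-party action referenced by a mutable tag in a job
      # holding `contents: write`; pinning it to a full commit SHA would keep
      # a moved tag from changing what publishes the release.
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref_name }}
          name: MistServer ${{ github.ref_name }}
          generate_release_notes: true
          # Fail instead of publishing a release with missing assets.
          fail_on_unmatched_files: true
          files: |
            dist/*.tar.gz
            dist/*.txt
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}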