DevContainer Release & Validate & Publish #4
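# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************
---
name: DevContainer Release & Validate & Publish
# NOTE(review): `description` is not among the documented top-level workflow
# keys; confirm the runner accepts it, otherwise move this text into a comment.
description: >-
  This workflow creates a semantic version release when main changed since the
  last release tag. Then it checks that for releases, updates do not break stuff
  and publishes the released container.

on:
  schedule:
    # Every Monday at 00:00 UTC.
    - cron: '0 0 * * 1'
  workflow_dispatch:

# Least-privilege default for every job; jobs that need more elevate below.
permissions:
  contents: read # for checkout

# NOTE(review): actions are referenced by floating major tags (e.g. @v6).
# Pinning them to a full commit SHA makes the supply chain reproducible; no
# SHAs are recorded here, so the tags are kept as they were.
jobs:
  release:
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: write # to be able to publish a GitHub release
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests
    name: release
    runs-on: ubuntu-latest
    outputs:
      # Empty when semantic-release created no tag; the downstream jobs
      # check for that and are skipped.
      tag_name: ${{ steps.run-semantic-release.outputs.tag_name }}
    container:
      image: mcr.microsoft.com/devcontainers/javascript-node:4-24
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          fetch-tags: true
      # this should have been done by the checkout action, but it doesn't work in a container, see https://github.com/actions/checkout/issues/766
      - run: git config --global --add safe.directory "$PWD"
      # pinned version updated automatically by Dependabot.
      # details at https://semantic-release.gitbook.io/semantic-release/usage/installation#global-installation
      - name: npx semantic-release
        id: run-semantic-release
        run: |
          # "-o pipefail" (a bare "pipefail" word only sets $1) so a failing
          # producer in a pipeline is not masked by the consumer's exit code.
          set -euxo pipefail
          npx semantic-release@25.0.1 >> /tmp/semantic-release.log 2>&1 || (cat /tmp/semantic-release.log && exit 1)
          cat /tmp/semantic-release.log
          # No "Created tag" line means nothing was released: grep exits 1,
          # which with pipefail would abort the step, so fall back to an
          # empty tag_name (the build job's `if:` relies on that).
          tag_name=$(grep "Created tag" /tmp/semantic-release.log | sed -E 's/.*Created tag (.*)/\1/' || true)
          echo "tag_name=$tag_name" >> "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  build:
    needs: [release]
    if: needs.release.outputs.tag_name != ''
    strategy:
      matrix:
        os: [arm64, amd64]
        include:
          - os: amd64
            name: DevContainer (amd64)
            runner: ubuntu-24.04
          - os: arm64
            name: DevContainer (arm64)
            runner: ubuntu-24.04-arm
    name: ${{ matrix.name }}
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
      packages: write
      # NOTE(review): only needed if scripts/publish.sh signs or attests the
      # image with an OIDC token — confirm, otherwise drop it.
      id-token: write
    steps:
      - uses: eclipse-score/more-disk-space@v1
      - name: Checkout (GitHub)
        uses: actions/checkout@v6
        with:
          ref: ${{ needs.release.outputs.tag_name }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Use .devcontainer from THIS repo for building and testing
      - name: Check, Build, Test, Publish
        uses: devcontainers/ci@v0.3
        with:
          # The .devcontainer is never published as pre-built container.
          # We want to only use it for building and testing the actual container, which resides in src/s-core-devcontainer.
          push: never
          # Hand the token and the release metadata to the script through the
          # container environment rather than expanding ${{ }} inside the shell
          # text, so none of them become part of the command string itself.
          env: |
            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
            GITHUB_ACTOR=${{ github.actor }}
            TAG_NAME=${{ needs.release.outputs.tag_name }}
            TARGET_ARCH=${{ matrix.os }}
          runCmd: |
            set -euxo pipefail
            # Check
            pre-commit run --show-diff-on-failure --color=always --all-files || exit 1
            # Create builder for multi-arch builds
            ./scripts/create_builder.sh
            # Build
            ./scripts/build.sh --"$TARGET_ARCH" "$TAG_NAME" "latest"
            # Test
            ./scripts/test.sh
            # Publish
            # We do not use the push feature of devcontainers/ci here, since that would push the wrong container.
            # Instead, we use the publish script which pushes the correct container (residing in src/s-core-devcontainer).
            # manually login to ghcr.io for publishing
            echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
            ./scripts/publish.sh --"$TARGET_ARCH" "$TAG_NAME" "latest"

  merge:
    name: Merge Labels
    needs: [build, release]
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: write
      # NOTE(review): only needed if scripts/merge.sh signs or attests the
      # manifest with an OIDC token — confirm, otherwise drop it.
      id-token: write
    steps:
      - uses: eclipse-score/more-disk-space@v1
      - name: Checkout (GitHub)
        uses: actions/checkout@v6
        with:
          ref: ${{ needs.release.outputs.tag_name }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Use .devcontainer from THIS repo for building and testing
      - name: Merge
        uses: devcontainers/ci@v0.3
        with:
          # The .devcontainer is never published as pre-built container.
          # We want to only use it for building and testing the actual container, which resides in src/s-core-devcontainer.
          push: never
          # Same as in the build job: pass token and tag via the environment,
          # not via ${{ }} expansion inside the script text.
          env: |
            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
            GITHUB_ACTOR=${{ github.actor }}
            TAG_NAME=${{ needs.release.outputs.tag_name }}
          runCmd: |
            set -euxo pipefail
            # Merge
            # We do not use the push feature of devcontainers/ci here, since that would push the wrong container.
            # Instead, we use the publish script which pushes the correct container (residing in src/s-core-devcontainer).
            # manually login to ghcr.io for publishing
            echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
            ./scripts/merge.sh "$TAG_NAME" "latest"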