Refactor auto extension resolution to not use k6deps and esbuild #7082
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| k6_version: | |
| description: 'The version of the release, it must use the semantic versioning format with the v prefix. It is a development release so it is suggested to append a build metadata (e.g. v0.38.0-dev).' | |
| required: true | |
| go_version: | |
| description: 'Go version for building binaries' | |
| default: '1.x' | |
| required: true | |
| push: | |
| branches: | |
| - master | |
| tags: | |
| - v* | |
| pull_request: | |
| defaults: | |
| run: | |
| shell: bash | |
| permissions: | |
| contents: read | |
| env: | |
| APP_NAME: "k6" | |
| DOCKER_IMAGE_ID: "grafana/k6" | |
| GHCR_IMAGE_ID: ${{ github.repository }} | |
| DEFAULT_GO_VERSION: "1.25.x" | |
| jobs: | |
| configure: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| k6_version: ${{ steps.get_k6_version.outputs.k6_version }} | |
| go_version: ${{ steps.get_go_version.outputs.go_version }} | |
| sign_windows_artifacts: ${{ steps.determine_windows_signing.outputs.sign_windows_artifacts }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Get the k6 version | |
| id: get_k6_version | |
| env: | |
| INPUT_K6_VERSION: ${{ github.event.inputs.k6_version }} | |
| run: | | |
| set -x # Show exactly what commands are executed | |
| if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]] && [[ "${INPUT_K6_VERSION}" != "" ]]; then | |
| VERSION="${INPUT_K6_VERSION}" | |
| echo "Building custom dev build with version '${VERSION}' from manual workflow_dispatch..." | |
| elif [[ "${GITHUB_REF}" =~ ^refs/tags/v.+$ ]]; then | |
| VERSION="${GITHUB_REF##*/}" | |
| echo "Building real version tag '${GITHUB_REF}', parsed '${VERSION}' as the actual version..." | |
| else | |
| VERSION="$(git describe --tags --always --long --dirty)" | |
| echo "Building a non-version ref '${GITHUB_REF}', use '${VERSION}' as the version instead..." | |
| fi | |
| echo "VERSION=${VERSION}" | |
| echo "k6_version=${VERSION}" >> $GITHUB_OUTPUT | |
| - name: Get the used Go version | |
| id: get_go_version | |
| env: | |
| INPUT_GO_VERSION: ${{ github.event.inputs.go_version }} | |
| run: | | |
| set -x # Show exactly what commands are executed | |
| if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]] && [[ "${INPUT_GO_VERSION}" != "" ]]; then | |
| GO_VERSION="${INPUT_GO_VERSION}" | |
| echo "Using custom Go version '${GO_VERSION}' from manual workflow_dispatch..." | |
| else | |
| GO_VERSION="${DEFAULT_GO_VERSION}" | |
| echo "Using the default Go version '${GO_VERSION}'..." | |
| fi | |
| echo "GO_VERSION=${GO_VERSION}" | |
| echo "go_version=${GO_VERSION}" >> $GITHUB_OUTPUT | |
| # Secrets are unavailable when building from project forks, so this | |
| # will fail for external PRs, even if we wanted to do it. And we don't. | |
| # We are only going to sign packages that are built from the default branch | |
| # or a version tag, or manually triggered dev builds, so we have enough | |
| # assurance that package signing works, but don't sign every PR build. | |
| - name: Determine whether to sign the Windows artifacts | |
| id: determine_windows_signing | |
| env: | |
| SIGN_FILES: ${{ github.ref_name == github.event.repository.default_branch || startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' }} | |
| run: | | |
| set -x # Show exactly what commands are executed | |
| if [[ "${SIGN_FILES}" == "true" ]]; then | |
| echo "Windows artifacts will be signed" | |
| sign_windows_artifacts="true" | |
| else | |
| echo "Windows artifacts will not be signed" | |
| sign_windows_artifacts="false" | |
| fi | |
| echo "sign_windows_artifacts=${sign_windows_artifacts}" >> ${GITHUB_OUTPUT} | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: [configure] | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Install Go | |
| uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6 | |
| with: | |
| go-version: ${{ needs.configure.outputs.go_version }} | |
| check-latest: true | |
| cache: false # against cache-poisoning | |
| - name: Install nfpm (dep and rpm package builder) | |
| run: | | |
| go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0 | |
| - name: Install goversioninfo (.syso file creator) | |
| run: | | |
| go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@v1.4.0 | |
| - name: Generate Windows binary metadata (.syso files) | |
| run: | | |
| IFS=. read -a version_parts <<< "${VERSION#v}" | |
| IFS=- read -a version_patch <<< "${version_parts[2]}" | |
| # Need a blank versioninfo.json for the CLI overrides to work. | |
| echo '{}' > versioninfo.json | |
| set -x | |
| goversioninfo -64 \ | |
| -platform-specific=true \ | |
| -charset="1200" \ | |
| -company="Raintank Inc. d.b.a. Grafana Labs" \ | |
| -copyright="© Raintank Inc. d.b.a. Grafana Labs. Licensed under AGPL." \ | |
| -description="A modern load testing tool, using Go and JavaScript" \ | |
| -icon=packaging/k6.ico \ | |
| -internal-name="k6" \ | |
| -original-name="k6.exe" \ | |
| -product-name="k6" \ | |
| -translation="0x0409" \ | |
| -ver-major="${version_parts[0]}" \ | |
| -ver-minor="${version_parts[1]}" \ | |
| -ver-patch="${version_patch[0]}" \ | |
| -special-build=$(IFS='-'; echo "${version_patch[*]:1}";) \ | |
| -product-version="${VERSION#v}" | |
| set +x | |
| ls -lah | grep -i syso | |
| - name: Build | |
| run: | | |
| go version | |
| ./build-release.sh "dist" "${VERSION}" | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: binaries | |
| path: dist/ | |
| retention-days: 7 | |
| build-docker: | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| needs: [configure] | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Build | |
| run: | | |
| docker buildx create \ | |
| --name multibuilder \ | |
| --platform linux/amd64,linux/arm64 \ | |
| --bootstrap --use | |
| docker buildx build \ | |
| --target release \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID . | |
| - name: Check | |
| run: | | |
| docker buildx build --load -t $DOCKER_IMAGE_ID . | |
| # Assert that simple cases works for the new built image | |
| docker run $DOCKER_IMAGE_ID version | |
| docker run $DOCKER_IMAGE_ID --help | |
| docker run $DOCKER_IMAGE_ID help | |
| docker run $DOCKER_IMAGE_ID run --help | |
| docker run $DOCKER_IMAGE_ID inspect --help | |
| docker run $DOCKER_IMAGE_ID status --help | |
| docker run $DOCKER_IMAGE_ID stats --help | |
| docker run $DOCKER_IMAGE_ID scale --help | |
| docker run $DOCKER_IMAGE_ID pause --help | |
| docker run $DOCKER_IMAGE_ID resume --help | |
| - name: Login to DockerHub | |
| if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v') }} | |
| uses: grafana/shared-workflows/actions/dockerhub-login@c6d954f7cd9c0022018982e01268de6cb75b913c # dockerhub-login/v1.0.2 | |
| - name: Login to ghcr.io | |
| env: | |
| GITHUB_ACTOR: ${{ github.actor }} | |
| if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v') }} | |
| run: | | |
| # Log into GitHub Container Registry | |
| echo "${{ secrets.GITHUB_TOKEN }}" | docker login https://ghcr.io -u ${GITHUB_ACTOR} --password-stdin | |
| - name: Publish k6:master images | |
| if: ${{ github.ref == 'refs/heads/master' }} | |
| run: | | |
| echo "Publish $GHCR_IMAGE_ID:master* images" | |
| docker buildx build --push \ | |
| --target release \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:master \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:master . | |
| docker buildx build --push \ | |
| --target with-browser \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:master-with-browser \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:master-with-browser . | |
| - name: Publish tagged version images | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') }} | |
| run: | | |
| VERSION="${VERSION#v}" | |
| echo "Publish $GHCR_IMAGE_ID:$VERSION images" | |
| docker buildx build --push \ | |
| --target release \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:$VERSION \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:$VERSION . | |
| docker buildx build --push \ | |
| --target with-browser \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:$VERSION-with-browser \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:$VERSION-with-browser . | |
| # We also want to tag the latest stable version as latest | |
| echo "Publish $GHCR_IMAGE_ID:latest" | |
| docker buildx build --push \ | |
| --target release \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:latest \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:latest . | |
| docker buildx build --push \ | |
| --target with-browser \ | |
| --platform linux/amd64,linux/arm64 \ | |
| -t $DOCKER_IMAGE_ID:latest-with-browser \ | |
| -t ghcr.io/$GHCR_IMAGE_ID:latest-with-browser . | |
| # Forks, PRs etc. won't actually sign the binary, but the workflow will run most of the same steps as | |
| # GitHub Actions workflows don't support conditional `needs` so we have to run the signing step unconditionally. | |
| sign-binaries: | |
| permissions: | |
| contents: read | |
| actions: read | |
| id-token: write # Required for Vault | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| environment: | |
| name: azure-trusted-signing | |
| runs-on: windows-latest | |
| defaults: | |
| run: | |
| shell: pwsh | |
| needs: [configure, build] | |
| outputs: | |
| binary_artifact_name: ${{ steps.assign-artifact-names.outputs.binary-artifact-name }} | |
| windows_binary_artifact_name: ${{ steps.assign-artifact-names.outputs.windows-binary-artifact-name }} | |
| steps: | |
| - name: Download binaries | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 | |
| with: | |
| name: binaries | |
| path: dist | |
| - name: Unzip Windows binary | |
| run: | | |
| Expand-Archive -Path ".\dist\k6-${env:VERSION}-windows-amd64.zip" -DestinationPath .\packaging\ | |
| - name: Upload artifact for Windows installer build | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: windows-binary | |
| path: 'packaging/k6-${{ env.VERSION }}-windows-amd64/k6.exe' | |
| retention-days: 7 | |
| if-no-files-found: error | |
| - name: Get secrets for Azure Trusted Signing | |
| uses: grafana/shared-workflows/actions/get-vault-secrets@a37de51f3d713a30a9e4b21bcdfbd38170020593 # get-vault-secrets/v1.3.0 | |
| id: get-signing-secrets | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| export_env: false | |
| repo_secrets: | | |
| client-id=azure-trusted-signing:client-id | |
| subscription-id=azure-trusted-signing:subscription-id | |
| tenant-id=azure-trusted-signing:tenant-id | |
| - name: Sign Windows binary | |
| uses: grafana/shared-workflows/actions/azure-trusted-signing@e86cdb1c0a8cf5df57d3078f285261f7c9577174 # azure-trusted-signing/v1.0.0 | |
| id: sign-artifacts | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| application-description: 'Grafana k6' | |
| artifact-to-sign: 'windows-binary' | |
| azure-client-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).client-id }} | |
| azure-subscription-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).subscription-id }} | |
| azure-tenant-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).tenant-id }} | |
| signed-artifact-name: 'windows-binary-signed' | |
| - name: Download signed Windows binary | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| name: ${{ steps.sign-artifacts.outputs.artifact-name }} | |
| path: 'packaging/k6-${{ env.VERSION }}-windows-amd64' | |
| # Re-zip the signed Windows binary to replace the original unsigned version | |
| - name: Zip signed Windows binary | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| run: | | |
| Compress-Archive -Path ".\packaging\*" -DestinationPath ".\dist\k6-${env:VERSION}-windows-amd64.zip" -Force | |
| - name: Upload signed artifacts | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| name: binaries-signed | |
| path: dist/ | |
| retention-days: 7 | |
| if-no-files-found: error | |
| - name: Assign artifact name for Windows binary for installer build | |
| id: assign-artifact-names | |
| env: | |
| BINARY_ARTIFACT_NAME: ${{ needs.configure.outputs.sign_windows_artifacts == 'true' && 'binaries-signed' || 'binaries' }} | |
| WINDOWS_BINARY_ARTIFACT_NAME: ${{ needs.configure.outputs.sign_windows_artifacts == 'true' && steps.sign-artifacts.outputs.artifact-name || 'windows-binary' }} | |
| run: | | |
| echo "binary-artifact-name=${env:BINARY_ARTIFACT_NAME}" >> ${env:GITHUB_OUTPUT} | |
| echo "windows-binary-artifact-name=${env:WINDOWS_BINARY_ARTIFACT_NAME}" >> ${env:GITHUB_OUTPUT} | |
| package: | |
| permissions: | |
| contents: read | |
| actions: read | |
| runs-on: windows-latest | |
| defaults: | |
| run: | |
| shell: pwsh | |
| needs: [configure, build, sign-binaries] | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| with: | |
| persist-credentials: false | |
| - name: Install pandoc | |
| uses: crazy-max/ghaction-chocolatey@2526f467ccbd337d307fe179959cabbeca0bc8c0 # v3.4.0 | |
| with: | |
| args: install -y pandoc | |
| - name: Install wix tools | |
| run: | | |
| curl -Lso wix311-binaries.zip https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip | |
| Expand-Archive -Path .\wix311-binaries.zip -DestinationPath .\wix311\ | |
| echo "$pwd\wix311" | Out-File -FilePath $env:GITHUB_PATH -Append | |
| - name: Download Windows binary | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 | |
| with: | |
| name: ${{ needs.sign-binaries.outputs.windows_binary_artifact_name }} | |
| path: packaging | |
| - name: Create the MSI package | |
| run: | | |
| $env:VERSION = $env:VERSION -replace 'v(\d+\.\d+\.\d+).*','$1' | |
| pandoc -s -f markdown -t rtf -o packaging\LICENSE.rtf LICENSE.md | |
| cd .\packaging | |
| candle.exe -arch x64 "-dVERSION=${env:VERSION}" k6.wxs | |
| light.exe -ext WixUIExtension k6.wixobj | |
| - name: Rename MSI package | |
| # To keep it consistent with the other artifacts | |
| run: move "packaging\k6.msi" "packaging\k6-${env:VERSION}-windows-amd64.msi" | |
| - name: Upload Windows installer | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: binaries-windows | |
| path: | | |
| packaging/k6-*.msi | |
| retention-days: 7 | |
| if-no-files-found: error | |
| # Forks, PRs etc. won't actually sign the installer, but the workflow will run most of the same steps as | |
| # GitHub Actions workflows don't support conditional `needs` so we have to run the signing step unconditionally. | |
| sign-packages: | |
| permissions: | |
| actions: read | |
| contents: read | |
| id-token: write # Required for Vault | |
| environment: | |
| name: azure-trusted-signing | |
| outputs: | |
| artifact_name: ${{ steps.assign-artifact-name.outputs.artifact-name }} | |
| runs-on: windows-latest | |
| defaults: | |
| run: | |
| shell: pwsh | |
| needs: [configure, package] | |
| steps: | |
| - name: Download Windows artifacts | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| name: binaries-windows | |
| path: packaging | |
| - name: Get secrets for Azure Trusted Signing | |
| uses: grafana/shared-workflows/actions/get-vault-secrets@a37de51f3d713a30a9e4b21bcdfbd38170020593 # get-vault-secrets/v1.3.0 | |
| id: get-signing-secrets | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| export_env: false | |
| repo_secrets: | | |
| client-id=azure-trusted-signing:client-id | |
| subscription-id=azure-trusted-signing:subscription-id | |
| tenant-id=azure-trusted-signing:tenant-id | |
| - name: Sign Windows installer | |
| uses: grafana/shared-workflows/actions/azure-trusted-signing@e86cdb1c0a8cf5df57d3078f285261f7c9577174 # azure-trusted-signing/v1.0.0 | |
| id: sign-artifacts | |
| if: needs.configure.outputs.sign_windows_artifacts == 'true' | |
| with: | |
| application-description: 'Grafana k6' | |
| artifact-to-sign: 'binaries-windows' | |
| azure-client-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).client-id }} | |
| azure-subscription-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).subscription-id }} | |
| azure-tenant-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).tenant-id }} | |
| signed-artifact-name: 'binaries-windows-signed' | |
| - name: Assign artifact name for Windows installer | |
| id: assign-artifact-name | |
| env: | |
| ARTIFACT_NAME: ${{ needs.configure.outputs.sign_windows_artifacts == 'true' && steps.sign-artifacts.outputs.artifact-name || 'binaries-windows' }} | |
| run: | | |
| echo "artifact-name=${env:ARTIFACT_NAME}" >> ${env:GITHUB_OUTPUT} | |
| publish-github: | |
| runs-on: ubuntu-latest | |
| needs: [configure, sign-binaries, sign-packages] | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') && github.event_name != 'workflow_dispatch' }} | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| permissions: | |
| actions: read | |
| contents: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| with: | |
| persist-credentials: false | |
| - name: Download binaries | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 | |
| with: | |
| name: ${{ needs.sign-binaries.outputs.binary_artifact_name }} | |
| path: dist | |
| - name: Download Windows binaries | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 | |
| with: | |
| name: ${{ needs.sign-packages.outputs.artifact_name }} | |
| path: dist | |
| - name: Generate checksum file | |
| run: cd dist && sha256sum * > "k6-${VERSION}-checksums.txt" | |
| - name: Anchore SBOM Action | |
| continue-on-error: true | |
| uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6 | |
| with: | |
| artifact-name: k6-${{ env.VERSION }}-spdx.json | |
| upload-release-assets: false | |
| output-file: dist/k6-${{ env.VERSION }}-spdx.json | |
| - name: Create release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -x | |
| assets=() | |
| for asset in ./dist/*; do | |
| assets+=("$asset") | |
| done | |
| gh release create "$VERSION" "${assets[@]}" --target "$GITHUB_SHA" -F "./release notes/${VERSION}.md" | |
| submit-winget-manifest: | |
| needs: [configure, publish-github] | |
| runs-on: windows-2025 | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - name: Install WingetCreate | |
| shell: pwsh | |
| run: | | |
| Import-Module Appx -UseWindowsPowerShell | |
| $appxBundleFile = Join-Path ${env:RUNNER_TEMP} "wingetcreate.msixbundle" | |
| Invoke-WebRequest https://aka.ms/wingetcreate/latest/msixbundle -OutFile $appxBundleFile | |
| Add-AppxPackage $appxBundleFile | |
| - name: Get WinGet token | |
| uses: grafana/shared-workflows/actions/get-vault-secrets@a37de51f3d713a30a9e4b21bcdfbd38170020593 # get-vault-secrets/v1.3.0 | |
| id: get-token | |
| with: | |
| export_env: false | |
| common_secrets: | | |
| token=winget-packages:token | |
| - name: Submit WinGet Manifest | |
| env: | |
| PACKAGE_ID: GrafanaLabs.k6 | |
| PACKAGE_VERSION: ${{ needs.configure.outputs.k6_version }} | |
| WINGET_CREATE_GITHUB_TOKEN: ${{ fromJSON(steps.get-token.outputs.secrets).token }} | |
| shell: pwsh | |
| run: | | |
| wingetcreate token --store | |
| wingetcreate update ${env:PACKAGE_ID} ` | |
| --urls "${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}/releases/download/${env:PACKAGE_VERSION}/k6-${env:PACKAGE_VERSION}-windows-amd64.msi" ` | |
| --version ${env:PACKAGE_VERSION}.TrimStart("v") ` | |
| --submit | |
| publish-packages: | |
| runs-on: ubuntu-latest | |
| needs: [configure, sign-binaries, sign-packages] | |
| if: ${{ startsWith(github.ref, 'refs/tags/v') && github.event_name != 'workflow_dispatch' }} | |
| env: | |
| VERSION: ${{ needs.configure.outputs.k6_version }} | |
| permissions: | |
| actions: read | |
| contents: read | |
| packages: read | |
| id-token: write # Required for Vault | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| with: | |
| persist-credentials: false | |
| - name: Download binaries | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 | |
| with: | |
| name: ${{ needs.sign-binaries.outputs.binary_artifact_name }} | |
| path: dist | |
| - name: Download Windows binaries | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 | |
| with: | |
| name: ${{ needs.sign-packages.outputs.artifact_name }} | |
| path: dist | |
| - name: Rename binaries | |
| # To be consistent with the filenames used in dl.k6.io | |
| run: | | |
| mv "dist/k6-$VERSION-windows-amd64.msi" "dist/k6-$VERSION-amd64.msi" | |
| mv "dist/k6-$VERSION-linux-amd64.rpm" "dist/k6-$VERSION-amd64.rpm" | |
| mv "dist/k6-$VERSION-linux-amd64.deb" "dist/k6-$VERSION-amd64.deb" | |
| - uses: grafana/shared-workflows/actions/get-vault-secrets@a37de51f3d713a30a9e4b21bcdfbd38170020593 # get-vault-secrets/v1.3.0 | |
| with: | |
| repo_secrets: | | |
| IAM_ROLE_ARN=deploy:packager-iam-role | |
| AWS_CF_DISTRIBUTION=cloudfront:AWS_CF_DISTRIBUTION | |
| PGP_SIGN_KEY_PASSPHRASE=pgp:PGP_SIGN_KEY_PASSPHRASE | |
| PGP_SIGN_KEY=pgp:PGP_SIGN_KEY | |
| S3_BUCKET=s3:AWS_S3_BUCKET | |
| - uses: grafana/shared-workflows/actions/aws-auth@85022085ed5314601c05d10e846de56bdd71e369 # aws-auth/v1.0.3 | |
| with: | |
| aws-region: "us-east-2" | |
| role-arn: ${{ env.IAM_ROLE_ARN }} | |
| set-creds-in-environment: true | |
| - name: Setup docker compose environment | |
| run: | | |
| cat > packaging/.env <<EOF | |
| AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} | |
| AWS_CF_DISTRIBUTION="${AWS_CF_DISTRIBUTION}" | |
| AWS_DEFAULT_REGION=us-east-2 | |
| AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} | |
| AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} | |
| PGP_SIGN_KEY_PASSPHRASE=${PGP_SIGN_KEY_PASSPHRASE} | |
| S3_BUCKET=${S3_BUCKET} | |
| EOF | |
| echo "${PGP_SIGN_KEY}" > packaging/sign-key.gpg | |
| - name: Publish packages | |
| env: | |
| GITHUB_ACTOR: ${{ github.actor }} | |
| run: | | |
| echo "${{ secrets.GITHUB_TOKEN }}" | docker login https://ghcr.io -u ${GITHUB_ACTOR} --password-stdin | |
| cd packaging | |
| docker compose pull packager | |
| docker compose run --rm packager |