mirror of
https://github.com/rosenpass/rosenpass.git
synced 2025-12-05 20:40:02 -08:00
230 lines
8.7 KiB
YAML
230 lines
8.7 KiB
YAML
name: Build Docker Images
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- "main"
|
|
tags:
|
|
- "v*"
|
|
pull_request:
|
|
branches:
|
|
- "main"
|
|
|
|
jobs:
|
|
# ----------------------------------------
|
|
# 1. Check if docker/Dockerfile or .github/workflows/docker.yaml changed
|
|
# ----------------------------------------
|
|
check-dockerfile-changes:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
docker_files_changed: ${{ steps.filter.outputs.dockerfile || steps.filter.outputs.dockerbuild_workflow }}
|
|
steps:
|
|
- name: Check out repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Paths filter
|
|
id: filter
|
|
uses: dorny/paths-filter@v3
|
|
with:
|
|
filters: |
|
|
dockerfile:
|
|
- 'docker/Dockerfile'
|
|
dockerbuild_workflow:
|
|
- '.github/workflows/docker.yaml'
|
|
# --------------------------------
|
|
# 2. BUILD & TEST
|
|
# --------------------------------
|
|
build-and-test-rp:
|
|
needs: check-dockerfile-changes
|
|
# Run this job on all non-pull-request events,
|
|
# or if Docker-related files are changed in a pull request.
|
|
if: ${{ needs.check-dockerfile-changes.outputs.docker_files_changed == 'true' || github.event_name != 'pull_request' }}
|
|
strategy:
|
|
matrix:
|
|
arch: [amd64, arm64]
|
|
runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Build (no push) and Load
|
|
id: build
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: docker/Dockerfile
|
|
# no pushing here, so we can test locally
|
|
push: false
|
|
# load the built image into the local Docker daemon on the runner
|
|
load: true
|
|
target: rosenpass
|
|
tags: rosenpass:test
|
|
platforms: linux/${{ matrix.arch }}
|
|
- name: Integration Test - Standalone Key Exchange
|
|
run: |
|
|
# Create separate workdirs
|
|
mkdir -p workdir-server workdir-client
|
|
|
|
# Create a Docker network
|
|
docker network create -d bridge rp
|
|
|
|
echo "=== GENERATE SERVER KEYS ==="
|
|
docker run --rm \
|
|
-v $PWD/workdir-server:/workdir \
|
|
rosenpass:test gen-keys \
|
|
--public-key=workdir/server-public \
|
|
--secret-key=workdir/server-secret
|
|
|
|
echo "=== GENERATE CLIENT KEYS ==="
|
|
docker run --rm \
|
|
-v $PWD/workdir-client:/workdir \
|
|
rosenpass:test gen-keys \
|
|
--public-key=workdir/client-public \
|
|
--secret-key=workdir/client-secret
|
|
|
|
echo "=== SHARE PUBLIC KEYS ==="
|
|
cp workdir-client/client-public workdir-server/client-public
|
|
cp workdir-server/server-public workdir-client/server-public
|
|
|
|
echo "=== START SERVER CONTAINER ==="
|
|
docker run -d --rm \
|
|
--name rpserver \
|
|
--network rp \
|
|
-v $PWD/workdir-server:/workdir \
|
|
rosenpass:test exchange \
|
|
private-key workdir/server-secret \
|
|
public-key workdir/server-public \
|
|
listen 0.0.0.0:9999 \
|
|
peer public-key workdir/client-public \
|
|
outfile workdir/server-sharedkey
|
|
|
|
# Get the container IP of the server
|
|
SERVER_IP=$(docker inspect --format='{{.NetworkSettings.Networks.rp.IPAddress}}' rpserver)
|
|
echo "SERVER_IP=$SERVER_IP"
|
|
|
|
echo "=== START CLIENT CONTAINER ==="
|
|
docker run -d --rm \
|
|
--name rpclient \
|
|
--network rp \
|
|
-v $PWD/workdir-client:/workdir \
|
|
rosenpass:test exchange \
|
|
private-key workdir/client-secret \
|
|
public-key workdir/client-public \
|
|
peer public-key workdir/server-public \
|
|
endpoint ${SERVER_IP}:9999 \
|
|
outfile workdir/client-sharedkey
|
|
|
|
echo "=== COMPARE SHARED KEYS ==="
|
|
echo "Waiting up to 30 seconds for the server to generate 'server-sharedkey'..."
|
|
for i in $(seq 1 30); do
|
|
if [ -f "workdir-server/server-sharedkey" ]; then
|
|
echo "server-sharedkey found!"
|
|
break
|
|
fi
|
|
sleep 1
|
|
done
|
|
sudo cmp workdir-server/server-sharedkey workdir-client/client-sharedkey
|
|
|
|
echo "Standalone Key Exchange test OK."
|
|
# --------------------------------
|
|
# 3. PUSH (only if tests pass)
|
|
# --------------------------------
|
|
docker-image-rp:
|
|
needs:
|
|
- build-and-test-rp
|
|
- check-dockerfile-changes
|
|
# Skip if this is not a PR. Then we want to push this image.
|
|
if: ${{ github.event_name != 'pull_request' }}
|
|
# Use a matrix to build for both AMD64 and ARM64
|
|
strategy:
|
|
matrix:
|
|
arch: [amd64, arm64]
|
|
# Switch the runner based on the architecture
|
|
runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ghcr.io/rosenpass/rp
|
|
tags: |
|
|
type=edge,branch=main
|
|
type=sha,branch=main
|
|
type=semver,pattern={{version}}
|
|
labels: |
|
|
maintainer=Karolin Varner <karo@cupdev.net>, wucke13 <wucke13@gmail.com>
|
|
org.opencontainers.image.authors=Karolin Varner <karo@cupdev.net>, wucke13 <wucke13@gmail.com>
|
|
org.opencontainers.image.title=Rosenpass
|
|
org.opencontainers.image.description=The rp command-line integrates Rosenpass and WireGuard to help you create a VPN
|
|
org.opencontainers.image.vendor=Rosenpass e.V.
|
|
org.opencontainers.image.licenses=MIT OR Apache-2.0
|
|
org.opencontainers.image.url=https://rosenpass.eu
|
|
org.opencontainers.image.documentation=https://rosenpass.eu/docs/
|
|
org.opencontainers.image.source=https://github.com/rosenpass/rosenpass
|
|
- name: Log in to registry
|
|
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Build and push
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: docker/Dockerfile
|
|
push: ${{ github.event_name != 'pull_request' }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
target: rp
|
|
platforms: linux/${{ matrix.arch }}
|
|
docker-image-rosenpass:
|
|
needs:
|
|
- build-and-test-rp
|
|
- check-dockerfile-changes
|
|
# Run this job on all non-pull-request events,
|
|
# or if Docker-related files are changed in a pull request.
|
|
if: ${{ needs.check-dockerfile-changes.outputs.docker_files_changed == 'true' || github.event_name != 'pull_request' }}
|
|
# Use a matrix to build for both AMD64 and ARM64
|
|
strategy:
|
|
matrix:
|
|
arch: [amd64, arm64]
|
|
# Switch the runner based on the architecture
|
|
runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ghcr.io/rosenpass/rosenpass
|
|
tags: |
|
|
type=edge,branch=main
|
|
type=sha,branch=main
|
|
type=semver,pattern={{version}}
|
|
labels: |
|
|
maintainer=Karolin Varner <karo@cupdev.net>, wucke13 <wucke13@gmail.com>
|
|
org.opencontainers.image.authors=Karolin Varner <karo@cupdev.net>, wucke13 <wucke13@gmail.com>
|
|
org.opencontainers.image.title=Rosenpass
|
|
org.opencontainers.image.description=Reference implementation of the protocol rosenpass protocol
|
|
org.opencontainers.image.vendor=Rosenpass e.V.
|
|
org.opencontainers.image.licenses=MIT OR Apache-2.0
|
|
org.opencontainers.image.url=https://rosenpass.eu
|
|
org.opencontainers.image.documentation=https://rosenpass.eu/docs/
|
|
org.opencontainers.image.source=https://github.com/rosenpass/rosenpass
|
|
- name: Log in to registry
|
|
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Build and push
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: docker/Dockerfile
|
|
push: ${{ github.event_name != 'pull_request' }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
target: rosenpass
|
|
platforms: linux/${{ matrix.arch }}
|