Compare commits

...

5 Commits

4 changed files with 123 additions and 135 deletions

View File

@@ -1,141 +1,113 @@
name: Docker Test & Publish name: Docker
on: on:
push: push:
# branches: branches:
# - "main" - "handmade"
tags:
- "*"
paths-ignore:
- ".github/**"
- "!.github/workflows/docker.yml"
- ".vscode/**"
- "doc/**"
- ".gitignore"
- "LICENSE"
- "README"
pull_request: pull_request:
branches: branches:
- "main" - "handmade"
paths: release:
- "Dockerfile" types:
workflow_dispatch: - published
permissions: permissions:
contents: read contents: read
packages: write
jobs: jobs:
base: # Builds the shared base image: the whole Rust workspace compiled once.
runs-on: ubuntu-latest # Every service image (currently only pushd) is derived from this so the
name: Build base image # workspace is built a single time per release. On non-release events this
steps: # still runs as a compile check, but nothing is pushed.
# Configure build environment base:
- name: Checkout runs-on: ubuntu-latest
uses: actions/checkout@v3 steps:
- name: Set up Docker Buildx - name: Checkout
uses: docker/setup-buildx-action@v2 uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Resolve registry host and owner
id: registry
# Owner is lowercased: Docker repository names must be lowercase.
run: |
echo "host=${GITHUB_SERVER_URL#*://}" >> "$GITHUB_OUTPUT"
echo "owner=$(echo "$GITHUB_REPOSITORY_OWNER" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
- name: Base image ref
id: base
run: echo "image=${{ steps.registry.outputs.host }}/${{ steps.registry.outputs.owner }}/handmade-revolt-backend-base" >> "$GITHUB_OUTPUT"
- name: Login to registry
uses: docker/login-action@v3
if: github.event_name == 'release'
with:
registry: ${{ steps.registry.outputs.host }}
username: ${{ secrets.PACKAGE_PUBLISH_USERNAME }}
password: ${{ secrets.PACKAGE_PUBLISH_TOKEN }}
- name: Build base image
uses: docker/build-push-action@v6
with:
context: .
file: Dockerfile
push: ${{ github.event_name == 'release' }}
platforms: linux/amd64
# Pinned to the commit so the publish job below consumes this
# exact base.
tags: |
${{ steps.base.outputs.image }}:latest
${{ steps.base.outputs.image }}:${{ github.sha }}
# Authenticate with GHCR # Builds individual service images from the base. Only runs on release.
- name: Login to Github Container Registry publish:
if: ${{ github.event_name != 'pull_request' }} needs: [base]
uses: docker/login-action@v2 runs-on: ubuntu-latest
with: if: github.event_name == 'release'
registry: ghcr.io strategy:
username: ${{ github.actor }} matrix:
password: ${{ secrets.GITHUB_TOKEN }} include:
- { project: pushd, path: crates/daemons/pushd, image: handmade-revolt-backend-pushd }
- name: Build base image - { project: delta, path: crates/delta, image: handmade-revolt-backend-server }
uses: docker/build-push-action@v4 - { project: bonfire, path: crates/bonfire, image: handmade-revolt-backend-bonfire }
with: - { project: autumn, path: crates/services/autumn, image: handmade-revolt-backend-autumn }
context: . - { project: january, path: crates/services/january, image: handmade-revolt-backend-january }
push: ${{ github.event_name != 'pull_request' }} - { project: crond, path: crates/daemons/crond, image: handmade-revolt-backend-crond }
platforms: linux/amd64,linux/arm64 name: Build ${{ matrix.project }} image
tags: ghcr.io/${{ github.repository_owner }}/base:latest steps:
cache-from: type=gha,scope=buildx-base-multi-arch - name: Checkout
cache-to: type=gha,scope=buildx-base-multi-arch,mode=max uses: actions/checkout@v4
- name: Set up Docker Buildx
publish: uses: docker/setup-buildx-action@v3
needs: [base] - name: Resolve registry host and owner
runs-on: ubuntu-latest id: registry
if: github.event_name != 'pull_request' # Owner is lowercased: Docker repository names must be lowercase,
strategy: # but the org (e.g. HMC) may be uppercase.
matrix: run: |
project: [delta, bonfire, autumn, january, pushd] echo "host=${GITHUB_SERVER_URL#*://}" >> "$GITHUB_OUTPUT"
name: Build ${{ matrix.project }} image echo "owner=$(echo "$GITHUB_REPOSITORY_OWNER" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
steps: - name: Docker meta
# Configure build environment id: meta
- name: Checkout uses: docker/metadata-action@v5
uses: actions/checkout@v3 with:
- name: Set up Docker Buildx images: ${{ steps.registry.outputs.host }}/${{ steps.registry.outputs.owner }}/${{ matrix.image }}
uses: docker/setup-buildx-action@v2 tags: |
type=semver,pattern={{version}}
# Authenticate with Docker Hub and GHCR type=semver,pattern={{major}}.{{minor}}
- name: Login to DockerHub type=raw,value=latest
uses: docker/login-action@v2 env:
with: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
registry: docker.io - name: Login to registry
username: ${{ secrets.DOCKERHUB_USERNAME }} uses: docker/login-action@v3
password: ${{ secrets.DOCKERHUB_TOKEN }} with:
- name: Login to Github Container Registry registry: ${{ steps.registry.outputs.host }}
uses: docker/login-action@v2 username: ${{ secrets.PACKAGE_PUBLISH_USERNAME }}
with: password: ${{ secrets.PACKAGE_PUBLISH_TOKEN }}
registry: ghcr.io - name: Build and publish
username: ${{ github.actor }} uses: docker/build-push-action@v6
password: ${{ secrets.GITHUB_TOKEN }} with:
context: .
# Resolve the correct project file: ${{ matrix.path }}/Dockerfile
- uses: kanga333/variable-mapper@master push: true
id: export platforms: linux/amd64
with: build-args: |
key: "${{ matrix.project }}" BASE_IMAGE=${{ steps.registry.outputs.host }}/${{ steps.registry.outputs.owner }}/handmade-revolt-backend-base:${{ github.sha }}
map: | tags: ${{ steps.meta.outputs.tags }}
{ annotations: ${{ steps.meta.outputs.annotations }}
"delta": { labels: ${{ steps.meta.outputs.labels }}
"path": "crates/delta",
"tag": "${{ github.repository_owner }}/server"
},
"bonfire": {
"path": "crates/bonfire",
"tag": "${{ github.repository_owner }}/bonfire"
},
"autumn": {
"path": "crates/services/autumn",
"tag": "${{ github.repository_owner }}/autumn"
},
"january": {
"path": "crates/services/january",
"tag": "${{ github.repository_owner }}/january"
},
"pushd": {
"path": "crates/daemons/pushd",
"tag": "${{ github.repository_owner }}/pushd"
},
"crond": {
"path": "crates/daemons/crond",
"tag": "${{ github.repository_owner }}/crond"
}
}
export_to: output
# Configure metadata
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
images: |
docker.io/${{ steps.export.outputs.tag }}
ghcr.io/${{ steps.export.outputs.tag }}
# Build crate image
- name: Publish
uses: docker/build-push-action@v4
with:
context: .
push: true
platforms: linux/amd64,linux/arm64
file: ${{ steps.export.outputs.path }}/Dockerfile
tags: ${{ steps.meta.outputs.tags }}
build-args: |
BASE_IMAGE=ghcr.io/${{ github.repository_owner }}/base:latest
labels: ${{ steps.meta.outputs.labels }}

View File

@@ -1,5 +1,8 @@
# Build Stage # Build Stage
FROM ghcr.io/revoltchat/base:latest AS builder # BASE_IMAGE is the compiled workspace base image. Defaults to the upstream
# revolt base, but CI overrides it with our own base built from repo.
ARG BASE_IMAGE=ghcr.io/revoltchat/base:latest
FROM ${BASE_IMAGE} AS builder
FROM debian:12 AS debian FROM debian:12 AS debian
# Bundle Stage # Bundle Stage

View File

@@ -111,7 +111,7 @@ impl AsyncConsumer for MessageConsumer {
config.pushd.vapid.queue.as_str(), config.pushd.vapid.queue.as_str(),
) )
.finish(); .finish();
sendable.extras.insert("p265dh".to_string(), sub.p256dh); sendable.extras.insert("p256dh".to_string(), sub.p256dh);
sendable sendable
.extras .extras
.insert("endpoint".to_string(), sub.endpoint.clone()); .insert("endpoint".to_string(), sub.endpoint.clone());

View File

@@ -55,11 +55,24 @@ impl AsyncConsumer for VapidOutboundConsumer {
let config = revolt_config::config().await; let config = revolt_config::config().await;
// A VAPID web push payload must carry the subscription endpoint and the
// p256dh public key in `extras`. Dropped malformed requests instead
// of panicking.
let (Some(endpoint), Some(p256dh)) =
(payload.extras.get("endpoint"), payload.extras.get("p256dh"))
else {
log::warn!(
"Dropping VAPID push for session {}: payload missing endpoint/p256dh in extras.",
payload.session_id
);
return;
};
let subscription = SubscriptionInfo { let subscription = SubscriptionInfo {
endpoint: payload.extras.get("endpoint").unwrap().clone(), endpoint: endpoint.clone(),
keys: SubscriptionKeys { keys: SubscriptionKeys {
auth: payload.token, auth: payload.token,
p256dh: payload.extras.get("p256dh").unwrap().clone(), p256dh: p256dh.clone(),
}, },
}; };