fix(ci): add v12 dev/prod installer jobs, drop v11 #6
| name: "v12 - Build & Deploy Pipeline" | |
| on: | |
| push: | |
| branches: | |
| - 'release/v12**' | |
| release: | |
| types: [published] | |
| jobs: | |
| setup_deployment: | |
| name: Setup Deployment | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| tag: ${{ steps.set-env.outputs.tag }} | |
| environment: ${{ steps.set-env.outputs.environment }} | |
| cm_url: ${{ steps.set-env.outputs.cm_url }} | |
| event_processor_tag: ${{ steps.set-env.outputs.event_processor_tag }} | |
| enterprise_version: ${{ steps.set-env.outputs.enterprise_version }} | |
| steps: | |
| - name: Determine Build Environment | |
| id: set-env | |
| run: | | |
| # ===================================================================== | |
| # DEV — push to release/v12** | |
| # Version = <branch-base>-dev.N, auto-incremented via CM. | |
| # ===================================================================== | |
| if ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release/v12') }}; then | |
| ENVIRONMENT="dev" | |
| CM_URL="https://cm.dev.utmstack.com" | |
| echo "Environment: $ENVIRONMENT" | |
| echo "CM URL: $CM_URL" | |
| # Extract version from branch name (e.g. release/v12.2.1 → v12.2.1) | |
| BRANCH_VERSION=$(echo "${{ github.ref }}" | sed 's|refs/heads/release/||') | |
| echo "Branch version: $BRANCH_VERSION" | |
| RESPONSE=$(curl -s "${CM_URL}/api/v1/versions/latest") | |
| LATEST_VERSION=$(echo "$RESPONSE" | jq -r '.version // empty') | |
| echo "Latest version from CM: $LATEST_VERSION" | |
| if [ -n "$LATEST_VERSION" ]; then | |
| LATEST_BASE=$(echo "$LATEST_VERSION" | sed 's/-dev\.[0-9]*$//') | |
| if [ "$BRANCH_VERSION" = "$LATEST_BASE" ]; then | |
| DEV_NUM=$(echo "$LATEST_VERSION" | grep -oP '(?<=-dev\.)\d+') | |
| NEW_DEV_NUM=$((DEV_NUM + 1)) | |
| TAG="${BRANCH_VERSION}-dev.${NEW_DEV_NUM}" | |
| echo "Versions match, incrementing: $TAG" | |
| else | |
| TAG="${BRANCH_VERSION}-dev.1" | |
| echo "Versions don't match, starting fresh: $TAG" | |
| fi | |
| else | |
| TAG="${BRANCH_VERSION}-dev.1" | |
| echo "No previous version found, starting fresh: $TAG" | |
| fi | |
| echo "tag=$TAG" >> $GITHUB_OUTPUT | |
| echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT | |
| echo "cm_url=$CM_URL" >> $GITHUB_OUTPUT | |
| echo "event_processor_tag=${{ vars.TW_EVENT_PROCESSOR_VERSION_DEV }}" >> $GITHUB_OUTPUT | |
| echo "enterprise_version=${{ vars.ENTERPRISE_ARTIFACTS_VERSION_DEV }}" >> $GITHUB_OUTPUT | |
| # ===================================================================== | |
| # PRODUCTION — release.published (prerelease or not) | |
| # | |
| # The tag is taken directly from the release event — no CM queries. | |
| # Always runs a full build and deploys to our production instances. | |
| # ===================================================================== | |
| elif ${{ github.event_name == 'release' }}; then | |
| CM_URL="https://cm.utmstack.com" | |
| TAG="${{ github.event.release.tag_name }}" | |
| echo "Event: release, tag=$TAG" | |
| if [[ ! "$TAG" =~ ^v12\. ]]; then | |
| echo "⏭️ Skipping: tag '$TAG' is not a v12 release." | |
| exit 0 | |
| fi | |
| echo "Environment: production (our instances)" | |
| echo "CM URL: $CM_URL" | |
| echo "tag=$TAG" >> $GITHUB_OUTPUT | |
| echo "environment=production" >> $GITHUB_OUTPUT | |
| echo "cm_url=$CM_URL" >> $GITHUB_OUTPUT | |
| echo "event_processor_tag=${{ vars.TW_EVENT_PROCESSOR_VERSION_PROD }}" >> $GITHUB_OUTPUT | |
| echo "enterprise_version=${{ vars.ENTERPRISE_ARTIFACTS_VERSION_PROD }}" >> $GITHUB_OUTPUT | |
| fi | |
| build_agent: | |
| name: Build Agent Binaries | |
| needs: [setup_deployment] | |
| if: ${{ needs.setup_deployment.outputs.tag != '' }} | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Check out code into the right branch | |
| uses: actions/checkout@v4 | |
| - name: Build Linux Binaries (amd64) | |
| env: | |
| GOOS: linux | |
| GOARCH: amd64 | |
| CGO_ENABLED: 0 | |
| run: | | |
| cd ${{ github.workspace }}/agent | |
| go build -o utmstack_agent_service_linux_amd64 -v -ldflags "-X 'github.com/utmstack/UTMStack/agent/config.REPLACE_KEY=${{ secrets.AGENT_SECRET_PREFIX }}'" . | |
| cd ${{ github.workspace }}/agent/updater | |
| go build -o utmstack_updater_service_linux_amd64 . | |
| - name: Build Linux Binaries (arm64) | |
| env: | |
| GOOS: linux | |
| GOARCH: arm64 | |
| CGO_ENABLED: 0 | |
| run: | | |
| cd ${{ github.workspace }}/agent | |
| go build -o utmstack_agent_service_linux_arm64 -v -ldflags "-X 'github.com/utmstack/UTMStack/agent/config.REPLACE_KEY=${{ secrets.AGENT_SECRET_PREFIX }}'" . | |
| cd ${{ github.workspace }}/agent/updater | |
| go build -o utmstack_updater_service_linux_arm64 . | |
| - name: Build Windows Binaries (amd64) | |
| env: | |
| GOOS: windows | |
| GOARCH: amd64 | |
| CGO_ENABLED: 0 | |
| run: | | |
| cd ${{ github.workspace }}/agent | |
| go build -o utmstack_agent_service_windows_amd64.exe -v -ldflags "-X 'github.com/utmstack/UTMStack/agent/config.REPLACE_KEY=${{ secrets.AGENT_SECRET_PREFIX }}'" . | |
| cd ${{ github.workspace }}/agent/updater | |
| go build -o utmstack_updater_service_windows_amd64.exe . | |
| - name: Build Windows Binaries (arm64) | |
| env: | |
| GOOS: windows | |
| GOARCH: arm64 | |
| CGO_ENABLED: 0 | |
| run: | | |
| cd ${{ github.workspace }}/agent | |
| go build -o utmstack_agent_service_windows_arm64.exe -v -ldflags "-X 'github.com/utmstack/UTMStack/agent/config.REPLACE_KEY=${{ secrets.AGENT_SECRET_PREFIX }}'" . | |
| cd ${{ github.workspace }}/agent/updater | |
| go build -o utmstack_updater_service_windows_arm64.exe . | |
| - name: Build macOS Binaries (arm64) | |
| env: | |
| GOOS: darwin | |
| GOARCH: arm64 | |
| CGO_ENABLED: 0 | |
| run: | | |
| cd ${{ github.workspace }}/agent | |
| go build -o utmstack_agent_service_darwin_arm64 -v -ldflags "-X 'github.com/utmstack/UTMStack/agent/config.REPLACE_KEY=${{ secrets.AGENT_SECRET_PREFIX }}'" . | |
| cd ${{ github.workspace }}/agent/updater | |
| go build -o utmstack_updater_service_darwin_arm64 . | |
| - name: Upload Linux binaries as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: agents-linux | |
| path: | | |
| agent/utmstack_agent_service_linux_amd64 | |
| agent/utmstack_agent_service_linux_arm64 | |
| agent/updater/utmstack_updater_service_linux_amd64 | |
| agent/updater/utmstack_updater_service_linux_arm64 | |
| retention-days: 1 | |
| - name: Upload unsigned Windows binaries as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: agents-windows-unsigned | |
| path: | | |
| agent/utmstack_agent_service_windows_amd64.exe | |
| agent/utmstack_agent_service_windows_arm64.exe | |
| agent/updater/utmstack_updater_service_windows_amd64.exe | |
| agent/updater/utmstack_updater_service_windows_arm64.exe | |
| retention-days: 1 | |
| - name: Upload unsigned macOS binaries as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: agents-darwin-unsigned | |
| path: | | |
| agent/utmstack_agent_service_darwin_arm64 | |
| agent/updater/utmstack_updater_service_darwin_arm64 | |
| retention-days: 1 | |
| sign_agent_windows: | |
| name: Sign Windows Agent Binaries | |
| needs: [build_agent, setup_deployment] | |
| if: ${{ needs.setup_deployment.outputs.tag != '' }} | |
| uses: ./.github/workflows/reusable-sign-agent.yml | |
| with: | |
| os: windows | |
| artifact_name: agents-windows-unsigned | |
| signed_artifact_name: agents-windows-signed | |
| gcp_project_id: ${{ vars.GCP_PROJECT_PROD }} | |
| kms_location: ${{ vars.KMS_KEYRING_LOCATION }} | |
| kms_keyring: ${{ vars.KMS_KEYRING_NAME }} | |
| kms_key: ${{ vars.KMS_KEY_NAME }} | |
| binaries: | | |
| utmstack_agent_service_windows_amd64.exe | |
| utmstack_agent_service_windows_arm64.exe | |
| updater/utmstack_updater_service_windows_amd64.exe | |
| updater/utmstack_updater_service_windows_arm64.exe | |
| secrets: inherit | |
| sign_agent_macos: | |
| name: Sign macOS Agent Binaries | |
| needs: [build_agent, setup_deployment] | |
| if: ${{ needs.setup_deployment.outputs.tag != '' }} | |
| uses: ./.github/workflows/reusable-sign-agent.yml | |
| with: | |
| os: macos | |
| artifact_name: agents-darwin-unsigned | |
| signed_artifact_name: agents-darwin-signed | |
| binaries: | | |
| utmstack_agent_service_darwin_arm64 | |
| updater/utmstack_updater_service_darwin_arm64 | |
| secrets: inherit | |
| build_utmstack_collector: | |
| name: Build UTMStack Collector | |
| needs: [setup_deployment] | |
| if: ${{ needs.setup_deployment.outputs.tag != '' }} | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Check out code into the right branch | |
| uses: actions/checkout@v4 | |
| - name: Build UTMStack Collectors | |
| run: | | |
| echo "Building UTMStack Collector..." | |
| cd ${{ github.workspace }}/collectors/utmstack | |
| GOOS=linux GOARCH=amd64 go build -o utmstack_collector -v -ldflags "-X 'github.com/utmstack/UTMStack/collectors/utmstack/config.REPLACE_KEY=${{ secrets.AGENT_SECRET_PREFIX }}'" . | |
| echo "Building UTMStack AS400 Collector..." | |
| cd ${{ github.workspace }}/collectors/as400 | |
| GOOS=linux GOARCH=amd64 go build -o utmstack_as400_collector_service -v -ldflags "-X 'github.com/utmstack/UTMStack/collectors/as400/config.REPLACE_KEY=${{ secrets.AGENT_SECRET_PREFIX }}'" . | |
| echo "Building UTMStack Forwarder..." | |
| cd ${{ github.workspace }}/collectors/forwarder | |
| GOOS=linux GOARCH=amd64 go build -o utmstack_forwarder -v -ldflags "-X 'github.com/utmstack/UTMStack/collectors/forwarder/config.REPLACE_KEY=${{ secrets.AGENT_SECRET_PREFIX }}'" . | |
| - name: Upload collector binary as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: utmstack-collectors | |
| path: | | |
| ${{ github.workspace }}/collectors/utmstack/utmstack_collector | |
| ${{ github.workspace }}/collectors/as400/utmstack_as400_collector_service | |
| ${{ github.workspace }}/collectors/forwarder/utmstack_forwarder | |
| retention-days: 1 | |
| build_agent_manager: | |
| name: Build Agent Manager Microservice | |
| needs: [sign_agent_windows, sign_agent_macos, build_utmstack_collector, setup_deployment] | |
| if: ${{ always() && needs.sign_agent_windows.result == 'success' && needs.sign_agent_macos.result == 'success' && needs.build_utmstack_collector.result == 'success' && needs.setup_deployment.outputs.tag != '' }} | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Check out code into the right branch | |
| uses: actions/checkout@v4 | |
| - name: Download Linux agents from artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: agents-linux | |
| path: ${{ github.workspace }}/agent | |
| - name: Download signed Windows agents from artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: agents-windows-signed | |
| path: ${{ github.workspace }}/agent | |
| - name: Download UTMStack Collectors from artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: utmstack-collectors | |
| path: ${{ github.workspace }}/collector-binaries | |
| - name: Download signed macOS agents from artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: agents-darwin-signed | |
| path: ${{ github.workspace }}/agent-darwin | |
| - name: Prepare dependencies for Agent Manager Image | |
| env: | |
| GH_TOKEN: ${{ secrets.READ_PRIVATE_REPO }} | |
| ENTERPRISE_VERSION: ${{ needs.setup_deployment.outputs.enterprise_version }} | |
| run: | | |
| cd ${{ github.workspace }}/agent-manager | |
| GOOS=linux GOARCH=amd64 go build -o agent-manager -v . | |
| mkdir -p ./dependencies/collector | |
| cp "${{ github.workspace }}/collector-binaries/utmstack/utmstack_collector" ./dependencies/collector/ | |
| cp "${{ github.workspace }}/collectors/utmstack/version.json" ./dependencies/collector/ | |
| mkdir -p ./dependencies/collector/as400 | |
| gh release download "$ENTERPRISE_VERSION" \ | |
| --repo utmstack/UTMStackEnterprise \ | |
| --pattern as400-collector.jar \ | |
| --output ./dependencies/collector/as400/as400-collector.jar \ | |
| --clobber | |
| cp "${{ github.workspace }}/collectors/as400/version.json" ./dependencies/collector/as400/ | |
| cp "${{ github.workspace }}/collector-binaries/as400/utmstack_as400_collector_service" ./dependencies/collector/as400/ | |
| mkdir -p ./dependencies/collector/forwarder | |
| cp "${{ github.workspace }}/collector-binaries/forwarder/utmstack_forwarder" ./dependencies/collector/forwarder/ | |
| cp "${{ github.workspace }}/collectors/forwarder/version.json" ./dependencies/collector/forwarder/ | |
| mkdir -p ./dependencies/agent/ | |
| # Linux agents | |
| cp "${{ github.workspace }}/agent/utmstack_agent_service_linux_amd64" ./dependencies/agent/ | |
| cp "${{ github.workspace }}/agent/utmstack_agent_service_linux_arm64" ./dependencies/agent/ | |
| cp "${{ github.workspace }}/agent/updater/utmstack_updater_service_linux_amd64" ./dependencies/agent/ | |
| cp "${{ github.workspace }}/agent/updater/utmstack_updater_service_linux_arm64" ./dependencies/agent/ | |
| # Windows agents | |
| cp "${{ github.workspace }}/agent/utmstack_agent_service_windows_amd64.exe" ./dependencies/agent/ | |
| cp "${{ github.workspace }}/agent/utmstack_agent_service_windows_arm64.exe" ./dependencies/agent/ | |
| cp "${{ github.workspace }}/agent/updater/utmstack_updater_service_windows_amd64.exe" ./dependencies/agent/ | |
| cp "${{ github.workspace }}/agent/updater/utmstack_updater_service_windows_arm64.exe" ./dependencies/agent/ | |
| # macOS agents (signed and notarized) | |
| cp "${{ github.workspace }}/agent-darwin/utmstack_agent_service_darwin_arm64" ./dependencies/agent/ | |
| cp "${{ github.workspace }}/agent-darwin/updater/utmstack_updater_service_darwin_arm64" ./dependencies/agent/ | |
| gh release download "$ENTERPRISE_VERSION" \ | |
| --repo utmstack/UTMStackEnterprise \ | |
| --pattern utmstack-collector-mac \ | |
| --output ./dependencies/agent/utmstack-collector-mac \ | |
| --clobber | |
| # TODO: Remove legacy binary names after all agents have migrated to new naming convention | |
| # Legacy names for backwards compatibility with existing agents | |
| cp "${{ github.workspace }}/agent/utmstack_agent_service_linux_amd64" ./dependencies/agent/utmstack_agent_service | |
| cp "${{ github.workspace }}/agent/updater/utmstack_updater_service_linux_amd64" ./dependencies/agent/utmstack_updater_service | |
| cp "${{ github.workspace }}/agent/utmstack_agent_service_windows_amd64.exe" ./dependencies/agent/utmstack_agent_service.exe | |
| cp "${{ github.workspace }}/agent/updater/utmstack_updater_service_windows_amd64.exe" ./dependencies/agent/utmstack_updater_service.exe | |
| cp "${{ github.workspace }}/agent/utmstack_agent_service_windows_arm64.exe" ./dependencies/agent/utmstack_agent_service_arm64.exe | |
| cp "${{ github.workspace }}/agent/updater/utmstack_updater_service_windows_arm64.exe" ./dependencies/agent/utmstack_updater_service_arm64.exe | |
| cp "${{ github.workspace }}/agent/version.json" ./dependencies/agent/ | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: utmstack | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and Push the Agent Manager Image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: ./agent-manager | |
| push: true | |
| provenance: false | |
| tags: ghcr.io/utmstack/utmstack/agent-manager:${{ needs.setup_deployment.outputs.tag }} | |
| build_event_processor: | |
| name: Build Event Processor Microservice | |
| needs: [setup_deployment] | |
| if: ${{ needs.setup_deployment.outputs.tag != '' }} | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Check out code into the right branch | |
| uses: actions/checkout@v4 | |
| - name: Build Plugins | |
| env: | |
| GOOS: linux | |
| GOARCH: amd64 | |
| run: | | |
| cd ${{ github.workspace }}/plugins/alerts; go build -o com.utmstack.alerts.plugin -v . | |
| cd ${{ github.workspace }}/plugins/aws; go build -o com.utmstack.aws.plugin -v . | |
| cd ${{ github.workspace }}/plugins/azure; go build -o com.utmstack.azure.plugin -v . | |
| cd ${{ github.workspace }}/plugins/bitdefender; go build -o com.utmstack.bitdefender.plugin -v . | |
| cd ${{ github.workspace }}/plugins/events; go build -o com.utmstack.events.plugin -v . | |
| cd ${{ github.workspace }}/plugins/gcp; go build -o com.utmstack.gcp.plugin -v . | |
| cd ${{ github.workspace }}/plugins/geolocation; go build -o com.utmstack.geolocation.plugin -v . | |
| cd ${{ github.workspace }}/plugins/inputs; go build -o com.utmstack.inputs.plugin -v . | |
| cd ${{ github.workspace }}/plugins/o365; go build -o com.utmstack.o365.plugin -v . | |
| cd ${{ github.workspace }}/plugins/sophos; go build -o com.utmstack.sophos.plugin -v . | |
| cd ${{ github.workspace }}/plugins/stats; go build -o com.utmstack.stats.plugin -v . | |
| cd ${{ github.workspace }}/plugins/soc-ai; go build -o com.utmstack.soc-ai.plugin -v . | |
| cd ${{ github.workspace }}/plugins/crowdstrike; go build -o com.utmstack.crowdstrike.plugin -v . | |
| cd ${{ github.workspace }}/plugins/feeds; go build -o com.utmstack.feeds.plugin -v . | |
| cd ${{ github.workspace }}/plugins/ad-audit; go build -o com.utmstack.ad-audit.plugin -v . | |
| cd ${{ github.workspace }}/plugins/soar; go build -o com.utmstack.soar.plugin -v . | |
| - name: Prepare Dependencies for Event Processor Image | |
| env: | |
| GH_TOKEN: ${{ secrets.READ_PRIVATE_REPO }} | |
| ENTERPRISE_VERSION: ${{ needs.setup_deployment.outputs.enterprise_version }} | |
| run: | | |
| mkdir -p ./geolocation | |
| curl -sSL "https://storage.googleapis.com/utmstack-updates/dependencies/geolocation/asn-blocks-v4.csv" -o ./geolocation/asn-blocks-v4.csv | |
| curl -sSL "https://storage.googleapis.com/utmstack-updates/dependencies/geolocation/asn-blocks-v6.csv" -o ./geolocation/asn-blocks-v6.csv | |
| curl -sSL "https://storage.googleapis.com/utmstack-updates/dependencies/geolocation/blocks-v4.csv" -o ./geolocation/blocks-v4.csv | |
| curl -sSL "https://storage.googleapis.com/utmstack-updates/dependencies/geolocation/blocks-v6.csv" -o ./geolocation/blocks-v6.csv | |
| curl -sSL "https://storage.googleapis.com/utmstack-updates/dependencies/geolocation/locations-en.csv" -o ./geolocation/locations-en.csv | |
| # Enterprise entitlements plugin (prebuilt, from private UTMStackEnterprise release) | |
| mkdir -p ./plugins/entitlements | |
| gh release download "$ENTERPRISE_VERSION" \ | |
| --repo utmstack/UTMStackEnterprise \ | |
| --pattern entitlements \ | |
| --output ./plugins/entitlements/com.utmstack.entitlements.plugin \ | |
| --clobber | |
| chmod +x ./plugins/entitlements/com.utmstack.entitlements.plugin | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: utmstack | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and Push the Event Processor Image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: ./event_processor.Dockerfile | |
| push: true | |
| provenance: false | |
| tags: ghcr.io/utmstack/utmstack/eventprocessor:${{ needs.setup_deployment.outputs.tag }} | |
| build-args: | | |
| BASE_IMAGE=ghcr.io/threatwinds/eventprocessor/base:${{ needs.setup_deployment.outputs.event_processor_tag }} | |
| build_backend: | |
| name: Build Backend Microservice | |
| needs: [setup_deployment] | |
| if: ${{ needs.setup_deployment.outputs.tag != '' }} | |
| uses: ./.github/workflows/reusable-golang.yml | |
| with: | |
| image_name: backend | |
| tag: ${{ needs.setup_deployment.outputs.tag }} | |
| build_context: "." | |
| dockerfile: "./backend/Dockerfile" | |
| # NOTE: `secrets.*` is NOT allowed in `with:`. The values are passed via the | |
| # `secrets:` block below and expanded here as shell env vars at build time. | |
| flags: >- | |
| -X 'github.com/utmstack/utmstack/backend/modules/billing.PublicKey=${CM_SIGN_PUBLIC_KEY}' | |
| -X 'github.com/utmstack/utmstack/backend/modules/billing.EncryptSalt=${CM_ENCRYPT_SALT}' | |
| secrets: | |
| API_SECRET: ${{ secrets.API_SECRET }} | |
| CM_SIGN_PUBLIC_KEY: ${{ secrets.CM_SIGN_PUBLIC_KEY }} | |
| CM_ENCRYPT_SALT: ${{ secrets.CM_ENCRYPT_SALT }} | |
| build_frontend: | |
| name: Build Frontend Microservice | |
| needs: [setup_deployment] | |
| if: ${{ needs.setup_deployment.outputs.tag != '' }} | |
| uses: ./.github/workflows/reusable-node.yml | |
| with: | |
| image_name: frontend | |
| tag: ${{ needs.setup_deployment.outputs.tag }} | |
| all_builds_complete: | |
| name: All Builds Complete | |
| needs: [ | |
| build_agent_manager, | |
| build_event_processor, | |
| build_backend, | |
| build_frontend | |
| ] | |
| if: ${{ always() && needs.build_agent_manager.result == 'success' && needs.build_event_processor.result == 'success' && needs.build_backend.result == 'success' && needs.build_frontend.result == 'success' }} | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - run: echo "✅ All builds completed successfully." | |
| generate_changelog: | |
| name: Generate Changelog | |
| needs: [all_builds_complete, setup_deployment] | |
| if: ${{ needs.setup_deployment.outputs.tag != '' && github.event_name == 'release' }} | |
| uses: ./.github/workflows/generate-changelog.yml | |
| with: | |
| current_tag: ${{ needs.setup_deployment.outputs.tag }} | |
| secrets: | |
| THREATWINDS_API_KEY: ${{ secrets.THREATWINDS_API_KEY }} | |
| THREATWINDS_API_SECRET: ${{ secrets.THREATWINDS_API_SECRET }} | |
| # Installer build runs on any GitHub release event (prerelease or not). | |
| # The binary is uploaded to the release that triggered this pipeline. | |
| build_installer_release: | |
| name: Build & Upload Installer | |
| needs: [generate_changelog, setup_deployment] | |
| if: ${{ always() && needs.setup_deployment.result == 'success' && needs.setup_deployment.outputs.tag != '' && github.event_name == 'release' && needs.generate_changelog.result != 'cancelled' }} | |
| uses: ./.github/workflows/installer-release.yml | |
| with: | |
| version: ${{ needs.setup_deployment.outputs.tag }} | |
| version_major: v12 | |
| environment: ${{ needs.setup_deployment.outputs.environment }} | |
| changelog: ${{ needs.generate_changelog.outputs.changelog }} | |
| secrets: | |
| API_SECRET: ${{ secrets.API_SECRET }} | |
| CM_ENCRYPT_SALT: ${{ secrets.CM_ENCRYPT_SALT }} | |
| CM_SIGN_PUBLIC_KEY: ${{ secrets.CM_SIGN_PUBLIC_KEY }} | |
| deploy_installer_dev: | |
| name: Deploy Installer (Dev) | |
| needs: [all_builds_complete, setup_deployment] | |
| if: ${{ always() && needs.all_builds_complete.result == 'success' && needs.setup_deployment.outputs.tag != '' && needs.setup_deployment.outputs.environment == 'dev' }} | |
| uses: ./.github/workflows/installer-release.yml | |
| with: | |
| version: ${{ needs.setup_deployment.outputs.tag }} | |
| version_major: v12 | |
| environment: dev | |
| secrets: | |
| API_SECRET: ${{ secrets.API_SECRET }} | |
| CM_ENCRYPT_SALT: ${{ secrets.CM_ENCRYPT_SALT }} | |
| CM_SIGN_PUBLIC_KEY: ${{ secrets.CM_SIGN_PUBLIC_KEY }} | |
| publish_new_version: | |
| name: Publish New Version to Customer Manager | |
| needs: [all_builds_complete, generate_changelog, setup_deployment] | |
| if: ${{ always() && needs.all_builds_complete.result == 'success' && needs.setup_deployment.outputs.tag != '' }} | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Publish version | |
| env: | |
| CHANGELOG_CONTENT: ${{ needs.generate_changelog.outputs.changelog }} | |
| ENVIRONMENT: ${{ needs.setup_deployment.outputs.environment }} | |
| TAG: ${{ needs.setup_deployment.outputs.tag }} | |
| CM_URL: ${{ needs.setup_deployment.outputs.cm_url }} | |
| run: | | |
| # Use AI changelog for production releases, generic for dev. | |
| if [ "$ENVIRONMENT" != "dev" ] && [ -n "$CHANGELOG_CONTENT" ]; then | |
| changelog="$CHANGELOG_CONTENT" | |
| else | |
| changelog="Development build $TAG - Internal testing release" | |
| fi | |
| echo "Environment: $ENVIRONMENT" | |
| echo "CM URL: $CM_URL" | |
| echo "Tag: $TAG" | |
| # Select CM_SERVICE_ACCOUNT based on environment | |
| if [ "$ENVIRONMENT" = "dev" ]; then | |
| cmAuth=$(echo '${{ secrets.CM_SERVICE_ACCOUNT_DEV }}' | jq -r '.') | |
| else | |
| cmAuth=$(echo '${{ secrets.CM_SERVICE_ACCOUNT_PROD }}' | jq -r '.') | |
| fi | |
| id=$(echo "$cmAuth" | jq -r '.id') | |
| key=$(echo "$cmAuth" | jq -r '.key') | |
| body=$(jq -n \ | |
| --arg version "$TAG" \ | |
| --arg changelog "$changelog" \ | |
| '{version: $version, changelog: $changelog}' | |
| ) | |
| response=$(curl -s -X POST "${CM_URL}/api/v1/versions/register" \ | |
| -H "Content-Type: application/json" \ | |
| -H "id: $id" \ | |
| -H "key: $key" \ | |
| -d "$body") | |
| echo "Response: $response" | |
| schedule: | |
| name: Schedule release to our instances | |
| needs: [publish_new_version, setup_deployment] | |
| if: ${{ always() && needs.publish_new_version.result == 'success' && needs.setup_deployment.outputs.tag != '' }} | |
| runs-on: ubuntu-24.04 | |
| env: | |
| ENVIRONMENT: ${{ needs.setup_deployment.outputs.environment }} | |
| TAG: ${{ needs.setup_deployment.outputs.tag }} | |
| CM_URL: ${{ needs.setup_deployment.outputs.cm_url }} | |
| steps: | |
| - name: Schedule updates | |
| run: | | |
| echo "🔍 Environment: $ENVIRONMENT" | |
| echo "🔍 Version: $TAG" | |
| echo "🔍 CM URL: $CM_URL" | |
| # Select instance IDs and auth based on environment | |
| if [ "$ENVIRONMENT" = "dev" ]; then | |
| instance_ids="${{ vars.SCHEDULE_INSTANCES_DEV }}" | |
| auth_json='${{ secrets.CM_SERVICE_ACCOUNT_DEV }}' | |
| else | |
| instance_ids="${{ vars.SCHEDULE_INSTANCES_PROD }}" | |
| auth_json='${{ secrets.CM_SERVICE_ACCOUNT_PROD }}' | |
| fi | |
| # Extract id and key from auth JSON | |
| auth_id=$(echo "$auth_json" | jq -r '.id') | |
| auth_key=$(echo "$auth_json" | jq -r '.key') | |
| # Parse IDs (handle single ID or comma-separated IDs) | |
| IFS=',' read -ra ID_ARRAY <<< "$instance_ids" | |
| # Iterate over each instance ID | |
| for instance_id in "${ID_ARRAY[@]}"; do | |
| instance_id=$(echo "$instance_id" | xargs) | |
| echo "📅 Scheduling release for instance: $instance_id" | |
| response=$(curl -s -w "\n%{http_code}" -X POST "${CM_URL}/api/v1/updates" \ | |
| -H "Content-Type: application/json" \ | |
| -H "id: $auth_id" \ | |
| -H "key: $auth_key" \ | |
| -d "{\"instances_ids\": [\"$instance_id\"], \"version\": \"$TAG\"}") | |
| http_code=$(echo "$response" | tail -n1) | |
| body=$(echo "$response" | sed '$d') | |
| if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 300 ]; then | |
| echo "✅ Successfully scheduled for instance: $instance_id" | |
| else | |
| echo "❌ Failed to schedule for instance: $instance_id (HTTP $http_code)" | |
| echo "Response: $body" | |
| exit 1 | |
| fi | |
| done | |
| echo "✅ Scheduled release for all instances with version $TAG" |
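Review bot: In the `Determine Build Environment` step, `TAG="${{ github.event.release.tag_name }}"` and `echo "${{ github.ref }}"` splice event-controlled strings directly into the generated bash script, and `cmAuth=$(echo '${{ secrets.CM_SERVICE_ACCOUNT_DEV }}' | jq -r '.')` in `Publish version` (likewise `auth_json='...'` in `Schedule updates`) does the same with the service-account JSON, so a tag or branch name containing `$(` or a quote is interpreted by the shell and the secret is written into the script file instead of being read from the environment. Pass these through the step's `env:` block and reference the variable in the script, e.g. `RELEASE_TAG: ${{ github.event.release.tag_name }}` and `CM_AUTH: ${{ secrets.CM_SERVICE_ACCOUNT_PROD }}` under `env:`, then `TAG="$RELEASE_TAG"` and `cmAuth=$(jq -r '.' <<<"$CM_AUTH")`; the `vars.SCHEDULE_INSTANCES_*` interpolations can move the same way. Separately, `curl -s -X POST "${CM_URL}/api/v1/versions/register"` in `Publish version` never inspects the HTTP status, so a 4xx/5xx from Customer Manager still lets `schedule` run; mirror the `-w "\n%{http_code}"` check that `Schedule updates` already performs, and build that step's request body with `jq -n --arg` as the publish step does rather than interpolating `$TAG` into a JSON string literal. The workflow also declares no top-level `permissions:` key, so `GITHUB_TOKEN` runs with the repository default; if that default is permissive, `permissions: { contents: read, packages: write }` would scope it to what the ghcr pushes need.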