name: Pipeline env: VAULT_ADDR: https://vault.svc.plus DEFAULT_TARGET_HOST: jp-xhttp-contabo.svc.plus on: pull_request: branches: [main] push: branches: ['**'] workflow_dispatch: inputs: target_host: description: "Ansible inventory host or alias" required: false default: "jp-xhttp-contabo.svc.plus" type: string run_apply: description: "Apply deployment (false = dry-run)" required: true default: true type: boolean ai_workspace_auth_token: description: "Optional ACP auth token for deploy" required: false default: "" type: string permissions: contents: read packages: write id-token: write concurrency: group: pipeline-${{ github.ref }} cancel-in-progress: true defaults: run: shell: bash jobs: production_state: name: Production State runs-on: ubuntu-latest outputs: production_image: ${{ steps.production_state.outputs.production_image }} production_tag: ${{ steps.production_state.outputs.production_tag }} production_commit: ${{ steps.production_state.outputs.production_commit }} production_version: ${{ steps.production_state.outputs.production_version }} steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Load Vault secrets id: vault if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }} uses: hashicorp/vault-action@v2 with: url: ${{ env.VAULT_ADDR }} method: jwt role: github-actions-xworkmate-bridge jwtGithubAudience: vault ignoreNotFound: true secrets: | kv/data/github-actions/xworkmate-bridge AI_WORKSPACE_AUTH_TOKEN | AI_WORKSPACE_AUTH_TOKEN - name: Export bridge auth token if: ${{ steps.vault.outcome == 'success' }} run: echo "AI_WORKSPACE_AUTH_TOKEN=${{ steps.vault.outputs.AI_WORKSPACE_AUTH_TOKEN }}" >> "$GITHUB_ENV" - name: Probe current production bridge id: production_state env: BRIDGE_SERVER_URL: https://xworkmate-bridge.svc.plus run: | while IFS='=' read -r key value; do echo "${key}=${value}" >> "$GITHUB_OUTPUT" done < <(bash ./scripts/github-actions/report-production-state.sh "${BRIDGE_SERVER_URL}") - name: Explain branch push vs production if: ${{ github.event_name == 'push' }} run: | echo "::notice title=Production state::Current production bridge before this run is ${{ steps.production_state.outputs.production_commit }}." prep: name: Prep runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: go.mod cache: true - name: Install golangci-lint run: | GOBIN="$(go env GOPATH)/bin" go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.64.8 echo "${GOBIN}" >> "$GITHUB_PATH" - name: Run lint and tests run: bash ./scripts/github-actions/prep.sh build: name: Build needs: - production_state - prep runs-on: ubuntu-latest env: SERVICE_REGISTRY: ghcr.io SERVICE_IMAGE_REPO_OWNER: ${{ vars.IMAGE_REPO_OWNER || github.repository_owner }} SERVICE_IMAGE_NAME: xworkmate-bridge outputs: artifact_name: ${{ steps.artifact_meta.outputs.artifact_name }} binary_artifact_name: ${{ steps.binary_artifact_meta.outputs.binary_artifact_name }} service_image_ref: ${{ steps.service_ref.outputs.image_ref }} steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Load Vault secrets id: vault if: ${{ github.event_name != 'pull_request' }} uses: hashicorp/vault-action@v2 with: url: ${{ env.VAULT_ADDR }} method: jwt role: github-actions-xworkmate-bridge jwtGithubAudience: vault ignoreNotFound: true secrets: | kv/data/github-actions/xworkmate-bridge GHCR_TOKEN | GHCR_TOKEN - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Log in to GHCR if: ${{ github.event_name != 'pull_request' }} uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ vars.GHCR_USERNAME || github.repository_owner }} password: ${{ steps.vault.outputs.GHCR_TOKEN || github.token }} - name: Resolve service image ref id: service_ref run: bash ./scripts/github-actions/resolve-service-image-ref.sh - name: Build and optionally push service image uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0 with: context: . file: Dockerfile platforms: linux/amd64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.service_ref.outputs.image_ref }} build-args: | BUILD_COMMIT=${{ github.sha }} BUILD_DATE=${{ github.event.head_commit.timestamp || github.event.repository.pushed_at }} BUILD_VERSION=v1.0-beta2 - name: Build native linux service binary run: bash ./scripts/github-actions/build-artifact.sh dist/native-binary - name: Write image ref artifact run: | set -euo pipefail mkdir -p dist printf '%s\n' "${{ steps.service_ref.outputs.image_ref }}" > dist/service-image-ref.txt - name: Record artifact metadata id: artifact_meta run: bash ./scripts/github-actions/resolve-artifact-name.sh - name: Record native binary artifact metadata id: binary_artifact_meta run: printf 'binary_artifact_name=xworkmate-bridge-linux-amd64-%s\n' "${GITHUB_SHA}" >> "$GITHUB_OUTPUT" - name: Upload image ref artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: ${{ steps.artifact_meta.outputs.artifact_name }} path: dist/service-image-ref.txt - name: Upload native linux service binary uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: ${{ steps.binary_artifact_meta.outputs.binary_artifact_name }} path: dist/native-binary/xworkmate-bridge deploy: name: Deploy needs: build if: ${{ github.event_name != 'pull_request' && github.event_name != 'push' }} runs-on: ubuntu-latest outputs: run_apply: ${{ steps.deploy_meta.outputs.run_apply }} steps: - name: Checkout service repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: path: xworkmate-bridge - name: Load Vault secrets id: vault uses: hashicorp/vault-action@v2 with: url: ${{ env.VAULT_ADDR }} method: jwt role: github-actions-xworkmate-bridge jwtGithubAudience: vault ignoreNotFound: true secrets: | kv/data/github-actions/xworkmate-bridge AI_WORKSPACE_AUTH_TOKEN | AI_WORKSPACE_AUTH_TOKEN ; kv/data/github-actions/xworkmate-bridge WORKSPACE_REPO_TOKEN | WORKSPACE_REPO_TOKEN ; kv/data/github-actions/xworkmate-bridge SINGLE_NODE_VPS_SSH_PRIVATE_KEY | SINGLE_NODE_VPS_SSH_PRIVATE_KEY ; kv/data/github-actions/xworkmate-bridge SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64 | SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64 ; kv/data/github-actions/xworkmate-bridge SSH_KNOWN_HOSTS | SSH_KNOWN_HOSTS - name: Export deploy secrets run: | { if [[ "${{ github.event_name }}" == "workflow_dispatch" && -n "${{ inputs.ai_workspace_auth_token }}" ]]; then echo "AI_WORKSPACE_AUTH_TOKEN=${{ inputs.ai_workspace_auth_token }}" else echo "AI_WORKSPACE_AUTH_TOKEN=${{ steps.vault.outputs.AI_WORKSPACE_AUTH_TOKEN }}" fi } >> "$GITHUB_ENV" - name: Validate deploy secrets run: | if [[ -z "${AI_WORKSPACE_AUTH_TOKEN}" ]]; then echo "::error::AI_WORKSPACE_AUTH_TOKEN is empty. Provide it via the workflow_dispatch input, or ensure kv/data/github-actions/xworkmate-bridge AI_WORKSPACE_AUTH_TOKEN is readable from Vault." exit 1 fi echo "AI_WORKSPACE_AUTH_TOKEN length=${#AI_WORKSPACE_AUTH_TOKEN}" - name: Checkout playbooks repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: x-evor/playbooks token: ${{ steps.vault.outputs.WORKSPACE_REPO_TOKEN || github.token }} path: playbooks - name: Download build image ref artifact uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 with: name: ${{ needs.build.outputs.artifact_name }} path: xworkmate-bridge/dist/image-artifact - name: Download native linux service binary uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 with: name: ${{ needs.build.outputs.binary_artifact_name }} path: xworkmate-bridge/dist/native-binary - name: Set up Python uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.11" - name: Install Ansible runtime run: | python -m pip install --upgrade pip python -m pip install "ansible-core==2.18.3" ansible-galaxy collection install ansible.posix - name: Resolve deployment settings id: deploy_meta run: | if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then target_host="${{ inputs.target_host }}" run_apply="${{ inputs.run_apply }}" else target_host="${DEFAULT_TARGET_HOST}" run_apply="true" fi if [[ -z "${target_host}" ]]; then target_host="${DEFAULT_TARGET_HOST}" fi echo "target_host=${target_host}" >> "$GITHUB_OUTPUT" echo "run_apply=${run_apply}" >> "$GITHUB_OUTPUT" - name: Prepare runner SSH access working-directory: xworkmate-bridge env: SINGLE_NODE_VPS_SSH_PRIVATE_KEY: ${{ steps.vault.outputs.SINGLE_NODE_VPS_SSH_PRIVATE_KEY }} SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64: ${{ steps.vault.outputs.SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64 }} SSH_KNOWN_HOSTS: ${{ steps.vault.outputs.SSH_KNOWN_HOSTS }} run: bash ./scripts/github-actions/prepare-ssh.sh "${{ steps.deploy_meta.outputs.target_host }}" "${SSH_KNOWN_HOSTS}" - name: Install native bridge binary on target if: ${{ steps.deploy_meta.outputs.run_apply == 'true' }} working-directory: xworkmate-bridge run: bash ./scripts/github-actions/deploy-native-binary.sh "${{ steps.deploy_meta.outputs.target_host }}" "dist/native-binary/xworkmate-bridge" "$(git rev-parse --short HEAD)" - name: Run Ansible deploy playbook working-directory: playbooks env: ANSIBLE_CONFIG: ./ansible.cfg run: | CHECK_MODE_FLAG="" if [[ "${{ steps.deploy_meta.outputs.run_apply }}" != "true" ]]; then CHECK_MODE_FLAG="-C" fi ansible-playbook -i inventory.ini deploy_xworkmate_bridge_vhosts.yml \ -D ${CHECK_MODE_FLAG} \ --tags xworkmate_bridge \ -l "${{ steps.deploy_meta.outputs.target_host }}" publish_release: name: Publish GitHub Release needs: - build - deploy - validate if: ${{ github.event_name != 'pull_request' && needs.deploy.result == 'success' && needs.validate.result == 'success' }} runs-on: ubuntu-latest permissions: contents: write steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download image ref artifact uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 with: name: ${{ needs.build.outputs.artifact_name }} path: dist - name: Resolve release metadata id: release_meta run: bash ./scripts/github-actions/resolve-release-metadata.sh - name: Publish GitHub release env: GITHUB_TOKEN: ${{ github.token }} run: | tag="${{ steps.release_meta.outputs.tag }}" asset="dist/service-image-ref.txt#xworkmate-bridge-service-image-ref.txt" if gh release view "${tag}" --repo "${{ github.repository }}" >/dev/null 2>&1; then gh release upload "${tag}" "${asset}" \ --repo "${{ github.repository }}" \ --clobber else gh release create "${tag}" "${asset}" \ --repo "${{ github.repository }}" \ --target "${{ github.sha }}" \ --title "${{ steps.release_meta.outputs.title }}" \ --notes "Automated release for ${GITHUB_SHA}." fi validate: name: Validate needs: - build - deploy if: ${{ github.event_name != 'push' && needs.deploy.result == 'success' && needs.deploy.outputs.run_apply == 'true' }} runs-on: ubuntu-latest env: BRIDGE_SERVER_URL: https://xworkmate-bridge.svc.plus steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Load Vault secrets id: vault uses: hashicorp/vault-action@v2 with: url: ${{ env.VAULT_ADDR }} method: jwt role: github-actions-xworkmate-bridge jwtGithubAudience: vault ignoreNotFound: true secrets: | kv/data/github-actions/xworkmate-bridge AI_WORKSPACE_AUTH_TOKEN | AI_WORKSPACE_AUTH_TOKEN - name: Export bridge auth token run: echo "AI_WORKSPACE_AUTH_TOKEN=${{ steps.vault.outputs.AI_WORKSPACE_AUTH_TOKEN }}" >> "$GITHUB_ENV" - name: Validate deployed endpoints run: bash ./scripts/github-actions/validate-deploy.sh "$(git rev-parse --short HEAD)" "${BRIDGE_SERVER_URL}" - name: Validate public ACP contract run: bash ./scripts/github-actions/verify-public-rpc-contract.sh - name: Validate OpenClaw session contract run: bash ./scripts/github-actions/validate-openclaw-session.sh