From 8a35f5dd57f52c663c9a93de34b05f4b3bbe1fac Mon Sep 17 00:00:00 2001 From: Ronni Skansing Date: Thu, 18 Jun 2026 18:50:55 +0200 Subject: [PATCH] update test build Signed-off-by: Ronni Skansing --- .github/workflows/test-build.yml | 140 ++++++++++++++++++++++--------- 1 file changed, 99 insertions(+), 41 deletions(-) diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml index dcb25c8..4efcc62 100644 --- a/.github/workflows/test-build.yml +++ b/.github/workflows/test-build.yml @@ -3,6 +3,18 @@ name: Test Build on: push: branches: [test-build] + workflow_dispatch: + inputs: + build_arm: + description: "Also build arm64 (default builds amd64 only)" + type: boolean + default: false + +# BUILD_ARM controls whether arm64 is built alongside amd64. +# defaults to false so a normal push to test-build only builds amd64. +# trigger the workflow manually and tick "build_arm" to also build arm64. +env: + BUILD_ARM: ${{ github.event.inputs.build_arm || 'false' }} jobs: test-build: @@ -63,30 +75,33 @@ jobs: - name: Build binaries for multiple architectures run: | - mkdir -p build/arm64 /tmp/go-build-cache + mkdir -p build/amd64 build/arm64 /tmp/go-build-cache - # amd64 build disabled for test builds — rarely used, arm64 only below - # mkdir -p build/amd64 - # # build amd64 binary — static musl so no glibc floor on target systems - # sudo docker run --rm \ - # -v "$(pwd)":/app \ - # -v /tmp/go-build-cache:/root/.cache/go-build \ - # -w /app/backend \ - # golang@sha256:c4ea15b4a7912716eb362a022e2b12317762eca387423760bc59c0f9ae69423c `# golang:1.25.10-alpine linux/amd64` \ - # sh -c "apk add --no-cache gcc musl-dev && go build -trimpath \ - # -ldflags='-X github.com/phishingclub/phishingclub/version.hash=ph${{ steps.get_version.outputs.HASH }} -X github.com/phishingclub/phishingclub/version.version=${{ steps.get_version.outputs.VERSION }} -linkmode=external -extldflags=-static' \ - # -tags production -o ../build/amd64/phishingclub main.go" - - # build arm64 binary — run natively under QEMU (already set up above) + # build amd64 binary — static musl so no glibc floor on target systems sudo docker run --rm \ - --platform linux/arm64 \ -v "$(pwd)":/app \ -v /tmp/go-build-cache:/root/.cache/go-build \ -w /app/backend \ - golang@sha256:5331adf7f8a0803631d9dc28843e288874789c14b97a3d0b54ed13e59f9e0589 `# golang:1.25.10-alpine linux/arm64` \ + golang@sha256:c4ea15b4a7912716eb362a022e2b12317762eca387423760bc59c0f9ae69423c `# golang:1.25.10-alpine linux/amd64` \ sh -c "apk add --no-cache gcc musl-dev && go build -trimpath \ -ldflags='-X github.com/phishingclub/phishingclub/version.hash=ph${{ steps.get_version.outputs.HASH }} -X github.com/phishingclub/phishingclub/version.version=${{ steps.get_version.outputs.VERSION }} -linkmode=external -extldflags=-static' \ - -tags production -o ../build/arm64/phishingclub main.go" + -tags production -o ../build/amd64/phishingclub main.go" + + # build arm64 binary — run natively under QEMU (already set up above) + # only when opted in via the BUILD_ARM variable + if [ "${BUILD_ARM}" = "true" ]; then + sudo docker run --rm \ + --platform linux/arm64 \ + -v "$(pwd)":/app \ + -v /tmp/go-build-cache:/root/.cache/go-build \ + -w /app/backend \ + golang@sha256:5331adf7f8a0803631d9dc28843e288874789c14b97a3d0b54ed13e59f9e0589 `# golang:1.25.10-alpine linux/arm64` \ + sh -c "apk add --no-cache gcc musl-dev && go build -trimpath \ + -ldflags='-X github.com/phishingclub/phishingclub/version.hash=ph${{ steps.get_version.outputs.HASH }} -X github.com/phishingclub/phishingclub/version.version=${{ steps.get_version.outputs.VERSION }} -linkmode=external -extldflags=-static' \ + -tags production -o ../build/arm64/phishingclub main.go" + else + echo "BUILD_ARM not enabled - skipping arm64 build" + fi - name: Fix build directory permissions run: | @@ -107,11 +122,17 @@ jobs: echo "${{ secrets.SIGNKEY_1 }}" > /tmp/keys/private1.pem chmod 600 /tmp/keys/private1.pem - # amd64 signing disabled for test builds (amd64 build is off) - # sign arm64 binary with primary key + # sign amd64 binary with primary key openssl pkeyutl -sign -inkey /tmp/keys/private1.pem \ - -rawin -in build/arm64/phishingclub \ - -out build/arm64/phishingclub.sig + -rawin -in build/amd64/phishingclub \ + -out build/amd64/phishingclub.sig + + # sign arm64 binary with primary key (only when built) + if [ -f build/arm64/phishingclub ]; then + openssl pkeyutl -sign -inkey /tmp/keys/private1.pem \ + -rawin -in build/arm64/phishingclub \ + -out build/arm64/phishingclub.sig + fi # clean up keys rm -rf /tmp/keys @@ -125,23 +146,37 @@ jobs: run: | mkdir -p packages - # amd64 packaging disabled for test builds (amd64 build is off) - - # test packaging for arm64 - if [ -f build/arm64/phishingclub.sig ]; then - tar -czf packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_arm64.tar.gz \ - -C build/arm64 \ + # package amd64 binary with signature + if [ -f build/amd64/phishingclub.sig ]; then + tar -czf packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_amd64.tar.gz \ + -C build/amd64 \ phishingclub \ phishingclub.sig - echo "✅ ARM64 package created with signature" + echo "✅ AMD64 package created with signature" else - tar -czf packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_arm64.tar.gz \ - -C build/arm64 \ + tar -czf packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_amd64.tar.gz \ + -C build/amd64 \ phishingclub - echo "✅ ARM64 package created without signature" + echo "✅ AMD64 package created without signature" fi - # legacy amd64 package disabled for test builds (amd64 build is off) + # test packaging for arm64 (only when built) + if [ -f build/arm64/phishingclub ]; then + if [ -f build/arm64/phishingclub.sig ]; then + tar -czf packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_arm64.tar.gz \ + -C build/arm64 \ + phishingclub \ + phishingclub.sig + echo "✅ ARM64 package created with signature" + else + tar -czf packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_arm64.tar.gz \ + -C build/arm64 \ + phishingclub + echo "✅ ARM64 package created without signature" + fi + else + echo "BUILD_ARM not enabled - skipping arm64 package" + fi # - name: Build and push test multi-arch Docker image # uses: docker/build-push-action@v5 @@ -165,26 +200,49 @@ jobs: run: | echo "=== Build Summary ===" echo "" - # amd64 verification disabled for test builds (amd64 build is off) - echo "ARM64 Binary size: $(du -h build/arm64/phishingclub | cut -f1)" - echo "ARM64 Binary info:" - file build/arm64/phishingclub + echo "AMD64 Binary size: $(du -h build/amd64/phishingclub | cut -f1)" + echo "AMD64 Binary info:" + file build/amd64/phishingclub - if [ -f build/arm64/phishingclub.sig ]; then - echo "ARM64 Signature size: $(du -h build/arm64/phishingclub.sig | cut -f1)" + if [ -f build/amd64/phishingclub.sig ]; then + echo "AMD64 Signature size: $(du -h build/amd64/phishingclub.sig | cut -f1)" fi echo "" - echo "ARM64 Package size: $(du -h packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_arm64.tar.gz | cut -f1)" - echo "ARM64 Package contents:" - tar -tzf packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_arm64.tar.gz + echo "AMD64 Package size: $(du -h packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_amd64.tar.gz | cut -f1)" + echo "AMD64 Package contents:" + tar -tzf packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_amd64.tar.gz + + if [ -f build/arm64/phishingclub ]; then + echo "" + echo "ARM64 Binary size: $(du -h build/arm64/phishingclub | cut -f1)" + echo "ARM64 Binary info:" + file build/arm64/phishingclub + + if [ -f build/arm64/phishingclub.sig ]; then + echo "ARM64 Signature size: $(du -h build/arm64/phishingclub.sig | cut -f1)" + fi + + echo "" + echo "ARM64 Package size: $(du -h packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_arm64.tar.gz | cut -f1)" + echo "ARM64 Package contents:" + tar -tzf packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_arm64.tar.gz + else + echo "" + echo "ARM64 not built (BUILD_ARM not enabled)" + fi - name: Upload build artifacts (for review) uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: phishingclub-test-build-${{ steps.get_version.outputs.HASH }} + # arm64 paths are only present when BUILD_ARM is enabled + if-no-files-found: ignore path: | + build/amd64/phishingclub + build/amd64/phishingclub.sig build/arm64/phishingclub build/arm64/phishingclub.sig + packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_amd64.tar.gz packages/phishingclub_${{ steps.get_version.outputs.VERSION }}_linux_arm64.tar.gz retention-days: 2