directus/.github/workflows/release.yml

name: Release

on:
  push:
    tags:
      - 'v[0-9]*'

permissions:
  contents: write
  packages: write
  attestations: write
  id-token: write

env:
  GHCR_IMAGE: ghcr.io/${{ github.repository }}
  DOCKERHUB_IMAGE: docker.io/${{ github.repository }}
  COSIGN_REPOSITORY: docker.io/${{ github.repository }}-signatures

jobs:
  check-version:
    name: Check Version
    runs-on: ubuntu-latest
    outputs:
      prerelease: ${{ steps.version.outputs.prerelease && true || false }}
    steps:
      - name: Check version
        uses: madhead/semver-utils@v4
        id: version
        with:
          version: ${{ github.ref_name }}
          lenient: false

  create-release:
    name: Create Release
    runs-on: ubuntu-latest
    needs: check-version
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Create release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release create \
            "$GITHUB_REF_NAME" \
            ${{ needs.check-version.outputs.prerelease == 'true' && '--prerelease' || '' }} \
            --notes "Directus $GITHUB_REF_NAME"

  publish-npm:
    name: Publish to NPM
    runs-on: ubuntu-latest
    needs: check-version
    permissions:
      actions: write
      attestations: write
      checks: write
      contents: write
      deployments: write
      discussions: write
      id-token: write
      issues: write
      models: read
      packages: write
      pages: write
      pull-requests: write
      security-events: write
      statuses: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Prepare
        uses: ./.github/actions/prepare
        with:
          registry: https://registry.npmjs.org

      - name: Publish packages to NPM
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: true
        run: |
          pnpm --recursive publish \
            --access=public \
            --no-git-checks \
            --tag ${{ needs.check-version.outputs.prerelease == 'true' && 'canary'  || 'latest' }}

  build-images:
    name: Build Images
    runs-on: ubuntu-latest
    needs: check-version
    permissions:
      actions: write
      attestations: write
      checks: write
      contents: write
      deployments: write
      discussions: write
      id-token: write
      issues: write
      models: read
      packages: write
      pages: write
      pull-requests: write
      security-events: write
      statuses: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup QEMU
        uses: docker/setup-qemu-action@v3

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3
        if: env.DOCKERHUB_IMAGE

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Cache Docker layers
        uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Extract metadata for Docker image
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.DOCKERHUB_IMAGE }}
            ${{ env.GHCR_IMAGE }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=raw,value=canary,enable=${{ needs.check-version.outputs.prerelease }}

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        if: env.DOCKERHUB_IMAGE
        with:
          registry: docker.io
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Login to GHCR
        uses: docker/login-action@v3
        if: env.GHCR_IMAGE
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v6
        id: build-and-push
        with:
          context: .
          file: ./Dockerfile
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64
          push: true
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new

      - name: Sign Docker Hub image with GitHub OIDC Token
        if: env.DOCKERHUB_IMAGE
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: cosign sign --yes --recursive ${DOCKERHUB_IMAGE}@${DIGEST}

      # Temp fix:
      # https://github.com/docker/build-push-action/issues/252
      # https://github.com/moby/buildkit/issues/1896
      - name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache