From 55de46f92ae2700e8566e8921b4ff2e7096e33e0 Mon Sep 17 00:00:00 2001
From: Lindsay Holmwood
Date: Thu, 29 Jan 2026 18:05:59 +1100
Subject: [PATCH 1/5] docs: explain intention of job triggers
---
 .github/workflows/release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2e11a01f..7170a31d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,11 +1,11 @@
 name: Release
 on:
-  push:
+  push: # publish to `main` tag on Docker Hub on merge to main: https://hub.docker.com/layers/cipherstash/proxy/main
     branches:
       - main
-  release:
+  release: # for cutting a numbered release (e.g. v2.1.9)
     types: [published]
-  workflow_dispatch:
+  workflow_dispatch: # for running the workflow on an arbitrary branch or commit
 env:
   REGISTRY_IMAGE: cipherstash/proxy
From 3935fde9bea6fd9e7191f15db6dd84d5b7d307dc Mon Sep 17 00:00:00 2001
From: Lindsay Holmwood
Date: Thu, 29 Jan 2026 23:50:11 +1100
Subject: [PATCH 2/5] fix(ci): lock version of cargo-binstall to one that builds
---
 mise.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mise.toml b/mise.toml
index bec9e764..79f71d6d 100644
--- a/mise.toml
+++ b/mise.toml
@@ -38,7 +38,7 @@ CS_EQL_VERSION = "eql-2.2.1"
 [tools]
-"cargo:cargo-binstall" = "latest"
+"cargo:cargo-binstall" = "1.17.3"
 "cargo:cargo-nextest" = "latest"
 "cargo:cargo-sort" = "latest"
From 06d27efcf750710b0efd526fe20f12f7a96a825f Mon Sep 17 00:00:00 2001
From: Lindsay Holmwood
Date: Thu, 29 Jan 2026 23:51:34 +1100
Subject: [PATCH 3/5] chore: upgrade mise in CI
---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7170a31d..80b96035 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -45,8 +45,8 @@ jobs:
           cache-all-crates: true
       - uses: jdx/mise-action@v2
         with:
-          version: 2025.1.6 # [default: latest] mise version to install
-          install: true # [default: true] run `mise install`
+          version: 2026.1.6 # [default: latest] mise version to install
+          install: false # [default: true] run `mise install`
           cache: ${{ github.event_name != 'pull_request' }} # cache mise using GitHub's cache if running in a PR
       - run: |
           mise run build --platform ${{matrix.build.docker_platform}} --target ${{matrix.build.rust_target}}
From 711466febbe246a0257933eb11d233a0a77210f3 Mon Sep 17 00:00:00 2001
From: Lindsay Holmwood
Date: Thu, 29 Jan 2026 23:52:36 +1100
Subject: [PATCH 4/5] ci: switch back to GitHub runner for arm64
Because it's faster
---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 80b96035..c90b4aca 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,8 +17,8 @@ jobs:
       fail-fast: false
       matrix:
         build:
-          - { os: blacksmith-16vcpu-ubuntu-2204, docker_platform: linux/amd64, rust_target: "x86_64-unknown-linux-gnu" }
-          - { os: blacksmith-16vcpu-ubuntu-2404-arm, docker_platform: linux/arm64, rust_target: "aarch64-unknown-linux-gnu" }
+          - { os: blacksmith-16vcpu-ubuntu-2404, docker_platform: linux/amd64, rust_target: "x86_64-unknown-linux-gnu" }
+          - { os: linux-arm64-public, docker_platform: linux/arm64, rust_target: "aarch64-unknown-linux-gnu" }
     env:
       CS_ZEROKMS_HOST: https://us-east-1.aws.zerokms.cipherstashmanaged.net
       CS_CTS_HOST: https://ap-southeast-2.aws.cts.cipherstashmanaged.net
From 2d5fde15b2f37844b3775654186a037a6d6d22d3 Mon Sep 17 00:00:00 2001
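Review bot: `install: false` on the new side stops jdx/mise-action from running `mise install`, a behaviour change the commit title ("upgrade mise in CI") does not mention, and the `mise run build` step that follows presumably still needs the tools declared in mise.toml (including the cargo-binstall pinned in the previous patch); if the build task installs them itself, say so on the line, e.g. `install: false # [default: true] tools are installed by the build task itself`, otherwise keep `install: true`. Separately, the action is referenced through the mutable tag `jdx/mise-action@v2` (context line above); a workflow that pushes images to Docker Hub is a good place to pin third-party actions to a full commit SHA with the tag kept in a trailing comment. The enclosing job starts outside the hunk.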
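Review bot: Besides the arm64 switch the commit describes, the amd64 runner also moves from `blacksmith-16vcpu-ubuntu-2204` to `blacksmith-16vcpu-ubuntu-2404`; if the build compiles on the host rather than inside the Docker platform build, the newer runner raises the glibc baseline of the `x86_64-unknown-linux-gnu` binary, so confirm that is intended and mention it in the message. The `linux-arm64-public` label is, per the title, a GitHub-hosted runner; it would help future readers to note that beside the entry, e.g. `# GitHub-hosted arm64 runner; faster than the Blacksmith one`. The matrix's enclosing job begins outside the hunk.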
From: Lindsay Holmwood
Date: Thu, 29 Jan 2026 23:53:19 +1100
Subject: [PATCH 5/5] ci: run the release workflow when changes in PRs
This won't publish the image, but it will build as much of it as possible, and indicate if the release may fail.
---
 .github/workflows/release.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c90b4aca..54f43c6b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,11 @@ on:
   push: # publish to `main` tag on Docker Hub on merge to main: https://hub.docker.com/layers/cipherstash/proxy/main
     branches:
       - main
+  pull_request: # run the release workflow when changes are made to it in PRs
+    branches:
+      - main
+    paths:
+      - '.github/workflows/release.yml'
   release: # for cutting a numbered release (e.g. v2.1.9)
     types: [published]
   workflow_dispatch: # for running the workflow on an arbitrary branch or commit
@@ -107,6 +112,8 @@ jobs:
     timeout-minutes: 30
     needs:
       - build
+    env:
+      publish: ${{contains(fromJSON('["push", "release"]'), github.event_name)}}
     steps:
       - uses: actions/checkout@v4
@@ -151,15 +158,19 @@ jobs:
       - name: Create manifest list and push
         working-directory: ${{ runner.temp }}/digests
+        env:
+          DRY_RUN: ${{case(fromJSON(env.publish),' ','--dry-run')}} # run the `docker buildx` command with --dry-run if we're not publishing a release
         run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+          docker buildx imagetools create ${{ env.DRY_RUN }} $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
             $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
       - name: Inspect image
+        if: ${{ fromJSON(env.publish) }}
         run: |
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
       - name: Notify Multitudes
+        if: ${{ fromJSON(env.publish) }}
         run: |
           curl --request POST \
             --fail-with-body \
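Review bot: The new `pull_request` trigger is only gated further down, at the manifest, inspect and notify steps; the build job, its registry login and whatever pushes the per-platform images whose digests the manifest step later reads (`@sha256:%s`) are outside this patch and presumably still run on every PR touching this file, and for PRs from forks the repository secrets are unavailable, so those runs would fail at the login rather than "indicate if the release may fail". Worth confirming that the build job tolerates a missing registry credential on `pull_request` (or limiting it with an `if:`), and noting the limitation in the trigger's comment, e.g. `pull_request: # build-only dry run; publishing is skipped, fork PRs lack registry credentials`. The mise-action's `cache: ${{ github.event_name != 'pull_request' }}` (visible in an earlier hunk of this series) now disables the mise cache for exactly these runs while its inline comment claims the opposite, so that comment should be corrected too.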
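Review bot: `publish` is true only for `push` and `release`, so a `workflow_dispatch` run — which the trigger comment at the top of the file describes as running the workflow on an arbitrary branch or commit — now creates the manifest with `--dry-run` and skips the Inspect and Notify steps; if manual runs are meant to publish, the list needs the third event, `publish: ${{ contains(fromJSON('["push", "release", "workflow_dispatch"]'), github.event_name) }}`, otherwise the `workflow_dispatch:` comment should say that manual runs are dry runs. Its consumer in the next hunk, `DRY_RUN: ${{case(fromJSON(env.publish),' ','--dry-run')}}`, relies on a `case` function that I do not believe exists in the GitHub Actions expression language, which would make the workflow fail to parse; the usual conditional is `DRY_RUN: ${{ fromJSON(env.publish) && ' ' || '--dry-run' }}`, where the non-empty `' '` keeps the `&&` branch truthy. The enclosing job starts outside the hunk.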