aheh/MasterHttpRelayVPN-RUST
1
0
Fork 0
mirror of https://github.com/therealaleph/MasterHttpRelayVPN-RUST.git synced 2026-05-18 07:34:36 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
fb552c227d755f7058b1abcd544e6e20ec7a7b03
MasterHttpRelayVPN-RUST/.github/workflows/release.yml
T
therealaleph fb552c227d v1.5.0: long-poll Full Tunnel + Docker tunnel-node + brief FA release notes 
Ships PR #173 (event-driven drain) plus three operational improvements:

PR #173 — long-poll tunnel mode. The tunnel-node's batch drain
switched from a fixed 150 ms sleep to an event-driven Notify wait;
idle sessions long-poll up to 5 s and wake on the first byte from
upstream. Push notifications and chat messages now arrive in roughly
RTT instead of waiting for the next client poll tick. Backward compat
with pre-#173 tunnel-nodes is automatic via a sticky AtomicBool that
detects fast empty replies and reverts to the legacy cadence.
92 client tests + 17 tunnel-node tests pass, including end-to-end
TCP-pair verification of the notify wiring.

Docker image for tunnel-node. Adds a hardened Dockerfile (BuildKit
cache mounts, non-root runtime user, ca-certificates for HTTPS
upstreams) and a .dockerignore to keep build context small. New
`tunnel-docker` job in the release workflow builds + pushes
multi-arch (linux/amd64 + linux/arm64) to
ghcr.io/therealaleph/mhrv-tunnel-node with `:latest`, `:1.5`, and
`:1.5.0` tags on every release. Setting up Full Tunnel mode goes
from "rustup + cargo build on a 1 GB VPS" (which fails on memory
half the time) to a one-liner. tunnel-node/README.md updated with
prebuilt-image + docker-compose recipes.

Brief Persian release note in Telegram caption. The release-post
caption now leads with a `<blockquote>`-wrapped FA bullet headlines
extracted from `docs/changelog/v<ver>.md`, above the existing two
links (repo + release). Markdown links → Telegram HTML <a> for
clickability. Cap-budget-aware truncation at bullet boundaries
keeps total caption under Telegram's 1024-char limit. Headlines-only
rather than full bullets so multiple "what's new" items fit
comfortably (the full bullets remain on the GH release page and as
the optional --with-changelog reply-threaded message).

GitHub Releases page bodies now lead with the changelog content
(Persian section + `---` + English) instead of just a Full Changelog
comparison link. The auto comparison link is appended at the bottom
via `append_body: true` rather than removed.

Workflow changes:
- New `permissions: packages: write` at the workflow level (required
  for ghcr push via docker/login-action).
- New `tunnel-docker` job needs `build` (not the full matrix) to
  serialize the QEMU buildx layer with the matrix cache.
- Release job composes the body from `docs/changelog/v${VER}.md`
  in a pre-step that handles both tag-push and workflow_dispatch
  paths (uses inputs.version || github.ref_name like the rest of
  the workflow).

Tested locally:
- `cargo test` — 92 lib tests pass
- `cargo test -p mhrv-tunnel-node` — 17 tests pass
- `docker build` of tunnel-node Dockerfile — 32 MB image, runs as
  non-root, /health returns "ok", auth rejection works correctly,
  legitimate requests open sessions to remote hosts
- Telegram script `--dry-run` mode added; rendered captions for
  v1.4.0, v1.4.1, v1.5.0 all fit under 900 chars

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 11:56:41 +03:00

720 lines
33 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
name: release
on:
push:
tags:
- 'v*'
# Manual re-trigger for the case where one matrix job (e.g. mipsel-softfloat)
# failed on the original tag push and we've since pushed the build fix to
# main but can't force-move the immutable tag (tag protection rule). Run
# this workflow manually with `version` set to the existing release tag —
# the build matrix runs against the current main, artifacts are uploaded
# to the matching release page, and the release-notes step is a no-op
# (release already exists). Pair with `gh variable set
# TELEGRAM_NOTIFY_ENABLED --body false` before dispatch if you don't want
# the channel re-pinged for what's effectively the same release.
workflow_dispatch:
inputs:
version:
description: 'Existing release tag to upload to (without the leading v). Example: 1.4.0'
required: true
type: string
permissions:
contents: write
# `tunnel-docker` job pushes to ghcr.io/therealaleph/mhrv-tunnel-node.
# `packages: write` is required by docker/login-action when authenticating
# to GHCR with the workflow's auto-provisioned GITHUB_TOKEN. Granted at
# the workflow level so the matrix-build job (which doesn't need it) and
# the release job (which doesn't need it) both still have a single
# well-scoped permissions block.
packages: write
# Runner strategy:
# - Linux + Android + mipsel: self-hosted (mhrv-hetzner-*, Hetzner
# 8-core / 31 GB Ubuntu 24.04 box with
# Rust, Android SDK+NDK, Docker, all
# cross-compile toolchains pre-installed).
# Two runners registered for parallelism.
# - macOS arm64 + amd64, Windows: GitHub-hosted (we don't self-host those
# OSes; the free minutes on a public repo
# are plenty for those two platforms).
#
# Why self-hosted: GH-hosted 2-core runners were spending ~13 min cold per
# release; on the Hetzner box a cold linux-amd64 build is 1m9s, and warm
# builds with Swatinem/rust-cache are sub-minute. Keeps the toolchain warm,
# and more importantly keeps target/ warm via the rust-cache action.
jobs:
build:
strategy:
fail-fast: false
matrix:
include:
# Pin to Ubuntu 22.04 GLIBC target (GLIBC 2.35) so the glibc builds
# load on any distro ≥ Ubuntu 22.04 / Debian 12 / Mint 21 / Fedora 36.
# On self-hosted this is a Rust-side choice (cargo target triple),
# not an OS-of-the-runner choice — the runner itself is Ubuntu 24.04
# (GLIBC 2.39), but we link against the 2.35-era glibc via the
# x86_64-unknown-linux-gnu target triple which pins to the oldest
# GLIBC symbol version rustc is willing to emit. Users behind tight
# internet who can't dist-upgrade keep working.
- target: x86_64-unknown-linux-gnu
os: [self-hosted, linux, x64, mhrv-build]
name: mhrv-rs-linux-amd64
- target: aarch64-unknown-linux-gnu
os: [self-hosted, linux, x64, mhrv-build]
name: mhrv-rs-linux-arm64
- target: arm-unknown-linux-gnueabihf
os: [self-hosted, linux, x64, mhrv-build]
name: mhrv-rs-raspbian-armhf
- target: x86_64-apple-darwin
os: macos-latest
name: mhrv-rs-macos-amd64
- target: aarch64-apple-darwin
os: macos-latest
name: mhrv-rs-macos-arm64
- target: x86_64-pc-windows-gnu
os: windows-latest
name: mhrv-rs-windows-amd64
- target: x86_64-unknown-linux-musl
os: [self-hosted, linux, x64, mhrv-build]
name: mhrv-rs-linux-musl-amd64
- target: aarch64-unknown-linux-musl
os: [self-hosted, linux, x64, mhrv-build]
name: mhrv-rs-linux-musl-arm64
# OpenWRT MT7621 (soft-float mipsel 32-bit). Dozens of cheap
# home routers run this chipset and they *specifically* need
# the soft-float variant — MT7621 has no hardware FPU and a
# hard-float binary segfaults on the first fp op. Tier-3 in
# Rust since 1.72; we build it via messense's musl-cross
# docker image which still has a mipsel-softfloat toolchain.
# `continue-on-error: true` so a regression here doesn't block
# the rest of the release. Issue #26.
- target: mipsel-unknown-linux-musl
os: [self-hosted, linux, x64, mhrv-build]
name: mhrv-rs-openwrt-mipsel-softfloat
mipsel_softfloat: true
runs-on: ${{ matrix.os }}
# mipsel-softfloat is best-effort: the Rust tier-3 target occasionally
# regresses. Letting it fail keeps the main release going so
# desktop/Android users aren't blocked by MT7621 router support.
continue-on-error: ${{ matrix.mipsel_softfloat == true }}
steps:
# Heal any root-owned leftovers from a previous mipsel docker
# build that failed before its post-step chown could run. The
# docker container writes target/ as root, and if cargo errors
# inside the container the outer `sudo chown -R` line never
# executes (bash -e exits on the docker non-zero), leaving root-
# owned files that fail every subsequent `actions/checkout@v4`
# workspace clean with `EACCES: permission denied unlink`. This
# step is a no-op on a clean runner, so cheap to keep always-on.
# Self-hosted only; GitHub-hosted runners get a fresh VM each run.
- name: Pre-checkout — clean root-owned files (self-hosted only)
if: contains(matrix.os, 'self-hosted')
run: |
if [ -d "$GITHUB_WORKSPACE/target" ]; then
sudo rm -rf "$GITHUB_WORKSPACE/target" || true
fi
# Stale .rustc_info.json at the workspace root is the
# specific file `actions/checkout` errors on; nuke any
# other root-owned scraps that may be sitting there too.
sudo find "$GITHUB_WORKSPACE" -maxdepth 2 -uid 0 -exec rm -rf {} + 2>/dev/null || true
- uses: actions/checkout@v4
# Skip the host-level rustup install for mipsel-softfloat — that
# target is tier-3 in stable Rust (no prebuilt stdlib available
# via rustup), and the docker image we use for this build ships
# its own Rust toolchain + std. Trying to pass
# `targets: mipsel-unknown-linux-musl` to dtolnay/rust-toolchain
# errors out with "error: component 'rust-std' for target
# 'mipsel-unknown-linux-musl' is unavailable for download", which
# fails the job before the docker step ever runs.
#
# On self-hosted this action is mostly a no-op: rustup is already
# installed and the standard target triples are pre-added. It
# still verifies the target is present and is cheap enough to keep
# as a safety net.
- uses: dtolnay/rust-toolchain@stable
if: matrix.mipsel_softfloat != true
with:
targets: ${{ matrix.target }}
# Cache target/ + cargo registry across runs — this is the big
# self-hosted speedup. Without it, actions/checkout@v4's default
# `git clean -ffdx` wipes target/ between runs and every build is
# cold. With it, warm builds are sub-minute even for the full
# release profile.
#
# cache-bin: false is MANDATORY on our self-hosted runners. With
# the default (true), rust-cache aggressively prunes $CARGO_HOME/bin
# of binaries it didn't install via `cargo install`, including the
# `rustup` binary that cargo/rustc/etc. are symlinked to. The next
# job then hits "command not found" or a broken-symlink TOML parse
# error from a stale cargo. We want target/ + registry caching, NOT
# bin pruning. rustup is pre-installed on the runners anyway.
- uses: Swatinem/rust-cache@v2
if: matrix.mipsel_softfloat != true
with:
key: ${{ matrix.target }}
cache-bin: "false"
# eframe needs a few system libs on Linux for window management, keyboard,
# and OpenGL/X11/Wayland. Gated to GitHub-hosted runners only — the
# self-hosted runners pre-install all of these once at setup time, and
# letting multiple parallel matrix jobs race on `sudo apt-get install`
# fights over /var/lib/apt/lists/lock and fails them all.
- name: Install Linux eframe system deps
if: runner.os == 'Linux' && runner.environment == 'github-hosted'
run: |
sudo apt-get update
sudo apt-get install -y \
libxkbcommon-dev \
libwayland-dev \
libxcb1-dev libxcb-render0-dev libxcb-shape0-dev libxcb-xfixes0-dev \
libx11-dev \
libgl1-mesa-dev libglib2.0-dev libgtk-3-dev
# Cross-compile toolchains. Same story as above — gated to hosted
# runners; self-hosted has gcc-aarch64-linux-gnu + gcc-arm-linux-gnueabihf
# pre-installed, and the linker entries live in
# /home/ghrunner/cargo-{01,02}/config.toml (seeded once at runner
# setup time, picked up via CARGO_HOME env).
- name: Install aarch64 cross-compile toolchain (Linux only)
if: matrix.target == 'aarch64-unknown-linux-gnu' && runner.environment == 'github-hosted'
run: |
sudo apt-get update
sudo apt-get install -y gcc-aarch64-linux-gnu
echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config.toml
echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config.toml
- name: Install armhf cross-compile toolchain (Linux only)
if: matrix.target == 'arm-unknown-linux-gnueabihf' && runner.environment == 'github-hosted'
run: |
sudo apt-get update
sudo apt-get install -y gcc-arm-linux-gnueabihf
echo '[target.arm-unknown-linux-gnueabihf]' >> ~/.cargo/config.toml
echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config.toml
- name: Install Windows MinGW toolchain
if: matrix.target == 'x86_64-pc-windows-gnu'
id: msys2
uses: msys2/setup-msys2@v2
with:
msystem: MINGW64
update: true
install: mingw-w64-x86_64-gcc
- name: Configure Windows GNU linker
if: matrix.target == 'x86_64-pc-windows-gnu'
shell: pwsh
run: |
$gcc = "${{ steps.msys2.outputs.msys2-location }}\mingw64\bin\gcc.exe" -replace '\\','/'
New-Item -ItemType Directory -Force -Path $env:USERPROFILE/.cargo | Out-Null
Add-Content -Path $env:USERPROFILE/.cargo/config.toml -Value '[target.x86_64-pc-windows-gnu]'
Add-Content -Path $env:USERPROFILE/.cargo/config.toml -Value "linker = '$gcc'"
- name: Build CLI
if: "!endsWith(matrix.target, '-linux-musl')"
run: cargo build --release --target ${{ matrix.target }} --bin mhrv-rs
# Fully-static musl builds for OpenWRT / Alpine / libc-less systems.
# messense/rust-musl-cross ships a pre-built musl toolchain so `ring`
# (rustls' crypto backend) cross-compiles cleanly on both archs.
- name: Build CLI (musl via docker)
if: matrix.target == 'x86_64-unknown-linux-musl'
run: |
docker run --rm -v "$PWD":/src -w /src \
messense/rust-musl-cross:x86_64-musl \
cargo build --release --target x86_64-unknown-linux-musl --bin mhrv-rs
sudo chown -R "$(id -u):$(id -g)" target
- name: Build CLI (musl via docker, arm64)
if: matrix.target == 'aarch64-unknown-linux-musl'
run: |
docker run --rm -v "$PWD":/src -w /src \
messense/rust-musl-cross:aarch64-musl \
cargo build --release --target aarch64-unknown-linux-musl --bin mhrv-rs
sudo chown -R "$(id -u):$(id -g)" target
# OpenWRT MT7621 / mipsel-softfloat. messense doesn't publish a
# `:mipsel-musl-softfloat` tag — the mipsel-musl image is
# hardfloat. We build soft-float anyway via
# `RUSTFLAGS=-C target-feature=+soft-float` + `-Z build-std` so
# libstd itself is recompiled to emit soft-float code. The
# gcc/musl shipping in the image is hardfloat but we never link
# anything more than libc (`ring` is pure asm for the crypto
# that matters), so musl's lack of softfloat libm doesn't bite.
# Requires nightly Rust since mipsel is Rust tier 3 in the
# stable channel — no prebuilt std.
- name: Build CLI (mipsel-softfloat via docker)
if: matrix.target == 'mipsel-unknown-linux-musl' && matrix.mipsel_softfloat == true
# The inner script is single-quoted so the `#` lines stay as
# real comments. An earlier version of this step used
# `sh -c "... \` (backslash-continuation inside a
# double-quoted YAML folded string) which collapsed into one
# line — the first `#` then commented out everything after it,
# reducing the whole docker payload to `set -eux;` and failing
# silently at the post-docker chown. Heredoc-style single
# quotes preserve newlines verbatim; no comment collapse.
run: |
# Always chown back, even if docker exits non-zero. The previous
# form (`docker run …; sudo chown …`) ran chown only on success
# because bash -e short-circuits on the docker failure; that
# left target/ root-owned and broke `actions/checkout@v4` on
# every subsequent self-hosted run with EACCES on
# target/.rustc_info.json. The `trap … EXIT` runs the chown
# whether docker succeeded or failed, so a transient mipsel
# compile regression never poisons the runner workspace.
set +e
trap 'sudo chown -R "$(id -u):$(id -g)" target 2>/dev/null || true' EXIT
docker run --rm -v "$PWD":/src -w /src \
-e RUSTFLAGS='-C target-feature=+soft-float' \
messense/rust-musl-cross:mipsel-musl \
bash -c '
set -eux
# The image ships a pre-installed nightly that rustup
# cannot upgrade in place — `clippy-preview/share/doc/clippy/README.md`
# is missing from the pre-bake, and rustup errors with
# "failure removing component clippy-preview". Nuke it
# first, then install fresh.
rustup toolchain uninstall nightly 2>/dev/null || true
rustup toolchain install nightly --profile minimal
rustup component add rust-src --toolchain nightly
cargo +nightly build --release \
-Z build-std=std,panic_abort \
--target mipsel-unknown-linux-musl \
--bin mhrv-rs
'
rc=$?
# `trap … EXIT` will fire the chown on shell exit — the explicit
# exit here just propagates the docker exit code as the step
# status (success vs continue-on-error path).
exit $rc
# UI build: we try to build the UI binary on every platform. If it fails
# on cross-compile for linux-arm64 (missing arm64 system libs cross),
# we still ship the CLI. We also skip the UI on musl targets (OpenWRT etc.
# are headless, bundling X11 makes no sense).
- name: Build UI
if: matrix.target != 'aarch64-unknown-linux-gnu' && matrix.target != 'arm-unknown-linux-gnueabihf' && !endsWith(matrix.target, '-linux-musl')
run: cargo build --release --target ${{ matrix.target }} --features ui --bin mhrv-rs-ui
- name: Package (unix)
if: runner.os != 'Windows'
run: |
mkdir -p dist
cp target/${{ matrix.target }}/release/mhrv-rs dist/mhrv-rs
chmod +x dist/mhrv-rs
if [ -f target/${{ matrix.target }}/release/mhrv-rs-ui ]; then
cp target/${{ matrix.target }}/release/mhrv-rs-ui dist/mhrv-rs-ui
chmod +x dist/mhrv-rs-ui
fi
# OpenWRT / musl archives get the procd init script instead of run.sh,
# since routers don't have a CA to install and run headless via procd.
case "${{ matrix.target }}" in
*-linux-musl)
cp assets/openwrt/mhrv-rs.init dist/mhrv-rs.init
chmod +x dist/mhrv-rs.init
;;
*)
cp assets/launchers/run.sh dist/run.sh
chmod +x dist/run.sh
if [ "${{ runner.os }}" = "macOS" ]; then
cp assets/launchers/run.command dist/run.command
chmod +x dist/run.command
fi
;;
esac
- name: Build macOS .app bundle
if: runner.os == 'macOS'
run: |
# Tag push: $GITHUB_REF == "refs/tags/v1.4.0", strip "refs/tags/v".
# workflow_dispatch: inputs.version comes in as e.g. "1.4.0".
# Fall back to ref_name (the bare branch/tag name) and strip a
# possible leading "v" so both paths produce the bare version.
VER="${{ inputs.version || github.ref_name }}"
VER="${VER#v}"
./assets/macos/build-app.sh dist/mhrv-rs-ui "$VER" dist
# Make a clean zip of just the .app for the release
cd dist
zip -qry "${{ matrix.name }}-app.zip" mhrv-rs.app
- name: Package (windows)
if: runner.os == 'Windows'
shell: pwsh
run: |
New-Item -ItemType Directory -Force -Path dist | Out-Null
Copy-Item target/${{ matrix.target }}/release/mhrv-rs.exe dist/mhrv-rs.exe
if (Test-Path target/${{ matrix.target }}/release/mhrv-rs-ui.exe) {
Copy-Item target/${{ matrix.target }}/release/mhrv-rs-ui.exe dist/mhrv-rs-ui.exe
}
Copy-Item assets/launchers/run.bat dist/run.bat
- name: Make archive
shell: bash
run: |
cd dist
case "${{ matrix.target }}" in
*-pc-windows-*)
7z a -tzip "${{ matrix.name }}.zip" mhrv-rs.exe mhrv-rs-ui.exe run.bat
;;
*-apple-darwin)
tar czf "${{ matrix.name }}.tar.gz" mhrv-rs mhrv-rs-ui run.sh run.command
;;
*-linux-musl)
tar czf "${{ matrix.name }}.tar.gz" mhrv-rs mhrv-rs.init
;;
*)
tar czf "${{ matrix.name }}.tar.gz" mhrv-rs mhrv-rs-ui run.sh 2>/dev/null || tar czf "${{ matrix.name }}.tar.gz" mhrv-rs run.sh
;;
esac
- uses: actions/upload-artifact@v4
with:
name: ${{ matrix.name }}
path: |
dist/${{ matrix.name }}.tar.gz
dist/${{ matrix.name }}.zip
dist/${{ matrix.name }}-app.zip
if-no-files-found: ignore
# Android build — separate job so it doesn't inflate the matrix. The
# Rust side here cross-compiles to FOUR ABIs (arm64-v8a, armeabi-v7a,
# x86_64, x86) via cargo-ndk and drops the .so files into the Gradle
# project's jniLibs/ tree, which then packages them into a single
# universal APK. Users pick it once, no per-ABI split.
#
# Runs on self-hosted. The runner has Android SDK + NDK r26c + cargo-ndk
# pre-installed under /opt/android-sdk; the env block below points Gradle
# at those paths so we don't re-download ~1 GB of SDK per release.
android:
runs-on: [self-hosted, linux, x64, mhrv-build]
env:
ANDROID_SDK_ROOT: /opt/android-sdk
ANDROID_HOME: /opt/android-sdk
ANDROID_NDK_HOME: /opt/android-sdk/ndk/26.2.11394342
ANDROID_NDK_ROOT: /opt/android-sdk/ndk/26.2.11394342
JAVA_HOME: /usr/lib/jvm/java-17-openjdk-amd64
steps:
- uses: actions/checkout@v4
# Rust toolchain: idempotent on self-hosted (targets already present),
# kept here so the workflow still works if we ever run it on a GH-hosted
# fallback.
- uses: dtolnay/rust-toolchain@stable
with:
targets: aarch64-linux-android,armv7-linux-androideabi,x86_64-linux-android,i686-linux-android
# Cache cargo + target/ across Android release builds. Four cargo-ndk
# release builds back-to-back with LTO is where the cold cost comes
# from; rust-cache brings warm runs down to ~34 min from ~9 min cold.
# cache-bin: false — see the rationale on the matrix build job above.
# On top of that, `cargo-ndk` lives in /usr/local/bin/ on our runners
# (not $CARGO_HOME/bin), specifically so rust-cache's default bin
# pruning can't delete it.
- uses: Swatinem/rust-cache@v2
with:
key: android-universal
cache-bin: "false"
# cargo-ndk writes into `target/<android-triple>/release/`, all
# four of which we want to cache.
workspaces: |
. -> target
# `./gradlew :app:assembleRelease` triggers cargoBuildRelease first
# which invokes cargo-ndk with all four targets, then Gradle packages
# the APK (release buildType signed with the committed release.jks —
# see android/app/build.gradle.kts comment explaining why).
- name: Build release APK
working-directory: android
run: |
chmod +x ./gradlew
./gradlew :app:assembleRelease --no-daemon --stacktrace
- name: Rename APKs with version
working-directory: android
run: |
VER="${{ inputs.version || github.ref_name }}"
VER="${VER#v}"
mkdir -p ../dist
# With splits.abi enabled in build.gradle.kts (issue #136), AGP
# emits:
# app-universal-release.apk — all 4 ABIs bundled (~50 MB)
# app-arm64-v8a-release.apk — modern 64-bit ARM (~15 MB)
# app-armeabi-v7a-release.apk — older 32-bit ARM
# app-x86_64-release.apk — emulator on Intel Macs / Chromebook
# app-x86-release.apk — legacy 32-bit Intel emulator
#
# We publish all of them so users behind narrow / flaky
# censorship tunnels can grab the per-ABI APK that matches
# their device (~15 MB) instead of the ~50 MB universal.
# Universal stays named `mhrv-rs-android-universal-v*.apk` so
# existing download links and Telegram mirrors keep working.
declare -A ABI_TO_OUTNAME=(
["universal"]="mhrv-rs-android-universal-v${VER}.apk"
["arm64-v8a"]="mhrv-rs-android-arm64-v8a-v${VER}.apk"
["armeabi-v7a"]="mhrv-rs-android-armeabi-v7a-v${VER}.apk"
["x86_64"]="mhrv-rs-android-x86_64-v${VER}.apk"
["x86"]="mhrv-rs-android-x86-v${VER}.apk"
)
missing=0
for abi in "${!ABI_TO_OUTNAME[@]}"; do
SRC="app/build/outputs/apk/release/app-${abi}-release.apk"
if [ -f "$SRC" ]; then
cp "$SRC" "../dist/${ABI_TO_OUTNAME[$abi]}"
ls -la "../dist/${ABI_TO_OUTNAME[$abi]}"
else
echo "::warning::missing expected APK: $SRC"
missing=$((missing + 1))
fi
done
# Require at least the universal — if that's missing something
# is genuinely broken and we should fail loud rather than ship
# a partial release.
if [ ! -f "../dist/mhrv-rs-android-universal-v${VER}.apk" ]; then
echo "::error::universal APK missing; actual outputs:"
find app/build/outputs/apk -type f -name '*.apk' -print
exit 1
fi
if [ "$missing" -gt 0 ]; then
echo "::warning::$missing per-ABI APK(s) missing; continuing with universal + whatever built"
fi
- uses: actions/upload-artifact@v4
with:
name: mhrv-rs-android-universal
path: dist/*.apk
if-no-files-found: error
# Build + publish the tunnel-node Docker image to GHCR. Issue: every
# full-mode user has to set up tunnel-node on a VPS, and "rustup +
# cargo build --release" on a 1GB VPS is non-trivial — fails on memory,
# takes 8+ minutes if it works, blocks anyone without Rust experience.
# A prebuilt multi-arch image makes deployment a one-liner:
# docker run -d -p 8080:8080 -e TUNNEL_AUTH_KEY=... \
# ghcr.io/therealaleph/mhrv-tunnel-node:latest
#
# Tags published per release:
# v1.5.0 — exact version pin
# 1.5 — auto-following minor
# latest — most recent release (skipped on workflow_dispatch
# re-publishes; see `latest` condition below)
#
# Build platforms: linux/amd64 and linux/arm64. Most VPS providers
# (DigitalOcean, Hetzner, Oracle Free Tier) offer arm64 instances at
# half price, and the binary works on both.
tunnel-docker:
needs: build
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
# Compute the version string the same way the rest of the workflow
# does: tag pushes get it from github.ref_name (e.g. "v1.5.0"),
# workflow_dispatch from the explicit `inputs.version` (e.g.
# "1.5.0"). Strip a possible leading "v" so the docker tag namespace
# is consistent: `:1.5.0`, not `:v1.5.0`.
- name: Compute version
id: ver
run: |
VER="${{ inputs.version || github.ref_name }}"
VER="${VER#v}"
MINOR="${VER%.*}"
echo "version=${VER}" >> "$GITHUB_OUTPUT"
echo "minor=${MINOR}" >> "$GITHUB_OUTPUT"
echo "Building docker for v${VER} (minor: ${MINOR})"
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Build for both amd64 and arm64. `:latest` is only updated on
# actual tag pushes — workflow_dispatch re-runs on an existing
# version (e.g. for the v1.4.0 mipsel republish) shouldn't move
# the latest pointer.
- name: Build and push image
uses: docker/build-push-action@v6
with:
context: ./tunnel-node
file: ./tunnel-node/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: |
ghcr.io/${{ github.repository_owner }}/mhrv-tunnel-node:${{ steps.ver.outputs.version }}
ghcr.io/${{ github.repository_owner }}/mhrv-tunnel-node:${{ steps.ver.outputs.minor }}
${{ github.event_name == 'push' && format('ghcr.io/{0}/mhrv-tunnel-node:latest', github.repository_owner) || '' }}
cache-from: type=gha
cache-to: type=gha,mode=max
# release + telegram: lightweight aggregation jobs kept on GH-hosted
# ubuntu-latest. They only download artifacts and call APIs — no build
# tooling needed, no benefit from moving to self-hosted, and keeping them
# off the self-hosted runners avoids contention with Linux build jobs from
# the next tag if two releases overlap.
release:
needs: [build, android]
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/download-artifact@v4
with:
path: dist
merge-multiple: true
# Compose the GitHub release body from `docs/changelog/v<ver>.md`
# so the Releases page tells humans what actually changed —
# `generate_release_notes: true` alone produces "Full Changelog:
# …compare/v1.x.0...v1.x.1" which is empty when no PRs landed
# between tags (e.g. for fix-forward releases like v1.4.1). The
# changelog file already exists for every release in our format
# (Persian section, then `---`, then English section); we wrap it
# with a header and append the auto-generated commit list at the
# bottom by NOT setting body_path and instead setting body
# directly to changelog_content + (the existing
# generate_release_notes flag handles the trailing comparison
# link automatically).
- name: Compose release body
id: relbody
run: |
VER="${{ inputs.version || github.ref_name }}"
VER="${VER#v}"
CHANGELOG="docs/changelog/v${VER}.md"
if [ ! -f "$CHANGELOG" ]; then
echo "::warning::no changelog at $CHANGELOG; release body will fall back to generate_release_notes only"
echo "has_changelog=false" >> "$GITHUB_OUTPUT"
exit 0
fi
{
echo 'body<<__RELEASE_BODY_EOF__'
# Strip leading HTML comment that documents the file format.
sed -e '1{/^<!--/d;}' "$CHANGELOG"
echo
echo '__RELEASE_BODY_EOF__'
} >> "$GITHUB_OUTPUT"
echo "has_changelog=true" >> "$GITHUB_OUTPUT"
- name: Release
uses: softprops/action-gh-release@v2
with:
# On tag push, action-gh-release defaults tag_name to the
# current ref. On workflow_dispatch the ref is `main` (or
# whichever branch we dispatched from), which would create a
# bogus release named "main"; force the tag explicitly so
# artifacts upload to the existing release identified by
# `inputs.version`. The leading `v` is preserved (release
# tags are `v1.4.0`, not `1.4.0`).
tag_name: ${{ inputs.version && format('v{0}', inputs.version) || github.ref_name }}
files: dist/*
# Append auto-generated comparison link AFTER our changelog
# body — `append_body: true` puts our body first, then the
# auto notes. If no changelog file existed, body is empty and
# the auto notes carry the whole release-page content (same
# behavior as before this change).
body: ${{ steps.relbody.outputs.body }}
append_body: true
generate_release_notes: true
# Notify the Persian-speaking Telegram channel with the CI-built
# Android APK + its sha256 + the per-version changelog from
# `docs/changelog/v<tag>.md`.
#
# Two Telegram API calls:
# 1. sendDocument — APK file + a short caption (Telegram caps
# captions at 1024 chars, and we have bigger changelogs than
# that).
# 2. sendMessage — full changelog as a reply to #1, Persian
# quote-block first then English, same pattern as the
# previous manual post. No emojis, as the user asked.
#
# Needs two repo secrets:
# TELEGRAM_BOT_TOKEN — bot the channel admits as poster
# TELEGRAM_CHAT_ID — numeric chat id (starts with -100...)
# Missing either => the whole job is skipped (not failed) so a
# forker who hasn't set up a Telegram channel gets a clean release.
telegram:
needs: [android, release]
runs-on: ubuntu-latest
# Gated on the repo variable `TELEGRAM_NOTIFY_ENABLED`. Default is
# OFF — the job skips silently unless the variable is set to the
# literal string "true". Toggle via:
#
# gh variable set TELEGRAM_NOTIFY_ENABLED --body true
# gh variable set TELEGRAM_NOTIFY_ENABLED --body false
#
# Keeping the machinery (script + secrets) in place so flipping
# the switch back on is a one-liner, not a workflow edit.
if: ${{ vars.TELEGRAM_NOTIFY_ENABLED == 'true' && needs.android.result == 'success' }}
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: mhrv-rs-android-universal
path: apk
- name: Post to Telegram
env:
BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }}
CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}
INCLUDE_CHANGELOG: ${{ vars.TELEGRAM_INCLUDE_CHANGELOG }}
# Python over curl/bash so we don't have to fight curl's -F
# value-interpretation rules. curl treats `-F "caption=<..."`
# as "read the caption from file named ..." when the value
# starts with `<`, which matches our `<b>` HTML-bold tags and
# silently turns the whole job into a "file not found" exit
# 26. Python stdlib has no such wart.
run: |
set -euo pipefail
VER="${{ inputs.version || github.ref_name }}"
VER="${VER#v}"
APK="apk/mhrv-rs-android-universal-v${VER}.apk"
if [ -z "${BOT_TOKEN:-}" ] || [ -z "${CHAT_ID:-}" ]; then
echo "::notice::TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID not set, skipping Telegram post"
exit 0
fi
if [ ! -f "$APK" ]; then
echo "::error::expected $APK to exist; got:"
ls -la apk/
exit 1
fi
# --with-changelog is opt-in. Default post is just the APK
# plus a short caption with the SHA-256, repo URL, and release
# URL — no long body. To include the Persian/English bullets
# for a specific tag, set the repo variable
# TELEGRAM_INCLUDE_CHANGELOG=true before pushing that tag.
INCLUDE_CHANGELOG_FLAG=""
if [ "${INCLUDE_CHANGELOG:-}" = "true" ]; then
INCLUDE_CHANGELOG_FLAG="--with-changelog"
fi
python3 .github/scripts/telegram_release_notify.py \
--apk "$APK" \
--version "$VER" \
--repo "$GITHUB_REPOSITORY" \
--changelog "docs/changelog/v${VER}.md" \
$INCLUDE_CHANGELOG_FLAG
Reference in New Issue View Git Blame Copy Permalink