From cec46716b6ccf5c1e89b8ddcd7532aa463d9b242 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 09:09:08 +0200 Subject: [PATCH 01/15] build docker images on PR Sometimes we want people to test features in PRs and not everyone is used to using git, build go and docker. This commit builds docker containers and pushes them to GHCR (not dockerhub) for testing on pushes to branches that has open pull requests to main using Ko. This is configured to mimic the debug images produced by goreleaser. Signed-off-by: Kristoffer Dalby --- .github/workflows/build-docker-pr.yml | 71 +++++++++++++++++++++++++++ .github/workflows/build.yml | 51 +++++++------------ .goreleaser.yml | 2 - .ko.yaml | 16 ++++++ 4 files changed, 104 insertions(+), 36 deletions(-) create mode 100644 .github/workflows/build-docker-pr.yml create mode 100644 .ko.yaml diff --git a/.github/workflows/build-docker-pr.yml b/.github/workflows/build-docker-pr.yml new file mode 100644 index 00000000..09c5cd34 --- /dev/null +++ b/.github/workflows/build-docker-pr.yml 
@@ -0,0 +1,71 @@
+name: Build
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions: write-all
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 2
+ - name: Get changed files
+ id: changed-files
+ uses: dorny/paths-filter@v3
+ with:
+ filters: |
+ files:
+ - '*.nix'
+ - 'go.*'
+ - '**/*.go'
+ - 'integration_test/'
+ - 'config-example.yaml'
+ - uses: DeterminateSystems/nix-installer-action@main
+ if: steps.changed-files.outputs.files == 'true'
+ - uses: DeterminateSystems/magic-nix-cache-action@main
+ if: steps.changed-files.outputs.files == 'true'
+
+ - name: Run build
+ id: build
+ if: steps.changed-files.outputs.files == 'true'
+ run: |
+ nix build |& tee build-result
+ BUILD_STATUS="${PIPESTATUS[0]}"
+
+ OLD_HASH=$(cat build-result | grep specified: | awk -F ':' '{print $2}' | sed 's/ //g')
+ NEW_HASH=$(cat build-result | grep got: | awk -F ':' '{print $2}' | sed 's/ //g')
+
+ echo "OLD_HASH=$OLD_HASH" >> $GITHUB_OUTPUT
+ echo "NEW_HASH=$NEW_HASH" >> $GITHUB_OUTPUT
+
+ exit $BUILD_STATUS
+
+ - name: Nix gosum diverging
+ uses: actions/github-script@v6
+ if: failure() && steps.build.outcome == 'failure'
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ github.rest.pulls.createReviewComment({
+ pull_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}'
+ })
+
+ - uses: actions/upload-artifact@v4
+ if: steps.changed-files.outputs.files == 'true'
+ with:
+ name: headscale-linux
+ path: result/bin/headscale
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 09c5cd34..1e7c4723 100644
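Review bot: `permissions: write-all` on the `build` job hands the job token every scope on a workflow that also runs on `pull_request`, while the steps only need `contents: read` plus `pull-requests: write` for the `Nix gosum diverging` review comment; write it as `permissions:` / `  contents: read` / `  pull-requests: write`. The concurrency group `${{ github.workflow }}-$${{ github.head_ref || github.run_id }}` carries a doubled dollar, which leaves a literal `$` in the group name and looks like a typo. The file name also does not match its content: this new `build-docker-pr.yml` holds the existing Nix build, while the Docker/ko build goes into `build.yml` in the same commit, so the two names appear swapped.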
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,9 +1,6 @@ -name: Build +name: Build Docker images for PRs on: - push: - branches: - - main pull_request: branches: - main @@ -36,36 +33,22 @@ jobs: - uses: DeterminateSystems/magic-nix-cache-action@main if: steps.changed-files.outputs.files == 'true' - - name: Run build + - uses: actions/github-script@v6 + id: get_pr_data + with: + script: | + return ( + await github.rest.repos.listPullRequestsAssociatedWithCommit({ + commit_sha: context.sha, + owner: context.repo.owner, + repo: context.repo.repo, + }) + ).data[0]; + + - name: Run ko build id: build if: steps.changed-files.outputs.files == 'true' + env: + KO_DOCKER_REPO: ghcr.io/${{ github.repository_owner }}/headscale run: | - nix build |& tee build-result - BUILD_STATUS="${PIPESTATUS[0]}" - - OLD_HASH=$(cat build-result | grep specified: | awk -F ':' '{print $2}' | sed 's/ //g') - NEW_HASH=$(cat build-result | grep got: | awk -F ':' '{print $2}' | sed 's/ //g') - - echo "OLD_HASH=$OLD_HASH" >> $GITHUB_OUTPUT - echo "NEW_HASH=$NEW_HASH" >> $GITHUB_OUTPUT - - exit $BUILD_STATUS - - - name: Nix gosum diverging - uses: actions/github-script@v6 - if: failure() && steps.build.outcome == 'failure' - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - github.rest.pulls.createReviewComment({ - pull_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}' - }) - - - uses: actions/upload-artifact@v4 - if: steps.changed-files.outputs.files == 'true' - with: - name: headscale-linux - path: result/bin/headscale + ko build --tags=pr-${{ fromJson(steps.get_pr_data.outputs.result).number }},${{ github.sha }} ./cmd/headscale diff --git a/.goreleaser.yml b/.goreleaser.yml index 4e91c74d..262d85d4 100644 
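Review bot: The `get_pr_data` step looks the pull request up by `context.sha`, but on a `pull_request` run the number is already in the event payload as `${{ github.event.pull_request.number }}`, so the API call and the `.data[0]` index (undefined when no PR is associated with that commit, after which `fromJson(...).number` fails at expression time) can be dropped. The `Run ko build` step pushes to `ghcr.io` through `KO_DOCKER_REPO`, yet no step authenticates to the registry and the job's permissions are not narrowed to `packages: write`; unless ko picks up credentials from elsewhere on the runner, the push will be refused. Both points apply to the remaining patches in this series that keep the lookup.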
--- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -27,8 +27,6 @@ builds: - -mod=readonly ldflags: - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}} - tags: - - ts2019 archives: - id: golang-cross diff --git a/.ko.yaml b/.ko.yaml new file mode 100644 index 00000000..38a2164b --- /dev/null +++ b/.ko.yaml @@ -0,0 +1,16 @@ +defaultBaseImage: gcr.io/distroless/base-debian12:debug +defaultPlatforms: + - linux/arm64 + - linux/arm/v7 + - linux/amd64 + - linux/386 + +builds: + - id: headscale + main: ./cmd/headscale + env: + - CGO_ENABLED=0 + flags: + - -mod=readonly + ldflags: + - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Git.ShortCommit}} From e1416a72cb21a173a3e3ac618e449e31cc07e611 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 09:15:15 +0200 Subject: [PATCH 02/15] make it so ko.yaml changes trigger build Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1e7c4723..99377b11 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -28,6 +28,7 @@ jobs: - '**/*.go' - 'integration_test/' - 'config-example.yaml' + - '.ko.yaml' - uses: DeterminateSystems/nix-installer-action@main if: steps.changed-files.outputs.files == 'true' - uses: DeterminateSystems/magic-nix-cache-action@main From 0d6a25d6ee2ff3d20f74f00af11c3f89df011b03 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 09:16:50 +0200 Subject: [PATCH 03/15] env it Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 99377b11..c42bedeb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
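Review bot: Dropping `tags: - ts2019` from the goreleaser build changes what the release binaries compile in, and the commit message only talks about PR images, so it does not say whether the tag is obsolete or whether the ko build is meant to differ from releases. If the tag still matters, add `-tags=ts2019` under `flags:` in `.ko.yaml` so both builds agree; if it is obsolete, one sentence in the message saying so would save the next reader the archaeology. The rest of the `builds:` entry continues outside the hunk.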
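Review bot: `defaultBaseImage: gcr.io/distroless/base-debian12:debug` is pinned by tag only, so every PR build resolves whatever the tag points to that day and two builds of the same commit can differ in their base layer; pin the digest, `defaultBaseImage: gcr.io/distroless/base-debian12:debug@sha256:<digest-placeholder>`, and bump it deliberately. The `:debug` variant ships a busybox shell, which matches the stated goal of mimicking goreleaser's debug images, but a comment above the key (`# :debug variant ships a shell; intended for PR/test images only`) keeps these tags from being promoted unknowingly.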
@@ -51,5 +51,7 @@ jobs: if: steps.changed-files.outputs.files == 'true' env: KO_DOCKER_REPO: ghcr.io/${{ github.repository_owner }}/headscale + TAG_PR_NAME: pr-${{ fromJson(steps.get_pr_data.outputs.result).number }} + TAG_SHA: ${{ github.sha }} run: | - ko build --tags=pr-${{ fromJson(steps.get_pr_data.outputs.result).number }},${{ github.sha }} ./cmd/headscale + ko build --tags=$TAG_PR_NAME,$TAG_SHA ./cmd/headscale From 68669238f952b99609aa4ece541a0795d0881312 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 09:18:04 +0200 Subject: [PATCH 04/15] debug pr name Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c42bedeb..d907fab9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -54,4 +54,5 @@ jobs: TAG_PR_NAME: pr-${{ fromJson(steps.get_pr_data.outputs.result).number }} TAG_SHA: ${{ github.sha }} run: | - ko build --tags=$TAG_PR_NAME,$TAG_SHA ./cmd/headscale + echo $TAG_PR_NAME + ko build --tags=$TAG_SHA ./cmd/headscale From 52cce46cd876e77a386dc32ece03fdad042a8583 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 09:22:29 +0200 Subject: [PATCH 05/15] debug pr number Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d907fab9..7f827b81 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,6 +46,9 @@ jobs: }) ).data[0]; + - name: Issue number + run: echo '${{steps.get_pr_data.outputs.result}}' + - name: Run ko build id: build if: steps.changed-files.outputs.files == 'true' From 53a08e5ab6c223ee169d68fb91f770e1a0d2661f Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 09:26:23 +0200 Subject: [PATCH 06/15] derp 
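Review bot: The `Issue number` step added in patch 05 expands `${{steps.get_pr_data.outputs.result}}` — the whole PR object, including title, body and branch name chosen by whoever opened the PR — straight into the `run:` script, and the surrounding single quotes do not protect it because the expansion happens before the shell parses the line, so a quote character in the title ends the literal. Route it through the environment instead: `env:` / `  PR_DATA: ${{ steps.get_pr_data.outputs.result }}` / `run: echo "$PR_DATA"`. The same pattern is reintroduced for `.number` and `.title` in patch 06, and the `result` echo survives until patch 13 comments it out.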
Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7f827b81..e27f44cb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,7 +12,9 @@ concurrency: jobs: build: runs-on: ubuntu-latest - permissions: write-all + permissions: + contents: read + pull-requests: read steps: - uses: actions/checkout@v4 with: @@ -34,7 +36,7 @@ jobs: - uses: DeterminateSystems/magic-nix-cache-action@main if: steps.changed-files.outputs.files == 'true' - - uses: actions/github-script@v6 + - uses: actions/github-script@v7 id: get_pr_data with: script: | @@ -46,8 +48,11 @@ jobs: }) ).data[0]; - - name: Issue number - run: echo '${{steps.get_pr_data.outputs.result}}' + - name: Pull Request data + run: | + echo '${{ fromJson(steps.get_pr_data.outputs.result).number }}' + echo '${{ fromJson(steps.get_pr_data.outputs.result).title }}' + echo '${{steps.get_pr_data.outputs.result}}' - name: Run ko build id: build From 49952dda401112bf796deab5aa4f5857a7be5d90 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 09:27:30 +0200 Subject: [PATCH 07/15] derp Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e27f44cb..bebb7664 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -50,8 +50,6 @@ jobs: - name: Pull Request data run: | - echo '${{ fromJson(steps.get_pr_data.outputs.result).number }}' - echo '${{ fromJson(steps.get_pr_data.outputs.result).title }}' echo '${{steps.get_pr_data.outputs.result}}' - name: Run ko build From 1efb817acc0001e065f466861aab33cea4ff47b7 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 09:29:52 +0200 Subject: [PATCH 08/15] all 
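Review bot: The narrowed `permissions:` block (`contents: read`, `pull-requests: read`) is the right direction but omits the one write scope the job actually needs: `ko build` pushes to `ghcr.io` via `KO_DOCKER_REPO` in a step outside this hunk, which requires `packages: write`. Add `packages: write` here rather than falling back to `write-all`; `pull-requests: read` is then only needed while `get_pr_data` stays. Later patches in this series revert to `write-all`, which is the broader grant to avoid.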
Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bebb7664..756d419a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,7 +46,7 @@ jobs: owner: context.repo.owner, repo: context.repo.repo, }) - ).data[0]; + ).data; - name: Pull Request data run: | From aba61ceb1b147611306feb200f7a8d27fe4e0cfb Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 09:47:21 +0200 Subject: [PATCH 09/15] test without pr number Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 756d419a..b6027aa2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,7 +57,7 @@ jobs: if: steps.changed-files.outputs.files == 'true' env: KO_DOCKER_REPO: ghcr.io/${{ github.repository_owner }}/headscale - TAG_PR_NAME: pr-${{ fromJson(steps.get_pr_data.outputs.result).number }} + # TAG_PR_NAME: pr-${{ fromJson(steps.get_pr_data.outputs.result).number }} TAG_SHA: ${{ github.sha }} run: | echo $TAG_PR_NAME From 9a4c7e444641164f73581a4659d587694c124627 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 09:48:47 +0200 Subject: [PATCH 10/15] run ko with nix Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b6027aa2..f373e2c4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,5 +60,4 @@ jobs: # TAG_PR_NAME: pr-${{ fromJson(steps.get_pr_data.outputs.result).number }} TAG_SHA: ${{ github.sha }} run: | - echo $TAG_PR_NAME - ko build --tags=$TAG_SHA ./cmd/headscale + nix develop --command -- ko build --tags=$TAG_SHA ./cmd/headscale 
From 10a9eda8933d60800b7e005ac742f511558cfcc7 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 09:56:02 +0200 Subject: [PATCH 11/15] restore write all Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f373e2c4..029ed323 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,9 +12,7 @@ concurrency: jobs: build: runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: read + permissions: write-all steps: - uses: actions/checkout@v4 with: From 610223df67ffbbb94e1444db947f7588cb817632 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 12 Aug 2024 10:04:42 +0200 Subject: [PATCH 12/15] add back pr attempt in hope for more perms Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 029ed323..c9fae63b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -44,7 +44,7 @@ jobs: owner: context.repo.owner, repo: context.repo.repo, }) - ).data; + ).data[0]; - name: Pull Request data run: | @@ -55,7 +55,7 @@ jobs: if: steps.changed-files.outputs.files == 'true' env: KO_DOCKER_REPO: ghcr.io/${{ github.repository_owner }}/headscale - # TAG_PR_NAME: pr-${{ fromJson(steps.get_pr_data.outputs.result).number }} + TAG_PR_NAME: pr-${{ fromJson(steps.get_pr_data.outputs.result).number }} TAG_SHA: ${{ github.sha }} run: | - nix develop --command -- ko build --tags=$TAG_SHA ./cmd/headscale + nix develop --command -- ko build --tags=$TAG_SHA,$TAG_PR_NAME ./cmd/headscale From 8e26fcfeea48f5808aa2e6792c9dbae84f2593ce Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Tue, 13 Aug 2024 08:24:21 +0200 Subject: [PATCH 13/15] remove pr number again 
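Review bot: Restoring `permissions: write-all` reverts the narrowed block to a token with every write scope on a workflow that runs for pull requests; the ghcr push needs `packages: write` and the checkout `contents: read`, plus `pull-requests: read` while `get_pr_data` remains. The narrow form is `permissions:` / `  contents: read` / `  packages: write`. The commit message does not say which permission was missing, so the broad grant reads as a guess rather than a requirement.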
Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c9fae63b..c9784300 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,28 +34,28 @@ jobs: - uses: DeterminateSystems/magic-nix-cache-action@main if: steps.changed-files.outputs.files == 'true' - - uses: actions/github-script@v7 - id: get_pr_data - with: - script: | - return ( - await github.rest.repos.listPullRequestsAssociatedWithCommit({ - commit_sha: context.sha, - owner: context.repo.owner, - repo: context.repo.repo, - }) - ).data[0]; + # - uses: actions/github-script@v7 + # id: get_pr_data + # with: + # script: | + # return ( + # await github.rest.repos.listPullRequestsAssociatedWithCommit({ + # commit_sha: context.sha, + # owner: context.repo.owner, + # repo: context.repo.repo, + # }) + # ).data[0]; - - name: Pull Request data - run: | - echo '${{steps.get_pr_data.outputs.result}}' + # - name: Pull Request data + # run: | + # echo '${{steps.get_pr_data.outputs.result}}' - name: Run ko build id: build if: steps.changed-files.outputs.files == 'true' env: KO_DOCKER_REPO: ghcr.io/${{ github.repository_owner }}/headscale - TAG_PR_NAME: pr-${{ fromJson(steps.get_pr_data.outputs.result).number }} + # TAG_PR_NAME: pr-${{ fromJson(steps.get_pr_data.outputs.result).number }} TAG_SHA: ${{ github.sha }} run: | - nix develop --command -- ko build --tags=$TAG_SHA,$TAG_PR_NAME ./cmd/headscale + nix develop --command -- ko build --tags=$TAG_SHA ./cmd/headscale From 71607ae13c424467dd5cf93cefe65118b1d32a50 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Tue, 13 Aug 2024 08:35:29 +0200 Subject: [PATCH 14/15] disable sbom Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
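Review bot: Commenting out the `get_pr_data` and `Pull Request data` steps and the `TAG_PR_NAME` entry leaves roughly twenty lines of dead configuration in the workflow, including `${{ }}` expressions inside comments; since the message says the PR number is being removed, delete the lines — history keeps them — or leave a single `# TODO: tag with the PR number once the lookup works` above `TAG_SHA` naming the blocker. With only `$TAG_SHA` left in `run:`, the images are tagged by commit only, which the commit message could state.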
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c9784300..2657b45e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -58,4 +58,4 @@ jobs: # TAG_PR_NAME: pr-${{ fromJson(steps.get_pr_data.outputs.result).number }} TAG_SHA: ${{ github.sha }} run: | - nix develop --command -- ko build --tags=$TAG_SHA ./cmd/headscale + nix develop --command -- ko build --sbom=none --tags=$TAG_SHA ./cmd/headscale From 46ccfff71d68d78d783ea6aaf9d0e0e500b84a32 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Tue, 13 Aug 2024 08:43:47 +0200 Subject: [PATCH 15/15] pull_request_target Signed-off-by: Kristoffer Dalby --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2657b45e..867dc823 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,7 +1,7 @@ name: Build Docker images for PRs on: - pull_request: + pull_request_target: branches: - main
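Review bot: `--sbom=none` turns off the SBOM that ko would otherwise attach to the pushed image, and the one-word commit message gives no reason. If the SBOM upload was what failed, record that above `run:` (`# sbom disabled: <reason-placeholder>; re-enable once fixed`) so it can be restored, since the SBOM is the main supply-chain artefact these PR images would carry.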
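Review bot: Switching the trigger to `pull_request_target` moves the trust boundary: the job now runs in the base repository's context with its secrets and, given the `permissions: write-all` set earlier in this file (outside the hunk), a fully privileged token, on an event anyone can raise by opening a pull request. At the same time `github.sha` and the default `actions/checkout` ref under this event point at the base branch, so the image tagged `$TAG_SHA` is built from `main`, not from the PR, which defeats the stated purpose. If the goal is images for fork PRs, keep `pull_request` for the build with a read-only token and publish from a separately gated step (label or maintainer approval); whatever the design, do not pair this trigger with a checkout of the PR head while the job holds write scopes or secrets, and reduce `permissions` to `contents: read` plus `packages: write`. The hunk's trailing context line falls at the end of the page.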