name: Stable Workflow on: pull_request: branches: [ 'develop' ] types: [ closed ] workflow_dispatch: inputs: pr_number: description: 'PR Number to fetch release notes from (for manual retries)' required: false type: string jobs: check-release: name: Validate Release & Fetch Notes runs-on: ubuntu-24.04 if: | (github.event_name == 'pull_request' && github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')) || github.event_name == 'workflow_dispatch' outputs: pr_body: ${{ steps.get-notes.outputs.BODY }} steps: - name: Fetch PR Notes id: get-notes env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # 1. Map the input to an environment variable safely PR_NUMBER_INPUT: ${{ inputs.pr_number }} run: | if [[ "${{ github.event_name }}" == "pull_request" ]]; then # Securely extract the PR body without shell interpolation RAW_BODY=$(jq -r '.pull_request.body // empty' "$GITHUB_EVENT_PATH") elif [[ -n "$PR_NUMBER_INPUT" ]]; then # 2. Validate that the input is strictly numeric if ! [[ "$PR_NUMBER_INPUT" =~ ^[0-9]+$ ]]; then echo "Error: pr_number input must be purely numeric." exit 1 fi # 3. Fetch via GitHub CLI using the validated and quoted variable RAW_BODY=$(gh pr view "$PR_NUMBER_INPUT" --repo "${{ github.repository }}" --json body --jq '.body') else RAW_BODY="Read full changelog: https://github.com/Kareadita/Kavita/releases/latest" fi # Generate a random delimiter to prevent multiline EOF injection DELIMITER=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) # Safely write the multiline string to GITHUB_OUTPUT echo "BODY<<$DELIMITER" >> "$GITHUB_OUTPUT" echo "$RAW_BODY" >> "$GITHUB_OUTPUT" echo "$DELIMITER" >> "$GITHUB_OUTPUT" stable: name: Build Stable and Nightly Docker needs: [ check-release ] runs-on: ubuntu-24.04 permissions: packages: write contents: read steps: - name: Parse PR body id: parse-body env: RAW_BODY: ${{ needs.check-release.outputs.pr_body }} PR_NUMBER: ${{ inputs.pr_number || github.event.pull_request.number }} run: | body="$RAW_BODY" if [[ ${#body} -gt 1870 ]] ; then body=${body:0:1870} body="${body}...and much more. Read full changelog: https://github.com/Kareadita/Kavita/pull/$PR_NUMBER" fi body=${body//\'/} body=${body//'%'/'%25'} body=${body//$'\n'/'%0A'} body=${body//$'\r'/'%0D'} body=${body//$'`'/'%60'} body=${body//$'>'/'%3E'} echo "BODY=$body" >> $GITHUB_OUTPUT - name: Check Out Repo uses: actions/checkout@v4 with: fetch-depth: 1 - name: NodeJS to Compile WebUI uses: actions/setup-node@v4 with: node-version: 22 cache: 'npm' cache-dependency-path: UI/Web/package-lock.json - run: | cd UI/Web || exit echo 'Installing web dependencies' npm ci echo 'Building UI' npm run prod echo 'Copying back to Kavita wwwroot' rsync -a dist/ ../../API/wwwroot/ cd ../ || exit - name: Get csproj Version uses: kzrnm/get-net-sdk-project-versions-action@v2 id: get-version with: proj-path: Kavita.Common/Kavita.Common.csproj - name: Echo csproj version run: echo "${{steps.get-version.outputs.assembly-version}}" - name: Parse Version run: | version='${{steps.get-version.outputs.assembly-version}}' newVersion=${version%.*} echo $newVersion echo "VERSION=$newVersion" >> $GITHUB_OUTPUT id: parse-version - name: Compile dotnet app uses: actions/setup-dotnet@v4 with: dotnet-version: 10.0.x - name: Cache NuGet packages uses: actions/cache@v4 with: path: ~/.nuget/packages key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }} restore-keys: | ${{ runner.os }}-nuget- - name: Install Swashbuckle CLI run: | dotnet new tool-manifest --force dotnet tool install Swashbuckle.AspNetCore.Cli - run: ./monorepo-build.sh - name: Login to Docker Hub uses: docker/login-action@v3 if: ${{ github.repository_owner == 'Kareadita' }} with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Login to GitHub Container Registry uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v3 # Consolidate ALL tags into a single metadata block to prevent building twice - name: Extract metadata (tags, labels) for Docker id: docker_meta uses: docker/metadata-action@v5 with: tags: | type=raw,value=latest type=raw,value=${{ steps.parse-version.outputs.VERSION }} type=raw,value=nightly type=raw,value=nightly-${{ steps.parse-version.outputs.VERSION }} images: | name=jvmilazz0/kavita,enable=${{ github.repository_owner == 'Kareadita' }} name=ghcr.io/${{ github.repository }} # Push all 4 tags in a single execution - name: Build and push combined tags id: docker_build uses: docker/build-push-action@v6 with: context: . platforms: linux/amd64,linux/arm/v7,linux/arm64 push: true tags: ${{ steps.docker_meta.outputs.tags }} labels: ${{ steps.docker_meta.outputs.labels }} - name: Image digest run: echo ${{ steps.docker_build.outputs.digest }}