From 93eb41a290047a6155f332d48f3aaeee282e6858 Mon Sep 17 00:00:00 2001
From: Lee Briggs
Date: Wed, 16 Jul 2025 15:01:20 -0400
Subject: [PATCH] Create a binary for releases
Signed-off-by: Lee Briggs
---
.github/dependabot.yml | 6 --
.github/workflows/build.yml | 142 ++++++++++++++++++++++++++++++++++++
action.yml | 22 ++++--
3 files changed, 157 insertions(+), 13 deletions(-)
delete mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/build.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index ca79ca5..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: github-actions
- directory: /
- schedule:
- interval: weekly
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..9b8c8af
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,142 @@
+name: Build and Release gitops-pusher
+
+on:
+ push:
+ tags:
+ - 'v*'
+ workflow_dispatch:
+ inputs:
+ gitops_pusher_commit:
+ description: 'Tailscale gitops-pusher commit hash'
+ required: true
+ default: '66aa77416744037baec93206ae212012a2314f83'
+ tag_name:
+ description: 'Release tag name'
+ required: true
+ default: 'v1.0.0'
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ goos: [linux]
+ goarch: [amd64]
+
+ steps:
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: 1.22.4
+
+ - name: Set commit hash
+ id: commit
+ run: |
+ if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+ echo "hash=${{ github.event.inputs.gitops_pusher_commit }}" >> $GITHUB_OUTPUT
+ else
+ echo "hash=66aa77416744037baec93206ae212012a2314f83" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Build binary
+ env:
+ GOOS: ${{ matrix.goos }}
+ GOARCH: ${{ matrix.goarch }}
+ CGO_ENABLED: 0
+ run: |
+ COMMIT_HASH="${{ steps.commit.outputs.hash }}"
+ BINARY_NAME="gitops-pusher-${{ matrix.goos }}-${{ matrix.goarch }}"
+
+ if [ "${{ matrix.goos }}" = "windows" ]; then
+ BINARY_NAME="${BINARY_NAME}.exe"
+ fi
+
+ echo "Building for ${{ matrix.goos }}/${{ matrix.goarch }}"
+
+ # Create a temporary directory for the build
+ mkdir -p /tmp/gitops-pusher-build
+ cd /tmp/gitops-pusher-build
+
+ # Initialize a new Go module and enable module mode
+ go mod init temp-build
+ go env -w GO111MODULE=on
+
+ # Install the specific version of gitops-pusher
+ GOBIN="${GITHUB_WORKSPACE}" go install "tailscale.com/cmd/gitops-pusher@${COMMIT_HASH}"
+
+ # Rename the binary to include platform info
+ mv "${GITHUB_WORKSPACE}/gitops-pusher" "${GITHUB_WORKSPACE}/${BINARY_NAME}"
+
+ # Make executable (for non-Windows)
+ if [ "${{ matrix.goos }}" != "windows" ]; then
+ chmod +x "${GITHUB_WORKSPACE}/${BINARY_NAME}"
+ fi
+
+ echo "BINARY_NAME=${BINARY_NAME}" >> $GITHUB_ENV
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ env.BINARY_NAME }}
+ path: ${{ env.BINARY_NAME }}
+
+ release:
+ needs: build
+ runs-on: ubuntu-latest
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch'
+
+ steps:
+ - name: Download all artifacts
+ uses: actions/download-artifact@v4
+ with:
+ path: ./binaries
+
+ - name: Set release tag
+ id: tag
+ run: |
+ if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+ echo "tag=${{ github.event.inputs.tag_name }}" >> $GITHUB_OUTPUT
+ else
+ echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Create checksums
+ run: |
+ cd binaries
+ find . -type f -name "gitops-pusher-*" -exec sha256sum {} \; > ../checksums.txt
+ cd ..
+ echo "Checksums created:"
+ cat checksums.txt
+
+ - name: Create release
+ uses: softprops/action-gh-release@v1
+ with:
+ tag_name: ${{ steps.tag.outputs.tag }}
+ name: gitops-pusher ${{ steps.tag.outputs.tag }}
+ body: |
+ ## gitops-pusher Binary Release
+
+ Pre-compiled binaries for Tailscale's gitops-pusher tool.
+
+ **Commit:** ${{ steps.commit.outputs.hash || '66aa77416744037baec93206ae212012a2314f83' }}
+
+ ### Usage
+ Download the appropriate binary for your platform and use it in your workflows:
+
+ ```yaml
+ - name: Download gitops-pusher
+ run: |
+ wget https://github.com/${{ github.repository }}/releases/download/${{ steps.tag.outputs.tag }}/gitops-pusher-linux-amd64
+ chmod +x gitops-pusher-linux-amd64
+ ./gitops-pusher-linux-amd64 --policy-file=policy.hujson test
+ ```
+
+ ### Checksums
+ See `checksums.txt` for file verification.
+ files: |
+ binaries/*/gitops-pusher-*
+ checksums.txt
+ draft: false
+ prerelease: false
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/action.yml b/action.yml
index 5a688ef..a52542f 100644
--- a/action.yml
+++ b/action.yml
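Review bot: The `**Commit:**` line in the release body of build.yml reads `steps.commit.outputs.hash`, but the step with `id: commit` belongs to the `build` job, so inside `release` that expression is empty and the `||` fallback always prints the hard-coded 66aa774… hash, even when a manual dispatch built a different commit. Exporting the hash as a job output of `build` and reading it as `needs.build.outputs.hash` makes the published release state the commit the binary was really built from. In the same file the dispatch inputs `gitops_pusher_commit` and `tag_name` are pasted into the `run:` scripts through `${{ … }}`; handing them over through `env:` keeps their content out of the script text, and the `Set release tag` step takes the same treatment as the one shown below. The workflow also declares no `permissions:` block, so the release job relies on the repository's default token scope; granting `contents: write` on `release` only would make that explicit.

```yaml
  build:
    runs-on: ubuntu-latest
    outputs:
      hash: ${{ steps.commit.outputs.hash }}
    # … unchanged: strategy matrix, Set up Go …
      - name: Set commit hash
        id: commit
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_COMMIT: ${{ github.event.inputs.gitops_pusher_commit }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            echo "hash=${INPUT_COMMIT}" >> "$GITHUB_OUTPUT"
          else
            echo "hash=66aa77416744037baec93206ae212012a2314f83" >> "$GITHUB_OUTPUT"
          fi
    # … unchanged: Build binary, Upload artifact, release job up to the release body …
            **Commit:** ${{ needs.build.outputs.hash }}
```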
@@ -20,6 +20,10 @@ inputs:
 action:
 description: "Action to take (test/apply)"
 required: true
+ gitops-pusher-version:
+ description: "Version of gitops-pusher to use"
+ required: false
+ default: "latest"
 runs:
 using: "composite"
 steps:
@@ -33,14 +37,18 @@ runs:
 if: ${{ inputs['api-key'] != '' && inputs['oauth-secret'] != '' }}
 shell: bash
 run: |
- echo "::error title=⛔ error hint::only one of API Key or OAuth secret should be specified.
+ echo "::error title=⛔ error hint::only one of API Key or OAuth secret should be specified."
 exit 1
- - uses: actions/setup-go@v5
+ - name: Install gitops-pusher
+ uses: jaxxstorm/action-install-gh-release@v1.12.0
 with:
- go-version: 1.22.4
- cache: false
-
- - name: Gitops pusher
+ repo: ${{ github.repository }}
+ tag: ${{ inputs.gitops-pusher-version }}
+ binaries-location: binaries
+ rename-to: gitops-pusher
+ chmod: 0755
+ file: gitops-pusher-linux-amd64
+ - name: Run gitops-pusher
 shell: bash
 env:
 # gitops-pusher will use OAUTH_ID and OAUTH_SECRET if non-empty,
@@ -49,4 +57,4 @@ runs:
 TS_OAUTH_SECRET: "${{ inputs.oauth-secret }}"
 TS_API_KEY: "${{ inputs.api-key }}"
 TS_TAILNET: "${{ inputs.tailnet }}"
- run: go run tailscale.com/cmd/gitops-pusher@66aa77416744037baec93206ae212012a2314f83 "--policy-file=${{ inputs.policy-file }}" "${{ inputs.action }}"
+ run: gitops-pusher "--policy-file=${{ inputs.policy-file }}" "${{ inputs.action }}"
\ No newline at end of file
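Review bot: The new `gitops-pusher-version` input in the first action.yml hunk defaults to `"latest"`, so callers who set nothing run whichever release is newest at that moment, where the removed `go run …@66aa774…` line fixed the exact commit. Defaulting to a concrete release tag, for example `default: "v1.0.0"` (the default tag name used in build.yml), keeps the executable that receives the Tailscale credentials stable until someone bumps it on purpose.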
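Review bot: `repo: ${{ github.repository }}` in the Install gitops-pusher step (second action.yml hunk) names the repository whose workflow is running, which for a composite action is normally the caller's repository rather than the one publishing these binaries; unless the caller hosts the same release, the lookup targets the wrong repo. Writing the publishing repository literally, `repo: OWNER/REPO` (placeholder), avoids that. The downloaded binary is later run with `TS_API_KEY` and `TS_OAUTH_SECRET` in its environment, yet nothing visible here compares it with the `checksums.txt` the build workflow publishes, and the third-party installer is referenced by the movable tag `@v1.12.0` rather than a full commit SHA; both are worth tightening. The step list continues outside the hunk.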
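Review bot: The rewritten `run:` line in the last action.yml hunk still expands `${{ inputs.policy-file }}` and `${{ inputs.action }}` into the bash script before the shell parses it, so a value containing quotes or other shell syntax alters the command instead of reaching gitops-pusher as an argument. Add `POLICY_FILE: "${{ inputs.policy-file }}"` and `ACTION: "${{ inputs.action }}"` to the existing `env:` map and change the line to `run: gitops-pusher "--policy-file=${POLICY_FILE}" "${ACTION}"`. The `env:` block begins above this hunk.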