wireapp · mohitrajain · Sep 5, 2025 · Sep 5, 2025 · Sep 8, 2025 · Sep 8, 2025
@@ -0,0 +1,57 @@
+on:
+  push:
+    branches: [min-release*]
+    tags: [ v* ]
+    paths-ignore:
+      - '*.md'
+      - '**/*.md'
+  pull_request:
+    branches: [min-release*]
+    paths-ignore:
+      - '*.md'
+      - '**/*.md'
+jobs:
+  offline:
+    name: Prepare min offline package
+    # Useful to skip expensive CI when writing docs
+    if: "!contains(github.event.head_commit.message, 'skip ci')"
+    runs-on:
+      group: wire-server-deploy
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: true
+      - uses: cachix/install-nix-action@v27
+      - uses: cachix/cachix-action@v15
+        with:
+          name: wire-server
+          signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"
+
+      - name: Install nix environment
+        run: nix-env -f default.nix -iA env
+
+      - name: Get upload name
+        id: upload_name
+        run: |
+          # FIXME: Tag with a nice release name using the github tag...
+          # SOURCE_TAG=${GITHUB_REF#refs/tags/}
+          echo ::set-output name=UPLOAD_NAME::$GITHUB_SHA
+          # echo ::set-output name=UPLOAD_NAME::${SOURCE_TAG:-$GITHUB_SHA}
+
+      - name: Process the min profile build
+        run: ./offline/min-build/build.sh
+        env:
+          GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}'
+          DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'
+
+      - name: Copy min build assets tarball to S3
+        run: |
+          # Upload tarball for each profile by specifying their OUTPUT_TAR path
+          aws s3 cp offline/min-build/output/assets.tgz s3://public.wire.com/artifacts/wire-server-deploy-static-min-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz
+          echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-min-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz"
+          # remove the archives from the build to optimize the space on the server
+          rm -rf offline/min-build/output/*
+        env:
+          AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
+          AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
+          AWS_REGION: "eu-west-1"
@@ -1,6 +1,6 @@
 on:
   push:
-    branches: [master, develop]
+    branches: [master,develop,min-release*]
     tags: [ v* ]
     paths-ignore:
       - '*.md'
@@ -66,43 +66,24 @@ jobs:
         env:
           DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'
 
-      # demo profile build
-      - name: Process the demo profile build
-        run: ./offline/demo-build/build.sh
-        env:
-          GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}'
-          DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'
+      # # demo profile build
+      # - name: Process the demo profile build
+      #   run: ./offline/demo-build/build.sh
+      #   env:
+      #     GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}'
+      #     DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'
 
-      - name: Copy demo build assets tarball to S3 and clean up
-        run: |
-          # Upload tarball for each profile by specifying their OUTPUT_TAR path
-          aws s3 cp offline/demo-build/output/assets.tgz s3://public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz
-          echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz"
-          # remove the assets from the build to optimize the space on the server
-          rm -rf offline/demo-build/output/*
-        env:
-          AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
-          AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
-          AWS_REGION: "eu-west-1"
-
-      # min profile build
-      - name: Process the min profile build
-        run: ./offline/min-build/build.sh
-        env:
-          GPG_PRIVATE_KEY: '${{ secrets.GPG_PRIVATE_KEY }}'
-          DOCKER_LOGIN: '${{ secrets.DOCKER_LOGIN }}'
-
-      - name: Copy min build assets tarball to S3
-        run: |
-          # Upload tarball for each profile by specifying their OUTPUT_TAR path
-          aws s3 cp offline/min-build/output/assets.tgz s3://public.wire.com/artifacts/wire-server-deploy-static-min-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz
-          echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-min-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz"
-          # remove the archives from the build to optimize the space on the server
-          rm -rf offline/min-build/output/*
-        env:
-          AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
-          AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
-          AWS_REGION: "eu-west-1"
+      # - name: Copy demo build assets tarball to S3 and clean up
+      #   run: |
+      #     # Upload tarball for each profile by specifying their OUTPUT_TAR path
+      #     aws s3 cp offline/demo-build/output/assets.tgz s3://public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz
+      #     echo "Uploaded to: https://s3-$AWS_REGION.amazonaws.com/public.wire.com/artifacts/wire-server-deploy-static-demo-${{ steps.upload_name.outputs.UPLOAD_NAME }}.tgz"
+      #     # remove the assets from the build to optimize the space on the server
+      #     rm -rf offline/demo-build/output/*
+      #   env:
+      #     AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
+      #     AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
+      #     AWS_REGION: "eu-west-1"
 
       - name: Install terraform
         uses: hashicorp/setup-terraform@v3
@@ -116,8 +97,8 @@ jobs:
         env:
           HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
 
-      #- name: Clean up hetzner environment; just in case
-      #  if: always()
-      #  run: (cd terraform/examples/wire-server-deploy-offline-hetzner ; terraform init && terraform destroy -auto-approve)
-      #  env:
-      #    HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+      - name: Clean up hetzner environment; just in case
+        if: always()
+        run: (cd terraform/examples/wire-server-deploy-offline-hetzner ; terraform init && terraform destroy -auto-approve)
+        env:
+          HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
@@ -0,0 +1 @@
+Added: a separate workflow for min build to be able to generate separate artifacts
@@ -31,7 +31,7 @@ HELM_CHART_EXCLUDE_LIST="inbucket,wire-server-enterprise,k8ssandra-operator,k8ss
 "${TASKS_DIR}"/proc_pull_charts.sh OUTPUT_DIR="${OUTPUT_DIR}" HELM_CHART_EXCLUDE_LIST="${HELM_CHART_EXCLUDE_LIST}"
 
 # pulling the charts from helm-charts repo, charts to be included are passed as arguments HELM_CHART_INCLUDE_LIST
-"${TASKS_DIR}"/proc_pull_ext_charts.sh OUTPUT_DIR="${OUTPUT_DIR}" HELM_CHART_INCLUDE_LIST="postgresql-external"
+# "${TASKS_DIR}"/proc_pull_ext_charts.sh OUTPUT_DIR="${OUTPUT_DIR}" HELM_CHART_INCLUDE_LIST="postgresql-external"
 
 # copy local copy of values from root directory to output directory
 cp -r "${ROOT_DIR}"/values "${OUTPUT_DIR}"/
@@ -49,7 +49,7 @@ cp -r "${ROOT_DIR}"/values "${OUTPUT_DIR}"/
 # processing the charts
 # here we also filter the images post processing the helm charts
 # pass the image names to be filtered as arguments as regex #IMAGE_EXCLUDE_LIST='brig|galley'
-"${TASKS_DIR}"/process_charts.sh OUTPUT_DIR="${OUTPUT_DIR}" VALUES_TYPE="demo" #IMAGE_EXCLUDE_LIST=""
+"${TASKS_DIR}"/process_charts.sh OUTPUT_DIR="${OUTPUT_DIR}" VALUES_TYPE="prod" #IMAGE_EXCLUDE_LIST=""
 
 # all basic chart pre-processing tasks
 "${TASKS_DIR}"/post_chart_process_0.sh "${OUTPUT_DIR}"

@@ -83,5 +83,5 @@ pull_charts() {
   echo "Pulling charts done."
 }
 
-wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/5f5af940a89c50f485327391b293419e42ba92c0/build.json"
+wire_build="https://raw.githubusercontent.com/wireapp/wire-builds/0ed27ef439f741d1e7313af69349c7bba8f7047b/build.json"
 wire_build_chart_release "$wire_build" | pull_charts
@@ -12,8 +12,3 @@ ingress-nginx:
         image:
           tag: "v20220916-gd32f8c343"
           digest: ""
-    # Enable prometheus operator to scrape metrics from the ingress-nginx controller with servicemonitor.
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
@@ -1,14 +1,10 @@
-# CHANGEME-DEMO: Assuming you run helm directly (and not helm-wrapper with sops), you can
-# simply drop your certificate/private key here. Be careful with spaces/indentation,
-# as the ingress seems to simply "swallow" errors if any (and serve the Fake default certificate
-# which is highly confusing)
 secrets:
   tlsWildcardCert: |
     -----BEGIN CERTIFICATE-----
-    .... OWN CERTIFICATE ......
+    .... REAL CERTIFICATE .....
     -----END CERTIFICATE-------
     -----BEGIN CERTIFICATE-----
-    .... INTERMEDIATE CERT ....
+    .... MAYBE CHAIN CERT .....
     -----END CERTIFICATE-------
   tlsWildcardKey: |
     -----BEGIN PRIVATE KEY-----

@@ -1,24 +1,22 @@
 teamSettings:
-  enabled: true
+  enabled: false
 accountPages:
-  enabled: true
+  enabled: false
 tls:
   enabled: true
   # NOTE: enable to automate certificate issuing with jetstack/cert-manager instead of
   #       providing your own certs in secrets.yaml. Cert-manager is not installed automatically,
   #       it needs to be installed beforehand (see ./../../charts/certificate-manager/README.md)
   useCertManager: false
-  issuer:
-    kind: ClusterIssuer
 
 certManager:
-  inTestMode: false
+  # NOTE: change to tell cert-manager to issue a valid certificate
+  inTestMode: true
   # CHANGEME-PROD: required, if certificate manager is used; set to receive cert expiration
   #                notice and other Letsencrypt related notification
   certmasterEmail:
 
-# CHANGEME-PROD: These values are suggested for deployments on bare metal and
-#                should be adjusted on a per installation basis
+# NOTE: These values must be adjusted on a per installation basis
 config:
   dns:
     https: nginz-https.example.com
@@ -27,12 +25,3 @@ config:
     fakeS3: assets.example.com
     teamSettings: teams.example.com
     accountPages: account.example.com
-    # uncomment below to activate cert acquisition for federator ingress
-    # federator: federator.example.com 
-
-# Redirection configuration for fake-aws-s3
-service:
-  useFakeS3: true
-  s3:
-    externalPort: 9000
-    serviceName: fake-aws-s3
@@ -8,8 +8,7 @@ tls:
   #       providing your own certs in secrets.yaml. Cert-manager is not installed automatically,
   #       it needs to be installed beforehand (see ./../../charts/certificate-manager/README.md)
   useCertManager: false
-  issuer:
-    kind: ClusterIssuer
+
 certManager:
   inTestMode: false
   # CHANGEME-PROD: required, if certificate manager is used; set to receive cert expiration
@@ -18,7 +17,6 @@ certManager:
 
 # CHANGEME-PROD: These values are suggested for deployments on bare metal and
 #                should be adjusted on a per installation basis
-
 config:
   dns:
     https: nginz-https.example.com

@@ -4,4 +4,3 @@ replicaCount: 3
 tls:
   issuerRef:
     name: letsencrypt-http01
-    kind: ClusterIssuer
@@ -1,9 +1,3 @@
-# CHANGEME-DEMO: All values here should be changed/reviewed
-elasticsearch-index:
-  secrets:
-    elasticsearch:
-      username: elastic
-      password: changeme
 brig:
   secrets:
     smtpPassword: dummyPassword
@@ -15,61 +9,36 @@ brig:
     turn:
       # generate a high-entropy random string, e.g. using
       # openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 42
-      secret: CHANGEMEE6KHMJU1uDhhgvsVWoIyzmn3u3GHRoWjTp
+      secret:
     # these only need to be changed if using real AWS services
     awsKeyId: dummykey
     awsSecretKey: dummysecret
     # These are only necessary if you wish to support sign up via SMS/calls
     # And require accounts at twilio.com / nexmo.com
-    rabbitmq:
-      username: wire-server
-      password: verysecurepassword
-    pgPassword: verysecurepassword
     setTwilio: |-
       sid: "dummy"
       token: "dummy"
     setNexmo: |-
       key: "dummy"
       secret: "dummy"
-    elasticsearch:
-      username: "elastic"
-      password: "changeme"
-    elasticsearchAdditional:
-      username: "elastic"
-      password: "changeme"
-cannon:
-  secrets:
-    rabbitmq:
-      username: wire-server
-      password: verysecurepassword
 
 cargohold:
   secrets:
     # these only need to be changed if using real AWS services
     awsKeyId: dummykey
     awsSecretKey: dummysecret
-    rabbitmq:
-      username: wire-server
-      password: verysecurepassword
 
 galley:
   secrets:
     # these only need to be changed if using real AWS services
     awsKeyId: dummykey
     awsSecretKey: dummysecret
-    pgPassword: verysecurepassword
-    rabbitmq:
-      username: wire-server
-      password: verysecurepassword
 
 gundeck:
   secrets:
     # these only need to be changed if using real AWS services
     awsKeyId: dummykey
     awsSecretKey: dummysecret
-    rabbitmq:
-      username: wire-server
-      password: verysecurepassword
 
 proxy:
   secrets:
@@ -93,24 +62,7 @@ nginz:
     # only necessary in test environments (env="staging"). See charts/nginz/README.md
     basicAuth: "<username>:<htpasswd-hashed-password>"
 
-# RabbitMQ credentials for background-worker.
-background-worker:
+team-settings:
   secrets:
-    rabbitmq:
-      username: wire-server
-      password: verysecurepassword
-
-# Uncomment for legalhold. Set values accordingly
-
-# legalhold:
-#   serviceToken: "supersecret"
-#   # openssl req -x509 -newkey rsa:4096 -sha256 -keyout tls.key -out tls.crt -days
-#   # 365 -subj '/CN={{ .Values.legalhold.host }}' Or provide your own signed by a
-#   # proper CA
-#   tlsKey: |
-#     -----BEGIN PRIVATE KEY-----
-#     -----END PRIVATE KEY-----
-#
-#   tlsCrt: |
-#     -----BEGIN CERTIFICATE-----
-#     -----END CERTIFICATE-----
+    # Required if you want to use team-settings
+    configJson:
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Added: a separate workflow for min build to be able to generate separate artifacts