bootstrap-python-fastapi/.github/workflows/ci-pipeline.yml at 006e5db4debde3bcccec3030b1cc88bc8dd45d84 · febus982/bootstrap-python-fastapi · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: CI Pipeline

# This workflow build and run tests inside the dev container
# only after the pull request is merged to main branch.
# Once tests are successful it builds and pushes the
# smaller size production image with multiarch suppport.

on:
  push:
    branches: [ "main" ]
####### Uncomment this to test the CI pipeline in a PR
####### You'll also need to comment the rules containing {{branch}}
####### in the `Extract Docker metadata` step
#  pull_request:
#    branches: [ "main" ]

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  REGISTRY_PATH: ${{ github.repository }}
  TEST_TAG: user/app:test

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # This might be unnecessary as tests are not
      # multiplatform
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v3.9.0

      # Build but don't push Docker image with Buildx
      # https://github.com/docker/build-push-action
      - name: Build test image
        id: build-test
        uses: docker/build-push-action@v6.14.0
        with:
          context: .
          load: true
          target: dev
          tags: ${{ env.TEST_TAG }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # This is a barrier check to make sure we push a functional
      # docker image, we can avoid linting
      - name: Run tests in the test image
        run: |
          docker run --rm ${{ env.TEST_TAG }} make ci-test

  build:
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write
    strategy:
      matrix:
        docker_target:
          - migrations
          - http
          - socketio
          - dramatiq
    steps:
      # GitHub gives only repository complete in <owner>/<repo> format.
      # Need some manual sheanigans
      # Set IMAGE_NAME so we can push to <owner>/<repo>/<image>
      - name: Set ENV variables
        run: |
          echo "IMAGE_NAME=${GITHUB_REPOSITORY#$GITHUB_REPOSITORY_OWNER/}" >> $GITHUB_ENV

      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      # Install the cosign tool
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        uses: sigstore/cosign-installer@v3.8.1

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v3.9.0

      # Login against a Docker registry
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5.6.1
        with:
          # list of Docker images to use as base name for tags
          # <registry/<owner>/<repo_name>/<repo_name>-<target>
          images: |
            ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/${{ env.IMAGE_NAME }}-${{ matrix.docker_target }}
          # generate Docker tags based on the following events/attributes
          tags: |
            type=sha
            type=raw,value={{branch}}-latest
            type=raw,value={{branch}}-{{date 'YYYYMMDDHHmmss'}}

      # Build and push Docker image with Buildx
      # https://github.com/docker/build-push-action
      - name: Build and push production image
        id: build-and-push
        uses: docker/build-push-action@v6.14.0
        with:
          context: .
          target: ${{ matrix.docker_target }}
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      #TODO: Implement signature using generated key: https://docs.sigstore.dev/signing/quickstart/#signing-with-a-generated-key

      # Sign the resulting Docker image digest except on PRs.
      # This will only write to the public Rekor transparency log when the Docker
      # repository is public to avoid leaking data.  If you would like to publish
      # transparency data even for private images, pass --force to cosign below.
      # https://github.com/sigstore/cosign
      - name: Sign the published Docker image using GitHub OIDC Token
        env:
          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          cosign sign --yes ${images}