1- # Mozilla Deploy Actions url: <https://github.com/mozilla-it/deploy-actions>
2- # Note: even though Mozilla maintains the above actions, it is still suggested
3- # when upgrading to use the full commit SHA and comment with version.
4- # See <https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions>
5- # Ex. `mozilla-it/deploy-actions/.github/workflows/build-and-push.yml@4784cb70739a4f32ce010921f60fb1ebbc791a38 # v6.2.2`
6- name : Build, Tag and Push Container Images to GAR Repository
1+ name : Build, Tag and Push Container Images to GAR
72
83on :
94 pull_request :
105 types : [opened, labeled, unlabeled, synchronize]
11- # paths:
12- # - '**/sync*/**'
136 push :
147 branches :
158 - master
@@ -48,46 +41,116 @@ jobs:
4841 contents : read
4942 id-token : write
5043 packages : write
51- uses : mozilla-it/deploy-actions/.github/workflows/build-and-push.yml@4784cb70739a4f32ce010921f60fb1ebbc791a38 # v6.2.2
52- with :
53- image_name : syncstorage-rs
54- gar_name : sync-prod
55- project_id : moz-fx-sync-prod
56- docker_build_args : |
57- SYNCSTORAGE_DATABASE_BACKEND=spanner
58- MYSQLCLIENT_PKG=libmysqlclient-dev
59- should_tag_ghcr : true
44+ runs-on : ubuntu-latest
45+ steps :
46+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
47+ with :
48+ persist-credentials : false
49+
50+ - uses : ./.github/actions/setup-build-and-push
51+ id : setup
52+ with :
53+ workload_identity_provider : ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
54+ gcp_service_account : " ${{ vars.SERVICE_ACCOUNT_NAME || 'artifact-writer' }}@moz-fx-sync-prod.iam.gserviceaccount.com"
55+
56+ - name : Compute tags
57+ run : |
58+ TAGS=$(cat <<EOF
59+ us-docker.pkg.dev/moz-fx-sync-prod/sync-prod/syncstorage-rs:${{ steps.setup.outputs.image_tag }}
60+ ghcr.io/${{ github.repository }}/syncstorage-rs:${{ steps.setup.outputs.image_tag }}
61+ EOF
62+ )
63+ if [[ "${{ steps.setup.outputs.push_latest }}" == "true" ]]; then
64+ TAGS="$TAGS
65+ us-docker.pkg.dev/moz-fx-sync-prod/sync-prod/syncstorage-rs:latest
66+ ghcr.io/${{ github.repository }}/syncstorage-rs:latest"
67+ fi
68+ echo "IMAGE_TAGS<<EOF" >> "$GITHUB_ENV"
69+ echo "$TAGS" >> "$GITHUB_ENV"
70+ echo "EOF" >> "$GITHUB_ENV"
71+
72+ - uses : docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
73+ with :
74+ context : .
75+ push : true
76+ build-args : |
77+ SYNCSTORAGE_DATABASE_BACKEND=spanner
78+ MYSQLCLIENT_PKG=libmysqlclient-dev
79+ tags : ${{ env.IMAGE_TAGS }}
80+ cache-from : type=gha
81+ cache-to : type=gha,mode=max
6082
6183 build-and-push-syncserver-postgres :
6284 needs : check
6385 permissions :
6486 contents : read
6587 id-token : write
6688 packages : write
67- uses : mozilla-it/deploy-actions/.github/workflows/build-and-push.yml@4784cb70739a4f32ce010921f60fb1ebbc791a38 # v6.2.2
68- with :
69- image_name : syncserver-postgres
70- gar_name : sync-prod
71- project_id : moz-fx-sync-prod
72- docker_build_args : |
73- SYNCSTORAGE_DATABASE_BACKEND=postgres
74- TOKENSERVER_DATABASE_BACKEND=postgres
75- should_tag_ghcr : true
76-
77- build-and-push-syncserver-postgres-enterprise-gar :
78- needs : check
79- permissions :
80- contents : read
81- id-token : write
82- packages : write
83- uses : mozilla-it/deploy-actions/.github/workflows/build-and-push.yml@4784cb70739a4f32ce010921f60fb1ebbc791a38 # v6.2.2
84- with :
85- image_name : syncserver-postgres
86- gar_name : fx-enterprise-private
87- project_id : moz-fx-fx-enterprise-prod
88- docker_build_args : |
89- SYNCSTORAGE_DATABASE_BACKEND=postgres
90- TOKENSERVER_DATABASE_BACKEND=postgres
89+ runs-on : ubuntu-latest
90+ steps :
91+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
92+ with :
93+ persist-credentials : false
94+
95+ - uses : ./.github/actions/setup-build-and-push
96+ id : setup
97+ with :
98+ workload_identity_provider : ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
99+ gcp_service_account : " ${{ vars.SERVICE_ACCOUNT_NAME || 'artifact-writer' }}@moz-fx-sync-prod.iam.gserviceaccount.com"
100+
101+ - name : Compute tags
102+ run : |
103+ TAGS=$(cat <<EOF
104+ us-docker.pkg.dev/moz-fx-sync-prod/sync-prod/syncserver-postgres:${{ steps.setup.outputs.image_tag }}
105+ ghcr.io/${{ github.repository }}/syncserver-postgres:${{ steps.setup.outputs.image_tag }}
106+ EOF
107+ )
108+ if [[ "${{ steps.setup.outputs.push_latest }}" == "true" ]]; then
109+ TAGS="$TAGS
110+ us-docker.pkg.dev/moz-fx-sync-prod/sync-prod/syncserver-postgres:latest
111+ ghcr.io/${{ github.repository }}/syncserver-postgres:latest"
112+ fi
113+ echo "IMAGE_TAGS<<EOF" >> "$GITHUB_ENV"
114+ echo "$TAGS" >> "$GITHUB_ENV"
115+ echo "EOF" >> "$GITHUB_ENV"
116+
117+ - name : Build and push to prod GAR and ghcr
118+ uses : docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
119+ with :
120+ context : .
121+ push : true
122+ build-args : |
123+ SYNCSTORAGE_DATABASE_BACKEND=postgres
124+ TOKENSERVER_DATABASE_BACKEND=postgres
125+ tags : ${{ env.IMAGE_TAGS }}
126+ cache-from : type=gha
127+ cache-to : type=gha,mode=max
128+
129+ - name : GCP auth (enterprise)
130+ id : gcp_auth_ent
131+ uses : google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
132+ with :
133+ workload_identity_provider : ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
134+ service_account : " ${{ vars.SERVICE_ACCOUNT_NAME || 'artifact-writer' }}@moz-fx-fx-enterprise-prod.iam.gserviceaccount.com"
135+ token_format : access_token
136+
137+ - name : Log in to enterprise GAR
138+ uses : docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
139+ with :
140+ registry : us-docker.pkg.dev
141+ username : oauth2accesstoken
142+ password : ${{ steps.gcp_auth_ent.outputs.access_token }}
143+
144+ - name : Build and push to enterprise GAR
145+ uses : docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
146+ with :
147+ context : .
148+ push : true
149+ build-args : |
150+ SYNCSTORAGE_DATABASE_BACKEND=postgres
151+ TOKENSERVER_DATABASE_BACKEND=postgres
152+ tags : us-docker.pkg.dev/moz-fx-fx-enterprise-prod/fx-enterprise-private/syncserver-postgres:${{ steps.setup.outputs.image_tag }}
153+ cache-from : type=gha
91154
92155 # Note: we are moving towards renaming all images `syncserver`, the union of sync and tokenserver.
93156 # This presently remains for the time being to simplify deploys by maintaining `image_name: syncstorage-rs-spanner-python-utils`.
@@ -98,56 +161,154 @@ jobs:
98161 contents : read
99162 id-token : write
100163 packages : write
101- uses : mozilla-it/deploy-actions/.github/workflows/build-and-push.yml@4784cb70739a4f32ce010921f60fb1ebbc791a38 # v6.2.2
102- with :
103- image_name : syncstorage-rs-spanner-python-utils
104- gar_name : sync-prod
105- project_id : moz-fx-sync-prod
106- dockerfile_path : tools/spanner/Dockerfile
107- image_build_context : tools/spanner
108- should_tag_ghcr : true
164+ runs-on : ubuntu-latest
165+ steps :
166+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
167+ with :
168+ persist-credentials : false
169+
170+ - uses : ./.github/actions/setup-build-and-push
171+ id : setup
172+ with :
173+ workload_identity_provider : ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
174+ gcp_service_account : " ${{ vars.SERVICE_ACCOUNT_NAME || 'artifact-writer' }}@moz-fx-sync-prod.iam.gserviceaccount.com"
175+ version_json_path : ./tools/spanner/version.json
176+
177+ - name : Compute tags
178+ run : |
179+ TAGS=$(cat <<EOF
180+ us-docker.pkg.dev/moz-fx-sync-prod/sync-prod/syncstorage-rs-spanner-python-utils:${{ steps.setup.outputs.image_tag }}
181+ ghcr.io/${{ github.repository }}/syncstorage-rs-spanner-python-utils:${{ steps.setup.outputs.image_tag }}
182+ EOF
183+ )
184+ if [[ "${{ steps.setup.outputs.push_latest }}" == "true" ]]; then
185+ TAGS="$TAGS
186+ us-docker.pkg.dev/moz-fx-sync-prod/sync-prod/syncstorage-rs-spanner-python-utils:latest
187+ ghcr.io/${{ github.repository }}/syncstorage-rs-spanner-python-utils:latest"
188+ fi
189+ echo "IMAGE_TAGS<<EOF" >> "$GITHUB_ENV"
190+ echo "$TAGS" >> "$GITHUB_ENV"
191+ echo "EOF" >> "$GITHUB_ENV"
192+
193+ - uses : docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
194+ with :
195+ context : tools/spanner
196+ file : tools/spanner/Dockerfile
197+ push : true
198+ tags : ${{ env.IMAGE_TAGS }}
199+ cache-from : type=gha
200+ cache-to : type=gha,mode=max
109201
110202 build-and-push-syncserver-postgres-python-utils :
111203 needs : check
112204 permissions :
113205 contents : read
114206 id-token : write
115207 packages : write
116- uses : mozilla-it/deploy-actions/.github/workflows/build-and-push.yml@4784cb70739a4f32ce010921f60fb1ebbc791a38 # v6.2.2
117- with :
118- image_name : syncserver-postgres-python-utils
119- gar_name : sync-prod
120- project_id : moz-fx-sync-prod
121- dockerfile_path : tools/postgres/Dockerfile
122- image_build_context : tools/postgres
123- should_tag_ghcr : true
124-
125- build-and-push-syncserver-postgres-python-utils-enterprise-gar :
126- needs : check
127- permissions :
128- contents : read
129- id-token : write
130- packages : write
131- uses : mozilla-it/deploy-actions/.github/workflows/build-and-push.yml@4784cb70739a4f32ce010921f60fb1ebbc791a38 # v6.2.2
132- with :
133- image_name : syncserver-postgres-python-utils
134- gar_name : fx-enterprise-private
135- project_id : moz-fx-fx-enterprise-prod
136- dockerfile_path : tools/postgres/Dockerfile
137- image_build_context : tools/postgres
208+ runs-on : ubuntu-latest
209+ steps :
210+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
211+ with :
212+ persist-credentials : false
213+
214+ - uses : ./.github/actions/setup-build-and-push
215+ id : setup
216+ with :
217+ workload_identity_provider : ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
218+ gcp_service_account : " ${{ vars.SERVICE_ACCOUNT_NAME || 'artifact-writer' }}@moz-fx-sync-prod.iam.gserviceaccount.com"
219+ version_json_path : ./tools/postgres/version.json
220+
221+ - name : Compute tags
222+ run : |
223+ TAGS=$(cat <<EOF
224+ us-docker.pkg.dev/moz-fx-sync-prod/sync-prod/syncserver-postgres-python-utils:${{ steps.setup.outputs.image_tag }}
225+ ghcr.io/${{ github.repository }}/syncserver-postgres-python-utils:${{ steps.setup.outputs.image_tag }}
226+ EOF
227+ )
228+ if [[ "${{ steps.setup.outputs.push_latest }}" == "true" ]]; then
229+ TAGS="$TAGS
230+ us-docker.pkg.dev/moz-fx-sync-prod/sync-prod/syncserver-postgres-python-utils:latest
231+ ghcr.io/${{ github.repository }}/syncserver-postgres-python-utils:latest"
232+ fi
233+ echo "IMAGE_TAGS<<EOF" >> "$GITHUB_ENV"
234+ echo "$TAGS" >> "$GITHUB_ENV"
235+ echo "EOF" >> "$GITHUB_ENV"
236+
237+ - name : Build and push to prod GAR and ghcr
238+ uses : docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
239+ with :
240+ context : tools/postgres
241+ file : tools/postgres/Dockerfile
242+ push : true
243+ tags : ${{ env.IMAGE_TAGS }}
244+ cache-from : type=gha
245+ cache-to : type=gha,mode=max
246+
247+ - name : GCP auth (enterprise)
248+ id : gcp_auth_ent
249+ uses : google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
250+ with :
251+ workload_identity_provider : ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
252+ service_account : " ${{ vars.SERVICE_ACCOUNT_NAME || 'artifact-writer' }}@moz-fx-fx-enterprise-prod.iam.gserviceaccount.com"
253+ token_format : access_token
254+
255+ - name : Log in to enterprise GAR
256+ uses : docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
257+ with :
258+ registry : us-docker.pkg.dev
259+ username : oauth2accesstoken
260+ password : ${{ steps.gcp_auth_ent.outputs.access_token }}
261+
262+ - name : Build and push to enterprise GAR
263+ uses : docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
264+ with :
265+ context : tools/postgres
266+ file : tools/postgres/Dockerfile
267+ push : true
268+ tags : us-docker.pkg.dev/moz-fx-fx-enterprise-prod/fx-enterprise-private/syncserver-postgres-python-utils:${{ steps.setup.outputs.image_tag }}
269+ cache-from : type=gha
138270
139271 build-and-push-syncserver-mysql :
140272 needs : check
141273 permissions :
142274 contents : read
143275 id-token : write
144276 packages : write
145- uses : mozilla-it/deploy-actions/.github/workflows/build-and-push.yml@4784cb70739a4f32ce010921f60fb1ebbc791a38 # v6.2.2
146- with :
147- image_name : syncserver-mysql
148- gar_name : sync-prod
149- project_id : moz-fx-sync-prod
150- docker_build_args : |
151- SYNCSTORAGE_DATABASE_BACKEND=mysql
152- TOKENSERVER_DATABASE_BACKEND=mysql
153- should_tag_ghcr : true
277+ runs-on : ubuntu-latest
278+ steps :
279+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
280+ with :
281+ persist-credentials : false
282+
283+ - uses : ./.github/actions/setup-build-and-push
284+ id : setup
285+ with :
286+ workload_identity_provider : ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
287+ gcp_service_account : " ${{ vars.SERVICE_ACCOUNT_NAME || 'artifact-writer' }}@moz-fx-sync-prod.iam.gserviceaccount.com"
288+
289+ - name : Compute tags
290+ run : |
291+ TAGS=$(cat <<EOF
292+ us-docker.pkg.dev/moz-fx-sync-prod/sync-prod/syncserver-mysql:${{ steps.setup.outputs.image_tag }}
293+ ghcr.io/${{ github.repository }}/syncserver-mysql:${{ steps.setup.outputs.image_tag }}
294+ EOF
295+ )
296+ if [[ "${{ steps.setup.outputs.push_latest }}" == "true" ]]; then
297+ TAGS="$TAGS
298+ us-docker.pkg.dev/moz-fx-sync-prod/sync-prod/syncserver-mysql:latest
299+ ghcr.io/${{ github.repository }}/syncserver-mysql:latest"
300+ fi
301+ echo "IMAGE_TAGS<<EOF" >> "$GITHUB_ENV"
302+ echo "$TAGS" >> "$GITHUB_ENV"
303+ echo "EOF" >> "$GITHUB_ENV"
304+
305+ - uses : docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
306+ with :
307+ context : .
308+ push : true
309+ build-args : |
310+ SYNCSTORAGE_DATABASE_BACKEND=mysql
311+ TOKENSERVER_DATABASE_BACKEND=mysql
312+ tags : ${{ env.IMAGE_TAGS }}
313+ cache-from : type=gha
314+ cache-to : type=gha,mode=max
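Review bot: The `Compute tags` steps (new lines 56-70, repeated at 101-115, 177-191, 221-235 and 289-303) expand `${{ steps.setup.outputs.image_tag }}` and `${{ steps.setup.outputs.push_latest }}` directly into the script text, so whatever the setup action emits is parsed as shell rather than treated as data. The `./.github/actions/setup-build-and-push` action is not visible here; if `image_tag` is derived from a ref name or from `version.json`, a crafted value on a `pull_request` run would execute in a job that holds `id-token: write` and `packages: write`. The same block closes the `$GITHUB_ENV` value with the fixed delimiter `EOF`, so a tag line equal to `EOF` would end the value early and let later lines define other environment variables. Passing the outputs through `env:` and writing the value under a random delimiter addresses both; the sketch below is for the first job, and the other four differ only in the image name.

```yaml
      - name: Compute tags
        env:
          IMAGE_TAG: ${{ steps.setup.outputs.image_tag }}
          PUSH_LATEST: ${{ steps.setup.outputs.push_latest }}
          GAR_REPO: us-docker.pkg.dev/moz-fx-sync-prod/sync-prod/syncstorage-rs
          GHCR_REPO: ghcr.io/${{ github.repository }}/syncstorage-rs
        run: |
          TAGS="$(printf '%s\n' "${GAR_REPO}:${IMAGE_TAG}" "${GHCR_REPO}:${IMAGE_TAG}")"
          if [[ "$PUSH_LATEST" == "true" ]]; then
            TAGS="$(printf '%s\n' "$TAGS" "${GAR_REPO}:latest" "${GHCR_REPO}:latest")"
          fi
          # Random delimiter so no tag line can terminate the value early.
          delim="$(dd if=/dev/urandom bs=15 count=1 status=none | base64)"
          {
            echo "IMAGE_TAGS<<${delim}"
            echo "$TAGS"
            echo "${delim}"
          } >> "$GITHUB_ENV"
      # … unchanged: docker/build-push-action step reading env.IMAGE_TAGS …
```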