publish-webapp.yml
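# Reusable workflow (workflow_call): builds the webapp image from
# ./docker/Dockerfile with Depot, pushes it to
# ghcr.io/triggerdotdev/trigger.dev, then attests build provenance for the
# pushed digest.
name: "🐳 Publish Webapp"

# Token scopes requested by this workflow:
#   contents: read      - checkout only; the job cannot push to the repository
#   packages: write     - push the image to GHCR
#   id-token: write     - mint an OIDC token for the attestation step
#                         (NOTE(review): presumably also used by Depot for
#                         OIDC auth, since no Depot token is passed - confirm)
#   attestations: write - store the provenance attestation
# A called workflow can only keep or narrow the caller's GITHUB_TOKEN
# permissions, never widen them, so every caller must grant these scopes.
permissions:
  contents: read
  packages: write
  id-token: write
  attestations: write

on:
  workflow_call:
    inputs:
      image_tag:
        description: The image tag to publish
        type: string
        required: false
        default: ""
    outputs:
      version:
        description: The published image tag
        value: ${{ jobs.publish.outputs.version }}
      short_sha:
        description: Short commit SHA of the published build
        value: ${{ jobs.publish.outputs.short_sha }}
    secrets:
      SENTRY_AUTH_TOKEN:
        required: false

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      # Quoted so the value is unambiguously a string.
      # NOTE(review): this tells Prisma to continue when an engine checksum
      # file is missing, i.e. it relaxes an integrity check on a downloaded
      # binary. No visible step runs Prisma on the runner, and job-level env
      # does not reach the image build unless declared as a build arg -
      # confirm it is still needed here.
      PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING: "1"
    outputs:
      version: ${{ steps.get_tag.outputs.tag }}
      short_sha: ${{ steps.get_commit.outputs.sha_short }}
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # version comments are informational only - the SHA is what executes.
      - name: 🏭 Setup Depot CLI
        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1

      - name: ⬇️ Checkout repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Submodule contents become part of the build context.
          submodules: recursive
          # Keep the GITHUB_TOKEN out of .git/config so later steps and the
          # build context cannot read it from the working tree.
          persist-credentials: false

      # Local composite action, executed from the ref checked out above.
      - name: "#️⃣ Get the image tag"
        id: get_tag
        uses: ./.github/actions/get-image-tag
        with:
          tag: ${{ inputs.image_tag }}

      - name: 🔢 Get the commit hash
        id: get_commit
        run: |
          echo "sha_short=$(echo "${GITHUB_SHA}" | cut -c1-7)" >> "$GITHUB_OUTPUT"

      - name: 📛 Set the tags
        id: set_tags
        # The tag reaches the script through env rather than inline ${{ }}
        # interpolation, so it is never parsed as shell source.
        # NOTE(review): the value is still appended to $GITHUB_OUTPUT
        # unvalidated; this relies on get-image-tag (not shown) rejecting
        # newlines and characters outside the image-tag grammar - confirm.
        run: |
          ref_without_tag=ghcr.io/triggerdotdev/trigger.dev
          image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG}
          # when pushing the mutable main tag, also push an immutable-by-convention
          # full-commit-sha tag so a commit can be resolved to a specific digest
          # (only the digest itself is a truly immutable reference)
          if [[ "${STEPS_GET_TAG_OUTPUTS_TAG}" == "main" ]]; then
            image_tags=$image_tags,$ref_without_tag:${GITHUB_SHA}
          fi
          echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
        env:
          # Only the tag is read by this script; the is_semver output that
          # was also exported here was unused and has been dropped.
          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}

      - name: 📝 Set the build info
        id: set_build_info
        # Emits the values consumed as build-args below. BUILD_APP_VERSION is
        # written only for semver tags and is therefore empty otherwise.
        run: |
          {
            tag="${STEPS_GET_TAG_OUTPUTS_TAG}"
            if [[ "${STEPS_GET_TAG_OUTPUTS_IS_SEMVER}" == true ]]; then
              echo "BUILD_APP_VERSION=${tag}"
            fi
            echo "BUILD_GIT_SHA=${GITHUB_SHA}"
            echo "BUILD_GIT_REF_NAME=${GITHUB_REF_NAME}"
            echo "BUILD_TIMESTAMP_SECONDS=$(date +%s)"
            echo "BUILD_TIMESTAMP_RFC3339=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
          } >> "$GITHUB_OUTPUT"
        env:
          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
          STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}

      - name: 🐙 Login to GitHub Container Registry
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          # Per-run GITHUB_TOKEN, limited to the scopes declared at the top
          # of this file; no long-lived registry credential is stored.
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: 🐳 Build image and push to GitHub Container Registry
        id: build_push
        uses: depot/build-push-action@98e78adca7817480b8185f474a400b451d74e287 # v1.18.0
        with:
          file: ./docker/Dockerfile
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.set_tags.outputs.image_tags }}
          push: true
          # Build args can end up in image metadata; keep them to
          # non-sensitive values such as the ones below.
          build-args: |
            BUILD_APP_VERSION=${{ steps.set_build_info.outputs.BUILD_APP_VERSION }}
            BUILD_GIT_SHA=${{ steps.set_build_info.outputs.BUILD_GIT_SHA }}
            BUILD_GIT_REF_NAME=${{ steps.set_build_info.outputs.BUILD_GIT_REF_NAME }}
            BUILD_TIMESTAMP_SECONDS=${{ steps.set_build_info.outputs.BUILD_TIMESTAMP_SECONDS }}
            BUILD_TIMESTAMP_RFC3339=${{ steps.set_build_info.outputs.BUILD_TIMESTAMP_RFC3339 }}
            SENTRY_RELEASE=${{ steps.set_build_info.outputs.BUILD_GIT_SHA }}
            SENTRY_ORG=triggerdev
            SENTRY_PROJECT=trigger-cloud
          # The Sentry token is passed as a build secret, not a build arg.
          # NOTE(review): it stays out of image layers only if the Dockerfile
          # (not shown) consumes it through a secret mount - confirm.
          secrets: |
            sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}

      - name: 🪪 Attest build provenance
        # Image is already pushed by this point — don't fail releases (and the
        # downstream publish-helm job) on a Sigstore/GHCR-referrer hiccup. Real
        # config errors still surface as a step warning in the workflow run.
        #
        # Consequence of this trade-off: a tag can be published with no
        # attestation. Consumers that gate on `gh attestation verify` will
        # reject such an image; consumers that do not verify will not notice.
        # Monitor warnings on this step rather than assuming every pushed
        # digest is attested.
        continue-on-error: true
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          # The attestation is bound to the digest returned by the build step,
          # not to a tag, so it stays valid if a mutable tag later moves.
          subject-name: ghcr.io/triggerdotdev/trigger.dev
          subject-digest: ${{ steps.build_push.outputs.digest }}
          push-to-registry: true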