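name: "🐳 Publish Webapp"

# Reusable workflow (workflow_call): builds the webapp container image with
# Depot, pushes it to the resolved registry namespace and records build
# provenance for the pushed digest. Callers can only grant these permissions
# or a subset of them.
permissions:
  contents: read
  packages: write      # push to GHCR with GITHUB_TOKEN
  id-token: write      # OIDC token for Sigstore keyless signing of the attestation
  attestations: write  # store the provenance attestation on the repository

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      image_tag:
        description: The image tag to publish
        type: string
        required: false
        default: ""
      image_registry:
        description: The registry namespace to publish under (e.g. ghcr.io/<owner>)
        type: string
        required: false
        default: ""
    outputs:
      version:
        description: The published image tag
        value: ${{ jobs.publish.outputs.version }}
      short_sha:
        description: Short commit SHA of the published build
        value: ${{ jobs.publish.outputs.short_sha }}
      image_repo:
        description: The image repository the build was published to (without tag)
        value: ${{ jobs.publish.outputs.image_repo }}
    secrets:
      SENTRY_AUTH_TOKEN:
        required: false

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      # Actions env values are always strings; quoted so generic YAML tooling
      # does not read it as an integer.
      PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING: "1"
    outputs:
      version: ${{ steps.get_tag.outputs.tag }}
      short_sha: ${{ steps.get_commit.outputs.sha_short }}
      image_repo: ${{ steps.set_tags.outputs.image_repo }}
    steps:
      - name: 🏭 Setup Depot CLI
        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1

      - name: ⬇️ Checkout repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: recursive
          # Do not leave GITHUB_TOKEN in .git/config where later steps could
          # read it; nothing in this job needs git credentials.
          persist-credentials: false

      - name: "#️⃣ Get the image tag"
        id: get_tag
        uses: ./.github/actions/get-image-tag
        with:
          tag: ${{ inputs.image_tag }}

      - name: 🔢 Get the commit hash
        id: get_commit
        run: |
          echo "sha_short=$(echo "${GITHUB_SHA}" | cut -c1-7)" >> "$GITHUB_OUTPUT"

      # Step outputs and inputs are handed to `run:` via `env:` instead of being
      # interpolated with ${{ }} into the script, so a caller-controlled value
      # (e.g. image_tag) cannot inject shell.
      - name: 📛 Set the tags
        id: set_tags
        run: |
          # The registry namespace is resolved by the caller (defaulting to
          # ghcr.io/<owner>, overridable via the IMAGE_REGISTRY repository
          # variable); the webapp image lives at <registry>/<repo-name>. A fork
          # therefore publishes to its own package automatically.
          if [[ -z "${STEPS_GET_TAG_OUTPUTS_TAG}" ]]; then
            echo "::error::get-image-tag produced an empty tag; refusing to push an untagged image"
            exit 1
          fi
          image_tags=$REF_WITHOUT_TAG:${STEPS_GET_TAG_OUTPUTS_TAG}
          # when pushing the mutable main tag, also push an immutable-by-convention
          # full-commit-sha tag so a commit can be resolved to a specific digest
          if [[ "${STEPS_GET_TAG_OUTPUTS_TAG}" == "main" ]]; then
            image_tags=$image_tags,$REF_WITHOUT_TAG:${GITHUB_SHA}
          fi
          echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
          echo "image_repo=${REF_WITHOUT_TAG}" >> "$GITHUB_OUTPUT"
        env:
          REF_WITHOUT_TAG: ${{ format('{0}/{1}', inputs.image_registry || vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner), github.event.repository.name) }}
          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}

      - name: 📝 Set the build info
        id: set_build_info
        run: |
          {
            tag="${STEPS_GET_TAG_OUTPUTS_TAG}"
            # Only a semver tag is treated as an application version; branch
            # builds leave BUILD_APP_VERSION unset.
            if [[ "${STEPS_GET_TAG_OUTPUTS_IS_SEMVER}" == true ]]; then
              echo "BUILD_APP_VERSION=${tag}"
            fi
            echo "BUILD_GIT_SHA=${GITHUB_SHA}"
            echo "BUILD_GIT_REF_NAME=${GITHUB_REF_NAME}"
            echo "BUILD_TIMESTAMP_SECONDS=$(date +%s)"
            echo "BUILD_TIMESTAMP_RFC3339=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
          } >> "$GITHUB_OUTPUT"
        env:
          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
          STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}

      # NOTE(review): this logs in to ghcr.io only. If image_registry or the
      # IMAGE_REGISTRY variable points at a different registry, the push below
      # has no credentials for it — confirm only GHCR namespaces are used.
      - name: 🐙 Login to GitHub Container Registry
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: 🐳 Build image and push to GitHub Container Registry
        id: build_push
        uses: depot/build-push-action@98e78adca7817480b8185f474a400b451d74e287 # v1.18.0
        with:
          file: ./docker/Dockerfile
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.set_tags.outputs.image_tags }}
          push: true
          # build-args are recorded in image metadata; only non-sensitive
          # values belong here.
          build-args: |
            BUILD_APP_VERSION=${{ steps.set_build_info.outputs.BUILD_APP_VERSION }}
            BUILD_GIT_SHA=${{ steps.set_build_info.outputs.BUILD_GIT_SHA }}
            BUILD_GIT_REF_NAME=${{ steps.set_build_info.outputs.BUILD_GIT_REF_NAME }}
            BUILD_TIMESTAMP_SECONDS=${{ steps.set_build_info.outputs.BUILD_TIMESTAMP_SECONDS }}
            BUILD_TIMESTAMP_RFC3339=${{ steps.set_build_info.outputs.BUILD_TIMESTAMP_RFC3339 }}
            SENTRY_RELEASE=${{ steps.set_build_info.outputs.BUILD_GIT_SHA }}
            SENTRY_ORG=triggerdev
            SENTRY_PROJECT=trigger-cloud
          # The token is passed as a BuildKit secret rather than a build-arg so
          # it is mounted during the build and not persisted in the image.
          secrets: |
            sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}

      - name: 🪪 Attest build provenance
        # Image is already pushed by this point — don't fail releases (and the
        # downstream publish-helm job) on a Sigstore/GHCR-referrer hiccup. Real
        # config errors still surface as a step warning in the workflow run.
        # Consequence: a published digest may have no attestation, so consumers
        # that require provenance must verify it (gh attestation verify) rather
        # than assume it exists.
        continue-on-error: true
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-name: ${{ steps.set_tags.outputs.image_repo }}
          subject-digest: ${{ steps.build_push.outputs.digest }}
          push-to-registry: true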