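# Reusable workflow (workflow_call): builds the webapp image for
# linux/amd64 + linux/arm64 with Depot, pushes it to the image repository,
# and records build provenance for the pushed digest.
name: "🐳 Publish Webapp"

# Least-privilege token scope for every job below. A reusable workflow can
# never exceed what its caller grants, so callers must allow at least this.
permissions:
  contents: read        # checkout only
  packages: write       # push to the container registry
  id-token: write       # OIDC token used by the provenance attestation step
  attestations: write   # store the attestation on GitHub

on:
  workflow_call:
    inputs:
      image_tag:
        description: The image tag to publish
        type: string
        required: false
        default: ""
    outputs:
      version:
        description: The published image tag
        value: ${{ jobs.publish.outputs.version }}
      short_sha:
        description: Short commit SHA of the published build
        value: ${{ jobs.publish.outputs.short_sha }}
      image_repo:
        description: The image repository the build was published to (without tag)
        value: ${{ jobs.publish.outputs.image_repo }}
    secrets:
      # Optional: when absent the build secret below is simply empty.
      SENTRY_AUTH_TOKEN:
        required: false

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      # Consumed by the Prisma toolchain during the image build — presumably
      # tolerates missing engine checksum files; confirm against the Dockerfile.
      PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING: 1
    outputs:
      version: ${{ steps.get_tag.outputs.tag }}
      short_sha: ${{ steps.get_commit.outputs.sha_short }}
      image_repo: ${{ steps.set_tags.outputs.image_repo }}
    steps:
      - name: 🏭 Setup Depot CLI
        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1

      - name: ⬇️ Checkout repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: recursive
          # Do not leave GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false

      - name: "#️⃣ Get the image tag"
        id: get_tag
        uses: ./.github/actions/get-image-tag
        with:
          tag: ${{ inputs.image_tag }}

      - name: 🔢 Get the commit hash
        id: get_commit
        run: |
          # first 7 characters of the full commit SHA
          echo "sha_short=${GITHUB_SHA:0:7}" >> "$GITHUB_OUTPUT"

      # Step outputs are handed to the shell through `env` rather than being
      # interpolated into the script text, so their content is never parsed
      # as shell.
      - name: 📛 Set the tags
        id: set_tags
        run: |
          # The image repo defaults to ghcr.io/<owner>/<repo>, so a fork publishes
          # to its own package automatically with no extra config. Set the
          # WEBAPP_IMAGE_REPO repository variable to override it with any
          # registry/path.
          image_tags=$REF_WITHOUT_TAG:${STEPS_GET_TAG_OUTPUTS_TAG}
          # when pushing the mutable main tag, also push an immutable-by-convention
          # full-commit-sha tag so a commit can be resolved to a specific digest
          if [[ "${STEPS_GET_TAG_OUTPUTS_TAG}" == "main" ]]; then
            image_tags=$image_tags,$REF_WITHOUT_TAG:${GITHUB_SHA}
          fi
          echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
          echo "image_repo=${REF_WITHOUT_TAG}" >> "$GITHUB_OUTPUT"
        env:
          REF_WITHOUT_TAG: ${{ vars.WEBAPP_IMAGE_REPO || format('ghcr.io/{0}', github.repository) }}
          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}

      - name: 📝 Set the build info
        id: set_build_info
        run: |
          {
            tag="${STEPS_GET_TAG_OUTPUTS_TAG}"
            # only a semver tag is an app version; any other tag leaves
            # BUILD_APP_VERSION unset, which reaches the build-arg as empty
            if [[ "${STEPS_GET_TAG_OUTPUTS_IS_SEMVER}" == true ]]; then
              echo "BUILD_APP_VERSION=${tag}"
            fi
            echo "BUILD_GIT_SHA=${GITHUB_SHA}"
            echo "BUILD_GIT_REF_NAME=${GITHUB_REF_NAME}"
            # read the clock once so the epoch and RFC 3339 values describe the
            # same instant instead of two independent date calls
            now="$(date +%s)"
            echo "BUILD_TIMESTAMP_SECONDS=${now}"
            echo "BUILD_TIMESTAMP_RFC3339=$(date -u -d "@${now}" +%Y-%m-%dT%H:%M:%SZ)"
          } >> "$GITHUB_OUTPUT"
        env:
          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
          STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}

      - name: 🐙 Login to GitHub Container Registry
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          # job-scoped token; packages: write above is what lets it push
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: 🐳 Build image and push to GitHub Container Registry
        id: build_push
        uses: depot/build-push-action@98e78adca7817480b8185f474a400b451d74e287 # v1.18.0
        with:
          file: ./docker/Dockerfile
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.set_tags.outputs.image_tags }}
          push: true
          # Build metadata baked into the image; the Sentry release is keyed
          # on the full commit SHA.
          build-args: |
            BUILD_APP_VERSION=${{ steps.set_build_info.outputs.BUILD_APP_VERSION }}
            BUILD_GIT_SHA=${{ steps.set_build_info.outputs.BUILD_GIT_SHA }}
            BUILD_GIT_REF_NAME=${{ steps.set_build_info.outputs.BUILD_GIT_REF_NAME }}
            BUILD_TIMESTAMP_SECONDS=${{ steps.set_build_info.outputs.BUILD_TIMESTAMP_SECONDS }}
            BUILD_TIMESTAMP_RFC3339=${{ steps.set_build_info.outputs.BUILD_TIMESTAMP_RFC3339 }}
            SENTRY_RELEASE=${{ steps.set_build_info.outputs.BUILD_GIT_SHA }}
            SENTRY_ORG=triggerdev
            SENTRY_PROJECT=trigger-cloud
          # passed as a build secret (mount), not a build-arg, so it is not
          # persisted in image layers or history
          secrets: |
            sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}

      - name: 🪪 Attest build provenance
        # Image is already pushed by this point — don't fail releases (and the
        # downstream publish-helm job) on a Sigstore/GHCR-referrer hiccup. Real
        # config errors still surface as a step warning in the workflow run.
        continue-on-error: true
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          # subject is the untagged repository + the digest the push returned,
          # so the attestation binds to the exact manifest regardless of tag
          subject-name: ${{ steps.set_tags.outputs.image_repo }}
          subject-digest: ${{ steps.build_push.outputs.digest }}
          push-to-registry: true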