Skip to content

feat: add cookie notice #49

feat: add cookie notice

feat: add cookie notice #49

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: 🌳 CI/CD
on:
push:
branches: ["main"]
tags: ["v*"]
pull_request:
env:
REGISTRY: ghcr.io
jobs:
changes:
name: 🔄 Detect changes
runs-on: ubuntu-latest
permissions:
pull-requests: read
outputs:
images: ${{ steps.filter.outputs.changes }}
steps:
# https://github.com/actions/checkout/tree/11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
# https://github.com/dorny/paths-filter/tree/de90cc6fb38fc0963ad72b210f1f284cd68cea36
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
id: filter
with:
filters: .github/file-filters.yml
tests:
name: 🧪 Tests
needs: changes
uses: ./.github/workflows/tests.yml
with:
images: ${{ needs.changes.outputs.images }}
secrets: inherit
build:
name: 🐳 Docker
runs-on: ubuntu-latest
needs: [changes, tests]
strategy:
fail-fast: false
# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow#example-adding-configurations
matrix:
image: ${{ fromJSON(needs.changes.outputs.images) }}
include:
- image: urbantree
context: ./app
- image: api
context: ./api
permissions:
contents: read
packages: write
attestations: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
# https://github.com/actions/checkout/tree/11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
# https://github.com/sigstore/cosign-installer/tree/dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
if: github.event_name != 'pull_request'
with:
cosign-release: "v2.2.4"
# https://github.com/docker/setup-buildx-action/tree/c47758b77c9736f4b2ef4073d4d51994fabfe349
- uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
# https://github.com/docker/login-action/tree/7ca345011ac4304463197fac0e56eab1bc7e6af0
- name: 🪪 Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
if: github.event_name != 'pull_request'
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# https://github.com/docker/metadata-action/tree/b53be03109c4ef6f6cc7aa545b84b17a7fe51c1e
- uses: docker/metadata-action@b53be03109c4ef6f6cc7aa545b84b17a7fe51c1e
id: meta
with:
images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,manifest-descriptor,index,index-descriptor
# https://github.com/actions/cache/tree/6849a6489940f00c2f30c0fb92c6274307ccb58a
- name: 📦 Cache Docker layers
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a
with:
path: |
composer-cache
python-cache
key: ${{ runner.os }}-docker-${{ hashFiles('**/Dockerfile') }}
# https://github.com/reproducible-containers/buildkit-cache-dance/tree/5b6db76d1da5c8b307d5d2e0706d266521b710de
- name: 📦 Load cache
uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de
with:
cache-map: |
{
"composer-cache": "/tmp/cache",
"python-cache": "/root/.cache/pip"
}
skip-extraction: ${{ steps.cache.outputs.cache-hit }}
# https://github.com/docker/build-push-action/tree/48aba3b46d1b1fec4febb7c5d0c644b249a11355
- name: 🏗️ Build final stage and push to ${{ env.REGISTRY }}
id: build-and-push
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
with:
context: ${{ matrix.context }}
push: ${{ github.event_name != 'pull_request' }}
target: final
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
cache-from: type=gha
cache-to: type=gha,mode=max
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
# repository is public to avoid leaking data. If you would like to publish
# transparency data even for private images, pass --force to cosign below.
# https://github.com/sigstore/cosign/
- name: 🖋️ Sign the published Docker image
if: ${{ github.event_name != 'pull_request' }}
env:
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
# https://github.com/actions/attest-build-provenance/tree/ef244123eb79f2f7a7e75d99086184180e6d0018
- name: 📝 Attest the build provenance
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018
if: ${{ github.event_name != 'pull_request' }}
with:
subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image }}
subject-digest: ${{ steps.build-and-push.outputs.digest }}
push-to-registry: true
deploy:
name: 🚀 Deploy to production
runs-on: ubuntu-latest
needs: build
if: ${{ github.event_name != 'pull_request' }}
steps:
# https://github.com/appleboy/ssh-action/tree/7eaf76671a0d7eec5d98ee897acda4f968735a17
- name: 🚚 SSH into production server
uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17
with:
host: ${{ secrets.SSH_MANAGER_HOST }}
username: ${{ secrets.SSH_MANAGER_USER }}
password: ${{ secrets.SSH_MANAGER_PASS }}
port: ${{ secrets.SSH_MANAGER_PORT }}
script: |
docker stack deploy --with-registry-auth -c compose.prod.yml urbantree
- name: 🕵️ Check the deployment
run: |
# curl -sSf http://${{ vars.WEB_URL }}/
curl -sSf http://${{ vars.API_URL }}/