# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
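name: 🌳 CI/CD

on:  # yamllint disable-line rule:truthy
  push:
    branches: ["main"]
    tags: ["v*"]
  pull_request:

env:
  REGISTRY: ghcr.io

# NOTE(review): no workflow-level `permissions:` is set, so the `tests` job
# (a reusable workflow) receives the repository's default GITHUB_TOKEN scopes.
# A top-level `permissions: { contents: read }` is the usual hardening, but it
# caps what tests.yml may request — confirm against that file before adding it.

jobs:
  # Computes which images need rebuilding from the paths touched by the push/PR.
  # Output `images` is a JSON array of matching filter names from file-filters.yml.
  changes:
    name: 🔄 Detect changes
    runs-on: ubuntu-latest
    permissions:
      # Declaring any permission sets every unlisted one to `none`; the
      # checkout below needs contents: read (mandatory for private repos).
      contents: read
      pull-requests: read
    outputs:
      images: ${{ steps.filter.outputs.changes }}
    steps:
      # https://github.com/actions/checkout/tree/11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      # https://github.com/dorny/paths-filter/tree/de90cc6fb38fc0963ad72b210f1f284cd68cea36
      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
        id: filter
        with:
          filters: .github/file-filters.yml

  # Delegates testing to the reusable tests.yml, scoped to the changed images.
  tests:
    name: 🧪 Tests
    needs: changes
    uses: ./.github/workflows/tests.yml
    with:
      images: ${{ needs.changes.outputs.images }}
    # NOTE(review): `inherit` forwards every repository secret — including the
    # SSH_MANAGER_* production credentials used by `deploy` below — to a
    # workflow that also runs on pull_request. Prefer an explicit `secrets:`
    # mapping listing only what tests.yml consumes (not visible from here).
    secrets: inherit

  # Builds one image per changed component; on non-PR events also pushes it,
  # signs it with cosign (keyless) and attaches SLSA build provenance.
  build:
    name: 🐳 Docker
    runs-on: ubuntu-latest
    needs: [changes, tests]
    strategy:
      fail-fast: false
      # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow#example-adding-configurations
      matrix:
        # NOTE(review): paths-filter emits `[]` when nothing matched, and an
        # empty matrix vector makes this job error rather than skip — TODO
        # confirm whether a job-level `if` on the output is wanted (it would
        # also skip `deploy`, which `needs` this job).
        image: ${{ fromJSON(needs.changes.outputs.images) }}
        include:
          - image: urbantree
            context: .
          - image: api
            context: ./api
    permissions:
      contents: read
      packages: write
      attestations: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      # Permissions cannot vary by event, so these write scopes are also
      # granted on same-repository PR runs; the steps that use them are gated
      # with `if:` below and forks only ever get a read-only token.
      id-token: write
    steps:
      # https://github.com/actions/checkout/tree/11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          # Nothing in this job pushes to git, and the build context is the
          # checkout directory: do not leave GITHUB_TOKEN in .git/config where
          # a `COPY . .` could bake it into an image layer (unless .dockerignore
          # excludes .git — not visible from here).
          persist-credentials: false
      # https://github.com/sigstore/cosign-installer/tree/dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
        if: github.event_name != 'pull_request'
        with:
          cosign-release: "v2.2.4"
      # https://github.com/docker/setup-buildx-action/tree/c47758b77c9736f4b2ef4073d4d51994fabfe349
      - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
      # https://github.com/docker/login-action/tree/7ca345011ac4304463197fac0e56eab1bc7e6af0
      - name: 🪪 Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
        if: github.event_name != 'pull_request'
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # https://github.com/docker/metadata-action/tree/b53be03109c4ef6f6cc7aa545b84b17a7fe51c1e
      - uses: docker/metadata-action@b53be03109c4ef6f6cc7aa545b84b17a7fe51c1e
        id: meta
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,manifest-descriptor,index,index-descriptor
      # https://github.com/actions/cache/tree/6849a6489940f00c2f30c0fb92c6274307ccb58a
      - name: 📦 Cache Docker layers
        # `id` is required: the "Load cache" step reads steps.cache.outputs.cache-hit,
        # which silently evaluated to empty while this step had no id.
        id: cache
        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a
        with:
          path: |
            composer-cache
            python-cache
          key: ${{ runner.os }}-docker-${{ hashFiles('**/Dockerfile') }}
          # Reuse the newest cache for this OS when a Dockerfile changed instead
          # of starting cold; a partial hit reports cache-hit=false so it is
          # re-saved under the new key.
          restore-keys: |
            ${{ runner.os }}-docker-
      # https://github.com/reproducible-containers/buildkit-cache-dance/tree/5b6db76d1da5c8b307d5d2e0706d266521b710de
      - name: 📦 Load cache
        uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de
        with:
          cache-map: |
            {
              "composer-cache": "/tmp/cache",
              "python-cache": "/root/.cache/pip"
            }
          # On an exact hit actions/cache does not re-save, so there is nothing
          # to extract back out of the build container.
          skip-extraction: ${{ steps.cache.outputs.cache-hit }}
      # https://github.com/docker/build-push-action/tree/48aba3b46d1b1fec4febb7c5d0c644b249a11355
      - name: 🏗️ Build final stage and push to ${{ env.REGISTRY }}
        id: build-and-push
        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
        with:
          context: ${{ matrix.context }}
          push: ${{ github.event_name != 'pull_request' }}
          target: final
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          annotations: ${{ steps.meta.outputs.annotations }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      # Sign the resulting Docker image digest except on PRs.
      # This will only write to the public Rekor transparency log when the Docker
      # repository is public to avoid leaking data. If you would like to publish
      # transparency data even for private images, pass --force to cosign below.
      # https://github.com/sigstore/cosign/
      - name: 🖋️ Sign the published Docker image
        if: ${{ github.event_name != 'pull_request' }}
        env:
          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # This step uses the identity token to provision an ephemeral certificate
        # against the sigstore community Fulcio instance.
        # Signing tag@digest pins the signature to the content, not the mutable tag.
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
      # https://github.com/actions/attest-build-provenance/tree/ef244123eb79f2f7a7e75d99086184180e6d0018
      - name: 📝 Attest the build provenance
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018
        if: ${{ github.event_name != 'pull_request' }}
        with:
          subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image }}
          subject-digest: ${{ steps.build-and-push.outputs.digest }}
          push-to-registry: true

  # Rolls the stack out on the Swarm manager over SSH, then probes the API.
  # Runs for pushes to main and for v* tags; never for pull requests.
  deploy:
    name: 🚀 Deploy to production
    runs-on: ubuntu-latest
    needs: build
    if: ${{ github.event_name != 'pull_request' }}
    # Neither step uses GITHUB_TOKEN: grant it nothing instead of the repo default.
    permissions: {}
    # Ties the run to a deployment environment so protection rules (required
    # reviewers, branch/tag restrictions) can gate production and the
    # SSH_MANAGER_* secrets can be moved to environment scope. GitHub creates
    # the environment on first reference if it does not exist.
    environment: production
    # Serialise deploys: two `docker stack deploy` runs racing on the manager
    # (e.g. a main push and a tag push) is never what we want.
    concurrency:
      group: deploy-production
      cancel-in-progress: false
    steps:
      # https://github.com/appleboy/ssh-action/tree/7eaf76671a0d7eec5d98ee897acda4f968735a17
      - name: 🚚 SSH into production server
        uses: appleboy/ssh-action@7eaf76671a0d7eec5d98ee897acda4f968735a17
        with:
          host: ${{ secrets.SSH_MANAGER_HOST }}
          username: ${{ secrets.SSH_MANAGER_USER }}
          # NOTE(review): password authentication with no `fingerprint:` input
          # means the runner accepts whatever host key it is offered. Switch to
          # a dedicated deploy key (`key: ${{ secrets.SSH_MANAGER_KEY }}`) and
          # pin the manager's host key via `fingerprint:` once those secrets
          # exist; that change is not made here because it needs new secrets.
          password: ${{ secrets.SSH_MANAGER_PASS }}
          port: ${{ secrets.SSH_MANAGER_PORT }}
          # NOTE(review): the images are signed above but nothing verifies the
          # signature before `stack deploy` pulls them — consider `cosign verify`
          # or digest-pinned image references in compose.prod.yml.
          script: |
            docker stack deploy --with-registry-auth -c compose.prod.yml urbantree
      - name: 🕵️ Check the deployment
        # API_URL is not defined in this workflow's `env:` (only REGISTRY is), so
        # `${{ env.API_URL }}` expanded to an empty string and curl probed
        # `http:///`. Workflow env is exported to the shell, so read it as
        # "$API_URL" (no expression inlining) and fail with a clear message when
        # it is missing; if it lives in repository variables, pass `vars.API_URL`
        # through a job/step `env:` instead. TODO: prefer https once the API has TLS.
        run: |
          if [ -z "${API_URL:-}" ]; then
            echo "::error::API_URL is not set; define it under env: (or map vars.API_URL to it)"
            exit 1
          fi
          # `docker stack deploy` returns before the new tasks are up; retry
          # connection failures and 5xx for ~1 min before calling the deploy broken.
          # curl -sSf --retry 10 --retry-delay 6 --retry-all-errors "http://${WEB_URL}/"
          curl -sSf --retry 10 --retry-delay 6 --retry-all-errors "http://${API_URL}/"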