feat(workflows): add database build workflow

Projecte-UrbanTree · Dec 11, 2024 · 672bed9 · 672bed9
1 parent ddab5b7
commit 672bed9
Show file tree

Hide file tree

Showing 3 changed files with 113 additions and 4 deletions.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -67,10 +67,23 @@ jobs:
       version: ${{ needs.foundation.outputs.version }}
     secrets: inherit
 
+  database:
+    name: 🏗️ Build database
+    needs: foundation
+    uses: ./.github/workflows/database.yml
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    with:
+      version: ${{ needs.foundation.outputs.version }}
+    secrets: inherit
+
   release:
     name: 🚀 Release
-    needs: build
-    if: ${{ needs.build.outputs.version }}
+    needs: [build, database]
+    if: ${{ needs.build.outputs.version && needs.database.outputs.version }}
     runs-on: ubuntu-latest
     environment: Production
 

diff --git a/.github/workflows/database.yml b/.github/workflows/database.yml
@@ -0,0 +1,96 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: 🏗️ Build database
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        type: string
+    outputs:
+      version:
+        value: ${{ inputs.version }}
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build:
+    name: 🐳 Docker
+    runs-on: ubuntu-latest
+
+    steps:
+      # https://github.com/actions/checkout/tree/11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      # https://github.com/docker/setup-buildx-action/tree/c47758b77c9736f4b2ef4073d4d51994fabfe349
+      - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
+
+      # https://github.com/sigstore/cosign-installer/tree/dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
+      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
+        if: inputs.version
+        with:
+          cosign-release: "v2.2.4"
+
+      # https://github.com/docker/login-action/tree/7ca345011ac4304463197fac0e56eab1bc7e6af0
+      - name: 🪪 Log into registry ${{ env.REGISTRY }}
+        uses: docker/login-action@7ca345011ac4304463197fac0e56eab1bc7e6af0
+        if: inputs.version
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      # https://github.com/docker/metadata-action/tree/b53be03109c4ef6f6cc7aa545b84b17a7fe51c1e
+      - uses: docker/metadata-action@b53be03109c4ef6f6cc7aa545b84b17a7fe51c1e
+        id: meta
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/database
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}},value=${{ inputs.version }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ inputs.version }}
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,manifest-descriptor,index,index-descriptor
+
+      # https://github.com/docker/build-push-action/tree/48aba3b46d1b1fec4febb7c5d0c644b249a11355
+      - name: 🏗️ Build final stage ${{ inputs.version && 'and push to registry' }}
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
+        id: build-and-push
+        with:
+          build-args: |
+            IMAGE_VERSION=${{ inputs.version }}
+          context: ./database
+          push: ${{ !!inputs.version }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: 🖋️ Sign the published Docker image
+        if: inputs.version
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+      # https://github.com/actions/attest-build-provenance/tree/7668571508540a607bdfd90a87a560489fe372eb
+      - name: 📝 Attest the build provenance
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb
+        if: inputs.version
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/database
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
diff --git a/compose.prod.yml b/compose.prod.yml
@@ -59,7 +59,7 @@ services:
       timeout: 5s
       interval: 10s
       retries: 5
-    image: mariadb:lts
+    image: ghcr.io/projecte-urbantree/database:main
     secrets:
       - db_pass
       - db_root_pass
@@ -91,7 +91,7 @@ services:
     image: ghcr.io/projecte-urbantree/urbantree:main
     ports:
       - mode: host
-        target: 8000
+        target: 80
         published: 8000
     secrets:
       - source: db_pass