name: Build and Deploy Image

on:
  # Automatic builds: every push to the `enhancement` branch.
  push:
    branches:
      - enhancement

  # Manual builds. NOTE(review): within this file only `service` (the job-level
  # gate) and `endorser_agent_git_repo_url` (the agent matrix entry) are read
  # from `github.event.inputs`; the remaining inputs are declared but not wired
  # into the build matrix, so changing them has no effect on the build.
  workflow_dispatch:
    inputs:
      service:
        description: 'Service to build and deploy'
        required: true
        default: 'aries-endorser-agent'

      # --- aries-endorser-agent ---
      endorser_agent_git_repo_url:
        description: 'Git repository URL'
        required: true
        default: 'hyperledger/aries-endorser-service'
      endorser_agent_git_ref:
        description: 'Git reference (branch or tag)'
        required: false
        default: ''
      endorser_agent_docker_file_path:
        description: 'Path to Dockerfile'
        required: true
        default: 'Dockerfile.acapy'
      endorser_agent_source_context_dir:
        description: 'Source context directory for the build'
        required: true
        default: 'docker/acapy'
      endorser_agent_source_image_registry:
        description: 'Source image registry'
        required: false
        default: ''
      endorser_agent_source_image_name:
        description: 'Source image name'
        required: false
        default: ''
      endorser_agent_source_image_tag:
        description: 'Source image tag'
        required: false
        default: ''
      # Names of repository secrets, not the secret values themselves.
      endorser_agent_registry_username_secret_name:
        description: 'Secret name for registry username'
        required: false
        default: 'ARTIFACTORY_USERNAME'
      endorser_agent_registry_password_secret_name:
        description: 'Secret name for registry password'
        required: false
        default: 'ARTIFACTORY_PASSWORD'

      # --- aries-endorser-db ---
      # NOTE(review): these defaults mirror the agent's, not the db matrix entry
      # (which builds from `docker/wallet/config` with S2I) — confirm before wiring.
      endorser_db_git_repo_url:
        description: 'Git repository URL'
        required: true
        default: 'hyperledger/aries-endorser-service'
      endorser_db_git_ref:
        description: 'Git reference (branch or tag)'
        required: false
        default: ''
      endorser_db_docker_file_path:
        description: 'Path to Dockerfile'
        required: true
        default: 'Dockerfile.acapy'
      endorser_db_source_context_dir:
        description: 'Source context directory for the build'
        required: true
        default: 'docker/acapy'
      endorser_db_source_image_registry:
        description: 'Source image registry'
        required: false
        default: ''
      endorser_db_source_image_name:
        description: 'Source image name'
        required: false
        default: ''
      endorser_db_source_image_tag:
        description: 'Source image tag'
        required: false
        default: ''
      endorser_db_registry_username_secret_name:
        description: 'Secret name for registry username'
        required: false
        default: 'ARTIFACTORY_USERNAME'
      endorser_db_registry_password_secret_name:
        description: 'Secret name for registry password'
        required: false
        default: 'ARTIFACTORY_PASSWORD'

      # --- aries-endorser-backup ---
      # NOTE(review): defaults also mirror the agent's, while the backup matrix
      # entry builds `BCDevOps/backup-container` — confirm before wiring.
      endorser_backup_git_repo_url:
        description: 'Git repository URL'
        required: true
        default: 'hyperledger/aries-endorser-service'
      endorser_backup_git_ref:
        description: 'Git reference (branch or tag)'
        required: false
        default: ''
      endorser_backup_docker_file_path:
        description: 'Path to Dockerfile'
        required: true
        default: 'Dockerfile.acapy'
      endorser_backup_source_context_dir:
        description: 'Source context directory for the build'
        required: true
        default: 'docker/acapy'
      endorser_backup_source_image_registry:
        description: 'Source image registry'
        required: false
        default: ''
      endorser_backup_source_image_name:
        description: 'Source image name'
        required: false
        default: ''
      endorser_backup_source_image_tag:
        description: 'Source image tag'
        required: false
        default: ''
      endorser_backup_registry_username_secret_name:
        description: 'Secret name for registry username'
        required: false
        default: 'ARTIFACTORY_USERNAME'
      endorser_backup_registry_password_secret_name:
        description: 'Secret name for registry password'
        required: false
        default: 'ARTIFACTORY_PASSWORD'
# One active run per workflow and ref; a newer push cancels an in-progress
# build of the same ref instead of queueing behind it.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # Trailing slashes are intentional: the service name is appended directly
  # to these prefixes to form the image name.
  GITHUB_IMAGE_REPO: ghcr.io/bcgov/dts-endorser-service/
  # NOTE(review): only referenced by the commented-out deploy jobs below.
  OPENSHIFT_IMAGE_REPO: image-registry.apps.silver.devops.gov.bc.ca/4a9599-tools/
  # NOTE(review): not referenced anywhere in this file (the deploy comments
  # use APP_NAME, singular); the build matrix is the source of truth.
  APP_NAMES: aries-endorser-agent,aries-endorser-db,aries-endorser-backup,aries-endorser-proxy,aries-endorser-api
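jobs:
  build:
    name: Build Image
    # Runs for pushes to the canonical repository and for manual dispatches that
    # name a service. NOTE(review): `service` only gates the job — every matrix
    # entry below is still built regardless of which service was requested.
    if: (github.repository == 'bcgov/dts-endorser-service') || (github.event_name == 'workflow_dispatch' && github.event.inputs.service)
    runs-on: ubuntu-latest
    permissions:
      # Declaring any permission at job level resets the unlisted ones to
      # `none`; actions/checkout needs `contents: read`, the GHCR pushes need
      # `packages: write`.
      contents: read
      packages: write
    strategy:
      matrix:
        include:
          # Per-service build parameters. An empty string disables the step
          # guarded on that field (see the `if:` conditions below).
          #   GIT_REPO_URL        owner/repo to check out (empty: the repository
          #                       running the workflow — presumably the
          #                       actions/checkout default; verify)
          #   DOCKER_FILE_PATH    Dockerfile, relative to SOURCE_CONTEXT_DIR
          #   SOURCE_CONTEXT_DIR  build context, relative to the checkout root
          #   SOURCE_IMAGE_*      base image, as <registry><name>:<tag>
          #   REGISTRY_*_SECRET_NAME  names of repository secrets used to log in
          #                       to SOURCE_IMAGE_REGISTRY (looked up via
          #                       `secrets[...]`), not the secret values
          - service: aries-endorser-agent
            GIT_REPO_URL: ${{ github.event.inputs.endorser_agent_git_repo_url || 'hyperledger/aries-endorser-service' }}
            GIT_REF: ""
            DOCKER_FILE_PATH: Dockerfile.acapy
            SOURCE_CONTEXT_DIR: docker/acapy
            SOURCE_IMAGE_REGISTRY: ""
            SOURCE_IMAGE_NAME: ""
            SOURCE_IMAGE_TAG: ""
            REGISTRY_USERNAME_SECRET_NAME: ""
            REGISTRY_PASSWORD_SECRET_NAME: ""
          - service: aries-endorser-db
            # Built with S2I rather than from a Dockerfile; the builder image is
            # pulled without logging in (no secret names are set).
            GIT_REPO_URL: hyperledger/aries-endorser-service
            GIT_REF: ""
            DOCKER_FILE_PATH: ""
            SOURCE_CONTEXT_DIR: docker/wallet/config
            SOURCE_IMAGE_REGISTRY: "quay.io/"
            SOURCE_IMAGE_NAME: "fedora/postgresql-13"
            SOURCE_IMAGE_TAG: "13"
            REGISTRY_USERNAME_SECRET_NAME: ""
            REGISTRY_PASSWORD_SECRET_NAME: ""
          - service: aries-endorser-backup
            GIT_REPO_URL: BCDevOps/backup-container
            GIT_REF: "2.5.1"
            DOCKER_FILE_PATH: Dockerfile
            SOURCE_CONTEXT_DIR: docker
            SOURCE_IMAGE_REGISTRY: artifacts.developer.gov.bc.ca/docker-remote/
            SOURCE_IMAGE_NAME: centos/postgresql-13-centos7
            SOURCE_IMAGE_TAG: 20210722-70dc4d3
            REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME
            REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD
          - service: aries-endorser-proxy
            # No GIT_REPO_URL: the Dockerfile is generated by a step below.
            GIT_REPO_URL: ""
            GIT_REF: ""
            DOCKER_FILE_PATH: Dockerfile
            SOURCE_CONTEXT_DIR: proxy
            SOURCE_IMAGE_REGISTRY: "artifacts.developer.gov.bc.ca/docker-remote/"
            SOURCE_IMAGE_NAME: caddy
            # NOTE(review): a floating tag; every run may build on a different
            # base. Pin to a version (or digest) for reproducible images.
            SOURCE_IMAGE_TAG: latest
            REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME
            REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD
          - service: aries-endorser-api
            GIT_REPO_URL: hyperledger/aries-endorser-service
            GIT_REF: ""
            DOCKER_FILE_PATH: Dockerfile.endorser
            SOURCE_CONTEXT_DIR: endorser
            SOURCE_IMAGE_REGISTRY: artifacts.developer.gov.bc.ca/docker-remote/
            SOURCE_IMAGE_NAME: python
            SOURCE_IMAGE_TAG: 3.10-slim-buster
            REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME
            REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD
    outputs:
      # Each matrix leg writes only its own `<service>_digest`; the others stay
      # empty. NOTE(review): this appears to rely on empty outputs not
      # overwriting values written by other legs — confirm.
      aries-endorser-agent_digest: ${{ steps.digest.outputs.aries-endorser-agent_digest }}
      aries-endorser-backup_digest: ${{ steps.digest.outputs.aries-endorser-backup_digest }}
      aries-endorser-api_digest: ${{ steps.digest.outputs.aries-endorser-api_digest }}
      aries-endorser-proxy_digest: ${{ steps.digest.outputs.aries-endorser-proxy_digest }}
      # The database image is reported by a different step (id `digests`).
      aries-endorser-db_digest: ${{ steps.digests.outputs.aries-endorser-db_digest }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          repository: ${{ matrix.GIT_REPO_URL }}
          ref: ${{ matrix.GIT_REF }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to image registry
        # Only when the entry names both a registry and the secrets to use.
        if: matrix.REGISTRY_USERNAME_SECRET_NAME != '' && matrix.SOURCE_IMAGE_REGISTRY != ''
        uses: docker/login-action@v3
        with:
          registry: ${{ matrix.SOURCE_IMAGE_REGISTRY }}
          username: ${{ secrets[matrix.REGISTRY_USERNAME_SECRET_NAME] }}
          password: ${{ secrets[matrix.REGISTRY_PASSWORD_SECRET_NAME] }}

      # Throughout the `run:` steps, workflow values are handed to the shell via
      # `env:` instead of being expanded inside the script, so the shell never
      # interprets template output as code.
      - name: Create Dockerfile for ${{ matrix.service }}
        # The proxy image is the upstream base plus one ownership fix, so its
        # Dockerfile is generated here rather than checked out.
        if: matrix.service == 'aries-endorser-proxy'
        env:
          BASE_IMAGE: ${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}
          CONTEXT_DIR: ${{ matrix.SOURCE_CONTEXT_DIR }}
        run: |
          echo "${BASE_IMAGE}"
          mkdir "${CONTEXT_DIR}" && cd "${CONTEXT_DIR}"
          echo "FROM ${BASE_IMAGE}" > Dockerfile
          echo "RUN chown 1001:root /usr/bin/caddy" >> Dockerfile

      - name: Prepare docker tags for image
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }}
          flavor: |
            latest=true
          # NOTE(review): `type=sha` is not documented to take `value=`; the
          # `latest` tag already comes from `flavor`. Verify what this line
          # actually produces before relying on it.
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha,value=latest
          labels: |
            ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }}
            ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }}

      - name: Update Docker base image
        # Rewrite every FROM line so the build pulls its base through the
        # configured registry. Also runs on the generated proxy Dockerfile,
        # where it is a no-op. NOTE(review): a multi-stage Dockerfile would have
        # all of its stages rebased — confirm for Dockerfile.endorser.
        if: matrix.SOURCE_IMAGE_REGISTRY != '' && contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service)
        env:
          BASE_IMAGE: ${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}
          DOCKERFILE: ${{ matrix.SOURCE_CONTEXT_DIR }}/${{ matrix.DOCKER_FILE_PATH }}
        run: |
          sed -i -e "s;FROM .*;FROM ${BASE_IMAGE};g" "${DOCKERFILE}"

      - name: Extract Tags
        id: extract
        if: matrix.service == 'aries-endorser-db'
        env:
          META_TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          # metadata-action emits one fully-qualified "<image>:<tag>" per line.
          # Keep only the tag part, drop the branch tag, and join the rest with
          # spaces, which is the form s2i-build expects.
          tags="$(printf '%s\n' "${META_TAGS}" | grep -oE ':([^[:space:]]+)' | sed '/enhancement/d' | sed 's/://g' | tr '\n' ' ')"
          echo "tags=${tags}" >> "$GITHUB_OUTPUT"
          # First tag of the list; used to address the local image when labels
          # are applied after the S2I build.
          echo "single_tag=$(echo "${tags}" | cut -d ' ' -f 1)" >> "$GITHUB_OUTPUT"

      - name: Pull database image
        # The docs for redhat-actions/s2i-build imply that the pull should not
        # be needed, yet in practice the build fails if the pull is not done
        # first to make the image local.
        if: matrix.service == 'aries-endorser-db'
        env:
          BUILDER_IMAGE: ${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}
        run: |
          docker pull "${BUILDER_IMAGE}"

      - name: Build database image
        id: build_image
        if: matrix.service == 'aries-endorser-db'
        uses: redhat-actions/s2i-build@v2
        with:
          path_context: ${{ matrix.SOURCE_CONTEXT_DIR }}
          builder_image: "${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}"
          image: ${{ matrix.service }}
          tags: ${{ steps.extract.outputs.tags }}

      - name: Apply Labels to Database Image
        id: apply_labels
        # s2i-build does not accept labels, so add them with a one-line
        # Dockerfile built on top of the freshly built image, then re-point
        # every tag at the labelled result so the push below ships it.
        if: matrix.service == 'aries-endorser-db'
        env:
          IMAGE: ${{ steps.build_image.outputs.image }}
          FIRST_TAG: ${{ steps.extract.outputs.single_tag }}
          ALL_TAGS: ${{ steps.extract.outputs.tags }}
          SOURCE_LOCATION: ${{ github.repositoryUrl }}
          COMMIT_ID: ${{ github.sha }}
        run: |
          echo "FROM ${IMAGE}:${FIRST_TAG}" | docker build \
            --label "ca.bc.gov.digitaltrust.build.source-location=${SOURCE_LOCATION}" \
            --label "ca.bc.gov.digitaltrust.build.commit.id=${COMMIT_ID}" \
            --tag "${IMAGE}:${FIRST_TAG}" -
          # Word-splitting on spaces is intentional: ALL_TAGS is space-separated.
          for tag in ${ALL_TAGS}; do
            docker tag "${IMAGE}:${FIRST_TAG}" "${IMAGE}:${tag}"
          done

      - name: Push database image
        id: push
        if: matrix.service == 'aries-endorser-db'
        uses: redhat-actions/push-to-registry@v2
        with:
          tags: ${{ steps.build_image.outputs.tags }}
          image: ${{ steps.build_image.outputs.image }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): GITHUB_IMAGE_REPO ends with "/"; confirm the action
          # does not produce a "//" when it joins registry and image.
          registry: ${{ env.GITHUB_IMAGE_REPO }}

      - name: Log in to the GHCR
        if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service)
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Docker image
        id: docker_build
        if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service)
        uses: docker/build-push-action@v5
        with:
          context: ${{ matrix.SOURCE_CONTEXT_DIR }}
          file: ${{ matrix.SOURCE_CONTEXT_DIR }}/${{ matrix.DOCKER_FILE_PATH }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          # NOTE(review): `name=target` reads like a leftover placeholder; the
          # image names come from `tags`. Confirm it has no effect, then drop it.
          outputs: type=image,name=target
          labels: |
            ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }}
            ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }}

      - name: Display ${{ matrix.service }} image results
        id: digests
        if: matrix.service == 'aries-endorser-db'
        env:
          SERVICE: ${{ matrix.service }}
          REGISTRY_PATHS: ${{ steps.push.outputs.registry-paths }}
          DIGEST: ${{ steps.push.outputs.digest }}
        run: |
          echo "registry_path=${REGISTRY_PATHS}"
          echo "digest=${DIGEST}"
          echo "${SERVICE}_digest=${DIGEST}" >> "$GITHUB_OUTPUT"

      - name: Display ${{ matrix.service }} image results
        id: digest
        if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service)
        env:
          SERVICE: ${{ matrix.service }}
          IMAGE_ID: ${{ steps.docker_build.outputs.imageid }}
          DIGEST: ${{ steps.docker_build.outputs.digest }}
        run: |
          echo "imageid=${IMAGE_ID}"
          echo "digest=${DIGEST}"
          echo "${SERVICE}_digest=${DIGEST}" >> "$GITHUB_OUTPUT"
          cat "$GITHUB_OUTPUT"

  # deploy2dev:
  #   needs: build
  #   env:
  #     ENVIRONMENT: dev
  #   permissions:
  #     packages: write
  #   runs-on: ubuntu-latest
  #   environment: dev
  #   strategy:
  #     # Serialize the deployments
  #     max-parallel: 1
  #     matrix:
  #       include:
  #         - service: aries-endorser-db
  #         - service: aries-endorser-agent
  #         - service: aries-endorser-backup
  #         - service: aries-endorser-proxy
  #         - service: aries-endorser-api
  #   steps:
  #     - name: Checkout
  #       uses: actions/checkout@v4
  #     - name: Deploy to ${{ env.ENVIRONMENT }}
  #       uses: ./.github/workflows/actions/deploy
  #       with:
  #         environment: ${{ env.ENVIRONMENT }}
  #         ghcr_token: ${{ secrets.GITHUB_TOKEN }}
  #         github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }}
  #         image_digest: ${{ needs.build.outputs[format ('{0}_digest', matrix.service)] }}
  #         openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ matrix.service }}
  #         openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }}
  #         namespace: ${{ vars.NAMESPACE }}
  #         deployment_configuration: ${{ matrix.service }}
  #         openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
  #         rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }}
  # deploy2test:
  #   needs: [build, deploy2dev]
  #   env:
  #     ENVIRONMENT: test
  #   permissions:
  #     packages: write
  #   runs-on: ubuntu-latest
  #   environment: test
  #   steps:
  #     - name: Checkout
  #       uses: actions/checkout@v3
  #     - name: deploy to ${{ env.ENVIRONMENT }}
  #       uses: ./.github/workflows/actions/deploy
  #       with:
  #         environment: ${{ env.ENVIRONMENT }}
  #         ghcr_token: ${{ secrets.GITHUB_TOKEN }}
  #         github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }}
  #         image_digest: ${{ needs.build.outputs[format ('{0}_digest', matrix.service)] }}
  #         openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ matrix.service }}
  #         openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }}
  #         namespace: ${{ vars.NAMESPACE }}
  #         deployment_configuration: ${{ matrix.service }}
  #         openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
  #         rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }}
  # # deploy2prod:
  # #   needs: [build, deploy2dev, deploy2test]
  # #   env:
  # #     ENVIRONMENT: prod
  # #   permissions:
  # #     packages: write
  # #   runs-on: ubuntu-latest
  # #   environment: prod
  # #   steps:
  # #     - name: Checkout
  # #       uses: actions/checkout@v3
  # #     - name: deploy to prod
  # #       uses: ./.github/workflows/actions/deploy
  # #       with:
  # #         environment: ${{ env.ENVIRONMENT }}
  # #         ghcr_token: ${{ secrets.GITHUB_TOKEN }}
  # #         github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ env.APP_NAME }}
  # #         image_digest: ${{ needs.build.outputs.image_digest }}
  # #         openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ env.APP_NAME }}
  # #         openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }}
  # #         namespace: ${{ vars.NAMESPACE }}
  # #         deployment_configuration: ${{ env.APP_NAME }}
  # #         openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
  # #         rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }}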