test #202
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Deploy Image | |
on: | |
workflow_dispatch: | |
inputs: | |
service: | |
description: 'Service to build and deploy' | |
required: true | |
default: "" | |
push: | |
branches: | |
- inputs | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
GITHUB_IMAGE_REPO: ghcr.io/bcgov/dts-endorser-service/ | |
OPENSHIFT_IMAGE_REPO: image-registry.apps.silver.devops.gov.bc.ca/4a9599-tools/ | |
APP_NAMES: aries-endorser-agent,aries-endorser-db,aries-endorser-backup,aries-endorser-proxy,aries-endorser-api | |
JSON_INPUT: ${{ github.event.inputs.service }} | |
jobs: | |
build: | |
if: (github.repository == 'bcgov/dts-endorser-service') || (github.event_name == 'workflow_dispatch' && github.event.inputs.service) | |
name: Build Image | |
permissions: | |
packages: write | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
include: | |
- service: aries-endorser-agent | |
GIT_REPO_URL: ${{ inputs.service.endoser-agent.git_repo_url || 'hyperledger/aries-endorser-service' }} | |
GIT_REF: ${{ inputs.service.endoser-agent.git_ref || '' }} | |
DOCKER_FILE_PATH: ${{ inputs.service.endoser-agent.docker_file_path || 'Dockerfile.acapy' }} # The docker path, file, is the relative path to the docker file from the root of the repo. | |
SOURCE_CONTEXT_DIR: ${{ inputs.service.endoser-agent.source_context_dir || 'docker/acapy' }} # The context dir, context, sets the context for the build. i.e. where the build will source files from | |
SOURCE_IMAGE_REGISTRY: ${{ inputs.service.endoser-agent.source_image_registry || '' }} | |
SOURCE_IMAGE_NAME: ${{ inputs.service.endoser-agent.source_image_name || '' }} | |
SOURCE_IMAGE_TAG: ${{ inputs.service.endoser-agent.source_image_tag || '' }} | |
REGISTRY_USERNAME_SECRET_NAME: ${{ inputs.service.endoser-agent.username_secret_name || '' }} | |
REGISTRY_PASSWORD_SECRET_NAME: ${{ inputs.service.endoser-agent.password_secret_name || '' }} | |
- service: aries-endorser-db | |
GIT_REPO_URL: ${{ inputs.service.endoser-db.git_repo_url || 'hyperledger/aries-endorser-db' }} | |
GIT_REF: ${{ inputs.service.endoser-db.git_ref || '' }} | |
SOURCE_CONTEXT_DIR: docker/wallet/config | |
SOURCE_IMAGE_REGISTRY: "quay.io/" | |
SOURCE_IMAGE_NAME: "fedora/postgresql-13" | |
SOURCE_IMAGE_TAG: "13" | |
- service: aries-endorser-backup | |
GIT_REPO_URL: BCDevOps/backup-container | |
GIT_REF: 2.5.1 | |
DOCKER_FILE_PATH: Dockerfile # The docker path, file, is the relative path to the docker file from the root of the repo. | |
SOURCE_CONTEXT_DIR: docker # The context dir, context, sets the context for the build. i.e. where the build will source files from | |
SOURCE_IMAGE_REGISTRY: artifacts.developer.gov.bc.ca/docker-remote/ | |
SOURCE_IMAGE_NAME: centos/postgresql-13-centos7 | |
SOURCE_IMAGE_TAG: 20210722-70dc4d3 | |
REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME | |
REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD | |
- service: aries-endorser-proxy | |
GIT_REF: "" | |
DOCKER_FILE_PATH: Dockerfile # The docker path, file, is the relative path to the docker file from the root of the repo. | |
SOURCE_CONTEXT_DIR: proxy # The context dir, context, sets the context for the build. i.e. where the build will source files from | |
SOURCE_IMAGE_REGISTRY: "artifacts.developer.gov.bc.ca/docker-remote/" | |
SOURCE_IMAGE_NAME: caddy | |
SOURCE_IMAGE_TAG: latest | |
REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME | |
REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD | |
- service: aries-endorser-api | |
GIT_REPO_URL: hyperledger/aries-endorser-service | |
GIT_REF: "" | |
DOCKER_FILE_PATH: Dockerfile.endorser # The docker path, file, is the relative path to the docker file from the root of the repo. | |
SOURCE_CONTEXT_DIR: endorser # The context dir, context, sets the context for the build. i.e. where the build will source files from | |
SOURCE_IMAGE_REGISTRY: artifacts.developer.gov.bc.ca/docker-remote/ | |
SOURCE_IMAGE_NAME: python | |
SOURCE_IMAGE_TAG: 3.10-slim-buster | |
REGISTRY_USERNAME_SECRET_NAME: ARTIFACTORY_USERNAME | |
REGISTRY_PASSWORD_SECRET_NAME: ARTIFACTORY_PASSWORD | |
outputs: | |
aries-endorser-agent_digest: ${{ steps.digest.outputs.aries-endorser-agent_digest }} | |
aries-endorser-backup_digest: ${{ steps.digest.outputs.aries-endorser-backup_digest }} | |
aries-endorser-api_digest: ${{ steps.digest.outputs.aries-endorser-api_digest }} | |
aries-endorser-proxy_digest: ${{ steps.digest.outputs.aries-endorser-proxy_digest }} | |
aries-endorser-db_digest: ${{ steps.digests.outputs.aries-endorser-db_digest }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
repository: ${{ matrix.GIT_REPO_URL }} | |
ref: ${{ matrix.GIT_REF }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to image registry | |
if: matrix.REGISTRY_USERNAME_SECRET_NAME != ''&& matrix.SOURCE_IMAGE_REGISTRY != '' | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ matrix.SOURCE_IMAGE_REGISTRY }} | |
username: ${{ secrets[matrix.REGISTRY_USERNAME_SECRET_NAME]}} | |
password: ${{ secrets[matrix.REGISTRY_PASSWORD_SECRET_NAME]}} | |
- name: Create Dockerfile for ${{ matrix.service }} | |
if: contains(fromJSON('["aries-endorser-proxy"]'), matrix.service) | |
run: | | |
BASE_IMAGE="${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}" | |
echo "$BASE_IMAGE" | |
mkdir "${{ matrix.SOURCE_CONTEXT_DIR }}" && cd "${{ matrix.SOURCE_CONTEXT_DIR }}" | |
echo "FROM ${BASE_IMAGE}" > Dockerfile | |
echo "RUN chown 1001:root /usr/bin/caddy" >> Dockerfile | |
- name: Prepare docker tags for image | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }} | |
flavor: | | |
latest=true | |
tags: | | |
type=schedule | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=semver,pattern={{major}} | |
type=sha,value=latest | |
labels: | | |
ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }} | |
ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }} | |
- name: Update Docker base image | |
if: matrix.SOURCE_IMAGE_REGISTRY != '' && contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) | |
run: | | |
BASE_IMAGE="${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}" | |
sed -i -e "s;FROM .*;FROM ${BASE_IMAGE};g" "${{ matrix.SOURCE_CONTEXT_DIR }}/${{ matrix.DOCKER_FILE_PATH }}" | |
- name: Extract Tags | |
id: extract | |
if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) | |
run: | | |
tags=$(echo "${{ steps.meta.outputs.tags }}" | grep -oE ':([^[:space:]]+)' | sed '/label/d' | sed 's/://g' | tr '\n' ' ') | |
single_tag=$(echo "$tags" | cut -d " " -f 1) | |
remaining_tags=$(echo "$tags" | cut -d' ' -f2-) | |
echo "tags=$tags" >> $GITHUB_OUTPUT | |
echo "single_tag=$single_tag" >> $GITHUB_OUTPUT | |
echo "remaining_tags=$remaining_tags" >> $GITHUB_OUTPUT | |
- name: Pull database image | |
if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) | |
run: | | |
docker pull ${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }} | |
# The docs for redhat-actions/s2i-build imply that the pull should not be needed, yet in practice the build fails if the pull is not done first to make the image local. | |
- name: Build database image | |
id: build_image | |
if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) | |
uses: redhat-actions/s2i-build@v2 | |
with: | |
path_context: ${{ matrix.SOURCE_CONTEXT_DIR}} | |
builder_image: "${{ matrix.SOURCE_IMAGE_REGISTRY }}${{ matrix.SOURCE_IMAGE_NAME }}:${{ matrix.SOURCE_IMAGE_TAG }}" | |
image: ${{ matrix.service }} | |
tags: ${{ steps.extract.outputs.single_tag }} | |
# labels would have to be added to the image after the S2I build | |
- name: Apply Labels and tags to Database Image | |
id: apply_labels | |
if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) | |
run: | | |
echo "FROM ${{ steps.build_image.outputs.image }}:${{ steps.extract.outputs.single_tag }}" | docker build -t ${{ steps.build_image.outputs.image }}:${{ steps.extract.outputs.single_tag }} --label ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }} --label ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }} - | |
- name: Apply Tags to Docker Image | |
run: | | |
remaining_tags="${{ steps.extract.outputs.remaining_tags }}" | |
image_name="${{ steps.build_image.outputs.image }}" | |
IFS=' ' read -r -a tags_array <<< "$remaining_tags" | |
# Loop through the tags and apply each one to the Docker image | |
for tag in "${tags_array[@]}"; do | |
docker tag "$image_name:${{ steps.extract.outputs.single_tag }}" "$image_name:$tag" | |
done | |
- name: Push database image | |
id: push | |
if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) | |
uses: redhat-actions/push-to-registry@v2 | |
with: | |
tags: ${{ steps.build_image.outputs.tags }} | |
image: ${{ steps.build_image.outputs.image }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
registry: ${{ env.GITHUB_IMAGE_REPO }} | |
- name: Log in to the GHCR | |
if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and push Docker image | |
id: docker_build | |
if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) | |
uses: docker/build-push-action@v5 | |
with: | |
context: ${{ matrix.SOURCE_CONTEXT_DIR }} | |
file: ${{ matrix.SOURCE_CONTEXT_DIR }}/${{ matrix.DOCKER_FILE_PATH }} | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
outputs: type=image,name=target | |
labels: | | |
ca.bc.gov.digitaltrust.build.source-location=${{ github.repositoryUrl }} | |
ca.bc.gov.digitaltrust.build.commit.id=${{ github.sha }} | |
- name: Display ${{ matrix.service }} image results | |
id: digests | |
if: contains(fromJSON('["aries-endorser-db"]'), matrix.service) | |
run: | | |
echo "registry_path=${{ steps.push.outputs.registry-paths }}" | |
digest=${{ steps.push.outputs.digest }} | |
echo "digest=${digest}" | |
echo "${{ matrix.service }}_digest=${digest}" >> $GITHUB_OUTPUT | |
- name: Display ${{ matrix.service}} image results | |
id: digest | |
if: contains(fromJSON('["aries-endorser-agent","aries-endorser-backup","aries-endorser-api","aries-endorser-proxy"]'), matrix.service) | |
run: | | |
echo 'imageid=${{ steps.docker_build.outputs.imageid }}' | |
digest=${{ steps.docker_build.outputs.digest }} | |
echo "digest=${digest}" | |
echo "${{ matrix.service }}_digest=${digest}" >> $GITHUB_OUTPUT | |
cat $GITHUB_OUTPUT | |
# deploy2dev: | |
# needs: build | |
# env: | |
# ENVIRONMENT: dev | |
# permissions: | |
# packages: write | |
# runs-on: ubuntu-latest | |
# environment: dev | |
# strategy: | |
# # Serialize the deployments | |
# max-parallel: 1 | |
# matrix: | |
# include: | |
# - service: aries-endorser-db | |
# - service: aries-endorser-agent | |
# - service: aries-endorser-backup | |
# - service: aries-endorser-proxy | |
# - service: aries-endorser-api | |
# steps: | |
# - name: Checkout | |
# uses: actions/checkout@v4 | |
# - name: Deploy to ${{ env.ENVIRONMENT }} | |
# uses: ./.github/workflows/actions/deploy | |
# with: | |
# environment: ${{ env.ENVIRONMENT }} | |
# ghcr_token: ${{ secrets.GITHUB_TOKEN }} | |
# github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }} | |
# image_digest: ${{ needs.build.outputs[format ('{0}_digest', matrix.service)] }} | |
# openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ matrix.service }} | |
# openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }} | |
# namespace: ${{ vars.NAMESPACE }} | |
# deployment_configuration: ${{ matrix.service }} | |
# openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
# rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }} | |
# deploy2test: | |
# needs: [build, deploy2dev] | |
# env: | |
# ENVIRONMENT: test | |
# permissions: | |
# packages: write | |
# runs-on: ubuntu-latest | |
# environment: test | |
# steps: | |
# - name: Checkout | |
# uses: actions/checkout@v3 | |
# - name: deploy to ${{ env.ENVIRONMENT }} | |
# uses: ./.github/workflows/actions/deploy | |
# with: | |
# environment: ${{ env.ENVIRONMENT }} | |
# ghcr_token: ${{ secrets.GITHUB_TOKEN }} | |
# github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ matrix.service }} | |
# image_digest: ${{ needs.build.outputs[format ('{0}_digest', matrix.service)] }} | |
# openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ matrix.service }} | |
# openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }} | |
# namespace: ${{ vars.NAMESPACE }} | |
# deployment_configuration: ${{ matrix.service }} | |
# openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
# rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }} | |
# # deploy2prod: | |
# # needs: [build, deploy2dev, deploy2test] | |
# # env: | |
# # ENVIRONMENT: prod | |
# # permissions: | |
# # packages: write | |
# # runs-on: ubuntu-latest | |
# # environment: prod | |
# # steps: | |
# # - name: Checkout | |
# # uses: actions/checkout@v3 | |
# # - name: deploy to prod | |
# # uses: ./.github/workflows/actions/deploy | |
# # with: | |
# # environment: ${{ env.ENVIRONMENT }} | |
# # ghcr_token: ${{ secrets.GITHUB_TOKEN }} | |
# # github_image_name: ${{ env.GITHUB_IMAGE_REPO }}${{ env.APP_NAME }} | |
# # image_digest: ${{ needs.build.outputs.image_digest }} | |
# # openshift_image_name: ${{ env.OPENSHIFT_IMAGE_REPO }}${{ env.APP_NAME }} | |
# # openshift_server_url: ${{ vars.OPENSHIFT_SERVER_URL }} | |
# # namespace: ${{ vars.NAMESPACE }} | |
# # deployment_configuration: ${{ env.APP_NAME }} | |
# # openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} | |
# # rocketchat_webhook: ${{ secrets.ROCKETCHAT_WEBHOOK }}`` |