Release docker image #93
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Build and maybe release conda-store-ui" | ||
| on: | ||
| release: | ||
| types: [published] | ||
| push: | ||
| branches: [main] | ||
| tags: ["*"] | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| workflow_dispatch: | ||
| env: | ||
| FORCE_COLOR: "1" | ||
| PACKAGE_FILE: "conda-store-ui.tgz" | ||
| jobs: | ||
| # always build and verify | ||
| build-application: | ||
| name: "Build conda-store-ui" | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: "Checkout repository 🛎" | ||
| uses: actions/checkout@v4 | ||
| - name: "Set Yarn to correct version 📌" | ||
| run: corepack enable | ||
| # Setup .npmrc file to publish to npm | ||
| - name: "Set up Node.js 🧶" | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "22.x" | ||
| registry-url: "https://registry.npmjs.org" | ||
| scope: "@conda-store-ui" | ||
| cache: "yarn" | ||
| - name: "Install dependencies 📦" | ||
| run: yarn | ||
| - name: "Lint code 🔍" | ||
| run: yarn eslint:check | ||
| - name: "Build source code (library) 🏗" | ||
| run: yarn run build | ||
| - name: "Build source code (web app) 🏗" | ||
| # ensure we use the prod target to minimise assets | ||
| run: yarn run webpack:prod bundle | ||
| - name: "Generate package tarball 📦" | ||
| run: yarn pack --filename ${{ env.PACKAGE_FILE }} | ||
| - name: "Upload package tarball 📤" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: conda-store-ui-package | ||
| path: ${{ env.PACKAGE_FILE }} | ||
| verify-build: | ||
| name: "Verify conda-store-ui build" | ||
| runs-on: ubuntu-latest | ||
| needs: build-application | ||
| steps: | ||
| - name: "Checkout repository 🛎" | ||
| uses: actions/checkout@v4 | ||
| - name: "Download build artefacts 📦" | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: conda-store-ui-package | ||
| # (setup-node workaround https://github.com/actions/setup-node/issues/763) otherwise the authentication fails for npmjs | ||
| - name: "Set npmjs scope" | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| run: | | ||
| npm config delete @conda-store-ui:registry --location project | ||
| npm config set @conda-store-ui:registry 'https://registry.npmjs.org' --location project | ||
| npm config set //registry.npmjs.org/:_authToken '${NODE_AUTH_TOKEN}' --location project | ||
| - name: "Check publish (dry run) 📤" | ||
| run: | | ||
| echo "Publishing dry run..." | ||
| npm publish --verbose --access public ${{ env.PACKAGE_FILE }} --dry-run | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| release-to-npmjs: | ||
| name: "Release conda-store-ui to npmjs 📦" | ||
| runs-on: ubuntu-latest | ||
| needs: | ||
| - build-application | ||
| - verify-build | ||
| if: github.repository_owner == 'conda-incubator' && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/') | ||
| # needed for attestations | ||
| permissions: | ||
| id-token: write | ||
| attestations: write | ||
| contents: read | ||
| steps: | ||
| - name: "Checkout repository 🛎" | ||
| uses: actions/checkout@v4 | ||
| # Set registry in .npmrc and set up auth to read in from | ||
| # env.NODE_AUTH_TOKEN. | ||
| - name: "Set up Node.js 🧶" | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: "20.x" | ||
| registry-url: "https://registry.npmjs.org" | ||
| scope: "@conda-store-ui" | ||
| - name: "Download build artefacts 📦" | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: conda-store-ui-package | ||
| # Create an attestation with GitHub to track build provenance | ||
| # More info: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds | ||
| - name: "Attest Build Provenance ✨" | ||
| uses: actions/attest-build-provenance@v1 | ||
| if: github.repository_owner == 'conda-incubator' && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/') | ||
| with: | ||
| subject-path: ${{ env.PACKAGE_FILE }} | ||
| # (setup-node workaround https://github.com/actions/setup-node/issues/763) otherwise the authentication fails for npmjs | ||
| - name: "Set npmjs scope" | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| run: | | ||
| npm config delete @conda-store-ui:registry --location project | ||
| npm config set @conda-store-ui:registry 'https://registry.npmjs.org' --location project | ||
| npm config set //registry.npmjs.org/:_authToken '${NODE_AUTH_TOKEN}' --location project | ||
| - name: "Check npmjs/conda-store-ui scope" | ||
| run: npm show | ||
| - name: "Publish to npm 📤" | ||
| run: | | ||
| npm publish --verbose --access public ${{ env.PACKAGE_FILE }} | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| build_and_push_docker_image: | ||
| name: "Build Docker Images 🛠" | ||
| runs-on: ubuntu-latest | ||
| needs: release-to-npmjs: | ||
| permissions: | ||
| id-token: write # IMPORTANT: this permission is mandatory for trusted publishing | ||
| steps: | ||
| - name: "Checkout Repository 🛎" | ||
| uses: actions/checkout@v4 | ||
| - name: "Retrieve secret from Vault 🗝" | ||
| uses: hashicorp/vault-action@v2 | ||
| with: | ||
| method: jwt | ||
| url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200" | ||
| namespace: "admin/quansight" | ||
| role: "repository-conda-incubator-conda-store-role" | ||
| secrets: | | ||
| kv/data/repository/conda-incubator/conda-store/shared_secrets DOCKER_QUANSIGHT_USERNAME | DOCKER_USERNAME; | ||
| kv/data/repository/conda-incubator/conda-store/shared_secrets DOCKER_QUANSIGHT_PASSWORD | DOCKER_PASSWORD; | ||
| kv/data/repository/conda-incubator/conda-store/shared_secrets QUAY_QUANSIGHT_USERNAME | QUAY_USERNAME; | ||
| kv/data/repository/conda-incubator/conda-store/shared_secrets QUAY_QUANSIGHT_PASSWORD | QUAY_PASSWORD; | ||
| - name: "Set up Docker Buildx 🏗" | ||
| uses: docker/setup-buildx-action@v3 | ||
| - name: "Login to Docker Hub 🐳" | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ env.DOCKER_USERNAME }} | ||
| password: ${{ env.DOCKER_PASSWORD }} | ||
| - name: "Login to quay.io 🐳" | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: quay.io | ||
| username: ${{ env.QUAY_USERNAME }} | ||
| password: ${{ env.QUAY_PASSWORD }} | ||
| - name: "Add Docker metadata 📝" | ||
| id: meta | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: | | ||
| quansight/conda-store-ui | ||
| tags: | | ||
| type=ref,event=tag | ||
| type=ref,event=branch | ||
| type=sha | ||
| - name: "Publish Docker image 🚀" | ||
| uses: docker/build-push-action@v5 | ||
| with: | ||
| context: . | ||
| target: "prod" | ||
| tags: | | ||
| ${{ steps.meta.outputs.tags }} | ||
| push: true | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max | ||
| if: github.repository_owner == 'conda-incubator' && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/') | ||
