Deploy #363
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Deploy | |
# yamllint disable-line rule:truthy | |
on: | |
release: | |
types: | |
- published | |
workflow_run: | |
workflows: ["CI"] | |
branches: [main] | |
types: | |
- completed | |
concurrency: | |
group: deploy | |
jobs: | |
information: | |
if: | | |
github.event_name == 'release' | |
|| ( | |
github.event_name == 'workflow_run' | |
&& github.event.workflow_run.conclusion == 'success' | |
) | |
name: ℹ️ Gather add-on information | |
runs-on: ubuntu-latest | |
outputs: | |
architectures: ${{ steps.information.outputs.architectures }} | |
base_image_signer: ${{ steps.information.outputs.codenotary_base_image }} | |
build: ${{ steps.information.outputs.build }} | |
description: ${{ steps.information.outputs.description }} | |
environment: ${{ steps.release.outputs.environment }} | |
name: ${{ steps.information.outputs.name }} | |
signer: ${{ steps.information.outputs.codenotary_signer }} | |
slug: ${{ steps.override.outputs.slug }} | |
target: ${{ steps.information.outputs.target }} | |
version: ${{ steps.release.outputs.version }} | |
steps: | |
- name: ⤵️ Check out code from GitHub | |
uses: actions/checkout@v3 | |
- name: 🚀 Run add-on information action | |
id: information | |
uses: frenck/[email protected] | |
- name: 🚀 Process possible slug override | |
id: override | |
run: | | |
slug="${{ steps.information.outputs.slug }}" | |
if [[ ! -z "${{ inputs.slug }}" ]]; then | |
slug="${{ inputs.slug }}" | |
fi | |
echo "slug=$slug" >> $GITHUB_OUTPUT | |
- name: ℹ️ Gather version and environment | |
id: release | |
run: | | |
sha="${{ github.sha }}" | |
environment="edge" | |
version="${sha:0:7}" | |
if [[ "${{ github.event_name }}" = "release" ]]; then | |
version="${{ github.event.release.tag_name }}" | |
version="${version,,}" | |
version="${version#v}" | |
environment="stable" | |
if [[ "${{ github.event.release.prerelease }}" = "true" ]]; then | |
environment="beta" | |
fi | |
fi | |
echo "environment=$environment" >> $GITHUB_OUTPUT | |
echo "version=$version" >> $GITHUB_OUTPUT | |
deploy: | |
name: 👷 Build & Deploy ${{ matrix.architecture }} | |
needs: information | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
architecture: ${{ fromJson(needs.information.outputs.architectures) }} | |
steps: | |
- name: ⤵️ Check out code from GitHub | |
uses: actions/checkout@v3 | |
- name: 🏗 Set up QEMU | |
uses: docker/[email protected] | |
- name: 🏗 Set up Docker Buildx | |
uses: docker/[email protected] | |
- name: ℹ️ Compose build flags | |
id: flags | |
run: | | |
echo "date=$(date +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_OUTPUT | |
from=$(yq --no-colors eval ".build_from.${{ matrix.architecture }}" "${{ needs.information.outputs.build }}") | |
echo "from=$from" >> $GITHUB_OUTPUT | |
if [[ "${{ matrix.architecture}}" = "amd64" ]]; then | |
echo "platform=linux/amd64" >> $GITHUB_OUTPUT | |
elif [[ "${{ matrix.architecture }}" = "i386" ]]; then | |
echo "platform=linux/386" >> $GITHUB_OUTPUT | |
elif [[ "${{ matrix.architecture }}" = "armhf" ]]; then | |
echo "platform=linux/arm/v6" >> $GITHUB_OUTPUT | |
elif [[ "${{ matrix.architecture }}" = "armv7" ]]; then | |
echo "platform=linux/arm/v7" >> $GITHUB_OUTPUT | |
elif [[ "${{ matrix.architecture }}" = "aarch64" ]]; then | |
echo "platform=linux/arm64/v8" >> $GITHUB_OUTPUT | |
else | |
echo "::error ::Could not determine platform for architecture ${{ matrix.architecture }}" | |
exit 1 | |
fi | |
- name: 🏗 Login to GitHub Container Registry | |
uses: docker/[email protected] | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: ⤵️ Download base image | |
run: docker pull "${{ steps.flags.outputs.from }}" | |
- name: ✅ Verify authenticity of base image | |
if: needs.information.outputs.base_image_signer != 'null' | |
uses: codenotary/cas-authenticate-docker-image-github-action@main | |
with: | |
asset: docker://${{ steps.flags.outputs.from }} | |
signerID: ${{ needs.information.outputs.base_image_signer }} | |
- name: 🚀 Build | |
uses: docker/[email protected] | |
with: | |
load: true | |
# yamllint disable rule:line-length | |
tags: | | |
ghcr.io/${{ github.repository_owner }}/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.environment }} | |
ghcr.io/${{ github.repository_owner }}/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }} | |
# yamllint enable rule:line-length | |
context: ${{ needs.information.outputs.target }} | |
file: ${{ needs.information.outputs.target }}/Dockerfile | |
cache-from: type=gha,scope=${{ needs.information.outputs.slug }}-${{ matrix.architecture }} | |
cache-to: type=gha,mode=max,scope=${{ needs.information.outputs.slug }}-${{ matrix.architecture }} | |
platforms: ${{ steps.flags.outputs.platform }} | |
build-args: | | |
BUILD_ARCH=${{ matrix.architecture }} | |
BUILD_DATE=${{ steps.flags.outputs.date }} | |
BUILD_DESCRIPTION=${{ needs.information.outputs.description }} | |
BUILD_FROM=${{ steps.flags.outputs.from }} | |
BUILD_NAME=${{ needs.information.outputs.name }} | |
BUILD_REF=${{ github.sha }} | |
BUILD_REPOSITORY=${{ github.repository }} | |
BUILD_VERSION=${{ needs.information.outputs.version }} | |
# yamllint disable rule:line-length | |
- name: 🔐 Load 1Password CAS secret | |
uses: 1password/[email protected] | |
env: | |
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | |
CAS_API_KEY: "op://CI/CAS Codenotary/Anmeldedaten" | |
- name: 🔏 Notarize new image | |
if: needs.information.outputs.signer != 'null' | |
id: notarize_new_image | |
uses: codenotary/cas-notarize-docker-image-github-action@main | |
with: | |
asset: docker://ghcr.io/${{ github.repository_owner }}/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }} | |
cas_api_key: ${{ env.CAS_API_KEY }} | |
- name: 🚀 Push | |
run: | | |
docker push \ | |
"ghcr.io/${{ github.repository_owner }}/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.environment }}" | |
docker push \ | |
"ghcr.io/${{ github.repository_owner }}/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }}" | |
# yamllint enable rule:line-length | |
publish-edge: | |
name: 📢 Publish to edge repository | |
if: needs.information.outputs.environment == 'edge' | |
needs: | |
- information | |
- deploy | |
environment: | |
name: ${{ needs.information.outputs.environment }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: 🔐 Load 1Password Github App secret | |
uses: 1password/[email protected] | |
env: | |
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | |
APP_ID: "op://CI/Github App/Benutzername" | |
APP_SECRET: "op://CI/Github App/elcajon-token-app.2022-08-31.private-key.pem" | |
- name: 🔣 Generate App Token | |
uses: tibdex/github-app-token@v1 | |
id: token | |
with: | |
app_id: ${{ env.APP_ID }} | |
private_key: ${{ env.APP_SECRET }} | |
- name: 🚀 Dispatch repository updater update signal | |
uses: peter-evans/repository-dispatch@v2 | |
with: | |
token: ${{ steps.token.outputs.token }} | |
repository: ${{ github.repository_owner }}/repository-edge | |
event-type: update | |
client-payload: > | |
{ | |
"addon": "${{ needs.information.outputs.slug }}", | |
"name": "${{ needs.information.outputs.name }}", | |
"repository": "${{ github.repository }}", | |
"version": "${{ needs.information.outputs.version }}" | |
} | |
publish-stable: | |
name: 📢 Publish to stable repository | |
if: needs.information.outputs.environment == 'stable' | |
needs: | |
- information | |
- deploy | |
environment: | |
name: ${{ needs.information.outputs.environment }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: 🔐 Load 1Password Github App secret | |
uses: 1password/[email protected] | |
env: | |
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | |
APP_ID: "op://CI/Github App/Benutzername" | |
APP_SECRET: "op://CI/Github App/elcajon-token-app.2022-08-31.private-key.pem" | |
- name: 🔣 Generate App Token | |
uses: tibdex/github-app-token@v1 | |
id: token | |
with: | |
app_id: ${{ env.APP_ID }} | |
private_key: ${{ env.APP_SECRET }} | |
- name: 🚀 Dispatch repository updater update signal | |
uses: peter-evans/repository-dispatch@v2 | |
with: | |
token: ${{ steps.token.outputs.token }} | |
repository: ${{ github.repository_owner }}/repository-stable | |
event-type: update | |
client-payload: > | |
{ | |
"addon": "${{ needs.information.outputs.slug }}", | |
"name": "${{ needs.information.outputs.name }}", | |
"repository": "${{ github.repository }}", | |
"version": "${{ github.event.release.tag_name }}" | |
} |