chore: Remove dependency on multierror #7703
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: atlantis-image | |
on: | |
push: | |
branches: | |
- 'main' | |
- 'release-**' | |
tags: | |
- v*.*.* | |
pull_request: | |
branches: | |
- 'main' | |
- 'release-**' | |
types: | |
- opened | |
- reopened | |
- synchronize | |
- ready_for_review | |
workflow_dispatch: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
changes: | |
outputs: | |
should-run-build: ${{ steps.changes.outputs.src == 'true' || startsWith(github.ref, 'refs/tags/') }} | |
if: github.event.pull_request.draft == false | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 | |
id: changes | |
with: | |
filters: | | |
src: | |
- 'Dockerfile' | |
- 'docker-entrypoint.sh' | |
- '.github/workflows/atlantis-image.yml' | |
- '**.go' | |
- 'go.*' | |
build: | |
needs: [changes] | |
if: needs.changes.outputs.should-run-build == 'true' | |
name: Build Image | |
permissions: | |
contents: read | |
id-token: write | |
packages: write | |
attestations: write | |
strategy: | |
matrix: | |
image_type: [alpine, debian] | |
runs-on: ubuntu-24.04 | |
env: | |
# Set docker repo to either the fork or the main repo where the branch exists | |
DOCKER_REPO: ghcr.io/${{ github.repository }} | |
# Push if not a pull request and references the main branch | |
PUSH: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
# Lint the Dockerfile first before setting anything up | |
- name: Lint Dockerfile | |
uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 | |
with: | |
dockerfile: "Dockerfile" | |
- name: Set up Go | |
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version-file: "go.mod" | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3 | |
with: | |
image: tonistiigi/binfmt:latest | |
platforms: arm64,arm | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3 | |
# https://github.com/docker/build-push-action/issues/761#issuecomment-1575006515 | |
with: | |
driver-opts: | | |
image=moby/buildkit:v0.14.0 | |
- name: "Install cosign" | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
if: env.PUSH == 'true' && github.event_name != 'pull_request' | |
# release version is the name of the tag i.e. v0.10.0 | |
# release version also has the image type appended i.e. v0.10.0-alpine | |
# release tag is either pre-release or latest i.e. latest | |
# release tag also has the image type appended i.e. latest-alpine | |
# if it's v0.10.0 and alpine, it will do v0.10.0, v0.10.0-alpine, latest, latest-alpine | |
# if it's v0.10.0 and debian, it will do v0.10.0-debian, latest-debian | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5 | |
env: | |
SUFFIX: ${{ format('-{0}', matrix.image_type) }} | |
with: | |
images: | | |
${{ env.DOCKER_REPO }} | |
labels: | | |
org.opencontainers.image.authors="@runatlantis Github Org" | |
org.opencontainers.image.licenses=Apache-2.0 | |
tags: | | |
# semver | |
type=semver,pattern={{version}},prefix=v,suffix=${{ env.SUFFIX }} | |
type=semver,pattern={{version}},prefix=v,enable=${{ matrix.image_type == 'alpine' }} | |
type=semver,pattern={{major}}.{{minor}},prefix=v,suffix=${{ env.SUFFIX }} | |
# dev | |
type=raw,event=push,value=dev,enable={{is_default_branch}},suffix=${{ env.SUFFIX }} | |
type=raw,event=push,value=dev,enable={{is_default_branch}},suffix=${{ env.SUFFIX }}-{{ sha }} | |
type=raw,event=push,value=dev,enable=${{ github.ref == format('refs/heads/{0}', 'main') && matrix.image_type == 'alpine' }},suffix= | |
# prerelease | |
type=raw,event=tag,value=prerelease-latest,enable=${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, 'pre') && matrix.image_type == 'alpine' }},suffix= | |
type=raw,event=tag,value=prerelease-latest,enable=${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, 'pre') }},suffix=${{ env.SUFFIX }} | |
# latest | |
type=raw,event=tag,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, 'pre') && matrix.image_type == 'alpine' }},suffix= | |
type=raw,event=tag,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, 'pre') }},suffix=${{ env.SUFFIX }} | |
# pr | |
type=ref,event=pr,suffix=${{ env.SUFFIX }} | |
flavor: | | |
# This is disabled here so we can use the raw form above | |
latest=false | |
# Suffix is not used here since there's no way to disable it above | |
- name: Login to Packages Container registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# Publish release to container registry | |
- name: Populate release version | |
if: contains(fromJson('["push", "pull_request"]'), github.event_name) | |
run: echo "RELEASE_VERSION=${{ startsWith(github.ref, 'refs/tags/') && '${GITHUB_REF#refs/*/}' || 'dev' }}" >> $GITHUB_ENV | |
- name: "Build ${{ env.PUSH == 'true' && 'and push' || '' }} ${{ env.DOCKER_REPO }} image" | |
id: build | |
if: contains(fromJson('["push", "pull_request"]'), github.event_name) | |
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6 | |
with: | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
context: . | |
build-args: | | |
ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} | |
ATLANTIS_VERSION=${{ env.RELEASE_VERSION }} | |
ATLANTIS_COMMIT=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} | |
ATLANTIS_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} | |
platforms: linux/arm64/v8, linux/amd64, linux/arm/v7 | |
push: ${{ env.PUSH }} | |
tags: ${{ steps.meta.outputs.tags }} | |
target: ${{ matrix.image_type }} | |
labels: ${{ steps.meta.outputs.labels }} | |
outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} | |
- name: "Create Image Attestation" | |
if: env.PUSH == 'true' && github.event_name != 'pull_request' | |
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 | |
with: | |
subject-digest: ${{ steps.build.outputs.digest }} | |
subject-name: ghcr.io/${{ github.repository }} | |
push-to-registry: true | |
- name: "Sign images with environment annotations" | |
# no key needed, we're using the GitHub OIDC flow | |
if: env.PUSH == 'true' && github.event_name != 'pull_request' | |
run: | | |
# Sign dev tags, version tags, and latest tags | |
echo "${TAGS}" | xargs -I {} cosign sign \ | |
--yes \ | |
-a actor=${{ github.actor}} \ | |
-a ref_name=${{ github.ref_name}} \ | |
-a ref=${{ github.sha }} \ | |
{}@${DIGEST} | |
env: | |
TAGS: ${{ steps.meta.outputs.tags }} | |
DIGEST: ${{ steps.build.outputs.digest }} | |
test: | |
needs: [changes] | |
if: needs.changes.outputs.should-run-build == 'true' | |
name: Test Image With Goss | |
runs-on: ubuntu-24.04 | |
strategy: | |
matrix: | |
image_type: [alpine, debian] | |
platform: [linux/arm64/v8, linux/amd64, linux/arm/v7] | |
env: | |
# Set docker repo to either the fork or the main repo where the branch exists | |
DOCKER_REPO: ghcr.io/${{ github.repository }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3 | |
# https://github.com/docker/build-push-action/issues/761#issuecomment-1575006515 | |
with: | |
driver-opts: | | |
image=moby/buildkit:v0.14.0 | |
- name: "Build and load into Docker" | |
if: contains(fromJson('["push", "pull_request"]'), github.event_name) | |
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6 | |
with: | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
context: . | |
build-args: | | |
ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} | |
push: false | |
load: true | |
tags: "${{ env.DOCKER_REPO }}:goss-test" | |
target: ${{ matrix.image_type }} | |
- name: "Setup Goss" | |
uses: e1himself/goss-installation-action@fbb6fb55d3e59c96045b2500eeb8ce0995d99ac1 # v1.2.1 | |
with: | |
version: "v0.4.7" | |
- name: Execute Goss tests | |
run: | | |
dgoss run --rm ${{ env.DOCKER_REPO }}:goss-test bash -c 'while true; do sleep 1; done;' | |
skip-build: | |
needs: [changes] | |
if: needs.changes.outputs.should-run-build == 'false' | |
name: Build Image | |
strategy: | |
matrix: | |
image_type: [alpine, debian] | |
platform: [linux/arm64/v8, linux/amd64, linux/arm/v7] | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
with: | |
egress-policy: audit | |
- run: 'echo "No build required"' | |