Skip to content

Publish and Deploy #316

Publish and Deploy

Publish and Deploy #316

Workflow file for this run

name: Publish and Deploy
on:
schedule:
- cron: '25 21 * * *'
push:
branches: [ "main" ]
paths-ignore:
- '*.md'
# Publish semver tags as releases.
tags: [ 'v*.*.*' ]
pull_request:
branches: [ "main" ]
env:
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
jobs:
setenv:
name: Set environment name
runs-on: ubuntu-latest
outputs:
environment: ${{ steps.setenv.outputs.environment }}
steps:
- name: Set environment variables
id: setenv
run: |
if [ ${{ github.event_name }} == "pull_request" ]; then
echo "environment=staging" >> $GITHUB_OUTPUT
else
echo "environment=production" >> $GITHUB_OUTPUT
fi
setlogin:
name: Set target login
runs-on: ubuntu-latest
needs: setenv
environment: ${{ needs.setenv.outputs.environment }}
outputs:
login: ${{ steps.setlogin.outputs.login }}
steps:
- name: Set environment variables
id: setlogin
run: |
echo "Target login: ${{ vars.LOGIN }}"
echo "login=${{ vars.LOGIN }}" >> $GITHUB_OUTPUT
build:
name: Build and test
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.20.4
cache: true
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: go
- name: Build
run: go build -v ./...
- name: Test
run: go test -v ./...
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:go"
publish:
name: Publish to GitHub Container Registry
runs-on: ubuntu-latest
needs:
- build
outputs:
tag: ${{ steps.tag.outputs.value }}
permissions:
contents: read
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 # v2.6.0
with:
cosign-release: 'v1.13.1'
- name: Set up QEMU
uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
# Workaround: https://github.com/docker/build-push-action/issues/461
- name: Setup Docker buildx
uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Get a single tag
id: tag
run: |
echo "Tags were ${{ steps.meta.outputs.tags }}"
tag=$(echo "${{ steps.meta.outputs.tags }}" | cut -d':' -f2 | head -n 1)
echo "Tag is now $tag"
echo "value=$tag" >> "$GITHUB_OUTPUT"
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
# repository is public to avoid leaking data. If you would like to publish
# transparency data even for private images, pass --force to cosign below.
# https://github.com/sigstore/cosign
- name: Sign the published Docker image
if: ${{ github.event_name != 'pull_request' }}
env:
COSIGN_EXPERIMENTAL: "true"
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
deploy:
name: Deploy
needs:
- publish
- setenv
concurrency:
group: ${{ github.workflow }}-${{ needs.setenv.outputs.environment }}
cancel-in-progress: true
uses: ./.github/workflows/deploy-azure-container-app.yml
secrets: inherit
permissions:
id-token: write
packages: read
actions: write
with:
environment: ${{ needs.setenv.outputs.environment }}
tag: ${{ needs.publish.outputs.tag }}
wakeup:
name: Wakeup container app
runs-on: ubuntu-latest
needs:
- deploy
steps:
- run: curl ${{ needs.deploy.outputs.ping }}
test:
uses: ./.github/workflows/deployment-test.yml
needs:
- wakeup
- setenv
- setlogin
- deploy
permissions:
id-token: write
with:
endpoint: ${{ needs.deploy.outputs.endpoint }}
login: ${{ needs.setlogin.outputs.login }}
environment: ${{ needs.setenv.outputs.environment }}