Build and publish Docker images to GitHub Container Registry

[Snyk] Security upgrade python from 3.10.12-bookworm to 3.13.0b3-bookworm #259

Workflow file for this run

	name: Build and publish Docker images to GitHub Container Registry

	on:
	push:
	tags:
	- "v[0-9]+.[0-9]+.[0-9]+"
	branches:
	- main
	- production
	pull_request:

	jobs:
	golangci:
	name: Run golangci-lint
	runs-on: ubuntu-latest
	timeout-minutes: 10
	steps:
	# Required: setup-go, for all versions v3.0.0+ of golangci-lint
	- uses: actions/setup-go@v3
	with:
	go-version: 1.18
	check-latest: true
	- uses: actions/checkout@v3
	- uses: technote-space/[email protected]
	with:
	PATTERNS: \|
	/.go
	go.mod
	go.sum
	- uses: golangci/[email protected]
	with:
	# Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
	version: v1.54.2
	args: --timeout 10m
	github-token: ${{ secrets.github_token }}
	# Check only if there are differences in the source code
	if: env.GIT_DIFF

	test-unit:
	needs: golangci
	runs-on: ubuntu-latest
	steps:
	- uses: actions/setup-go@v4
	with:
	go-version: "1.19"
	check-latest: true
	- uses: actions/checkout@v3
	- uses: technote-space/[email protected]
	with:
	PATTERNS: \|
	/.sol
	/.go
	go.mod
	go.sum
	- name: Test
	run: \|
	make test
	if: env.GIT_DIFF

	set-environment:
	runs-on: ubuntu-latest
	needs: [golangci, test-unit]
	outputs:
	env-variable: ${{ steps.set-env-var.outputs.patch_env }}
	steps:
	- name: Checkout
	uses: actions/checkout@v3
	with:
	fetch-depth: 0 # Note: This fetches all branches and tags

	- name: Check base ref
	run: \|
	BASE_REF=$(git describe --contains --all HEAD)
	echo "BASE_REF=$BASE_REF" >> $GITHUB_ENV

	- name: Set ENV variable
	id: set-env-var
	run: \|
	PATCH_ENV="unknown" # Default value
	case $GITHUB_REF in
	refs/tags/*)
	TAG_COMMIT=$(git rev-list -n 1 ${{ github.ref }})
	BRANCH=$(git branch -r --contains $TAG_COMMIT \| sed 's/ *origin\///' \| grep -v "HEAD" \| grep "main")
	if [ "$BRANCH" == "main" ]; then
	PATCH_ENV="production"
	fi
	;;
	refs/heads/main)
	PATCH_ENV="non-production"
	;;
	esac
	echo "PATCH_ENV=$PATCH_ENV" >> $GITHUB_ENV
	echo "BRANCH=$BRANCH" >> $GITHUB_ENV
	echo "::set-output name=patch_env::$PATCH_ENV"

	build:
	if: (github.event_name == 'push') && (needs.set-environment.outputs.env-variable == 'non-production')
	needs: [set-environment]
	permissions:
	contents: read
	id-token: write
	packages: write
	runs-on: ubuntu-latest
	strategy:
	matrix:
	component:
	- name: "api"
	path: "."
	dockerfile: "dockerfile"
	image_name: "dashboard-backend_api"
	- name: "cron"
	path: "./cronjobs"
	dockerfile: "dockerfile"
	image_name: "dashboard-backend_cron"
	steps:
	- name: Checkout
	uses: actions/checkout@v3

	- name: Docker metadata
	id: metadata
	uses: docker/[email protected]
	with:
	images: \|
	ghcr.io/${{ github.repository }}/${{ matrix.component.name }}
	tags: \|
	type=semver,pattern={{version}}
	type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }}
	flavor: \|
	latest=${{ github.ref == 'refs/heads/main' }}

	# Login to GitHub Container Registry (GHCR)
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v2
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build and push
	uses: docker/[email protected]
	with:
	push: true
	tags: ${{ steps.metadata.outputs.tags }}
	context: ${{ matrix.component.path }}
	file: ${{ matrix.component.path }}/${{ matrix.component.dockerfile }}
	platforms: linux/amd64

	- name: Write image tag to file
	run: \|
	echo "${{ matrix.component.name }} ${{ steps.metadata.outputs.tags }}" >> metadata-${{ matrix.component.name }}.txt

	- name: Upload image tags
	uses: actions/upload-artifact@v2
	with:
	name: image-tag-${{ matrix.component.name }}
	path: metadata-${{ matrix.component.name }}.txt

	- name: Prune old images on ghcr.io
	uses: vlaurin/[email protected]
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	organization: ${{ github.repository_owner }}
	container: backend/${{ matrix.component.name }}
	dry-run: false
	keep-younger-than: 14 # days
	keep-last: 5
	prune-untagged: true
	prune-tags-regexes: ^[a-zA-Z0-9-\.]+$

	retag-and-push:
	if: needs.set-environment.outputs.env-variable == 'production'
	needs: [set-environment]
	runs-on: ubuntu-latest
	strategy:
	matrix:
	component:
	- name: "api"
	path: "."
	dockerfile: "Dockerfile"
	image_name: "dashboard-backend_api"
	- name: "cron"
	path: "./cronjobs"
	dockerfile: "Dockerfile"
	image_name: "dashboard-backend_cron"
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	# Login to GitHub Container Registry (GHCR)
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v2
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Re-tag image
	run: \|
	COMMIT_HASH=$(git rev-parse --short "$GITHUB_REF_NAME")
	docker pull ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${COMMIT_HASH}
	docker tag ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${COMMIT_HASH} ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${GITHUB_REF_NAME}
	docker push ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:${GITHUB_REF_NAME}
	echo "${{ matrix.component.name }} ghcr.io/${{ github.repository }}/${{ matrix.component.name }}:$GITHUB_REF_NAME" > metadata-${{ matrix.component.name }}.txt

	- name: Upload image tags
	uses: actions/upload-artifact@v2
	with:
	name: image-tag-${{ matrix.component.name }}
	path: metadata-${{ matrix.component.name }}.txt

	update-deployment-tags:
	if: always() && (needs.set-environment.outputs.env-variable != 'unknown' && needs.set-environment.outputs.env-variable != '')
	needs: [set-environment,build,retag-and-push]
	runs-on: ubuntu-latest
	environment:
	name: ${{ needs.set-environment.outputs.env-variable }}
	steps:
	- name: Use environment
	run: \|
	echo "Deploying to environment ${{ needs.set-environment.outputs.env-variable }}"
	echo "K8S_MANIFEST: ${{ vars.K8S_MANIFEST }}"

	- name: Download all artifacts
	uses: actions/download-artifact@v2
	with:
	path: build-artifacts

	- name: Clone argo-apps repo
	run: \|
	git clone https://x-access-token:${ARGOCD_APPS_TOKEN}@${ARGOCD_APPS_REPO} APPS
	env:
	ARGOCD_APPS_TOKEN: ${{ secrets.ARGOCD_APPS_TOKEN }}
	ARGOCD_APPS_REPO: ${{ secrets.ARGOCD_APPS_REPO }}

	- name: Update k8s deployment
	run: \|
	find build-artifacts -name "*.txt" \| while read filename; do
	while read line; do
	COMPONENT=$(echo $line \| cut -d' ' -f1)
	NEW_IMAGE=$(echo $line \| cut -d' ' -f2-)
	sed -i "s\|ghcr.io/${{ github.repository }}/${COMPONENT}:[^ ]*\|${NEW_IMAGE}\|" APPS/${{ vars.K8S_MANIFEST }}
	done < $filename
	done

	- name: Commit and push if it's necessary
	run: \|
	cd APPS
	git diff
	git config --global user.email "[email protected]"
	git config --global user.name "GitHub Action"
	git commit -am "Update tags (pipeline #${{ github.run_number }})" \|\| echo "No changes to commit"
	git push

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade python from 3.10.12-bookworm to 3.13.0b3-bookworm #259

Workflow file

[Snyk] Security upgrade python from 3.10.12-bookworm to 3.13.0b3-bookworm #259

Jobs

Run details

Workflow file for this run