Add versioning to main branch (#29)

.github/workflows/build.yml

@@ -4,7 +4,6 @@ on:
   push:
     ignore-branches:
       - main
-      - future
 
 jobs:
   deployment:
@@ -23,7 +22,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
 
-      - name: Build and push the image
+      - name: Test if image can be built with buildx
         uses: docker/build-push-action@v3
         with:
           push: false
@@ -32,12 +31,12 @@ jobs:
 
       # Can't use the output of the previous step because it's
       # a multiplatform build, so we need to build it again.
-      - name: Test if terragrunt & infracost works (AMD64)
+      - name: Test if terragrunt & infracost are executable (AMD64)
         run: |
           docker build --build-arg TARGETARCH=amd64 -t runner-terraform-test .
           docker run --rm runner-terraform-test sh -c "terragrunt --version && infracost --version"
 
-      - name: Test if terragrunt & infracost works (ARM64)
+      - name: Test if terragrunt & infracost are executable (ARM64)
         run: |
           docker build --build-arg TARGETARCH=arm64 -t runner-terraform-test .
           docker run --rm runner-terraform-test sh -c "terragrunt --version && infracost --version"

.github/workflows/publish/action.yml

@@ -0,0 +1,88 @@
+name: Publish
+description: Builds and pushes the Docker image to the public ECR and GitHub registry
+
+inputs:
+  aws_role_to_assume:
+    description: The AWS role to assume. Used to authenticate with ECR.
+    required: true
+  github_token:
+    description: The GitHub token. Used to authenticate with GitHub registry.
+    required: true
+  git_tag:
+    description: Git tag to use for the GitHub Release
+    required: false
+  image_tags:
+    description: The tags of the Docker image to push
+    required: true
+  publish_release:
+    description: Whether to publish a GitHub Release
+    required: true
+    default: false
+  release_title:
+    description: The title of the GitHub Release.
+    required: false
+  release_body:
+    description: The body of the GitHub Release. If not provided, the body will be auto-generated.
+    required: false
+  checkout_ref:
+    description: The ref to checkout. If not provided, the basic checkout action will be used.
+    required: false
+
+runs:
+  using: composite
+  steps:
+      - name: Check out repository code
+        uses: actions/checkout@main
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.checkout_ref }}
+
+      - name: Install the latest AWS CLI
+        shell: sh
+        run: |
+          apk add --no-cache python3 py3-pip
+          pip3 install --upgrade pip
+          pip3 install awscli
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ inputs.aws_role_to_assume }}
+          role-duration-seconds: 900
+
+      - name: Log in to Amazon public ECR
+        run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+
+      - name: Log in to GitHub registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ inputs.github_token }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: linux/arm64
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build and push the image
+        uses: docker/build-push-action@v3
+        with:
+          push: true
+          context: .
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ inputs.image_tags }}
+
+      - name: Create release
+        uses: ncipollo/release-action@v1
+        if: inputs.publish_release == 'true'
+        with:
+          name: ${{ inputs.release_title }}
+          tag: ${{ inputs.git_tag }}
+          body: ${{ inputs.release_body }}
+          generateReleaseNotes: true
+          allowUpdates: true

.github/workflows/publish_future.yml

@@ -0,0 +1,32 @@
+name: Deploy future tag
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  deployment:
+    name: Build and publish future tag
+    runs-on: ubuntu-latest
+    container: docker
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+
+    steps:
+      - name: Checkout publish workflow
+        uses: Bhacaz/checkout-files@v2
+        with:
+          files: .github/workflows/publish/action.yml
+
+      - name: Build and push future image
+        uses: ./.github/workflows/publish
+        with:
+          aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_release: false
+          image_tags: |
+            ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:future
+            ghcr.io/spacelift-io/runner-terraform:future

.github/workflows/publish_scheduled.yml

@@ -0,0 +1,53 @@
+name: Scheduled publish
+
+on:
+  schedule:
+    - cron: '20 8 * * 1'
+
+jobs:
+  deployment:
+    name: Rebuild and publish the latest tagged image
+    runs-on: ubuntu-latest
+    container: docker
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+
+    steps:
+      - name: Get latest tag
+        uses: oprypin/find-latest-tag@v1
+        id: latest-tag
+        with:
+          repository: ${{ github.repository }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set current date as env variable
+        run: echo "TODAY=$(date +'%Y%m%d')" >> $GITHUB_ENV
+
+      - name: Set nicely formatted current date as env variable
+        run: echo "TODAY_FORMATTED=$(date +'%Y-%m-%d')" >> $GITHUB_ENV
+
+      - name: Checkout publish workflow
+        uses: Bhacaz/checkout-files@v2
+        with:
+          files: .github/workflows/publish/action.yml
+
+      - name: Build and push weekly image
+        uses: ./.github/workflows/publish
+        with:
+          aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          git_tag: ${{ steps.latest-tag.outputs.tag }}
+          publish_release: true
+          release_title: ${{ steps.latest-tag.outputs.tag }} - weekly release (${{ env.TODAY_FORMATTED }})
+          release_body: |
+            ## Weekly rebuild
+            This is a weekly rebuild of the latest image (`${{ steps.latest-tag.outputs.tag }}`).
+            The image is rebuilt to ensure that it is up to date with the latest security patches.
+          checkout_ref: ${{ steps.latest-tag.outputs.tag }}
+          image_tags: |
+            ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:latest
+            ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}
+            ghcr.io/spacelift-io/runner-terraform:latest
+            ghcr.io/spacelift-io/runner-terraform:${{ steps.latest-tag.outputs.tag }}_${{ env.TODAY }}

.github/workflows/publish_tagged.yml

@@ -0,0 +1,43 @@
+name: Deploy tagged
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  deployment:
+    name: Build and publish the newly tagged image
+    runs-on: ubuntu-latest
+    container: docker
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+
+    steps:
+      - name: Get latest tag
+        uses: oprypin/find-latest-tag@v1
+        id: latest-tag
+        with:
+          repository: ${{ github.repository }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Checkout publish workflow
+        uses: Bhacaz/checkout-files@v2
+        with:
+          files: .github/workflows/publish/action.yml
+
+      - name: Build and push latest image
+        uses: ./.github/workflows/publish
+        with:
+          aws_role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          git_tag: ${{ steps.latest-tag.outputs.tag }}
+          publish_release: true
+          release_title: ${{ steps.latest-tag.outputs.tag }}
+          image_tags: |
+            ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:latest
+            ${{ secrets.PUBLIC_RUNNER_TERRAFORM_ECR_REPOSITORY_URL }}:${{ steps.latest-tag.outputs.tag }}
+            ghcr.io/spacelift-io/runner-terraform:latest
+            ghcr.io/spacelift-io/runner-terraform:${{ steps.latest-tag.outputs.tag }}

.github/workflows/trivy.yml

@@ -2,9 +2,9 @@ name: Trivy
 
 on:
   push:
-    branches: ["main", "future"]
+    branches: [main]
   pull_request:
-    branches: ["main", "future"]
+    branches: [main]
   schedule:
     - cron: "19 7 * * 0"
 

README.md

@@ -10,11 +10,14 @@ with ECR.
 
 ## Branch Model
 
-This repository uses two main branches:
+All changes merged to `main` branch are automatically built and pushed to the Docker repository with the `future` tag.
 
-- `main` - contains the production version of the runner image.
-- `future` - used to test development changes.
+Once it is considered stable, we can release it as `latest` by creating a tag (semver) and pushing it to the
+repository. Example:
 
-Pushes to `main` deploy to the `latest` tag, whereas pushes to `future` deploy to the `future`
-tag. This means that to use the development version you can use the `public.ecr.aws/spacelift/runner-terraform:future`
-image.
+```bash
+$ git tag -a v1.1.0 -m "Release v1.1.0"
+$ git push origin v1.1.0
+```
+
+Note: we also have a weekly cron job that re-runs the `main` branch just to have the latest package updates.