From dd1c09fe0cff5f4fd94553784ac2153ea856c4ae Mon Sep 17 00:00:00 2001
From: Matt Kilgore
Date: Wed, 19 Jun 2024 20:05:28 -0400
Subject: [PATCH] fix(ci): updates existing ci job to work with new docker publishing. (#30)
---
.../{tag.yaml => binaries-publish.yaml} | 34 +------
.../workflows/docker-publish-rootless.yaml | 15 ----
.github/workflows/docker-publish.yaml | 15 ----
.github/workflows/partial-publish.yaml | 89 -------------------
.github/workflows/publish.yaml | 29 ------
5 files changed, 2 insertions(+), 180 deletions(-)
rename .github/workflows/{tag.yaml => binaries-publish.yaml} (59%)
delete mode 100644 .github/workflows/partial-publish.yaml
delete mode 100644 .github/workflows/publish.yaml
diff --git a/.github/workflows/tag.yaml b/.github/workflows/binaries-publish.yaml
similarity index 59%
rename from .github/workflows/tag.yaml
rename to .github/workflows/binaries-publish.yaml
index 1a9c4212..6ae98954 100644
--- a/.github/workflows/tag.yaml
+++ b/.github/workflows/binaries-publish.yaml
@@ -1,12 +1,8 @@
-name: Publish Release
+name: Publish Release Binaries
 on:
 push:
- tags:
- - v*
-
-env:
- FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
+ tags: [ 'v*.*.*' ]
 jobs:
 backend-tests:
@@ -49,29 +45,3 @@ jobs:
 args: release --clean
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- publish-tag:
- name: "Publish Tag"
- uses: sysadminsmedia/homebox/.github/workflows/partial-publish.yaml@main
- with:
- release: true
- tag: ${{ github.ref_name }}
- secrets:
- GH_TOKEN: ${{ secrets.CR_PAT }}
-
- deploy-docs:
- name: Deploy docs
- needs:
- - publish-tag
- - goreleaser
- runs-on: ubuntu-latest
- steps:
- - name: Checkout main
- uses: actions/checkout@v4
-
- - name: Deploy docs
- uses: mhausenblas/mkdocs-deploy-gh-pages@master
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- CONFIG_FILE: docs/mkdocs.yml
- EXTRA_PACKAGES: build-base 
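Review bot: The new trigger `tags: [ 'v*.*.*' ]` on the push event means any tag push matching that glob now runs goreleaser with `secrets.GITHUB_TOKEN` and publishes release binaries, so the release gate is whoever can push tags; a tag ruleset restricting `v*` to maintainers is worth confirming, since repository settings are not visible here. Dropping the workflow-level `env: FLY_API_TOKEN` is a good cleanup, as that secret is no longer exposed to every step in the file. The pattern is narrower than the old `v*` (a plain `v1` tag no longer publishes) and nothing says why, so a one-line comment above it would help: `# Only semver-style release tags (v1.2.3[-suffix]) publish binaries; bare 'v1' tags are ignored`. The goreleaser job body and the workflow's permissions block lie outside this hunk.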
diff --git a/.github/workflows/docker-publish-rootless.yaml b/.github/workflows/docker-publish-rootless.yaml
index eea71e4a..e8fbc315 100644
--- a/.github/workflows/docker-publish-rootless.yaml
+++ b/.github/workflows/docker-publish-rootless.yaml
@@ -88,21 +85,6 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
- # Sign the resulting Docker image digest except on PRs.
- # This will only write to the public Rekor transparency log when the Docker
- # repository is public to avoid leaking data. If you would like to publish
- # transparency data even for private images, pass --force to cosign below.
- # https://github.com/sigstore/cosign
- - name: Sign the published Docker image
- if: ${{ github.event_name != 'pull_request' }}
- env:
- # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
- TAGS: ${{ steps.metadata.outputs.tags }}
- DIGEST: ${{ steps.build-and-push.outputs.digest }}
- # This step uses the identity token to provision an ephemeral certificate
- # against the sigstore community Fulcio instance.
- run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
-
 - name: Attest
 uses: actions/attest-build-provenance@v1
 id: attest
diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml
index 55322876..41ac851b 100644
--- a/.github/workflows/docker-publish.yaml
+++ b/.github/workflows/docker-publish.yaml 
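Review bot: Removing the `Sign the published Docker image` step leaves the rootless image with a build-provenance attestation but no Sigstore signature, and the two are not interchangeable: anything that gates on `cosign verify` (or an admission policy keyed on an image signature) will start failing on new tags, while the attestation only answers `gh attestation verify` / `cosign verify-attestation`. Nothing in the commit message or the new side says signing is meant to go away, so either restore the removed step unchanged next to the `Attest` step, or state the decision and the replacement verification command in the release notes and above the `Attest` step, e.g. `# Images are no longer cosign-signed; provenance is published via attest-build-provenance instead`. The removed step was also the one carrying `if: ${{ github.event_name != 'pull_request' }}`; the Attest step's own condition, its subject inputs and the job's `id-token`/`attestations` permissions are outside this hunk, so it is worth checking that PR builds do not now try to attest. Whether cosign is still installed earlier in the job is likewise not visible here.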
@@ -85,21 +85,6 @@ jobs:
 platforms: linux/amd64,linux/arm64,linux/arm/v7
 cache-from: type=gha
 cache-to: type=gha,mode=max
-
- # Sign the resulting Docker image digest except on PRs.
- # This will only write to the public Rekor transparency log when the Docker
- # repository is public to avoid leaking data. If you would like to publish
- # transparency data even for private images, pass --force to cosign below.
- # https://github.com/sigstore/cosign
- - name: Sign the published Docker image
- if: ${{ github.event_name != 'pull_request' }}
- env:
- # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
- TAGS: ${{ steps.meta.outputs.tags }}
- DIGEST: ${{ steps.build-and-push.outputs.digest }}
- # This step uses the identity token to provision an ephemeral certificate
- # against the sigstore community Fulcio instance.
- run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
 - name: Attest
 uses: actions/attest-build-provenance@v1
diff --git a/.github/workflows/partial-publish.yaml b/.github/workflows/partial-publish.yaml
deleted file mode 100644
index 2adea6fb..00000000
--- a/.github/workflows/partial-publish.yaml
+++ /dev/null 
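Review bot: With the `cosign sign` step gone, the only thing that still ties the pushed tags (`steps.meta.outputs.tags`) to the built digest is the `Attest` step that follows, and its inputs are outside this hunk; unless it is given the image digest as subject and `push-to-registry: true`, the provenance lives only in the GitHub attestations API and a registry-side `cosign verify-attestation` of the pulled image finds nothing. Please confirm that, because otherwise a consumer pulling the published image has no verifiable artefact at all after this commit. Both publish workflows lose signing here, so a comment above the `Attest` step explaining the new verification story would help readers: `# Signature step removed in #30; verify images with 'gh attestation verify' against this repo's provenance`. `actions/attest-build-provenance@v1` is a floating major tag; for the step that now stands alone as the release's integrity evidence, pinning it to a commit SHA is the usual hardening.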
@@ -1,89 +0,0 @@
-name: Frontend / E2E
-on:
- workflow_call:
- inputs:
- tag:
- required: true
- type: string
- release:
- required: false
- type: boolean
- default: false
-
- secrets:
- GH_TOKEN:
- required: true
-
-jobs:
- publish:
- name: "Publish Homebox"
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version: "1.20"
-
- - name: Set up QEMU
- id: qemu
- uses: docker/setup-qemu-action@v3
- with:
- image: tonistiigi/binfmt:latest
- platforms: all
-
- - name: install buildx
- id: buildx
- uses: docker/setup-buildx-action@v3
- with:
- install: true
-
- - name: login to container registry
- run: docker login ghcr.io --username hay-kot --password $CR_PAT
- env:
- CR_PAT: ${{ secrets.GH_TOKEN }}
-
- - name: build nightly image
- if: ${{ inputs.release == false }}
- run: |
- docker build --push --no-cache \
- --tag=ghcr.io/sysadminsmedia/homebox:${{ inputs.tag }} \
- --build-arg=COMMIT=$(git rev-parse HEAD) \
- --build-arg=BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
- --platform=linux/amd64,linux/arm64,linux/arm/v7 .
-
- - name: build nightly-rootless image
- if: ${{ inputs.release == false }}
- run: |
- docker build --push --no-cache \
- --tag=ghcr.io/sysadminsmedia/homebox:${{ inputs.tag }}-rootless \
- --build-arg=COMMIT=$(git rev-parse HEAD) \
- --build-arg=BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
- --file Dockerfile.rootless \
- --platform=linux/amd64,linux/arm64,linux/arm/v7 .
-
- - name: build release tagged the image
- if: ${{ inputs.release == true }}
- run: |
- docker build --push --no-cache \
- --tag ghcr.io/sysadminsmedia/homebox:nightly \
- --tag ghcr.io/sysadminsmedia/homebox:latest \
- --tag ghcr.io/sysadminsmedia/homebox:${{ inputs.tag }} \
- --build-arg VERSION=${{ inputs.tag }} \
- --build-arg COMMIT=$(git rev-parse HEAD) \
- --build-arg BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
- --platform linux/amd64,linux/arm64,linux/arm/v7 . 
-
- - name: build release tagged the rootless image
- if: ${{ inputs.release == true }}
- run: |
- docker build --push --no-cache \
- --tag ghcr.io/sysadminsmedia/homebox:nightly-rootless \
- --tag ghcr.io/sysadminsmedia/homebox:latest-rootless \
- --tag ghcr.io/sysadminsmedia/homebox:${{ inputs.tag }}-rootless \
- --build-arg VERSION=${{ inputs.tag }} \
- --build-arg COMMIT=$(git rev-parse HEAD) \
- --build-arg BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
- --platform linux/amd64,linux/arm64,linux/arm/v7 \
- --file Dockerfile.rootless .
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
deleted file mode 100644
index fa885e98..00000000
--- a/.github/workflows/publish.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: Publish Dockers
-
-on:
- push:
- branches:
- - main
-
-env:
- FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
-
-jobs:
- deploy:
- name: "Deploy Nightly to Fly.io"
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - uses: superfly/flyctl-actions/setup-flyctl@master
- - run: flyctl deploy --remote-only
-
- publish-nightly:
- name: "Publish Nightly"
- if: github.event_name != 'release'
- uses: sysadminsmedia/homebox/.github/workflows/partial-publish.yaml@main
- with:
- tag: nightly
- secrets:
- GH_TOKEN: ${{ secrets.CR_PAT }}
- 