help and bus format #791

Summary
Jobs
- build
- deploy
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/docker-publish.yml at a5cc7e8

	name: Docker

	# This workflow uses actions that are not certified by GitHub.
	# They are provided by a third-party and are governed by
	# separate terms of service, privacy policy, and support
	# documentation.

	on:
	schedule:
	- cron: '0 5 /7 *'
	push:
	branches:
	- main
	- 'feature/**'
	# Publish semver tags as releases.
	tags: ['v..*']
	pull_request:
	branches:
	- main

	env:
	# Use docker.io for Docker Hub if empty
	REGISTRY: ghcr.io
	# github.repository as <account>/<repo>
	IMAGE_NAME: ${{ github.repository }}

	jobs:
	build:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write
	# This is used to complete the identity challenge
	# with sigstore/fulcio when running outside of PRs.
	id-token: write

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	# Install the cosign tool except on PR
	# https://github.com/sigstore/cosign-installer
	- name: Install cosign
	if: github.event_name != 'pull_request'
	uses: sigstore/cosign-installer@v3.3.0
	with:
	cosign-release: 'v2.2.2'

	# Set up BuildKit Docker container builder to be able to build
	# multi-platform images and export cache
	# https://github.com/docker/setup-buildx-action
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

	- name: Load secret
	id: op-load-secret
	uses: 1password/load-secrets-action@v2
	with:
	export-env: true
	env:
	OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
	GITHUB_TOKEN: op://end.works/GitHub Token/credential

	# Login against a Docker registry except on PR
	# https://github.com/docker/login-action
	- name: Log into registry ${{ env.REGISTRY }}
	if: github.event_name != 'pull_request'
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ env.GITHUB_TOKEN }}

	# Extract metadata (tags, labels) for Docker
	# https://github.com/docker/metadata-action
	- name: Extract Docker metadata
	id: meta
	uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
	tags: \|
	type=schedule
	type=ref,event=branch
	type=ref,event=pr
	type=semver,pattern={{version}}
	type=semver,pattern={{major}}.{{minor}}
	type=semver,pattern={{major}}
	type=sha
	type=raw,value=latest,enable={{is_default_branch}}

	# Build and push Docker image with Buildx (don't push on PR)
	# https://github.com/docker/build-push-action
	- name: Build and push Docker image
	id: build-and-push
	uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
	with:
	context: .
	push: ${{ github.event_name != 'pull_request' }}
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=gha
	cache-to: type=gha,mode=max

	# Sign the resulting Docker image digest except on PRs.
	# This will only write to the public Rekor transparency log when the Docker
	# repository is public to avoid leaking data. If you would like to publish
	# transparency data even for private images, pass --force to cosign below.
	# https://github.com/sigstore/cosign
	- name: Sign the published Docker image
	if: ${{ github.event_name != 'pull_request' }}
	env:
	# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
	TAGS: ${{ steps.meta.outputs.tags }}
	DIGEST: ${{ steps.build-and-push.outputs.digest }}
	# This step uses the identity token to provision an ephemeral certificate
	# against the sigstore community Fulcio instance.
	run: echo "${TAGS}" \| xargs -I {} cosign sign --yes {}@${DIGEST}
	deploy:
	if: ${{ github.event_name != 'pull_request' }}
	runs-on: ubuntu-latest
	needs: build
	steps:
	- name: Set environment variables
	id: set-env-vars
	run: \|
	OWNER=${{github.repository_owner}}
	REPO=${{github.repository}}

	CONTAINER_NAME="${REPO#$OWNER}"
	CONTAINER_NAME="${CONTAINER_NAME#/}"

	TAG=$(echo "${{github.sha}}" \| cut -c1-7)
	TAG="sha-$TAG"
	VERSION=$(echo "${{ github.ref }}" \| sed -e 's,./$.$,\1,')

	[ "$VERSION" != "main" ] && CONTAINER_NAME="${CONTAINER_NAME}-$VERSION"
	[ "$VERSION" == "main" ] && TAG=latest

	echo "CONTAINER_NAME=$CONTAINER_NAME" >> "$GITHUB_ENV"
	echo "TAG=$TAG" >> "$GITHUB_ENV"

	- name: Load secret
	id: op-load-secret
	uses: 1password/load-secrets-action@v2
	with:
	export-env: true
	env:
	OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
	HOST: op://end.works/wired/URL
	PORT: op://end.works/wired/port
	USERNAME: op://end.works/wired/username
	KEY: op://end.works/SSH Key/private key
	FINGERPRINT: op://end.works/SSH Key/fingerprint
	MONGODB_URI: op://end.works/Polaris Config/mongodb uri

	- name: Run container on host
	uses: appleboy/ssh-action@v1.0.3
	with:
	host: ${{ env.HOST }}
	port: ${{ env.PORT }}
	username: ${{ env.USERNAME }}
	key: ${{ env.KEY }}
	script: \|
	docker pull ghcr.io/${{ github.repository }}:${{ env.TAG }}
	docker stop ${{ env.CONTAINER_NAME }}
	docker rm ${{ env.CONTAINER_NAME }}
	docker run -e MONGODB_URI=${{ env.MONGODB_URI }} -v $PWD/logs:/usr/src/app/logs -p 8040:8080 -e TZ=Europe/Madrid -ti -d --restart unless-stopped --name ${{ env.CONTAINER_NAME }} ghcr.io/${{ github.repository }}:${{ env.TAG }}

	- name: Generate summary
	id: generate-summary
	run: \|
	echo "### Deployment done! :rocket:" > $GITHUB_STEP_SUMMARY
	echo "Started container ``${{ env.CONTAINER_NAME }}`` running ``${{ github.repository }}@${{ env.TAG }}``" >> $GITHUB_STEP_SUMMARY

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

help and bus format #791

Workflow file

help and bus format #791

Jobs

Run details

Workflow file for this run