ci: enable docker publish only when new tag is released #53

Workflow file for this run

.github/workflows/release.yml at bc357f9

	name: Release

	on:
	push:
	branches: master
	tags:
	- 'v*'
	paths:
	- '.github/workflows/release.yml'
	- 'api/*.py'
	- 'pyproject.toml'
	- 'Dockerfile'

	jobs:
	release:
	name: Release
	if: \|
	github.actor != 'dependabot[bot]' &&
	github.actor != 'github-actions[bot]' &&
	github.actor != 'protected-auto-commits[bot]'
	runs-on: ubuntu-latest
	concurrency: release
	permissions:
	id-token: write
	contents: write
	issues: write
	pull-requests: write
	outputs:
	new_release_version: ${{ steps.semantic.outputs.version }}
	steps:
	- name: GitHub App Token
	uses: actions/create-github-app-token@v1
	id: app-token
	with:
	app-id: ${{ secrets.GH_APP_ID }}
	private-key: ${{ secrets.GH_PRIVATE_KEY }}

	- name: Checkout Repo
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	token: ${{ steps.app-token.outputs.token }}

	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: '3.12'
	cache: "pip"

	- name: Cache Dependencies
	uses: actions/cache@v4
	with:
	path: ~/.cache/pip
	key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
	restore-keys: \|
	${{ runner.os }}-pip-

	- name: Install Dependencies
	run: \|
	python -m pip install --upgrade pip
	pip install python-semantic-release

	- name: Setup Git
	run: \|
	git fetch origin
	git reset --hard origin/${{ github.ref_name }}

	- name: Semantic Release
	uses: python-semantic-release/python-semantic-release@v9.11.0
	id: semantic
	with:
	github_token: ${{ steps.app-token.outputs.token }}

	docker:
	name: Docker
	runs-on: ubuntu-latest
	if: needs.semantic-release.outputs.new_release_version != ''
	permissions:
	contents: read
	attestations: write
	id-token: write
	packages: write
	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
	needs: release
	steps:
	- name: GitHub App Token
	uses: actions/create-github-app-token@v1
	id: app-token
	with:
	app-id: ${{ secrets.GH_APP_ID }}
	private-key: ${{ secrets.GH_PRIVATE_KEY }}

	- name: Checkout Repo
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	fetch-tags: true
	token: ${{ steps.app-token.outputs.token }}

	- name: Install CoSign
	if: github.event_name != 'pull_request'
	uses: sigstore/cosign-installer@v3.7.0
	with:
	cosign-release: 'v2.4.0'

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Log in to Docker Hub
	uses: docker/login-action@v3
	with:
	username: ${{ vars.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_TOKEN }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Get latest Release
	id: get_latest_release
	run: \|
	latest_release=$(gh release list --limit 1 --json tagName --jq '.[0].tagName')
	echo "LATEST_RELEASE=${latest_release}" >> $GITHUB_ENV
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Extract Docker Metadata
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards
	ghcr.io/${{ github.repository_owner }}/Wakatime-Leaderboards
	tags: \|
	type=raw,value=master
	type=raw,value=${{ env.LATEST_RELEASE }}

	- name: Build & Push Docker Image
	id: push
	uses: docker/build-push-action@v6
	with:
	context: .
	file: ./Dockerfile
	push: true
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	platforms: linux/amd64
	cache-from: type=gha
	cache-to: type=gha,mode=max
	secrets: \|
	GITHUB_TOKEN=${{ steps.app-token.outputs.token }}

	- name: Sign the published Docker Image
	if: ${{ github.event_name != 'pull_request' }}
	env:
	TAGS: ${{ steps.meta.outputs.tags }}
	DIGEST: ${{ steps.push.outputs.digest }}
	run: echo "${TAGS}" \| xargs -I {} cosign sign --yes {}@${DIGEST}

	- name: Generate Artifact Attestation
	uses: actions/attest-build-provenance@v1
	with:
	subject-name: ghcr.io/${{ github.repository_owner }}/Wakatime-Leaderboards
	subject-digest: ${{ steps.push.outputs.digest }}
	push-to-registry: true

	- name: Docker Scout Scan
	uses: docker/scout-action@v1.14.0
	with:
	command: quickview, cves
	image: ${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards:master
	write-comment: true
	github-token: ${{ secrets.GITHUB_TOKEN }}
	sarif-file: docker-scout-results.sarif

	- name: Upload Scout Scan Results
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: docker-scout-results
	path: docker-scout-results.sarif

	cleanup:
	runs-on: ubuntu-latest
	needs: docker
	name: Cleanup
	permissions:
	contents: read
	packages: write
	steps:
	- name: Checkout Repo
	uses: actions/checkout@v4

	- name: Login to Docker Hub
	uses: docker/login-action@v3
	with:
	username: ${{ vars.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_TOKEN }}

	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Delete Old Docker Hub Tags
	run: \|
	echo "Fetching Docker Hub tags..."
	tags=$(curl -s -H "Authorization: Bearer ${{ secrets.DOCKER_TOKEN }}" "https://hub.docker.com/v2/repositories/${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards/tags" \| jq -r '.results[].name')
	echo "Tags found in Docker Hub:"
	echo "$tags"
	latest_tag=$(echo "$tags" \| grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \| sort -rV \| head -n 1)
	echo "Latest semantic version tag is $latest_tag"
	for tag in $tags; do
	if [[ "$tag" != "master" && "$tag" != "$latest_tag" ]]; then
	echo "Deleting tag $tag from Docker Hub"
	curl -X DELETE -H "Authorization: Bearer ${{ secrets.DOCKER_TOKEN }}" "https://hub.docker.com/v2/repositories/${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards/tags/$tag/"
	else
	echo "Keeping tag $tag"
	fi
	done

	- name: Delete Old GHCR Tags
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	REPO_OWNER: ${{ github.repository_owner }}
	PACKAGE_NAME: "wakatime-leaderboards"
	run: \|
	echo "Fetching GHCR tags..."
	page=1
	all_tags=""
	while true; do
	tags=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \
	"https://api.github.com/user/packages/container/$PACKAGE_NAME/versions?per_page=100&page=$page" \| jq -r '.[].metadata.container.tags[]')
	if [ -z "$tags" ]; then
	break
	fi
	all_tags="$all_tags $tags"
	((page++))
	done
	echo "Tags found in GHCR:"
	echo "$all_tags"
	latest_tag=$(echo "$all_tags" \| grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \| sort -rV \| head -n 1)
	echo "Latest semantic version tag is $latest_tag"
	for tag in $all_tags; do
	if [[ "$tag" != "master" && "$tag" != "$latest_tag" ]]; then
	echo "Deleting tag $tag from GHCR"
	version_id=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" \
	"https://api.github.com/user/packages/container/$PACKAGE_NAME/versions" \| \
	jq -r ".[] \| select(.metadata.container.tags[] == \"$tag\") \| .id")
	if [ -n "$version_id" ]; then
	curl -X DELETE -H "Authorization: Bearer $GITHUB_TOKEN" \
	"https://api.github.com/user/packages/container/$PACKAGE_NAME/versions/$version_id"
	else
	echo "Warning: Could not find version ID for tag $tag"
	fi
	else
	echo "Keeping tag $tag"
	fi
	done

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: enable docker publish only when new tag is released #53

Workflow file

ci: enable docker publish only when new tag is released #53

Jobs

Run details

Workflow file for this run