build(deps): bump the aws-sdk-go-v2 group with 4 updates (#1088) #137
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- main | |
release: | |
types: | |
- released | |
jobs: | |
docker: | |
name: Docker Images | |
runs-on: ubuntu-22.04 | |
environment: build | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- name: Clone repository | |
uses: actions/checkout@v4 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Setup Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Docker Metadata for Google Artifact Registry build | |
id: metagar | |
uses: docker/metadata-action@v5 | |
with: | |
flavor: | |
# don't automatically tag with `latest`; we do this conditionally in the `tags` section | |
latest=false | |
images: | | |
${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${{ vars.GAR_REPOSITORY}}/autograph | |
tags: | | |
type=sha,format=long,enable=${{ github.event_name == 'push' }} | |
type=raw,value=latest,enable=${{ github.event_name == 'push' }} | |
type=semver,pattern={{raw}},enable=${{ github.event_name == 'release' }} | |
- name: Docker Metadata for Docker Hub | |
id: metahub | |
uses: docker/metadata-action@v5 | |
with: | |
flavor: | |
# don't automatically tag with `latest`; we do this conditionally in the `tags` section | |
latest=false | |
images: | | |
${{ vars.DOCKERHUB_REPO }} | |
tags: | | |
type=semver,pattern={{raw}},enable=${{ github.event_name == 'release' }} | |
type=raw,value=latest,enable=${{ github.event_name == 'push' }} | |
- name: Generate version.json | |
shell: bash | |
run: make generate | |
- id: gcp-auth | |
uses: google-github-actions/auth@v2 | |
with: | |
token_format: "access_token" | |
service_account: artifact-writer@${{ vars.GCP_PROJECT_ID}}.iam.gserviceaccount.com | |
workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }} | |
- name: Login to Google Artifact Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ vars.GAR_LOCATION }}-docker.pkg.dev | |
username: oauth2accesstoken | |
password: ${{ steps.gcp-auth.outputs.access_token }} | |
- name: Login to Dockerhub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ vars.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
- name: Build and push to Google Artifact Registry for each commit on main | |
# On pushes to `main`, we build and push a new image, so we can simply | |
# use the `docker/build-push-action` action. | |
if: ${{ github.event_name == 'push' }} | |
uses: docker/build-push-action@v6 | |
with: | |
push: true | |
sbom: true | |
tags: ${{ steps.metagar.outputs.tags }} | |
labels: ${{ steps.metagar.outputs.labels }} | |
context: . | |
platforms: linux/amd64,linux/arm64 | |
# copypasta from https://github.com/imjasonh/setup-crane/blob/main/action.yml | |
- name: Set up crane | |
shell: bash | |
run: | | |
set -ex | |
out=crane | |
os=${{ runner.os }} | |
tag=$(curl -s -u "username:${{ github.token }}" https://api.github.com/repos/google/go-containerregistry/releases/latest | jq -r '.tag_name') | |
arch=$(uname -m) | |
tmp=$(mktemp -d) | |
cd ${tmp} | |
curl -fsL https://github.com/google/go-containerregistry/releases/download/${tag}/go-containerregistry_${os}_${arch}.tar.gz | tar xz ${out} | |
chmod +x ${tmp}/${out} | |
PATH=${PATH}:${tmp} | |
echo "${tmp}" >> $GITHUB_PATH | |
echo "${{ github.token }}" | crane auth login ghcr.io --username "dummy" --password-stdin | |
- name: Copy from Google Artifact Registory to Docker Hub | |
# We want to make sure that Docker Hub's latest tag is always up to | |
# date. For releases, we specifically do _not_ want to rebuild and | |
# instead only tag the existing image and push. There's no officially | |
# maintained action for this use case, but it's trivial enough to do | |
# ourselves. On builds on each commit of main ("push" events), the | |
# expectation is that only `latest` will be pushed to Docker Hub. For | |
# releases, the expectation is only the semver tag will be pushed. | |
env: | |
# Tags come in the form of a fully qualified image name and tag | |
# separated by newlines. | |
TAGS: | | |
${{ steps.metahub.outputs.tags }} | |
# This github.sha won't work if the tag is an annotated tag, but we'll | |
# hit that when we hit that. (We'll want to use github.object.sha but | |
# only in tags, not in pushes) | |
SRC: ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${{ vars.GAR_REPOSITORY}}/autograph:sha-${{ github.sha }} | |
run: | | |
crane digest $SRC | |
crane manifest $SRC | |
for tag in $TAGS; do | |
crane copy $SRC $tag | |
done | |
- name: Copy image from Google Artifact Registory to Google Artifact Registory as semver tag | |
# This is conditional because we only can do this correctly (that is, | |
# with the correct TAGS from the metagar step) and only need to do it at | |
# all on release. | |
if: ${{ github.event_name == 'release' }} | |
env: | |
TAGS: | | |
${{ steps.metagar.outputs.tags }} | |
# This github.sha won't work if the tag is an annotated tag, but we'll | |
# hit that when we hit that. (We'll want to use github.object.sha but | |
# only in tags, not in pushes) | |
SRC: ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${{ vars.GAR_REPOSITORY}}/autograph:sha-${{ github.sha }} | |
run: | | |
crane digest $SRC | |
crane manifest $SRC | |
for tag in $TAGS; do | |
crane copy $SRC $tag | |
done |