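# Experimental go release workflow with ghcr.io packages
#
# How build and push multiple docker image with same repo and same version, but different name? #561
# https://github.com/docker/build-push-action/issues/561
# Matrix build with multiple vars per matrix: https://stackoverflow.com/a/76547617/4292075
#
# GH Packages About inheritance of access permissions
# https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#about-inheritance-of-access-permissions
#
# Review notes (defensive hardening, no functional change unless stated):
# - Every third-party action below is referenced by a mutable major-version tag (@v3..@v6).
#   For supply-chain hardening consider pinning each `uses:` to a full commit SHA and letting
#   a dependency bot bump the pins.
# - Secrets and step outputs reach `run:` scripts through `env:` and shell variables instead of
#   inlined `${{ ... }}` expressions, so their content is never expanded into the script text.
# - `build-args` for docker/build-push-action must be NAME=value lines; the previous `NAME: value`
#   form was not a valid build-arg assignment.
name: go-release
on:  # yamllint disable-line rule:truthy
  # NOTE(review): the job-level `if` below only matches refs/heads/<default branch>, so runs
  # triggered by pull_request (ref refs/pull/N/merge) are skipped entirely; keep the trigger only
  # if that is intended (e.g. as a placeholder for a future non-publishing build job).
  pull_request:
    paths: [ 'go/**', '.github/workflows/go-release.yml' ]
  push:
    # If at least one path matches a pattern in the paths filter, the workflow runs
    paths: [ 'go/**', '.github/workflows/go-release.yml' ]
    branches: [ main ]
env:
  REGISTRY: ghcr.io # default is docker.io
  IMAGE_NAME: ${{ github.repository }}-tools # e.g. user/fancy-project[-suffix]
jobs:
  publish-ghcr:
    name: go release to ghcr.io
    # publish to registry only on merge into main branch. we can also use 'if' on steps
    if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
    # if: ${{ ! startsWith(github.ref, 'refs/tags/') }} # ! is reserved notation in YAML format, so we need {{}}
    runs-on: ubuntu-latest
    # Listing any permission here resets every unlisted scope to 'none', so the read scope that
    # actions/checkout relies on is declared explicitly rather than inherited.
    permissions:
      contents: read # required for actions/checkout
      packages: write # required to write to container registry
      # contents: write # for releases (e.g. go-releaser) - would replace 'contents: read' above
    strategy:
      matrix:
        include:
          - goos: linux
            goarch: arm64
          #- goos: linux
          #  arch: amd64
    steps:
      # checkout is essential if you use a different context than "."
      - name: Checkout
        uses: actions/checkout@v4
      # todo use different approach, get rid of ssm dependency (only works on main branch)
      # NOTE(review): these are long-lived static access keys stored as repository secrets.
      # configure-aws-credentials also supports `role-to-assume` with GitHub's OIDC provider,
      # which issues short-lived credentials per run and removes the need to store keys at all.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-central-1
      # todo use different approach, get rid of ssm dependency (only works on main branch)
      # Exports LATEST_REPO_TAG, RELEASE_NAME and RELEASE_VERSION for the following steps via $GITHUB_ENV.
      - name: Pull Environment Config from AWS SSM ParamStore
        run: |
          echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> "$GITHUB_ENV"
          echo "RELEASE_NAME=$(aws ssm get-parameter --name /angkor/prod/RELEASE_NAME --with-decryption --query 'Parameter.Value' --output text)" >> "$GITHUB_ENV"
          echo "RELEASE_VERSION=$(aws ssm get-parameter --name /angkor/prod/RELEASE_VERSION --with-decryption --query 'Parameter.Value' --output text)" >> "$GITHUB_ENV"
      # NOTE(review): the step name mentions Sonar Scanner, but only `make build` runs here.
      - name: Build with Go and run Sonar Scanner
        working-directory: ./go
        run: |
          make build
        env:
          GOOS: ${{ matrix.goos }}
          # todo refactor Makefile to use GOARCH
          ARCH: ${{ matrix.goarch }}
          # quoted: environment values are always strings, a bare `true` only looks like a boolean here
          CI: "true"
          RELEASE_NAME: ${{ env.RELEASE_NAME }}
          RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
      # required for tags and labels as input for docker-build-push
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      # or you get Error: buildx failed with: ERROR: unauthorized: unauthenticated: User cannot be authenticated with the token provided.
      - name: Login to GitHub container registry (ghcr.io)
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Multi-platform image with GitHub Actions
      # https://docs.docker.com/build/ci/github-actions/multi-platform/
      # QEMU is a generic and open source machine & userspace emulator and virtualizer.
      # It emulates a complete machine in software without any need for hardware virtualization support.
      # It's required at least if you RUN things in your docker build and the target platform
      # is *NOT* the platform of the runner (or you get messages like "exec /bin/sh: exec format error")
      - name: Set up QEMU static binaries
        uses: docker/setup-qemu-action@v3
        with:
          # since we run platform specific builds in parallel, we only need the current platform
          platforms: ${{ matrix.goos }}/${{ matrix.goarch }}
      # explicit setup-buildx action required? No, at least standard worker comes with cli plugin
      # - name: Set up Docker Buildx
      #   uses: docker/setup-buildx-action@v3
      # https://github.com/docker/build-push-action?tab=readme-ov-file#usage
      - name: Build docker image and push to ghcr.io
        id: build # so we can reference this step as ${{ steps.build.outputs.digest }} in export step
        uses: docker/build-push-action@v6
        with:
          #${{ matrix.platform }}
          platforms: ${{ matrix.goos }}/${{ matrix.goarch }}
          context: ./go
          # for non-multistage use true and merge manifest in 2nd job, otherwise false
          push: true
          # for multistage DO NOT specify 'tags' here (error "get can't push tagged ref by digest")
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          # why provenance: false? See "GitHub Action produces unknown architecture and OS": https://github.com/docker/build-push-action/issues/820
          provenance: false
          # each line is passed as `--build-arg NAME=value`; a `NAME: value` line is not a valid assignment
          build-args: |
            RELEASE_NAME=${{ env.RELEASE_NAME }}
            RELEASE_VERSION=${{ env.RELEASE_VERSION }}
      # Secrets and the image version enter the container via environment variables
      # (`docker run -e NAME` forwards NAME from the runner environment), so nothing
      # secret or output-derived is ever interpolated into the shell command line.
      # NOTE(review): the rubin image is pulled by the floating `latest` tag and receives the
      # Kafka credentials; pinning it to a version tag or digest makes that trust boundary explicit.
      - name: Send Kafka Publish Event about ghcr.io release
        id: send-kafka-pub-event # becomes $GITHUB_ACTION
        env:
          KAFKA_PRODUCER_TOPIC_URL: ${{ secrets.KAFKA_PRODUCER_TOPIC_URL }}
          KAFKA_PRODUCER_API_SECRET: ${{ secrets.KAFKA_PRODUCER_API_SECRET }}
          IMAGE_VERSION: ${{ steps.meta.outputs.version }}
        run: |
          docker run -e KAFKA_PRODUCER_TOPIC_URL -e KAFKA_PRODUCER_API_SECRET ghcr.io/tillkuhn/rubin:latest \
            -ce -key "$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" -header "producer=rubin/cli latest" \
            -source "urn:ci:$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" \
            -type "net.timafe.event.ci.published.v1" -subject "$REGISTRY/$IMAGE_NAME:$IMAGE_VERSION" \
            -record "{\"action\":\"$GITHUB_ACTION\",\"actor\":\"$GITHUB_ACTOR\",\"commit\":\"$GITHUB_SHA\",\"run_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\",\"version\":\"${GITHUB_REF#refs/*/}\"}"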