Create docker image #495
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Create docker image | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
on: | |
push: | |
env: | |
REGISTRY: europe-north1-docker.pkg.dev/nais-io/nais/images | |
IMAGE_NAME: dataproduct-apps | |
EARTHLY_USE_INLINE_CACHE: true | |
EARTHLY_SAVE_INLINE_CACHE: true | |
EARTHLY_VERBOSE: true | |
EARTHLY_FULL_TARGET: true | |
EARTHLY_OUTPUT: true | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: "read" | |
id-token: "write" | |
packages: "write" | |
steps: | |
- name: Install earthly | |
uses: earthly/actions-setup@43211c7a0eae5344d6d79fb4aaf209c8f8866203 # ratchet:earthly/actions-setup@v1 | |
with: | |
version: "latest" # or pin to an specific version, e.g. "v0.6.10" | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 | |
- id: "auth" | |
name: "Authenticate to Google Cloud" | |
if: github.ref == 'refs/heads/main' | |
uses: "google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f" # ratchet:google-github-actions/[email protected] | |
with: | |
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }} | |
service_account: "[email protected]" | |
token_format: "access_token" | |
- name: Login to Google Artifact Registry | |
if: github.ref == 'refs/heads/main' | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # ratchet:docker/login-action@v2 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: "oauth2accesstoken" | |
password: "${{ steps.auth.outputs.access_token }}" | |
- name: Login to GitHub Packages Docker Registry for cache images | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # Use commit-sha1 instead of tag for security concerns | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: "Set image version" | |
id: set-image-tag | |
run: | | |
export IMAGE_TAG="$(date +%Y%m%d%H%M%S)-$(git describe --always --dirty --exclude '*')" | |
echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV | |
export IMAGE="${REGISTRY}/${IMAGE_NAME}" | |
echo "IMAGE=${IMAGE}" >> $GITHUB_ENV | |
echo "image=${IMAGE}:${IMAGE_TAG}" >> ${GITHUB_OUTPUT} | |
- name: Build and possibly push | |
env: | |
EARTHLY_PUSH: "${{ github.ref == 'refs/heads/main' }}" | |
run: | | |
earthly --verbose +docker --IMAGE_TAG="${IMAGE_TAG}" --IMAGE="${IMAGE}" | |
- name: Install cosign | |
if: github.ref == 'refs/heads/main' | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # ratchet:sigstore/cosign-installer@main | |
with: | |
cosign-release: "v2.2.1" | |
- name: Retrieve image digest | |
id: imgdigest | |
if: github.ref == 'refs/heads/main' | |
run: | | |
docker pull ${{ steps.set-image-tag.outputs.image }} | |
echo "digest=$(docker inspect ${{ steps.set-image-tag.outputs.image }} | jq -r '.[].RepoDigests[0]')" >> $GITHUB_OUTPUT | |
- name: Sign the container image | |
if: github.ref == 'refs/heads/main' | |
run: cosign sign --yes ${{ steps.imgdigest.outputs.digest }} | |
- name: "Setup Python, Poetry and Dependencies" | |
if: github.ref == 'refs/heads/main' | |
uses: packetcoders/action-setup-cache-python-poetry@main | |
with: | |
python-version: 3.9 | |
poetry-version: 1.5.1 | |
install-args: --only=sbom-tools | |
- name: Create SBOM | |
if: github.ref == 'refs/heads/main' | |
run: | | |
poetry run cyclonedx-py poetry -o sbom.json | |
- name: Attest image | |
if: github.ref == 'refs/heads/main' | |
run: cosign attest --yes --predicate sbom.json --type cyclonedx ${{ steps.imgdigest.outputs.digest }} | |
outputs: | |
image: "${{ steps.set-image-tag.outputs.image }}" | |
deploy-topics: | |
name: Deploy Topic collector | |
runs-on: ubuntu-latest | |
needs: build | |
if: github.ref == 'refs/heads/main' | |
strategy: | |
matrix: | |
cluster: | |
- dev-gcp | |
- prod-gcp | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 | |
- uses: nais/deploy/actions/deploy@v2 | |
name: Deploy topic collector | |
env: | |
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} | |
CLUSTER: ${{ matrix.cluster }} | |
RESOURCE: nais/dataproduct-apps-topics.yaml | |
VAR: image=${{ needs.build.outputs.image }},clusterName=prod-gcp | |
deploy-collector-gcp: | |
name: Deploy Collector | |
runs-on: ubuntu-latest | |
needs: build | |
if: github.ref == 'refs/heads/main' | |
strategy: | |
matrix: | |
cluster: | |
- dev-gcp | |
- prod-gcp | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 | |
- uses: nais/deploy/actions/deploy@v2 | |
name: Deploy to ${{ matrix.cluster }} | |
env: | |
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} | |
CLUSTER: ${{ matrix.cluster }} | |
RESOURCE: nais/dataproduct-apps-collect-gcp.yaml,nais/prometheusrule-collect.yaml | |
VAR: image=${{ needs.build.outputs.image }},clusterName=${{ matrix.cluster }} | |
deploy-collector-onprem: | |
name: Deploy Collector | |
runs-on: ubuntu-latest | |
needs: build | |
if: github.ref == 'refs/heads/main' | |
strategy: | |
matrix: | |
cluster: | |
- dev-fss | |
- prod-fss | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 | |
- uses: nais/deploy/actions/deploy@v2 | |
name: Deploy to ${{ matrix.cluster }} | |
env: | |
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} | |
CLUSTER: ${{ matrix.cluster }} | |
RESOURCE: nais/dataproduct-apps-collect-onprem.yaml,nais/prometheusrule-collect.yaml | |
VAR: image=${{ needs.build.outputs.image }},clusterName=${{ matrix.cluster }} | |
deploy-other: | |
name: Deploy Persistor and Topic | |
runs-on: ubuntu-latest | |
needs: build | |
if: github.ref == 'refs/heads/main' | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 | |
- uses: nais/deploy/actions/deploy@v2 | |
name: Deploy topic and persist application to prod-gcp | |
env: | |
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} | |
CLUSTER: prod-gcp | |
RESOURCE: nais/topic.yaml,nais/dataproduct-apps-persist.yaml,nais/prometheusrule-persist.yaml | |
VAR: image=${{ needs.build.outputs.image }},clusterName=prod-gcp |