Skip to content

Create docker image #495

Create docker image

Create docker image #495

Workflow file for this run

name: Create docker image
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
push:
env:
REGISTRY: europe-north1-docker.pkg.dev/nais-io/nais/images
IMAGE_NAME: dataproduct-apps
EARTHLY_USE_INLINE_CACHE: true
EARTHLY_SAVE_INLINE_CACHE: true
EARTHLY_VERBOSE: true
EARTHLY_FULL_TARGET: true
EARTHLY_OUTPUT: true
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: "read"
id-token: "write"
packages: "write"
steps:
- name: Install earthly
uses: earthly/actions-setup@43211c7a0eae5344d6d79fb4aaf209c8f8866203 # ratchet:earthly/actions-setup@v1
with:
version: "latest" # or pin to an specific version, e.g. "v0.6.10"
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
- id: "auth"
name: "Authenticate to Google Cloud"
if: github.ref == 'refs/heads/main'
uses: "google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f" # ratchet:google-github-actions/[email protected]
with:
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
service_account: "[email protected]"
token_format: "access_token"
- name: Login to Google Artifact Registry
if: github.ref == 'refs/heads/main'
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # ratchet:docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: "oauth2accesstoken"
password: "${{ steps.auth.outputs.access_token }}"
- name: Login to GitHub Packages Docker Registry for cache images
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # Use commit-sha1 instead of tag for security concerns
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: "Set image version"
id: set-image-tag
run: |
export IMAGE_TAG="$(date +%Y%m%d%H%M%S)-$(git describe --always --dirty --exclude '*')"
echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV
export IMAGE="${REGISTRY}/${IMAGE_NAME}"
echo "IMAGE=${IMAGE}" >> $GITHUB_ENV
echo "image=${IMAGE}:${IMAGE_TAG}" >> ${GITHUB_OUTPUT}
- name: Build and possibly push
env:
EARTHLY_PUSH: "${{ github.ref == 'refs/heads/main' }}"
run: |
earthly --verbose +docker --IMAGE_TAG="${IMAGE_TAG}" --IMAGE="${IMAGE}"
- name: Install cosign
if: github.ref == 'refs/heads/main'
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # ratchet:sigstore/cosign-installer@main
with:
cosign-release: "v2.2.1"
- name: Retrieve image digest
id: imgdigest
if: github.ref == 'refs/heads/main'
run: |
docker pull ${{ steps.set-image-tag.outputs.image }}
echo "digest=$(docker inspect ${{ steps.set-image-tag.outputs.image }} | jq -r '.[].RepoDigests[0]')" >> $GITHUB_OUTPUT
- name: Sign the container image
if: github.ref == 'refs/heads/main'
run: cosign sign --yes ${{ steps.imgdigest.outputs.digest }}
- name: "Setup Python, Poetry and Dependencies"
if: github.ref == 'refs/heads/main'
uses: packetcoders/action-setup-cache-python-poetry@main
with:
python-version: 3.9
poetry-version: 1.5.1
install-args: --only=sbom-tools
- name: Create SBOM
if: github.ref == 'refs/heads/main'
run: |
poetry run cyclonedx-py poetry -o sbom.json
- name: Attest image
if: github.ref == 'refs/heads/main'
run: cosign attest --yes --predicate sbom.json --type cyclonedx ${{ steps.imgdigest.outputs.digest }}
outputs:
image: "${{ steps.set-image-tag.outputs.image }}"
deploy-topics:
name: Deploy Topic collector
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main'
strategy:
matrix:
cluster:
- dev-gcp
- prod-gcp
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
- uses: nais/deploy/actions/deploy@v2
name: Deploy topic collector
env:
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
CLUSTER: ${{ matrix.cluster }}
RESOURCE: nais/dataproduct-apps-topics.yaml
VAR: image=${{ needs.build.outputs.image }},clusterName=prod-gcp
deploy-collector-gcp:
name: Deploy Collector
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main'
strategy:
matrix:
cluster:
- dev-gcp
- prod-gcp
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
- uses: nais/deploy/actions/deploy@v2
name: Deploy to ${{ matrix.cluster }}
env:
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
CLUSTER: ${{ matrix.cluster }}
RESOURCE: nais/dataproduct-apps-collect-gcp.yaml,nais/prometheusrule-collect.yaml
VAR: image=${{ needs.build.outputs.image }},clusterName=${{ matrix.cluster }}
deploy-collector-onprem:
name: Deploy Collector
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main'
strategy:
matrix:
cluster:
- dev-fss
- prod-fss
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
- uses: nais/deploy/actions/deploy@v2
name: Deploy to ${{ matrix.cluster }}
env:
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
CLUSTER: ${{ matrix.cluster }}
RESOURCE: nais/dataproduct-apps-collect-onprem.yaml,nais/prometheusrule-collect.yaml
VAR: image=${{ needs.build.outputs.image }},clusterName=${{ matrix.cluster }}
deploy-other:
name: Deploy Persistor and Topic
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
- uses: nais/deploy/actions/deploy@v2
name: Deploy topic and persist application to prod-gcp
env:
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
CLUSTER: prod-gcp
RESOURCE: nais/topic.yaml,nais/dataproduct-apps-persist.yaml,nais/prometheusrule-persist.yaml
VAR: image=${{ needs.build.outputs.image }},clusterName=prod-gcp