Skip to content

Merge pull request #80 from nais/dependabot/github_actions/google-git… #242

Merge pull request #80 from nais/dependabot/github_actions/google-git…

Merge pull request #80 from nais/dependabot/github_actions/google-git… #242

Workflow file for this run

name: Create docker image
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
push:
env:
REGISTRY: europe-north1-docker.pkg.dev/nais-io/nais/images
IMAGE_NAME: dataproduct-apps
EARTHLY_USE_INLINE_CACHE: true
EARTHLY_SAVE_INLINE_CACHE: true
EARTHLY_VERBOSE: true
EARTHLY_FULL_TARGET: true
EARTHLY_OUTPUT: true
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: "read"
id-token: "write"
packages: "write"
steps:
- name: Install earthly
uses: earthly/actions-setup@be3fe0c1f84e9776b5a184d21bf7a4a779ea2e6b # ratchet:earthly/actions-setup@v1
with:
version: "latest" # or pin to an specific version, e.g. "v0.6.10"
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/checkout@v4
- id: "auth"
name: "Authenticate to Google Cloud"
if: github.ref == 'refs/heads/main'
uses: "google-github-actions/auth@67e9c72af6e0492df856527b474995862b7b6591" # ratchet:google-github-actions/[email protected]
with:
workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
service_account: "[email protected]"
token_format: "access_token"
- name: Login to Google Artifact Registry
if: github.ref == 'refs/heads/main'
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # ratchet:docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: "oauth2accesstoken"
password: "${{ steps.auth.outputs.access_token }}"
- name: Login to GitHub Packages Docker Registry for cache images
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # Use commit-sha1 instead of tag for security concerns
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: "Set image version"
id: set-image-tag
run: |
export IMAGE_TAG="$(date +%Y%m%d%H%M%S)-$(git describe --always --dirty --exclude '*')"
echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV
export IMAGE="${REGISTRY}/${IMAGE_NAME}"
echo "IMAGE=${IMAGE}" >> $GITHUB_ENV
echo "image=${IMAGE}:${IMAGE_TAG}" >> ${GITHUB_OUTPUT}
- name: Build and possibly push
env:
EARTHLY_PUSH: "${{ github.ref == 'refs/heads/main' }}"
run: |
earthly --verbose +docker --IMAGE_TAG="${IMAGE_TAG}" --IMAGE="${IMAGE}"
- name: Install cosign
if: github.ref == 'refs/heads/main'
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # ratchet:sigstore/cosign-installer@main
with:
cosign-release: 'v2.2.1'
- name: Retrieve image digest
id: imgdigest
if: github.ref == 'refs/heads/main'
run: |
docker pull ${{ steps.set-image-tag.outputs.image }}
echo "digest=$(docker inspect ${{ steps.set-image-tag.outputs.image }} | jq -r '.[].RepoDigests[0]')" >> $GITHUB_OUTPUT
- name: Sign the container image
if: github.ref == 'refs/heads/main'
run: cosign sign --yes ${{ steps.imgdigest.outputs.digest }}
- name: Create SBOM
if: github.ref == 'refs/heads/main'
run: |
sudo apt-get update && sudo apt-get install -y python3-pip
pip3 install cyclonedx-bom
cyclonedx-py -p --format json -o sbom.json
- name: Attest image
if: github.ref == 'refs/heads/main'
run: cosign attest --yes --predicate sbom.json --type cyclonedx ${{ steps.imgdigest.outputs.digest }}
outputs:
image: "${{ steps.set-image-tag.outputs.image }}"
deploy-topics:
name: Deploy Topic collector
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main'
strategy:
matrix:
cluster:
- dev-gcp
- prod-gcp
steps:
- uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
- uses: nais/deploy/actions/deploy@v1
name: Deploy topic collector
env:
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
CLUSTER: ${{ matrix.cluster }}
RESOURCE: nais/dataproduct-apps-topics.yaml,nais/network-policy-apiserver-topics.yaml
VAR: image=${{ needs.build.outputs.image }},clusterName=prod-gcp
deploy-collector-gcp:
name: Deploy Collector
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main'
strategy:
matrix:
cluster:
- dev-gcp
- prod-gcp
steps:
- uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
- uses: nais/deploy/actions/deploy@v1
name: Deploy to ${{ matrix.cluster }}
env:
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
CLUSTER: ${{ matrix.cluster }}
RESOURCE: nais/dataproduct-apps-collect-gcp.yaml,nais/network-policy-apiserver-collect.yaml,nais/prometheusrule-collect.yaml
VAR: image=${{ needs.build.outputs.image }},clusterName=${{ matrix.cluster }}
deploy-collector-onprem:
name: Deploy Collector
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main'
strategy:
matrix:
cluster:
- dev-fss
- prod-fss
steps:
- uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
- uses: nais/deploy/actions/deploy@v1
name: Deploy to ${{ matrix.cluster }}
env:
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
CLUSTER: ${{ matrix.cluster }}
RESOURCE: nais/dataproduct-apps-collect-onprem.yaml,nais/network-policy-apiserver-collect.yaml,nais/prometheusrule-collect.yaml
VAR: image=${{ needs.build.outputs.image }},clusterName=${{ matrix.cluster }}
deploy-other:
name: Deploy Persistor and Topic
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main'
steps:
- uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
- uses: nais/deploy/actions/deploy@v1
name: Deploy topic and persist application to prod-gcp
env:
APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
CLUSTER: prod-gcp
RESOURCE: nais/topic.yaml,nais/dataproduct-apps-persist.yaml,nais/prometheusrule-persist.yaml
VAR: image=${{ needs.build.outputs.image }},clusterName=prod-gcp