1.4.0 #42
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CD | |
on: | |
release: | |
types: | |
[published] | |
# trigger only on new release | |
jobs: | |
verify_version: | |
name: Verify version | |
runs-on: ubuntu-latest | |
outputs: | |
# export to be used in other jobs | |
version: ${{ steps.get_version_tag.outputs.version }} | |
steps: | |
- uses: actions/checkout@v4 | |
name: Check out code | |
- uses: actions/setup-python@v5 | |
name: Set up Python 3.12 | |
with: | |
python-version: '3.12' | |
- id: get_version_tag | |
name: Get version tag | |
run: | | |
TAG_VER="${GITHUB_REF##*/}" | |
# set as output: | |
echo "version: ${TAG_VER}" | |
echo "version=${TAG_VER}" >> $GITHUB_OUTPUT | |
- id: verify_semantic_tag_format | |
name: Verify tag format | |
# format must be compatible with semantic versioning | |
run: | | |
SEMVER_REGEX="^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(?:-((?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$" | |
if echo "${{ steps.get_version_tag.outputs.version }}" | grep -Eq "$SEMVER_REGEX"; then | |
echo "Tag format is valid" | |
else | |
echo "Invalid tag format: ${{ steps.get_version_tag.outputs.version }}" | |
exit 1 | |
fi | |
- id: verify_package_version | |
name: Verify package version vs tag version | |
# package version must be same with tag version | |
run: | | |
PKG_VER="$(jq -r .version package.json)" | |
echo "Package version is $PKG_VER" >&2 | |
echo "Tag version is ${{ steps.get_version_tag.outputs.version }}" >&2 | |
if [ "$PKG_VER" != "${{ steps.get_version_tag.outputs.version }}" ]; then | |
echo "Package version and tag name mismatch." >&2 | |
exit 1 | |
fi | |
push_to_docker_hub: | |
name: Push to Docker Hub | |
runs-on: ubuntu-latest | |
needs: verify_version | |
steps: | |
- uses: actions/checkout@v4 | |
name: Check out code | |
- uses: docker/setup-qemu-action@v2 | |
name: Set up QEMU | |
- uses: docker/setup-buildx-action@v2 | |
name: Set up Docker Buildx | |
- uses: docker/login-action@v2 | |
name: Login to DockerHub | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- uses: docker/build-push-action@v4 | |
name: Build and push | |
id: docker_build | |
with: | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
tags: "ghga/${{ github.event.repository.name }}:${{ needs.verify_version.outputs.version }}" | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/ghga/${{ github.event.repository.name }}:${{ needs.verify_version.outputs.version }}" | |
format: "table" | |
exit-code: "0" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
- name: Image digest | |
run: echo ${{ steps.docker_build.outputs.digest }} | |
# Please uncomment and adapt the DEPLOYMENT_CONFIG_REPO to trigger automatic | |
# updates of helm charts: | |
update_deployment_repo: | |
name: Update deployment repo | |
runs-on: ubuntu-latest | |
needs: | |
- verify_version | |
- push_to_docker_hub | |
env: | |
DEPLOYMENT_CONFIG_REPO: ghga-de/helm | |
steps: | |
- name: trigger update in deployment repo | |
run: | | |
# access token needs to be of format: <username>:<personal_access_token> | |
curl -X POST \ | |
"https://api.github.com/repos/${DEPLOYMENT_CONFIG_REPO}/dispatches" \ | |
-H 'Accept: application/vnd.github.everest-preview+json' \ | |
-u '${{ secrets.DEPLOYMENT_UPDATE_TOKEN }}' \ | |
--data '{ | |
"event_type": "new_app_version", | |
"client_payload": { | |
"deploy_filename": "${{ github.event.repository.name }}", | |
"app_name": "${{ github.event.repository.name }}", | |
"context": "${{ needs.verify_version.outputs.version }}", | |
"new_image_tag": "${{ needs.verify_version.outputs.version }}" | |
} | |
}' |