Skip to content

1.1.9

1.1.9 #27

Workflow file for this run

name: CD
on:
release:
types:
[published]
# trigger only on new release
jobs:
verify_version:
name: Verify version
runs-on: ubuntu-latest
outputs:
# export to be used in other jobs
version: ${{ steps.get_version_tag.outputs.version }}
steps:
- uses: actions/checkout@v4
name: Check out code
- uses: actions/setup-python@v5
name: Set up Python 3.12
with:
python-version: '3.12'
- id: get_version_tag
name: Get version tag
run: |
TAG_VER="${GITHUB_REF##*/}"
# set as output:
echo "version: ${TAG_VER}"
echo "version=${TAG_VER}" >> $GITHUB_OUTPUT
- id: verify_semantic_tag_format
name: Verify tag format
# format must be compatible with semantic versioning
run: |
SEMVER_REGEX="^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(?:-((?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
if echo "${{ steps.get_version_tag.outputs.version }}" | grep -Eq "$SEMVER_REGEX"; then
echo "Tag format is valid"
else
echo "Invalid tag format: ${{ steps.get_version_tag.outputs.version }}"
exit 1
fi
- id: verify_package_version
name: Verify package version vs tag version
# package version must be same with tag version
run: |
PKG_VER="$(jq -r .version package.json)"
echo "Package version is $PKG_VER" >&2
echo "Tag version is ${{ steps.get_version_tag.outputs.version }}" >&2
if [ "$PKG_VER" != "${{ steps.get_version_tag.outputs.version }}" ]; then
echo "Package version and tag name mismatch." >&2
exit 1
fi
push_to_docker_hub:
name: Push to Docker Hub
runs-on: ubuntu-latest
needs: verify_version
steps:
- uses: actions/checkout@v4
name: Check out code
- uses: docker/setup-qemu-action@v2
name: Set up QEMU
- uses: docker/setup-buildx-action@v2
name: Set up Docker Buildx
- uses: docker/login-action@v2
name: Login to DockerHub
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- uses: docker/build-push-action@v4
name: Build and push
id: docker_build
with:
push: true
platforms: linux/amd64,linux/arm64
tags: "ghga/${{ github.event.repository.name }}:${{ needs.verify_version.outputs.version }}"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/ghga/${{ github.event.repository.name }}:${{ needs.verify_version.outputs.version }}"
format: "table"
exit-code: "0"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
- name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }}
# Please uncomment and adapt the DEPLOYMENT_CONFIG_REPO to trigger automatic
# updates of helm charts:
update_deployment_repo:
name: Update deployment repo
runs-on: ubuntu-latest
needs:
- verify_version
- push_to_docker_hub
env:
DEPLOYMENT_CONFIG_REPO: ghga-de/helm
steps:
- name: trigger update in deployment repo
run: |
# access token needs to be of format: <username>:<personal_access_token>
curl -X POST \
"https://api.github.com/repos/${DEPLOYMENT_CONFIG_REPO}/dispatches" \
-H 'Accept: application/vnd.github.everest-preview+json' \
-u '${{ secrets.DEPLOYMENT_UPDATE_TOKEN }}' \
--data '{
"event_type": "new_app_version",
"client_payload": {
"deploy_filename": "${{ github.event.repository.name }}",
"app_name": "${{ github.event.repository.name }}",
"context": "${{ needs.verify_version.outputs.version }}",
"new_image_tag": "${{ needs.verify_version.outputs.version }}"
}
}'