diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml index b5bb725098d..b992edfbf7d 100644 --- a/.github/actions/build-sign-publish-chainlink/action.yml +++ b/.github/actions/build-sign-publish-chainlink/action.yml @@ -68,6 +68,13 @@ inputs: description: When set to the string boolean value of "true", the resulting build image signature will be verified default: "false" required: false +outputs: + docker-image-tag: + description: The docker image tag that was built and pushed + value: ${{ steps.save-non-root-image-name-env.outputs.image-tag }} + docker-image-digest: + description: The docker image digest that was built and pushed + value: ${{ steps.save-non-root-image-name-env.outputs.image-digest }} runs: using: composite @@ -208,10 +215,13 @@ runs: IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['image.name'] }} IMAGE_DIGEST=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['containerimage.digest'] }} IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1) + IMAGE_TAG=$(echo "$IMAGES_NAME_RAW" | cut -d":" -f2) echo "nonroot_image_name=${IMAGE_NAME}" >> $GITHUB_ENV echo '### Docker Image' >> $GITHUB_STEP_SUMMARY echo "Image Name: ${IMAGE_NAME}" >> $GITHUB_STEP_SUMMARY echo "Image Digest: ${IMAGE_DIGEST}" >> $GITHUB_STEP_SUMMARY + echo "image-tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT + echo "image-digest=${IMAGE_DIGEST}" >> $GITHUB_OUTPUT - name: Check if non-root image runs as root id: check-nonroot-runs-root diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml index ef0f641db1b..d692285f689 100644 --- a/.github/workflows/build-publish.yml +++ b/.github/workflows/build-publish.yml @@ -8,6 +8,10 @@ on: branches: - "release/**" +env: + ECR_HOSTNAME: public.ecr.aws + ECR_IMAGE_NAME: chainlink/chainlink + jobs: checks: name: "Checks" @@ -30,17 +34,23 @@ jobs: permissions: id-token: write contents: read + outputs: + docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }} + docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }} steps: - name: Checkout repository uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - name: Build, sign and publish chainlink image + id: build-sign-publish uses: ./.github/actions/build-sign-publish-chainlink with: publish: true aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} aws-region: ${{ secrets.AWS_REGION }} + ecr-hostname: ${{ env.ECR_HOSTNAME }} + ecr-image-name: ${{ env.ECR_IMAGE_NAME }} sign-images: true sign-method: "keypair" cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} @@ -60,3 +70,44 @@ jobs: hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }} this-job-name: build-sign-publish-chainlink continue-on-error: true + + # Notify Slack channel for new git tags. + slack-notify: + if: github.ref_type == 'tag' + needs: [build-sign-publish-chainlink] + runs-on: ubuntu-24.04 + environment: build-publish + steps: + - name: Checkout repository + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - name: Notify Slack + uses: smartcontractkit/.github/actions/slack-notify-git-ref@7fa90bbeff35aa6ce3a9054f542bcf10b7d47cec # slack-notify-git-ref@0.1.0 + with: + slack-channel-id: ${{ secrets.SLACK_CHANNEL_RELEASE_NOTIFICATIONS }} + slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN_RELENG }} # Releng Bot + git-ref: ${{ github.ref_name }} + git-ref-type: ${{ github.ref_type }} + changelog-url: >- + ${{ + github.ref_type == 'tag' && + format( + 'https://github.com/{0}/blob/{1}/CHANGELOG.md', + github.repository, + github.ref_name, + ) || '' + }} + docker-image-name: >- + ${{ + github.ref_type == 'tag' && + format( + '{0}/{1}:{2}', + env.ECR_HOSTNAME, + env.ECR_IMAGE_NAME, + needs.build-sign-publish-chainlink.outputs.docker-image-tag + ) || '' + }} + docker-image-digest: >- + ${{ + github.ref_type == 'tag' && + needs.build-sign-publish-chainlink.outputs.docker-image-digest || '' + }}