# Builds and publishes the Trigger.dev container images, scans the webapp
# image, and announces the new `main` webapp image to subscriber repos.
name: 🚀 Publish Trigger.dev Docker
on:
  # Manual runs define no inputs, so `inputs.image_tag` in the jobs below is
  # empty for them; the called workflows presumably derive a tag themselves —
  # confirm there before relying on a manual run.
  workflow_dispatch:
  # Release builds invoke this file as a reusable workflow with an explicit
  # tag. Every secret is optional so a caller (or a fork) that lacks one can
  # still run the jobs that do not need it.
  workflow_call:
    inputs:
      image_tag:
        description: The image tag to publish
        required: true
        type: string
    secrets:
      DOCKERHUB_USERNAME:
        required: false
      DOCKERHUB_TOKEN:
        required: false
      SENTRY_AUTH_TOKEN:
        required: false
      CROSS_REPO_PAT:
        required: false
  # No pull_request trigger: the jobs below receive repository secrets, so
  # only code already on main (or under a matching tag) ever runs here.
  push:
    branches:
      - main
    # Anyone who can push a tag matching these globs triggers a publish, so
    # cover them with a tag ruleset / protection rule. GitHub does not apply
    # the `paths` filter to tag pushes — a matching tag always publishes,
    # whatever changed.
    tags:
      - "v.docker.*"
      - "build-*"
    # Branch pushes only run when something that affects the images changed.
    # Order matters: a `!` pattern only narrows the positive patterns above it.
    paths:
      - ".github/actions/**/*.yml"
      - ".github/workflows/publish.yml"
      - ".github/workflows/typecheck.yml"
      - ".github/workflows/unit-tests.yml"
      - ".github/workflows/e2e.yml"
      - ".github/workflows/publish-webapp.yml"
      - ".github/workflows/publish-worker.yml"
      - "packages/**"
      - "!packages/**/*.md"
      - "!packages/**/*.eslintrc"
      - "internal-packages/**"
      - "apps/**"
      - "!apps/**/*.md"
      - "!apps/**/*.eslintrc"
      - "pnpm-lock.yaml"
      - "pnpm-workspace.yaml"
      - "turbo.json"
      - "docker/Dockerfile"
      - "docker/scripts/**"
      - "tests/**"
# Default GITHUB_TOKEN grant for every job: read-only. Jobs that push images
# or write attestations widen this explicitly on the job itself (a job-level
# `permissions` block replaces this default rather than extending it).
permissions:
  contents: read
# One publish run per ref at a time. `cancel-in-progress` is left at its
# default (false) on purpose: a newer push queues behind an in-flight publish
# instead of cancelling it.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
env:
  # Only visible to steps that run in this file — and none of them currently
  # read it. GitHub does not propagate a caller's workflow-level `env` into
  # workflows invoked with `uses:`, so the called workflows must define their
  # own AWS_REGION if they need one.
  AWS_REGION: us-east-1
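jobs:
  typecheck:
    uses: ./.github/workflows/typecheck.yml
  # NOTE(review): no publish job lists `units` in its `needs`, so a failing
  # unit-test run does not block image publication. If tests are meant to
  # gate releases, add `units` to the publish jobs' `needs`.
  units:
    uses: ./.github/workflows/unit-tests.yml
    # These registry credentials only ever reach code already on main or
    # under a release tag (this workflow has no pull_request trigger).
    secrets:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
  publish-webapp:
    # Gated on typecheck only; see the note on `units`.
    needs: [typecheck]
    # `contents: read` is restated because a job-level block replaces the
    # workflow default. `packages: write` pushes to GHCR; `id-token` and
    # `attestations` are presumably for OIDC-signed build provenance —
    # confirm in publish-webapp.yml.
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    uses: ./.github/workflows/publish-webapp.yml
    secrets:
      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
    with:
      # Empty on `push` and `workflow_dispatch`; only `workflow_call` sets it.
      image_tag: ${{ inputs.image_tag }}
      # Target registry namespace. Defaults to ghcr.io/<owner> so a fork publishes
      # to its own namespace; set the IMAGE_REGISTRY repository variable to override.
      image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
  publish-worker:
    needs: [typecheck]
    permissions:
      contents: read
      packages: write
    uses: ./.github/workflows/publish-worker.yml
    secrets:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
    with:
      image_tag: ${{ inputs.image_tag }}
      image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
  publish-worker-v4:
    needs: [typecheck]
    # No registry secrets are forwarded here; with `id-token: write` the
    # called workflow presumably authenticates via OIDC — confirm there.
    permissions:
      contents: read
      packages: write
      id-token: write
    uses: ./.github/workflows/publish-worker-v4.yml
    with:
      image_tag: ${{ inputs.image_tag }}
      image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
  # OS-level CVE scan of the image just published above. Report-only (writes to
  # the run summary); runs alongside the worker publishes and never blocks them.
  # NOTE(review): dispatch-main-image does not wait for this job either, so
  # subscribers can be handed an image before its scan results exist. Add
  # `scan-webapp` to that job's `needs` if findings should gate the announcement.
  scan-webapp:
    needs: [publish-webapp]
    permissions:
      contents: read
      packages: read # pull the just-published image from GHCR
    uses: ./.github/workflows/trivy-image-webapp.yml
    with:
      image-ref: ${{ needs.publish-webapp.outputs.image_repo }}:${{ needs.publish-webapp.outputs.version }}
  # Announce the freshly published mutable `main` webapp image to subscriber
  # repos via repository_dispatch, handing them a digest-pinned ref to build or
  # deploy from. The repo, ref prefix, and dispatch target all default to the
  # canonical values and can be overridden by repository variables.
  #
  # Direct `push` only: release builds reach publish.yml via workflow_call
  # (from release.yml) with an explicit image_tag while github.ref_name is
  # still `main`. A called workflow inherits the *caller's* github.event_name,
  # so the event check alone only holds while release.yml is not itself
  # push-triggered; `inputs.image_tag == ''` (empty on a direct push, required
  # on workflow_call) identifies a release build regardless of the caller's
  # trigger. Both checks are applied so we never dispatch — or fail on the
  # absent CROSS_REPO_PAT — during a release. The repository check keeps forks
  # from dispatching into the canonical subscriber repo.
  dispatch-main-image:
    name: 📣 Dispatch main image
    needs: [publish-webapp]
    if: github.repository == (vars.MAIN_IMAGE_DISPATCH_REPO || 'triggerdotdev/trigger.dev') && github.event_name == 'push' && inputs.image_tag == '' && startsWith(github.ref_name, vars.MAIN_IMAGE_DISPATCH_REF_PREFIX || 'main')
    runs-on: ubuntu-latest
    # No GITHUB_TOKEN permissions at all: the only credential this job uses is
    # the PAT in the dispatch step.
    permissions: {}
    steps:
      - name: Build dispatch payload
        id: payload
        env:
          IMAGE_REPO: ${{ needs.publish-webapp.outputs.image_repo }}
          DIGEST: ${{ needs.publish-webapp.outputs.digest }}
          COMMIT: ${{ github.sha }}
        run: |
          set -euo pipefail
          # Subscribers pin on this ref, so refuse to announce anything that is
          # not a well-formed repo@digest: an empty or malformed value would
          # hand them a ref that resolves to nothing. buildx emits sha256
          # index digests; widen the pattern if another algorithm ever appears.
          if [[ -z "${IMAGE_REPO}" ]]; then
            echo "::error::publish-webapp produced no image repo; refusing to dispatch"
            exit 1
          fi
          if [[ ! "${DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]]; then
            echo "::error::publish-webapp produced no usable image digest ('${DIGEST}'); refusing to dispatch"
            exit 1
          fi
          # Pin to the exact multi-arch index just pushed so subscribers resolve a
          # single immutable artifact rather than chasing the moving `main` tag.
          image="${IMAGE_REPO}@${DIGEST}"
          # jq --arg JSON-escapes every value, so the ref/commit can't break out of
          # or inject into the client payload.
          payload=$(jq -nc \
            --arg img "$image" \
            --arg c "$COMMIT" \
            '{image: $img, commit: $c}')
          echo "client_payload=$payload" >> "$GITHUB_OUTPUT"
      - name: Send repository_dispatch
        # GITHUB_TOKEN is scoped to this repository and cannot dispatch to
        # another one, hence the PAT. Keep it fine-grained, limited to the
        # single target repo with only the permission the dispatch API needs
        # (contents: write), and rotate it; a GitHub App installation token
        # would avoid the long-lived credential altogether.
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
        with:
          token: ${{ secrets.CROSS_REPO_PAT }}
          repository: ${{ vars.MAIN_IMAGE_DISPATCH_TARGET || 'triggerdotdev/cloud' }}
          event-type: main-image-published
          client-payload: ${{ steps.payload.outputs.client_payload }}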