ensure decode_password
function properly handles plaintext but vali…
#3007
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish Docker Images | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- "*" | |
env: | |
# Docker auth with read-write (publish) permissions. Set as env in workflow root as auth is required in multiple jobs. | |
DOCKER_USER: ${{ secrets.DOCKER_USER }} | |
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} | |
DEFAULT_PYTHON_VERSION: "3.10.13" | |
jobs: | |
ParseTags: | |
runs-on: ubuntu-latest | |
outputs: | |
prod_tag: ${{ steps.check-prod-tag.outputs.match }} | |
rc_tag: ${{ steps.check-rc-tag.outputs.match }} | |
alpha_tag: ${{ steps.check-alpha-tag.outputs.match }} | |
beta_tag: ${{ steps.check-beta-tag.outputs.match }} | |
steps: | |
- name: Check Prod Tag | |
id: check-prod-tag | |
run: | | |
if [[ ${{ github.event.ref }} =~ ^refs/tags/[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
echo "match=true" >> $GITHUB_OUTPUT | |
else | |
echo "match=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Check RC Tag | |
id: check-rc-tag | |
run: | | |
if [[ ${{ github.event.ref }} =~ ^refs/tags/[0-9]+\.[0-9]+\.[0-9]+rc[0-9]+$ ]]; then | |
echo "match=true" >> $GITHUB_OUTPUT | |
else | |
echo "match=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Check alpha Tag | |
id: check-alpha-tag | |
run: | | |
if [[ ${{ github.event.ref }} =~ ^refs/tags/[0-9]+\.[0-9]+\.[0-9]+a[0-9]+$ ]]; then | |
echo "match=true" >> $GITHUB_OUTPUT | |
else | |
echo "match=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Check beta Tag | |
id: check-beta-tag | |
run: | | |
if [[ ${{ github.event.ref }} =~ ^refs/tags/[0-9]+\.[0-9]+\.[0-9]+b[0-9]+$ ]]; then | |
echo "match=true" >> $GITHUB_OUTPUT | |
else | |
echo "match=false" >> $GITHUB_OUTPUT | |
fi | |
Push: | |
runs-on: ubuntu-latest | |
needs: ParseTags | |
strategy: | |
# This matrix will effectively _try_ to run every permutation in parallel, | |
# skipping all of the tasks that don't match. This leaves a ton of "skipped" jobs | |
# but is the fastest way to get this working without overhauling the tag check logic. | |
matrix: | |
application: ["fides", "sample_app", "privacy_center"] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # This is required to properly tag images | |
- name: Set Up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.DEFAULT_PYTHON_VERSION }} | |
cache: "pip" | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ env.DOCKER_USER }} | |
password: ${{ env.DOCKER_TOKEN }} | |
- name: Install Dev Requirements | |
run: pip install -r dev-requirements.txt | |
# if neither prod, rc, beta or alpha git tag, then push images with the ":dev" tag | |
# these dev images do not need a versioned/git-tagged image | |
- name: Push Fides Dev Tag | |
if: needs.ParseTags.outputs.prod_tag == 'false' && needs.ParseTags.outputs.rc_tag == 'false' && needs.ParseTags.outputs.beta_tag == 'false' && needs.ParseTags.outputs.alpha_tag == 'false' | |
run: nox -s "push(${{ matrix.application }},dev)" | |
# if a prod git tag, then we run the prod job to publish images tagged with the version number and a constant ":latest" tag | |
# prod pushes a versioned image, git-tagged images not needed | |
- name: Push Fides Prod Tags | |
if: needs.ParseTags.outputs.prod_tag == 'true' | |
run: nox -s "push(${{ matrix.application }},prod)" | |
# if an RC git tag, then we run the rc job to publish images with an ":rc" tag | |
# git-tagged images are also pushed | |
- name: Push Fides RC Tags | |
if: needs.ParseTags.outputs.rc_tag == 'true' | |
run: nox -s "push(${{ matrix.application }},rc)" -- git_tag | |
# if an alpha or beta git tag, then we run the prerelease job to publish images with an ":prerelease" tag | |
# git-tagged images are also pushed | |
- name: Push Fides prerelease Tags | |
if: needs.ParseTags.outputs.alpha_tag == 'true' || needs.ParseTags.outputs.beta_tag == 'true' | |
run: nox -s "push(${{ matrix.application }},prerelease)" -- git_tag | |
NotifyRedeploy: | |
runs-on: ubuntu-latest | |
needs: Push | |
steps: | |
# if an RC git tag, also notify Fidesinfra to trigger a redeploy of rc env, to pick up our newly published images | |
- name: Send Repository Dispatch Event (RC redeploy) | |
if: needs.ParseTags.outputs.rc_tag == 'true' | |
uses: peter-evans/repository-dispatch@v2 | |
with: | |
event-type: trigger-fidesinfra-deploy-fides-rc | |
repository: ethyca/fidesinfra | |
token: ${{ secrets.DISPATCH_ACCESS_TOKEN }} |