Add token permissions to build + publish workflow (#1498) #325
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Publish Docker image | |
on: | |
pull_request: | |
branches: | |
- main | |
push: | |
branches: | |
- main | |
tags: | |
- v[0-9]+.[0-9]+.[0-9]+ | |
jobs: | |
build-and-publish: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
env: | |
DOCKERHUB_IMAGE_NAME: mozilla/telescope | |
TEST_CONTAINER_NAME: container-healthcheck | |
GAR_LOCATION: us | |
GCP_PROJECT_ID: telescope-prod | |
GAR_REPOSITORY: moz-fx-telescope-prod | |
IMAGE: telescope | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # Fetch everything (tags) | |
- id: determine_tag | |
name: determine tag | |
run: |- | |
TAG=$(git describe --tags) | |
printf "\e[1;36m[INFO]\e[0m \$TAG=\"${TAG}\"\n" | |
echo TAG=${TAG} >> ${GITHUB_OUTPUT} | |
- name: Build `version.json` file | |
run: | | |
printf '{\n "commit": "%s",\n "version": "%s",\n "source": "%s",\n "build": "%s"\n}\n' \ | |
"$GITHUB_SHA" \ | |
"${{ steps.determine_tag.outputs.TAG }}" \ | |
"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \ | |
"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > ./version.json | |
cat version.json | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: | | |
${{ env.DOCKERHUB_IMAGE_NAME }} | |
${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY }}/${{ env.IMAGE }} | |
# https://github.com/marketplace/actions/docker-metadata-action#tags-input | |
tags: | | |
type=raw,value=latest | |
type=raw,value=${{ steps.determine_tag.outputs.TAG }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- id: gcp_auth | |
name: gcp auth | |
if: github.event_name != 'pull_request' | |
uses: google-github-actions/auth@v2 | |
with: | |
token_format: access_token | |
service_account: artifact-writer@${{ env.GCP_PROJECT_ID }}.iam.gserviceaccount.com | |
workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }} | |
- name: Login to GAR | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev | |
username: oauth2accesstoken | |
password: ${{ steps.gcp_auth.outputs.access_token }} | |
- name: Login to Docker Hub | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Build and export to Docker | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
load: true | |
push: false | |
tags: ${{ env.DOCKERHUB_IMAGE_NAME }}:test | |
- name: Test from Docker | |
run: | | |
docker run \ | |
--name ${{ env.TEST_CONTAINER_NAME }}-test \ | |
--user root \ | |
${{ env.DOCKERHUB_IMAGE_NAME }}:test \ | |
test | |
- name: Spin up container | |
run: | | |
docker run \ | |
--name ${{ env.TEST_CONTAINER_NAME }} \ | |
--detach \ | |
--env CONFIG_FILE=/app/tests/checks/remotesettings/config.toml \ | |
--publish 8000:8000 \ | |
${{ env.DOCKERHUB_IMAGE_NAME }}:test | |
- name: Check that container is running | |
run: | | |
docker exec ${{ env.TEST_CONTAINER_NAME }} curl --retry 10 --retry-delay 1 --retry-connrefused http://0.0.0.0:8000/checks | grep remotesettings | |
- name: Spin down container | |
run: | | |
docker rm -f ${{ env.TEST_CONTAINER_NAME }} | |
- name: Build and push | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
push: ${{ github.event_name != 'pull_request' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max |