Skip to content

Add token permissions to build + publish workflow (#1498) #325

Add token permissions to build + publish workflow (#1498)

Add token permissions to build + publish workflow (#1498) #325

name: Build and Publish Docker image
on:
pull_request:
branches:
- main
push:
branches:
- main
tags:
- v[0-9]+.[0-9]+.[0-9]+
jobs:
build-and-publish:
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
env:
DOCKERHUB_IMAGE_NAME: mozilla/telescope
TEST_CONTAINER_NAME: container-healthcheck
GAR_LOCATION: us
GCP_PROJECT_ID: telescope-prod
GAR_REPOSITORY: moz-fx-telescope-prod
IMAGE: telescope
steps:
- name: Check out the repo
uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch everything (tags)
- id: determine_tag
name: determine tag
run: |-
TAG=$(git describe --tags)
printf "\e[1;36m[INFO]\e[0m \$TAG=\"${TAG}\"\n"
echo TAG=${TAG} >> ${GITHUB_OUTPUT}
- name: Build `version.json` file
run: |
printf '{\n "commit": "%s",\n "version": "%s",\n "source": "%s",\n "build": "%s"\n}\n' \
"$GITHUB_SHA" \
"${{ steps.determine_tag.outputs.TAG }}" \
"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" \
"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > ./version.json
cat version.json
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.DOCKERHUB_IMAGE_NAME }}
${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY }}/${{ env.IMAGE }}
# https://github.com/marketplace/actions/docker-metadata-action#tags-input
tags: |
type=raw,value=latest
type=raw,value=${{ steps.determine_tag.outputs.TAG }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- id: gcp_auth
name: gcp auth
if: github.event_name != 'pull_request'
uses: google-github-actions/auth@v2
with:
token_format: access_token
service_account: artifact-writer@${{ env.GCP_PROJECT_ID }}.iam.gserviceaccount.com
workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
- name: Login to GAR
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.gcp_auth.outputs.access_token }}
- name: Login to Docker Hub
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and export to Docker
uses: docker/build-push-action@v6
with:
context: .
load: true
push: false
tags: ${{ env.DOCKERHUB_IMAGE_NAME }}:test
- name: Test from Docker
run: |
docker run \
--name ${{ env.TEST_CONTAINER_NAME }}-test \
--user root \
${{ env.DOCKERHUB_IMAGE_NAME }}:test \
test
- name: Spin up container
run: |
docker run \
--name ${{ env.TEST_CONTAINER_NAME }} \
--detach \
--env CONFIG_FILE=/app/tests/checks/remotesettings/config.toml \
--publish 8000:8000 \
${{ env.DOCKERHUB_IMAGE_NAME }}:test
- name: Check that container is running
run: |
docker exec ${{ env.TEST_CONTAINER_NAME }} curl --retry 10 --retry-delay 1 --retry-connrefused http://0.0.0.0:8000/checks | grep remotesettings
- name: Spin down container
run: |
docker rm -f ${{ env.TEST_CONTAINER_NAME }}
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max