Skip to content

chore(version): v0.4.2 #27

chore(version): v0.4.2

chore(version): v0.4.2 #27

Workflow file for this run

name: Docker build and publish
on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
version:
description: Build with the given version.
default: 0.1.0
required: true
app:
type: choice
description: Target application
default: 'console'
required: true
options:
- web
- docs
- console
dryrun:
description: Build with dey-run.
type: boolean
default: false
required: false
push:
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'
env:
GHCR_REGISTRY: ghcr.io
SCOPE: ${{ inputs.app || 'console' }}
IMAGE_NAME: ${{ github.repository }}/${{ inputs.app || 'console' }}
TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
TURBO_TEAM: ${{ vars.TURBO_TEAM }}
## app build time environment variables
VERCEL_ENV: ${{ vars.VERCEL_ENV }}
PUBLIC_TERMS_PRIVACY_COMPANY: ${{ vars.PUBLIC_TERMS_PRIVACY_COMPANY }}
PUBLIC_TERMS_PRIVACY_EFFECTIVE_DATE: ${{ vars.PUBLIC_TERMS_PRIVACY_EFFECTIVE_DATE }}
PUBLIC_TERMS_PRIVACY_WEBSITE: ${{ vars.PUBLIC_TERMS_PRIVACY_WEBSITE }}
PUBLIC_TERMS_PRIVACY_CONTACT_EMAIL: ${{ vars.PUBLIC_TERMS_PRIVACY_CONTACT_EMAIL }}
PUBLIC_TERMS_PRIVACY_APP_NAME: ${{ vars.PUBLIC_TERMS_PRIVACY_APP_NAME }}
PUBLIC_TERMS_PRIVACY_APP_PRICING_AND_SUBSCRIPTIONS: ${{ vars.PUBLIC_TERMS_PRIVACY_APP_PRICING_AND_SUBSCRIPTIONS }}
PUBLIC_TERMS_PRIVACY_COUNTRY: ${{ vars.PUBLIC_TERMS_PRIVACY_COUNTRY }}
RATE_LIMIT_SECRET: ${{ secrets.RATE_LIMIT_SECRET }}
permissions:
contents: write # needed to write releases
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
attestations: write # needed for ghcr to sign artifacts
jobs:
build-and-push-image:
runs-on: ubuntu-latest
env:
COREPACK_ENABLE_STRICT: 0
steps:
- name: Checkout
uses: actions/checkout@v4
# - name: Install cosign
# uses: sigstore/cosign-installer@v2.5.0
# - name: Install syft
# uses: anchore/sbom-action/download-syft@v0.11.0
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: login to GitHub Artifact Registry
uses: docker/login-action@v3
with:
registry: ${{ env.GHCR_REGISTRY }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: |
name=${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }},enable=true
labels: |
org.opencontainers.image.vendor=MyCompany
org.opencontainers.image.licenses=MIT
org.opencontainers.image.documentation=docker run -it -e NODE_ENV=production -p 3000:3000 ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
org.opencontainers.image.name=${{ env.IMAGE_NAME }}
org.opencontainers.image.title=${{ env.SCOPE }}
org.opencontainers.image.authors=Sumanth
tags: |
## only enabled for v* tags:
type=semver,pattern={{ version }},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
## only enabled on workflow_dispatch:
type=semver,pattern={{version}},prefix=v,value=${{ github.event.inputs.version }},enable=${{ github.event_name == 'workflow_dispatch' }}
## only enabled in main branch:
# type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
id: push
uses: docker/build-push-action@v6
with:
context: .
push: ${{ !inputs.dryrun }}
platforms: linux/amd64,linux/arm64
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
BUILD_TIME=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
BUILD_VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
BUILD_REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
SCOPE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.title'] }}
# Ref: https://github.blog/security/supply-chain-security/configure-github-artifact-attestations-for-secure-cloud-native-delivery/
- name: Generate Artifact Attestation
id: attest
uses: actions/attest-build-provenance@v1.0.0
with:
subject-name: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
# subject-path: ${{ github.workspace }}/apps/${{ env.SCOPE }}/*