move publishing image to separate job (#424)

This separates the act of publishing the image to Docker Hub (requires secrets) from the act of building and testing (does not require secrets). The command to publish is much simplified now that the job is only run on version-tagged commits. Secrets needed to publish are provided through CircleCI Context as recommended by Circle. Other changes: * reused filter definitions common in our other CI configs * declared the version of Go to build with in a single named executor
honeycombio · Sep 20, 2024 · d66ff70 · d66ff70
1 parent 989af99
commit d66ff70
Showing 1 changed file with 37 additions and 21 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,17 +1,26 @@
 # Use the latest 2.1 version of CircleCI pipeline processing engine, see https://circleci.com/docs/2.0/configuration-reference/
 version: 2.1
 
-# required as all of the jobs need to have a tag filter for some reason
-tag_filters: &tag_filters
+filters_always: &filters_always
   filters:
-      tags:
-        only: /.*/
+    tags:
+      only: /.*/
 
-jobs:
-  build_agent:
+filters_publish: &filters_publish
+  filters:
+    tags:
+      only: /^v[0-9].*/
+    branches:
+      ignore: /.*/
+
+executors:
+  docker-go:
     docker:
       - image: cimg/go:1.22
-    # needed to build docker images, attach mount points, etc
+
+jobs:
+  build_agent:
+    executor: docker-go
     steps:
       - setup_remote_docker
       - checkout
@@ -21,15 +30,21 @@ jobs:
       - run: ./build/build.sh
       - run: ./build/test.sh .
       - run: e2e-tests/test.sh
+
+  publish_dockerhub:
+    executor: docker-go
+    steps:
+      - setup_remote_docker
+      - checkout
+      - run: go install github.com/google/ko@latest
+      - run: echo "VERSION=$(cat version.txt | tr -d '\n')" >> $BASH_ENV
       - run:
-          name: "Deploy on tagged master push"
+          name: "publish image to Docker Hub"
+          environment:
+            KO_DOCKER_REPO: honeycombio
           command: |
-            if [ -z "${CIRCLE_PULL_REQUEST}" ] && [ -z "${CIRCLE_BRANCH}" ] && [ -n "${CIRCLE_TAG}" ]; then
-              echo "${DOCKER_PASSWORD}" | docker login -u "${DOCKER_USERNAME}" --password-stdin;
-              KO_DOCKER_REPO=honeycombio ./build/build.sh
-            else
-              echo "skipping push. CIRCLE_PULL_REQUEST=${CIRCLE_PULL_REQUEST}, CIRCLE_BRANCH=${CIRCLE_BRANCH}, CIRCLE_TAG=${CIRCLE_TAG}"
-            fi;
+            echo "${DOCKER_PASSWORD}" | docker login -u "${DOCKER_USERNAME}" --password-stdin;
+            ./build/build.sh
 
   publish_github:
     docker:
@@ -43,18 +58,19 @@ jobs:
             echo "about to publish to tag ${CIRCLE_TAG}"
             ghr --draft -n ${CIRCLE_TAG} -t ${GITHUB_TOKEN} -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -c ${CIRCLE_SHA1} ${CIRCLE_TAG}
 
-# Orchestrate or schedule a set of jobs, see https://circleci.com/docs/2.0/workflows/
 workflows:
   version: 2
   build:
     jobs:
-      - build_agent: *tag_filters
+      - build_agent:
+          <<: *filters_always
+      - publish_dockerhub:
+          <<: *filters_publish
+          context: Honeycomb Secrets for Public Repos
+          requires:
+            - build_agent
       - publish_github:
+          <<: *filters_publish
           context: Honeycomb Secrets for Public Repos
           requires:
             - build_agent
-          filters:
-            tags:
-              only: /^v.*/
-            branches:
-              ignore: /.*/