Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 in /go/imagine #61
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Experimental go release workflow with ghcr.io packages | |
| # | |
| # How build and push multiple docker image with same repo and same version, but different name? #561 | |
| # https://github.com/docker/build-push-action/issues/561 | |
| # Matrix build with multiple vars per matrix: https://stackoverflow.com/a/76547617/4292075 | |
| # | |
| # GH Packages About inheritance of access permissions | |
| # https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#about-inheritance-of-access-permissions | |
| name: go-release | |
| on: | |
| pull_request: | |
| paths: [ 'go/**', '.github/workflows/go-release.yml' ] | |
| push: | |
| # If at least one path matches a pattern in the paths filter, the workflow runs | |
| paths: [ 'go/**', '.github/workflows/go-release.yml' ] | |
| branches: [ main ] | |
| env: | |
| REGISTRY: ghcr.io # default is docker.io | |
| IMAGE_NAME: ${{ github.repository }}-tools # # e.g. user/fancy-project[-suffix] | |
| jobs: | |
| publish-ghcr: | |
| name: go release to ghcr.io | |
| # publish to registry only on merge into main branch. we can also use 'if' on steps | |
| if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
| # if: ${{ ! startsWith(github.ref, 'refs/tags/') }} # ! is reserved notation in YAML format, so we need {{}} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write # required to write to container registry | |
| # contents: write # for releases (e.g. go-releaser) | |
| strategy: | |
| matrix: | |
| include: | |
| - goos: linux | |
| goarch: arm64 | |
| #- goos: linux | |
| # arch: amd64 | |
| steps: | |
| # checkout is essential if you use a different context than "." | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| # todo use different approach, get rid of ssm dependency (only works on main branch) | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: eu-central-1 | |
| # todo use different approach, get rid of ssm dependency (only works on main branch) | |
| - name: Pull Environment Config from AWS SSM ParamStore | |
| run: | | |
| echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> $GITHUB_ENV | |
| echo "RELEASE_NAME=$(aws ssm get-parameter --name /angkor/prod/RELEASE_NAME --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV | |
| echo "RELEASE_VERSION=$(aws ssm get-parameter --name /angkor/prod/RELEASE_VERSION --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV | |
| - name: Build with Go and run Sonar Scanner | |
| working-directory: ./go | |
| run: | | |
| make build | |
| env: | |
| GOOS: ${{ matrix.goos }} | |
| # todo refactor Makefile to use GOARCH | |
| ARCH: ${{ matrix.goarch }} | |
| CI: true | |
| RELEASE_NAME: ${{ env.RELEASE_NAME }} | |
| RELEASE_VERSION: ${{ env.RELEASE_VERSION }} | |
| # required for tags and labels as input for docker-build-push | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| # or you get Error: buildx failed with: ERROR: unauthorized: unauthenticated: User cannot be authenticated with the token provided. | |
| - name: Login to GitHub container registry (ghcr.io) | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Multi-platform image with GitHub Actions | |
| # https://docs.docker.com/build/ci/github-actions/multi-platform/ | |
| # QEMU is a generic and open source machine & userspace emulator and virtualizer. | |
| # to emulating a complete machine in software without any need for hardware virtualization support | |
| # it's required at least if you RUN things in your docker build and the target platform | |
| # is *NOT* the platform of the runner (or you get messages like "exec /bin/sh: exec format error") | |
| - name: Set up QEMU static binaries | |
| uses: docker/setup-qemu-action@v3 | |
| with: | |
| # since we run platform specific builds in parallel, we only need the current platform | |
| platforms: ${{ matrix.goos }}/${{ matrix.goarch }} | |
| # explicit setup-buildx action required? No, at least standard worker comes with cli plugin | |
| # - name: Set up Docker Buildx | |
| # uses: docker/setup-buildx-action@v3 | |
| # https://github.com/docker/build-push-action?tab=readme-ov-file#usage | |
| - name: Build docker image and push to ghcr.io | |
| id: build # so we can reference this step as ${{ steps.build.outputs.digest }} in export step | |
| uses: docker/build-push-action@v6 | |
| with: | |
| #${{ matrix.platform }} | |
| platforms: ${{ matrix.goos }}/${{ matrix.goarch }} | |
| context: ./go | |
| # for none-multistage use true and merge manifest in 2nd job, otherwise false | |
| push: true | |
| # for multistage O NOT specify 'tags' here (error "get can't push tagged ref by digest") | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| # why provenance: false? See "GitHub Action produces unknown architecture and OS": https://github.com/docker/build-push-action/issues/820 | |
| provenance: false | |
| build-args: | | |
| RELEASE_NAME: ${{ env.RELEASE_NAME }} | |
| RELEASE_VERSION: ${{ env.RELEASE_VERSION }} | |
| - name: Send Kafka Publish Event about ghcr.io release | |
| id: send-kafka-pub-event # becomes $GITHUB_ACTION | |
| run: | | |
| docker run -e KAFKA_PRODUCER_TOPIC_URL="${{secrets.KAFKA_PRODUCER_TOPIC_URL}}" -e KAFKA_PRODUCER_API_SECRET="${{secrets.KAFKA_PRODUCER_API_SECRET}}" ghcr.io/tillkuhn/rubin:latest \ | |
| -ce -key "$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" -header "producer=rubin/cli latest" \ | |
| -source "urn:ci:$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" \ | |
| -type "net.timafe.event.ci.published.v1" -subject "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}" \ | |
| -record "{\"action\":\"$GITHUB_ACTION\",\"actor\":\"$GITHUB_ACTOR\",\"commit\":\"$GITHUB_SHA\",\"run_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\",\"version\":\"${GITHUB_REF#refs/*/}\"}" |