* Push docker images to oci.element.io * prettier * add id-token permission as its required by tailscale login
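# Reusable workflow (workflow_call): takes a prebuilt `build-output-full`
# artifact, then builds a multi-arch image from it and pushes it to GHCR
# and, outside pull_request events, to the oci-push registry reached over
# Tailscale with credentials fetched from Vault.
name: Build and publish docker image

on:
  workflow_call:
    inputs:
      # Passed straight through to docker/metadata-action as its `tags` input.
      docker_tags:
        required: true
        type: string
      # Run whose `build-output-full` artifact is downloaded; defaults to the
      # calling run itself.
      artifact_run_id:
        required: false
        type: string
        default: ${{ github.run_id }}

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build_and_deploy:
    name: Build & publish docker
    runs-on: ubuntu-latest
    # Explicit permissions: anything not listed here is `none` for GITHUB_TOKEN.
    permissions:
      # NOTE(review): no step below writes to the repository; `read` appears
      # sufficient for checkout — confirm before tightening.
      contents: write # required to upload release asset
      packages: write # needed for publishing packages to GHCR
      id-token: write # needed for login into tailscale with GitHub OIDC Token
    steps:
      - name: Check it out
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      # NOTE(review): fetching by run-id goes through the REST API with the
      # supplied token, which may require `actions: read` — confirm the
      # permissions block above is sufficient for cross-run downloads.
      - name: 📥 Download artifact
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ inputs.artifact_run_id }}
          name: build-output-full
          path: dist

      - name: Log in to container registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tailscale, Vault and the oci-push login are all skipped on pull_request.
      - name: Connect to Tailscale
        uses: tailscale/github-action@53acf823325fe9ca47f4cdaa951f90b4b0de5bb9 # v4
        if: github.event_name != 'pull_request'
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          audience: ${{ secrets.TS_AUDIENCE }}
          tags: tag:github-actions

      # Derives the Vault JWT role from the repository slug: `/` and `-` become `_`.
      # The slug is read from the GITHUB_REPOSITORY env var rather than
      # interpolating `${{ github.repository }}` into the shell script, so the
      # value is never expanded as shell source.
      - name: Compute vault jwt role name
        id: vault-jwt-role
        if: github.event_name != 'pull_request'
        run: |
          echo "role_name=github_service_management_$(echo "$GITHUB_REPOSITORY" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"

      # NOTE(review): `<team>` in the secret paths reads like an unfilled
      # placeholder — confirm it is the literal Vault path in use.
      - name: Get team registry token
        id: import-secrets
        uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3
        if: github.event_name != 'pull_request'
        with:
          url: https://vault.infra.ci.i.element.dev
          role: ${{ steps.vault-jwt-role.outputs.role_name }}
          path: service-management/github-actions
          jwtGithubAudience: https://vault.infra.ci.i.element.dev
          method: jwt
          secrets: |
            services/<team>-repositories/secret/data/oci.element.io username | OCI_USERNAME ;
            services/<team>-repositories/secret/data/oci.element.io password | OCI_PASSWORD ;

      - name: Login to oci.element.io Registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        if: github.event_name != 'pull_request'
        with:
          registry: oci-push.vpn.infra.element.io
          username: ${{ steps.import-secrets.outputs.OCI_USERNAME }}
          password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }}

      # NOTE(review): the oci-push image is listed unconditionally while its
      # login above is skipped on pull_request, and the push step below is also
      # unconditional — confirm the caller never invokes this workflow on
      # pull_request, or gate the second image on the event.
      # NOTE(review): the oci-push path names `element-web` although this is
      # the element-call repository — confirm the target repository.
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        with:
          images: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
            oci-push.vpn.infra.element.io/element-web
          tags: ${{ inputs.docker_tags }}
          labels: |
            org.opencontainers.image.licenses=AGPL-3.0-only OR LicenseRef-Element-Commercial

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      # Builds from the repository root (the downloaded artifact sits in `dist`)
      # and pushes every tag produced by the metadata step.
      - name: Build and push Docker image
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}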