feat(jans-pycloudlib): add support for connecting to cloudsql via clo… #3
| name: Build and Publish Cloud SQL Socket Factory | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "automation/cloudsql-socket-factory/**" | |
| pull_request: | |
| branches: | |
| - main | |
| paths: | |
| - "automation/cloudsql-socket-factory/**" | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: 'Cloud SQL Socket Factory version to build (e.g., 1.27.0)' | |
| required: false | |
| default: '' | |
| schedule: | |
| - cron: "0 0 * * 0" | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }}/cloudsql-socket-factory | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| outputs: | |
| digest: ${{ steps.build.outputs.digest }} | |
| version: ${{ steps.version.outputs.version }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
| with: | |
| egress-policy: audit | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Get version | |
| id: version | |
| run: | | |
| if [ -n "${{ github.event.inputs.version }}" ]; then | |
| VERSION="${{ github.event.inputs.version }}" | |
| else | |
| VERSION=$(cat automation/cloudsql-socket-factory/version.txt | tr -d '\n') | |
| fi | |
| if [ -z "$VERSION" ]; then | |
| echo "::error::Failed to determine version" | |
| exit 1 | |
| fi | |
| echo "version=${VERSION}" >> $GITHUB_OUTPUT | |
| echo "Building Cloud SQL Socket Factory version: ${VERSION}" | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
| with: | |
| image: tonistiigi/binfmt:qemu-v8.1.5 | |
| platforms: all | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
| - name: Login to GHCR | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata | |
| id: meta | |
| uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=raw,value=${{ steps.version.outputs.version }} | |
| type=raw,value=latest | |
| - name: Build and push | |
| id: build | |
| uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
| with: | |
| builder: ${{ steps.buildx.outputs.name }} | |
| context: automation/cloudsql-socket-factory | |
| file: automation/cloudsql-socket-factory/Dockerfile | |
| build-args: | | |
| CLOUDSQL_SOCKET_FACTORY_VERSION=${{ steps.version.outputs.version }} | |
| platforms: linux/amd64,linux/arm64 | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| sbom: true | |
| provenance: true | |
| cache-from: type=gha,scope=cloudsql-socket-factory | |
| cache-to: type=gha,mode=max,scope=cloudsql-socket-factory | |
| - name: Sign the image with GitHub OIDC Token | |
| if: github.event_name != 'pull_request' | |
| env: | |
| DIGEST: ${{ steps.build.outputs.digest }} | |
| TAGS: ${{ steps.meta.outputs.tags }} | |
| run: | | |
| images="" | |
| for tag in ${TAGS}; do | |
| images+="${tag}@${DIGEST} " | |
| done | |
| if [[ -n $images ]]; then | |
| cosign sign --yes -a author=JanssenProject ${images} | |
| fi | |
| - name: Image digest | |
| run: echo ${{ steps.build.outputs.digest }} |