fix(controlplane): honor per-org image pin in warm-pool reserve fallb… #258
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Container Image CD | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| env: | |
| ECR_REGISTRY: 795637471508.dkr.ecr.us-east-1.amazonaws.com | |
| GHCR_REGISTRY: ghcr.io | |
| IMAGE_NAME: duckgres | |
| jobs: | |
| build: | |
| name: Build ${{ matrix.platform }} | |
| if: github.repository == 'PostHog/duckgres' | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - platform: linux/arm64 | |
| runner: ubuntu-24.04-arm | |
| - platform: linux/amd64 | |
| runner: ubuntu-24.04 | |
| runs-on: ${{ matrix.runner }} | |
| permissions: | |
| id-token: write | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Check out | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ECR_PUBLISH_IAM_ROLE }} | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| id: aws-ecr | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| - name: Login to GHCR | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: ${{ env.GHCR_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Prepare platform slug | |
| id: slug | |
| run: echo "arch=${PLATFORM#linux/}" >> "$GITHUB_OUTPUT" | |
| env: | |
| PLATFORM: ${{ matrix.platform }} | |
| - name: Build and push by digest | |
| id: build | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 | |
| with: | |
| context: . | |
| push: true | |
| platforms: ${{ matrix.platform }} | |
| tags: | | |
| ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ steps.slug.outputs.arch }} | |
| ${{ env.GHCR_REGISTRY }}/posthog/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ steps.slug.outputs.arch }} | |
| build-args: | | |
| VERSION=build-${{ github.sha }} | |
| COMMIT=${{ github.sha }} | |
| BUILD_TAGS=kubernetes | |
| cache-from: type=gha,scope=${{ steps.slug.outputs.arch }} | |
| cache-to: type=gha,mode=max,scope=${{ steps.slug.outputs.arch }} | |
| manifest: | |
| name: Create multi-arch manifest | |
| needs: build | |
| if: github.repository == 'PostHog/duckgres' | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| id-token: write | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ECR_PUBLISH_IAM_ROLE }} | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| - name: Login to GHCR | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: ${{ env.GHCR_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Create and push ECR manifest | |
| id: ecr-manifest | |
| run: | | |
| docker buildx imagetools create --tag ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} \ | |
| ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64 \ | |
| ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64 | |
| digest=$(docker buildx imagetools inspect --raw ${{ env.ECR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} | sha256sum | awk '{print "sha256:"$1}') | |
| echo "digest=${digest}" >> "$GITHUB_OUTPUT" | |
| - name: Create and push GHCR manifests | |
| run: | | |
| for tag in "${{ github.sha }}" "latest"; do | |
| docker buildx imagetools create --tag ${{ env.GHCR_REGISTRY }}/posthog/${{ env.IMAGE_NAME }}:${tag} \ | |
| ${{ env.GHCR_REGISTRY }}/posthog/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64 \ | |
| ${{ env.GHCR_REGISTRY }}/posthog/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64 | |
| done | |
| - name: Get deployer token | |
| id: deployer | |
| uses: getsentry/action-github-app-token@d4b5da6c5e37703f8c3b3e43abb5705b46e159cc # v3.0.0 | |
| with: | |
| app_id: ${{ secrets.GH_APP_CHARTS_DEPLOYER_APP_ID }} | |
| private_key: ${{ secrets.GH_APP_CHARTS_DEPLOYER_PRIVATE_KEY }} | |
| - name: Trigger deployment via Charts repo | |
| uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 | |
| with: | |
| token: ${{ steps.deployer.outputs.token }} | |
| repository: PostHog/charts | |
| event-type: commit_state_update | |
| client-payload: | | |
| { | |
| "values": { | |
| "image": { | |
| "sha": "${{ github.sha }}@${{ steps.ecr-manifest.outputs.digest }}" | |
| } | |
| }, | |
| "release": "duckgres", | |
| "commit": ${{ toJson(github.event.head_commit) }}, | |
| "repository": ${{ toJson(github.repository) }}, | |
| "labels": [], | |
| "timestamp": "${{ github.event.head_commit.timestamp }}" | |
| } |