Make repo more autonomous #318


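---
# Builds the Apollo Runtime container image, scans it with Wiz, pushes it to
# GHCR and Docker Hub, attaches build provenance and cuts a GitHub release.
name: Build Apollo Runtime Container

concurrency:
  # One run per PR (or per ref for pushes). Superseded PR runs are cancelled;
  # runs on main are not, so a release in flight is never cancelled half-way
  # through (image already pushed, attestation/release not yet created).
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

on:
  push:
    branches: ['main']
    # '*.md' only matches root-level Markdown files; nested ones still trigger.
    paths-ignore:
      - '*.md'
      - 'examples/**'
  # NOTE(review): pull_request runs also build, scan and push PR-tagged images
  # (see the job below). Runs for PRs from forks receive no secrets and a
  # read-only GITHUB_TOKEN, so they fail at the Wiz/registry auth steps rather
  # than publish anything.
  pull_request:
    paths-ignore:
      - '*.md'
      - 'examples/**'

env:
  REGISTRY: ghcr.io
  NAMESPACED_REGISTRY: ghcr.io/apollographql/apollo-runtime
  NAMESPACED_DOCKERHUB_REGISTRY: apollograph/apollo-runtime
  # Comma-separated buildx platform list; the multi-arch `load: true` test
  # build relies on the containerd snapshotter enabled in the job.
  PLATFORMS: linux/arm64,linux/amd64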
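jobs:
  build-and-push-image:
    name: Build and Push Docker Image
    runs-on: ubuntu-latest
    permissions:
      contents: write      # create the GitHub release (and its tag)
      packages: write      # push to GHCR
      attestations: write  # store build provenance
      id-token: write      # OIDC: Sigstore signing of the attestation and GCP workload identity
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0  # full history so every existing release tag is visible below

      # NOTE(review): "parse-dockerfile" is a mutable ref, not a commit SHA,
      # unlike every other action in this workflow. Pin it to a SHA so the
      # installer (and the binary it fetches) cannot change underneath us.
      - name: Add Tool To Parse Dockerfiles
        uses: taiki-e/install-action@parse-dockerfile

      # Collects every LABEL/ARG from the Dockerfile whose value mentions
      # "org.opencontainers.image" or starts with "APOLLO_" into one JSON
      # object ({name: value}). jq -c keeps it on a single line, which the
      # key=value form of GITHUB_OUTPUT requires.
      - name: Get Versions From Dockerfile
        id: get-versions
        run: |
          VERSIONS=$(parse-dockerfile Dockerfile | jq -cr '[.instructions[] | select(.kind=="LABEL" or .kind=="ARG") | select(.arguments.value | contains("org.opencontainers.image") or startswith("APOLLO_")).arguments.value | match("([^=]*)=(.*)") | .captures | {(.[0].string) : .[1].string}] | add')
          echo "versions=$VERSIONS" >> "$GITHUB_OUTPUT"

      # Highest existing 0.0.x release tag (tags look like
      # "0.0.N_routerX_mcp-serverY"; only the leading semver is kept).
      # The trailing `|| true` keeps the step alive when no tag exists yet:
      # under the default `bash -eo pipefail`, grep's no-match exit status
      # would otherwise abort the step before the "0.0.1" bootstrap below
      # ever runs.
      - name: Get Latest Version Tag
        id: get-latest-version
        run: |
          LATEST_VERSION=$(git tag -l '0.0.*' | grep -oE '^[0-9]+\.[0-9]+\.[0-9]+' | sort -uV | tail -1 || true)
          echo "version=${LATEST_VERSION}" >> "$GITHUB_OUTPUT"

      - name: Compute Next Semver
        id: next-semver
        if: steps.get-latest-version.outputs.version != ''
        uses: WyriHaximus/github-action-next-semvers@18aa9ed4152808ab99b88d71f5481e41f8d89930
        with:
          version: ${{ steps.get-latest-version.outputs.version }}

      # Next patch version (or 0.0.1 when no tag exists), suffixed with
      # "-PR<n>" on pull requests. Step outputs are passed through env rather
      # than expanded into the script so their content can never be parsed as
      # shell.
      - name: Compute Runtime Version
        id: compute-runtime-version
        env:
          LATEST_VERSION: ${{ steps.get-latest-version.outputs.version }}
          NEXT_PATCH: ${{ steps.next-semver.outputs.patch }}
          EVENT_NAME: ${{ github.event_name }}
          PR_NUMBER: ${{ github.event.number }}
        run: |
          if [ -z "$LATEST_VERSION" ]; then
            NEXT_VERSION="0.0.1"
          else
            NEXT_VERSION="$NEXT_PATCH"
          fi
          if [ "$EVENT_NAME" = "pull_request" ]; then
            echo "runtime_version=${NEXT_VERSION}-PR${PR_NUMBER}" >> "$GITHUB_OUTPUT"
          else
            echo "runtime_version=${NEXT_VERSION}" >> "$GITHUB_OUTPUT"
          fi

      # Title/description come straight from the Dockerfile LABELs, i.e. from
      # whatever the PR under test contains. They are written with the
      # multi-line (heredoc) output form and a random delimiter so a value
      # containing a newline cannot inject further step outputs.
      - name: Remove Quotes From Title & Description
        id: remove-quotes
        env:
          DESCRIPTION: ${{ fromJSON(steps.get-versions.outputs.versions)['org.opencontainers.image.description'] }}
          TITLE: ${{ fromJSON(steps.get-versions.outputs.versions)['org.opencontainers.image.title'] }}
        run: |
          delimiter="$(openssl rand -hex 16)"
          {
            echo "description<<${delimiter}"
            echo "${DESCRIPTION//\"/}"
            echo "${delimiter}"
            echo "title<<${delimiter}"
            echo "${TITLE//\"/}"
            echo "${delimiter}"
          } >> "$GITHUB_OUTPUT"

      # Same tag set for both registries. Component versions are read from the
      # Dockerfile ARGs collected above; "latest*" tags only on main.
      - name: Get Docker Metadata
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
        env:
          DOCKER_METADATA_PR_HEAD_SHA: "true"
        with:
          images: |
            ${{ env.NAMESPACED_REGISTRY }}
            ${{ env.NAMESPACED_DOCKERHUB_REGISTRY }}
          tags: |
            type=semver,pattern={{version}},value=${{ steps.compute-runtime-version.outputs.runtime_version }}
            type=raw,value=${{ steps.compute-runtime-version.outputs.runtime_version }}_router${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_ROUTER_VERSION }}
            type=raw,value=${{ steps.compute-runtime-version.outputs.runtime_version }}_mcp-server${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_MCP_SERVER_VERSION }}
            type=raw,value=${{ steps.compute-runtime-version.outputs.runtime_version }}_router${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_ROUTER_VERSION }}_mcp-server${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_MCP_SERVER_VERSION }}
            type=raw,value=latest,enable={{is_default_branch}}
            type=raw,value=latest_router${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_ROUTER_VERSION }},enable={{is_default_branch}}
            type=raw,value=latest_mcp-server${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_MCP_SERVER_VERSION }},enable={{is_default_branch}}
            type=raw,value=latest_router${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_ROUTER_VERSION }}_mcp-server${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_MCP_SERVER_VERSION }},enable={{is_default_branch}}
          labels: |
            org.opencontainers.image.version=${{ steps.compute-runtime-version.outputs.runtime_version }}
            org.opencontainers.image.description=${{ steps.remove-quotes.outputs.description }}
            org.opencontainers.image.title=${{ steps.remove-quotes.outputs.title }}
          annotations: |
            org.opencontainers.image.version=${{ steps.compute-runtime-version.outputs.runtime_version }}
            org.opencontainers.image.description=${{ steps.remove-quotes.outputs.description }}
            org.opencontainers.image.title=${{ steps.remove-quotes.outputs.title }}

      # containerd snapshotter is required to `load:` a multi-platform build.
      - name: Set up Docker
        uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4
        with:
          daemon-config: |
            {
              "features": {
                "containerd-snapshotter": true
              }
            }

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f

      # Single GHCR login (previously done twice), placed after the daemon is
      # configured and before the first build so both builds and the final
      # push use it.
      - name: Log in to the GitHub Container Registry
        uses: docker/login-action@6862ffc5ab2cdb4405cf318a62a6f4c066e2298b
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and Load Docker Image For Testing
        id: build-for-testing
        uses: docker/build-push-action@9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d
        with:
          load: true
          tags: ${{ env.NAMESPACED_REGISTRY }}:test
          platforms: ${{ env.PLATFORMS }}

      # NOTE(review): the binary is fetched from the unversioned "latest"
      # channel and its signing key is downloaded from the same host on every
      # run (trust on first use), so the signature check only proves the
      # artefacts are self-consistent. Pinning a wizcli version and checking
      # the imported key's fingerprint would make this reproducible and
      # resistant to a compromise of the download host.
      - name: Install Wiz CLI
        shell: bash
        working-directory: ${{ runner.temp }}
        run: |
          sudo apt-get update
          sudo apt-get install -y gpg
          # -f: an HTTP error page must not be silently saved as the artefact.
          curl -fLo wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64
          curl -fLo wizcli-sha256 https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64-sha256
          curl -fLo wizcli-sha256.sig https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64-sha256.sig
          curl -fLo wiz_public_key.asc https://downloads.wiz.io/wizcli/public_key.asc
          gpg --batch --import wiz_public_key.asc
          # Verify the checksum file's signature, then the binary against it;
          # either failure aborts the step (bash runs with -e -o pipefail).
          gpg --batch --verify wizcli-sha256.sig wizcli-sha256
          echo "$(cat wizcli-sha256) wizcli" | sha256sum --check
          chmod +x wizcli

      # Credentials are handed over as environment variables instead of being
      # expanded into the script text.
      - name: Authenticate Wiz CLI
        shell: bash
        working-directory: ${{ runner.temp }}
        env:
          WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
          WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
        run: |
          ./wizcli auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"

      # A policy violation makes wizcli exit non-zero, which fails the job
      # before anything is pushed.
      # NOTE(review): the scan targets the locally loaded ":test" image while
      # the push step below performs a second build. Build cache normally
      # makes them identical, but that is not guaranteed; scanning the pushed
      # digest (or pushing the scanned image by digest) would close the gap.
      - name: Scan Image
        shell: bash
        working-directory: ${{ runner.temp }}
        run: |
          ./wizcli docker scan \
            --image "${NAMESPACED_REGISTRY}:test" \
            --dockerfile "${GITHUB_WORKSPACE}/Dockerfile" \
            --policy "Apollo-Default-Vulnerabilities-Policy" \
            --sbom-format spdx-json \
            --sbom-output-file sbom.json \
            --timeout "0h9m0s" \
            --sensitive-data

      # Docker Hub push token is fetched from GCP Secret Manager via workload
      # identity federation (no long-lived GCP key in GitHub secrets).
      - name: Authenticate With GCP
        id: auth
        uses: "google-github-actions/auth@fc2174804b84f912b1f6d334e9463f484f1c552d"
        with:
          token_format: "access_token"
          project_id: "platform-mgmt-service-e0izz"
          service_account: "runtime-container-ci@platform-mgmt-service-e0izz.iam.gserviceaccount.com"
          workload_identity_provider: "projects/865738624352/locations/global/workloadIdentityPools/github-d8bck/providers/github-d8bck"

      - name: Fetch DockerHub Credential
        id: gsm
        uses: google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262
        with:
          secrets: |-
            token:platform-prod-service-q8dyj/docker_hub_push_token

      - name: Docker Auth
        uses: docker/login-action@6862ffc5ab2cdb4405cf318a62a6f4c066e2298b
        with:
          username: "apollograph"
          password: "${{ steps.gsm.outputs.token }}"

      # NOTE(review): this step is not gated on the event, so every same-repo
      # pull request publishes a "<version>-PR<n>" image of unreviewed code to
      # both public registries. Restrict it to main (or to GHCR only) if that
      # is not intended.
      - name: Build and Push Docker image
        id: push
        uses: docker/build-push-action@9e436ba9f2d7bcd1d038c8e55d039d37896ddc5d
        with:
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          annotations: ${{ steps.meta.outputs.annotations }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: ${{ env.PLATFORMS }}

      # One provenance attestation per registry; the index digest is the same
      # for both since a single build was pushed to both.
      # NOTE(review): "@v4" is a moving tag; pin it to a commit SHA like the
      # other actions in this workflow.
      - name: Generate artifact attestation (Docker Hub)
        uses: actions/attest-build-provenance@v4
        with:
          subject-name: index.docker.io/${{ env.NAMESPACED_DOCKERHUB_REGISTRY }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true

      - name: Generate artifact attestation (GHCR)
        uses: actions/attest-build-provenance@v4
        with:
          subject-name: ${{ env.NAMESPACED_REGISTRY }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true

      # Creating the release also creates the tag that the next run's
      # "Get Latest Version Tag" step picks up.
      - name: Create GitHub Release
        if: ${{ github.event_name != 'pull_request' }}
        uses: comnoco/create-release-action@6ac85b5a67d93e181c1a8f97072e2e3ffc582ec4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ steps.compute-runtime-version.outputs.runtime_version }}_router${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_ROUTER_VERSION }}_mcp-server${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_MCP_SERVER_VERSION }}
          release_name: Apollo Runtime Container - v${{ steps.compute-runtime-version.outputs.runtime_version }} (Router - v${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_ROUTER_VERSION }}, MCP Server - v${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_MCP_SERVER_VERSION }})
          body: Find the latest release at ${{ env.NAMESPACED_REGISTRY }}:${{ steps.compute-runtime-version.outputs.runtime_version }}_router${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_ROUTER_VERSION }}_mcp-server${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_MCP_SERVER_VERSION }} or ${{ env.NAMESPACED_DOCKERHUB_REGISTRY }}:${{ steps.compute-runtime-version.outputs.runtime_version }}_router${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_ROUTER_VERSION }}_mcp-server${{ fromJSON(steps.get-versions.outputs.versions).APOLLO_MCP_SERVER_VERSION }}.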