argus-docker-build.yaml

name: Docker Image Build

on:
  workflow_call:
    inputs:
      envs:
        description: The envs that this is building (rdev, staging, or prod), comma delimited
        required: true
        type: string
      images:
        description: 'JSON array of images to build (required keys: dockerfile, context, name, platform)'
        required: true
        type: string
      path_filters:
        description: 'Glob patterns to match against changed files in the repository, comma delimited'
        required: false
        type: string
        default: '**/*'
      path_filters_base:
        description: |
          Git reference (e.g. branch name) against which the changes will be detected. Defaults to the current branch.
          If it references same branch it was pushed to, changes are detected against the most recent commit before the push.
          This option is ignored if action is triggered by pull_request event.
        required: false
        type: string
        default: ${{ github.ref }}
      branch_filter:
        description: 'Regex to match against the branch name to determine if the job should run'
        required: false
        type: string
        default: '.*'

jobs:
  prep:
    name: Prep for Build
    runs-on: [ARM64,self-hosted,Linux]
    if: contains(github.event.head_commit.message, '[no-deploy]') == false
    outputs:
      image_tag: ${{ steps.build-tags.outputs.IMAGE_TAG }}
      image_tag_valid: ${{ steps.validate_image_tag.outputs.image_tag_valid }}
      images: ${{ steps.parse_inputs.outputs.images }}
      envs: ${{ steps.parse_inputs.outputs.envs }}
      branch_matched: ${{ steps.branch_filter.outputs.match }}
      files_matched: ${{ steps.file_filter.outputs.run_on }}
    permissions:
        id-token: write
        contents: read
    steps:
      - name: Check for matching branch
        id: branch_filter
        uses: actions/github-script@v7
        with:
          script: |
            const branchFilterRegex = new RegExp('${{ inputs.branch_filter }}');
            const shouldRun = '${{ github.ref }}'.match(branchFilterRegex) != null;
            if (shouldRun) {
              console.log('Job will run');
            } else {
              console.log('Job will be skipped because branch name "${{ github.ref }}" does not match the filter');
            }
            core.setOutput('match', shouldRun);

      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Parse inputs
        id: parse_inputs
        uses: actions/github-script@v7
        with:
          script: |
            const filters = `${{ inputs.path_filters }}`.split(',').map(f => f.trim());
            const filtersStr = "run_on:\n" + filters.map(f => `  - '${f}'`).join('\n');
            core.setOutput('filters', filtersStr);

            const images = JSON.parse(`${{ inputs.images }}`);
            core.setOutput('images', images);

            const envs = `${{ inputs.envs }}`.split(',').map(env => env.trim());
            core.setOutput('envs', envs.join(' '));

      - name: Check for matching file changes
        uses: dorny/paths-filter@v3
        id: file_filter
        with:
          filters: |
            ${{ steps.parse_inputs.outputs.filters }}
          base: ${{ inputs.path_filters_base }}
          list-files: json
      - name: Get build tag
        id: build-tags
        run: |
          echo "IMAGE_TAG=sha-$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
      - name: Validate build tag
        id: validate_image_tag
        uses: actions/github-script@v7
        with:
          script: |
            const imageTag = `${{ steps.build-tags.outputs.IMAGE_TAG }}`;
            core.setOutput('image_tag_valid', imageTag !== '' && imageTag !== 'sha-');

  build-docker:
    name: Build Docker Image
    needs: [prep]
    runs-on: 
      - self-hosted
      - Linux
      - ${{ matrix.image.platform == 'linux/amd64' && 'X64' || 'ARM64' }}
    env:
      IMAGE_TAG: ${{ needs.prep.outputs.image_tag }}
    if: needs.prep.outputs.branch_matched == 'true' && needs.prep.outputs.files_matched == 'true' && needs.prep.outputs.image_tag_valid == 'true' && needs.prep.outputs.images != '[]'
    permissions:
      id-token: write
      contents: read
    strategy:
      fail-fast: false
      matrix:
        image: ${{ fromJson(needs.prep.outputs.images) }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          path: ${{ github.event.repository.name }}
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-west-2
          role-to-assume: arn:aws:iam::533267185808:role/gh_actions_core_platform_infra_prod_eks
          role-session-name: ContainerBuildTest
      - name: Generate token
        id: generate_token
        uses: chanzuckerberg/github-app-token@v1.1.4
        with:
          app_id: ${{ secrets.CZI_GITHUB_HELPER_APP_ID }}
          private_key: ${{ secrets.CZI_GITHUB_HELPER_PK }}
      - uses: actions/checkout@v4
        with:
          repository: chanzuckerberg/core-platform-settings
          path: core-platform-settings
          token: ${{ steps.generate_token.outputs.token }}

      - name: Create ECR repo if necessary
        uses: int128/create-ecr-repository-action@v1
        with:
          repository: core-platform/${{ github.event.repository.name }}/${{ matrix.image.name }}
          lifecycle-policy: core-platform-settings/ecr/lifecycle-policy.json
          repository-policy: core-platform-settings/ecr/repository-policy.json
      - name: Build And Push
        uses: chanzuckerberg/github-actions/.github/actions/docker-build-push@docker-build-push-v1.6.0
        with:
          dockerfile: ${{ github.event.repository.name }}/${{ matrix.image.dockerfile }}
          context: ${{ github.event.repository.name }}/${{ matrix.image.context }}
          name: core-platform/${{ github.event.repository.name }}/${{ matrix.image.name }}
          registry: 533267185808.dkr.ecr.us-west-2.amazonaws.com 
          custom_tag: ${{ env.IMAGE_TAG }}
          platforms: ${{ matrix.image.platform == 'linux/amd64' && 'linux/amd64' || 'linux/arm64' }}
          build_args: IMAGE_TAG=${{ env.IMAGE_TAG }}

  update-manifests:
    name: Update ArgoCD manifests
    needs: [prep, build-docker]
    runs-on: [ARM64,self-hosted,Linux]
    env:
      IMAGE_TAG: ${{ needs.prep.outputs.image_tag }}
    if: needs.prep.outputs.image_tag_valid == 'true' && needs.prep.outputs.images != '[]'
    permissions:
        id-token: write
        contents: read
    steps:
      - run: |
          echo IMAGE_TAG=$IMAGE_TAG
      - name: Generate token
        id: generate_token
        uses: chanzuckerberg/github-app-token@v1.1.4
        with:
          app_id: ${{ secrets.CZI_RELEASE_PLEASE_APP_ID }}
          private_key: ${{ secrets.CZI_RELEASE_PLEASE_PK }}
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ steps.generate_token.outputs.token }}
      - name: Update Manifest
        shell: bash
        run: |
          for env in ${{ needs.prep.outputs.envs }}
          do
            sed -i 's/tag: sha-\w\+/tag: ${{ env.IMAGE_TAG }}/g' .infra/${env}/values.yaml
            cat .infra/${env}/values.yaml
          done
      - name: Update Argus manifests
        uses: EndBug/add-and-commit@v9
        with:
          add: -A
          message: 'chore: Updated [${{ needs.prep.outputs.envs }}] values.yaml image tags to ${{ env.IMAGE_TAG }}'