Add APNs VoIP send path for Transport=voip notifications #186

Workflow file for this run

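# CI/CD pipeline: lint and test, build standard and FIPS images for AMD64 and
# ARM64, run report-only Grype scans, publish per-commit PR images, and publish
# multi-arch images (plus a GitHub release on v* tags) from master and tags.
name: Build and Test

on:
  push:
    branches:
      - master
  pull_request:

# One active run per pull request (or per ref for pushes); a newer run cancels
# the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Workflow-level default. Every job without its own `permissions:` block
# inherits these scopes.
# NOTE(review): lint, test, package, build-* and security-scan have no
# Chainguard step but still inherit id-token: write while running `make` on the
# checked-out code. Confirm those targets do not need OIDC, then reduce this
# default to `contents: read`.
permissions:
  contents: read
  id-token: write  # Required for OIDC authentication with Chainguard identity

env:
  # Quoted so the values stay strings under any YAML loader.
  GO_VERSION: "1.24.6"
  FIPS_ENABLED: "true"

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Lint
        run: make lint

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Test
        run: make test

  package:
    name: Package
    runs-on: ubuntu-latest
    needs: [lint, test]
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: build-package/package
        run: make package

  build-amd64:
    name: Build AMD64
    runs-on: ubuntu-latest
    needs: [lint, test]
    if: github.actor != 'dependabot[bot]'
    timeout-minutes: 30
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Build Docker Image for AMD64
        run: make build-image-amd64-with-tags

  build-arm64:
    name: Build ARM64
    runs-on: ubuntu-24.04-arm
    needs: [lint, test]
    if: github.actor != 'dependabot[bot]'
    timeout-minutes: 30
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Build Docker Image for ARM64
        run: make build-image-arm64-with-tags

  # FIPS builds authenticate to Chainguard through OIDC, hence id-token: write.
  fips-build-amd64:
    name: FIPS Build AMD64
    runs-on: ubuntu-latest
    needs: [lint, test]
    if: github.actor != 'dependabot[bot]'
    timeout-minutes: 30
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Setup Chainguard
        uses: chainguard-dev/setup-chainctl@c125f765e82b09a42af3185f3214465314d75c5d  # v0.5.0
        with:
          identity: ${{ secrets.CHAINGUARD_IDENTITY }}
      - name: Build FIPS Docker Image for AMD64
        run: make build-image-fips-amd64-with-tags

  fips-build-arm64:
    name: FIPS Build ARM64
    runs-on: ubuntu-24.04-arm
    needs: [lint, test]
    if: github.actor != 'dependabot[bot]'
    timeout-minutes: 30
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Setup Chainguard
        uses: chainguard-dev/setup-chainctl@c125f765e82b09a42af3185f3214465314d75c5d  # v0.5.0
        with:
          identity: ${{ secrets.CHAINGUARD_IDENTITY }}
      - name: Build FIPS Docker Image for ARM64
        run: make build-image-fips-arm64-with-tags

  fips-security-scan:
    name: FIPS Security Scan
    runs-on: ubuntu-latest
    needs: [lint, test]
    if: github.actor != 'dependabot[bot]'
    # Declared explicitly, like the other Chainguard jobs, so this job keeps
    # working if the workflow-level default is ever tightened.
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Setup Chainguard
        uses: chainguard-dev/setup-chainctl@c125f765e82b09a42af3185f3214465314d75c5d  # v0.5.0
        with:
          identity: ${{ secrets.CHAINGUARD_IDENTITY }}
      - name: Build FIPS Docker image for scanning
        run: make build-image-fips-amd64-with-tags
      # fail-build: false makes the scan report-only: findings are printed as a
      # table but never fail the job, so jobs listing this one in `needs` are
      # not gated on scan results.
      # NOTE(review): consider fail-build: true with a severity-cutoff once the
      # baseline is clean.
      - name: Run Grype vulnerability scanner
        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c  # v7.3.2
        with:
          image: "mattermost/mattermost-push-proxy-fips:${{ github.ref == 'refs/heads/master' && 'master' || format('dev-{0}', github.sha) }}"
          output-format: table
          fail-build: false

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: [lint, test]
    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Build Docker image for scanning
        run: make build-image-amd64-with-tags
      # Report-only, same as the FIPS scan: fail-build: false never fails the job.
      - name: Run Grype vulnerability scanner
        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c  # v7.3.2
        with:
          image: "mattermost-push-proxy:${{ github.ref == 'refs/heads/master' && 'master' || format('dev-{0}', github.sha) }}"
          output-format: table
          fail-build: false

  # PR deploy jobs publish dev-<sha> images to Docker Hub for testing.
  # NOTE(review): the `if` also matches pull requests from forks, because
  # github.repository_owner is the owner of the repository running the workflow.
  # GitHub does not pass secrets to fork-triggered runs, so the login step would
  # fail there. Confirm whether fork PRs should be skipped explicitly.
  # NOTE(review): no step in the non-FIPS PR deploy jobs sets up Chainguard, so
  # id-token: write looks unused. Confirm the make targets do not need it.
  pr-deploy-amd64:
    name: PR Deploy AMD64
    runs-on: ubuntu-latest
    needs: [security-scan, build-amd64]
    if: github.event_name == 'pull_request' && github.repository_owner == 'mattermost' && github.actor != 'dependabot[bot]'
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push AMD64 PR images
        run: |
          # Build with default APP_NAME (avoids filesystem issues)
          make build-image-amd64-with-tags
          # Retag with correct namespace for pushing
          docker tag mattermost-push-proxy:dev-${{ github.sha }}-amd64 mattermost/mattermost-push-proxy:dev-${{ github.sha }}-amd64
          docker tag mattermost-push-proxy:dev-${{ github.sha }} mattermost/mattermost-push-proxy:dev-${{ github.sha }}
          # Push to correct namespace
          docker push mattermost/mattermost-push-proxy:dev-${{ github.sha }}-amd64
          echo "✅ AMD64 image pushed: mattermost/mattermost-push-proxy:dev-${{ github.sha }}-amd64"

  pr-deploy-arm64:
    name: PR Deploy ARM64
    runs-on: ubuntu-24.04-arm
    needs: [security-scan, build-arm64]
    if: github.event_name == 'pull_request' && github.repository_owner == 'mattermost' && github.actor != 'dependabot[bot]'
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push ARM64 PR images
        run: |
          # Build with default APP_NAME (avoids filesystem issues)
          make build-image-arm64-with-tags
          # Retag with correct namespace for pushing
          docker tag mattermost-push-proxy:dev-${{ github.sha }}-arm64 mattermost/mattermost-push-proxy:dev-${{ github.sha }}-arm64
          docker tag mattermost-push-proxy:dev-${{ github.sha }} mattermost/mattermost-push-proxy:dev-${{ github.sha }}
          # Push to correct namespace
          docker push mattermost/mattermost-push-proxy:dev-${{ github.sha }}-arm64
          echo "✅ ARM64 image pushed: mattermost/mattermost-push-proxy:dev-${{ github.sha }}-arm64"

  pr-deploy-manifest:
    name: PR Deploy Manifest
    runs-on: ubuntu-latest
    needs: [pr-deploy-amd64, pr-deploy-arm64]
    if: github.event_name == 'pull_request' && github.repository_owner == 'mattermost' && github.actor != 'dependabot[bot]'
    # This job only logs in with a password and runs docker manifest commands;
    # nothing requests an OIDC token, so id-token: write is not granted.
    permissions:
      contents: read
    steps:
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Create and push multi-arch manifest
        run: |
          # Create multi-platform manifest for PR testing
          docker manifest create mattermost/mattermost-push-proxy:dev-${{ github.sha }} \
            --amend mattermost/mattermost-push-proxy:dev-${{ github.sha }}-amd64 \
            --amend mattermost/mattermost-push-proxy:dev-${{ github.sha }}-arm64
          docker manifest push mattermost/mattermost-push-proxy:dev-${{ github.sha }}
          # Clean up intermediate architecture-specific tags (like production)
          # NOTE(review): docker rmi only touches this runner's local image
          # store. The arch-specific tags pushed to Docker Hub by the previous
          # jobs are not deleted here, despite the message below.
          echo "Cleaning up intermediate architecture-specific tags..."
          docker rmi mattermost/mattermost-push-proxy:dev-${{ github.sha }}-amd64 2>/dev/null || true
          docker rmi mattermost/mattermost-push-proxy:dev-${{ github.sha }}-arm64 2>/dev/null || true
          echo "✅ Multi-arch PR image available (arch-specific tags removed):"
          echo " docker pull mattermost/mattermost-push-proxy:dev-${{ github.sha }}"

  pr-deploy-fips-amd64:
    name: PR Deploy FIPS AMD64
    runs-on: ubuntu-latest
    needs: [fips-security-scan, fips-build-amd64]
    if: github.event_name == 'pull_request' && github.repository_owner == 'mattermost' && github.actor != 'dependabot[bot]'
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Setup Chainguard Identity
        uses: chainguard-dev/setup-chainctl@c125f765e82b09a42af3185f3214465314d75c5d  # v0.5.0
        with:
          identity: ${{ secrets.CHAINGUARD_IDENTITY }}
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push FIPS AMD64 PR images
        run: |
          # Build with default APP_NAME (avoids filesystem issues)
          make build-image-fips-amd64-with-tags
          # Source and target names are identical in both commands below, so
          # these tags change nothing; they only fail if the image is missing.
          docker tag mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-amd64 mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-amd64
          docker tag mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }} mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}
          # Push to correct namespace
          docker push mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-amd64
          echo "✅ FIPS AMD64 image pushed: mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-amd64"

  pr-deploy-fips-arm64:
    name: PR Deploy FIPS ARM64
    runs-on: ubuntu-24.04-arm
    needs: [fips-security-scan, fips-build-arm64]
    if: github.event_name == 'pull_request' && github.repository_owner == 'mattermost' && github.actor != 'dependabot[bot]'
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Setup Chainguard Identity
        uses: chainguard-dev/setup-chainctl@c125f765e82b09a42af3185f3214465314d75c5d  # v0.5.0
        with:
          identity: ${{ secrets.CHAINGUARD_IDENTITY }}
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push FIPS ARM64 PR images
        run: |
          # Build with default APP_NAME (avoids filesystem issues)
          make build-image-fips-arm64-with-tags
          # Source and target names are identical in both commands below, so
          # these tags change nothing; they only fail if the image is missing.
          docker tag mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-arm64 mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-arm64
          docker tag mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }} mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}
          # Push to correct namespace
          docker push mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-arm64
          echo "✅ FIPS ARM64 image pushed: mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-arm64"

  pr-deploy-fips-manifest:
    name: PR Deploy FIPS Manifest
    runs-on: ubuntu-latest
    needs: [pr-deploy-fips-amd64, pr-deploy-fips-arm64]
    if: github.event_name == 'pull_request' && github.repository_owner == 'mattermost' && github.actor != 'dependabot[bot]'
    # Password login and docker manifest commands only; no OIDC token is
    # requested, so id-token: write is not granted.
    permissions:
      contents: read
    steps:
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Create and push FIPS multi-arch manifest
        run: |
          # Create multi-platform FIPS manifest for PR testing
          docker manifest create mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }} \
            --amend mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-amd64 \
            --amend mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-arm64
          docker manifest push mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}
          # Clean up intermediate FIPS architecture-specific tags (like production)
          # NOTE(review): docker rmi is local to this runner; the arch-specific
          # tags on Docker Hub remain.
          echo "Cleaning up intermediate FIPS architecture-specific tags..."
          docker rmi mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-amd64 2>/dev/null || true
          docker rmi mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}-arm64 2>/dev/null || true
          echo "✅ Multi-arch FIPS PR image available (arch-specific tags removed):"
          echo " docker pull mattermost/mattermost-push-proxy-fips:dev-${{ github.sha }}"

  # Production deploy jobs run on master and v* tags only.
  # NOTE(review): the per-architecture deploy jobs only build, tag and push
  # images, yet hold contents: write. The visible release steps live in
  # `deploy` and `fips-deploy`. Confirm whether contents: read is enough here.
  deploy-amd64:
    name: Deploy AMD64
    runs-on: ubuntu-latest
    needs: [security-scan, build-amd64]
    if: github.repository_owner == 'mattermost' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) && github.actor != 'dependabot[bot]'
    permissions:
      contents: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push AMD64 image
        run: |
          # Build AMD64 image; it is pushed under a temp tag that the deploy job deletes
          make build-image-amd64-with-tags
          # Retag with temp namespace for later cleanup
          docker tag mattermost-push-proxy:master-amd64 mattermost/mattermost-push-proxy:temp-${GITHUB_SHA}-amd64
          # Push temp AMD64 image
          docker push mattermost/mattermost-push-proxy:temp-${GITHUB_SHA}-amd64

  deploy-arm64:
    name: Deploy ARM64
    runs-on: ubuntu-24.04-arm
    needs: [security-scan, build-arm64]
    if: github.repository_owner == 'mattermost' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) && github.actor != 'dependabot[bot]'
    permissions:
      contents: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push ARM64 image
        run: |
          # Build ARM64 image; it is pushed under a temp tag that the deploy job deletes
          make build-image-arm64-with-tags
          # Retag with temp namespace for later cleanup
          docker tag mattermost-push-proxy:master-arm64 mattermost/mattermost-push-proxy:temp-${GITHUB_SHA}-arm64
          # Push temp ARM64 image
          docker push mattermost/mattermost-push-proxy:temp-${GITHUB_SHA}-arm64

  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    needs: [deploy-amd64, deploy-arm64]
    if: github.repository_owner == 'mattermost' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) && github.actor != 'dependabot[bot]'
    permissions:
      contents: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Create and push multi-arch manifest
        env:
          # Handed to the script through the environment so the secret is never
          # expanded into the script text or a command-line argument.
          DOCKERHUB_CLEANUP_TOKEN: ${{ secrets.DOCKERHUB_CLEANUP_TOKEN }}
        run: |
          # Create multi-platform manifest using commit SHA
          SHORT_SHA=${GITHUB_SHA:0:7}
          docker manifest create mattermost/mattermost-push-proxy:${SHORT_SHA} \
            --amend mattermost/mattermost-push-proxy:temp-${GITHUB_SHA}-amd64 \
            --amend mattermost/mattermost-push-proxy:temp-${GITHUB_SHA}-arm64
          docker manifest push mattermost/mattermost-push-proxy:${SHORT_SHA}
          echo "✅ Clean unified multi-arch tag: mattermost/mattermost-push-proxy:${SHORT_SHA}"
          # Cleanup temp tags using Docker Hub API with org-level cleanup token
          echo "🗑️ Cleaning up temp tags from Docker Hub..."
          # Delete temp tags using Docker Hub API
          TEMP_AMD64_TAG="temp-${GITHUB_SHA}-amd64"
          TEMP_ARM64_TAG="temp-${GITHUB_SHA}-arm64"
          # Get Docker Hub API token using org-level cleanup token.
          # jq builds the JSON body from the environment (escaping the secret)
          # and curl reads the body from stdin.
          DOCKER_HUB_TOKEN=$(jq -n '{username: "matterbuild", password: env.DOCKERHUB_CLEANUP_TOKEN}' \
            | curl -fsS -X POST \
              -H "Content-Type: application/json" \
              --data @- \
              https://hub.docker.com/v2/users/login/ | jq -r .token)
          # -f makes curl exit non-zero on HTTP errors, so the success message
          # is printed only when the delete was accepted. Cleanup stays
          # best-effort: a failure prints the warning and the step continues.
          # Delete AMD64 temp tag
          curl -fsS -X DELETE \
            -H "Authorization: JWT ${DOCKER_HUB_TOKEN}" \
            "https://hub.docker.com/v2/repositories/mattermost/mattermost-push-proxy/tags/${TEMP_AMD64_TAG}/" \
            && echo "✅ Deleted AMD64 temp tag" || echo "⚠️ AMD64 temp tag not found or already deleted"
          # Delete ARM64 temp tag
          curl -fsS -X DELETE \
            -H "Authorization: JWT ${DOCKER_HUB_TOKEN}" \
            "https://hub.docker.com/v2/repositories/mattermost/mattermost-push-proxy/tags/${TEMP_ARM64_TAG}/" \
            && echo "✅ Deleted ARM64 temp tag" || echo "⚠️ ARM64 temp tag not found or already deleted"
          echo "✅ Temp tags cleaned up from Docker Hub"
      - name: Create release
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: make github-release

  fips-deploy-amd64:
    name: FIPS Deploy AMD64
    runs-on: ubuntu-latest
    needs: [fips-security-scan, fips-build-amd64]
    if: github.repository_owner == 'mattermost' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) && github.actor != 'dependabot[bot]'
    permissions:
      contents: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Setup Chainguard Identity
        uses: chainguard-dev/setup-chainctl@c125f765e82b09a42af3185f3214465314d75c5d  # v0.5.0
        with:
          identity: ${{ secrets.CHAINGUARD_IDENTITY }}
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push FIPS AMD64 image
        run: |
          # Build FIPS AMD64 image; it is pushed under a temp tag that fips-deploy deletes
          make build-image-fips-amd64-with-tags
          # Retag with temp namespace for later cleanup
          docker tag mattermost/mattermost-push-proxy-fips:master-amd64 mattermost/mattermost-push-proxy-fips:temp-${GITHUB_SHA}-amd64
          # Push temp FIPS AMD64 image
          docker push mattermost/mattermost-push-proxy-fips:temp-${GITHUB_SHA}-amd64

  fips-deploy-arm64:
    name: FIPS Deploy ARM64
    runs-on: ubuntu-24.04-arm
    needs: [fips-security-scan, fips-build-arm64]
    if: github.repository_owner == 'mattermost' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) && github.actor != 'dependabot[bot]'
    permissions:
      contents: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Setup Chainguard Identity
        uses: chainguard-dev/setup-chainctl@c125f765e82b09a42af3185f3214465314d75c5d  # v0.5.0
        with:
          identity: ${{ secrets.CHAINGUARD_IDENTITY }}
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push FIPS ARM64 image
        run: |
          # Build FIPS ARM64 image; it is pushed under a temp tag that fips-deploy deletes
          make build-image-fips-arm64-with-tags
          # Retag with temp namespace for later cleanup
          docker tag mattermost/mattermost-push-proxy-fips:master-arm64 mattermost/mattermost-push-proxy-fips:temp-${GITHUB_SHA}-arm64
          # Push temp FIPS ARM64 image
          docker push mattermost/mattermost-push-proxy-fips:temp-${GITHUB_SHA}-arm64

  fips-deploy:
    name: FIPS Deploy
    runs-on: ubuntu-latest
    needs: [fips-deploy-amd64, fips-deploy-arm64]
    if: github.repository_owner == 'mattermost' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) && github.actor != 'dependabot[bot]'
    permissions:
      contents: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
      - name: Login to Docker Hub
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
        with:
          username: matterbuild
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Create and push FIPS multi-arch manifest
        env:
          # Handed to the script through the environment so the secret is never
          # expanded into the script text or a command-line argument.
          DOCKERHUB_CLEANUP_TOKEN: ${{ secrets.DOCKERHUB_CLEANUP_TOKEN }}
        run: |
          # Create multi-platform manifest for FIPS using commit SHA
          SHORT_SHA=${GITHUB_SHA:0:7}
          docker manifest create mattermost/mattermost-push-proxy-fips:${SHORT_SHA} \
            --amend mattermost/mattermost-push-proxy-fips:temp-${GITHUB_SHA}-amd64 \
            --amend mattermost/mattermost-push-proxy-fips:temp-${GITHUB_SHA}-arm64
          docker manifest push mattermost/mattermost-push-proxy-fips:${SHORT_SHA}
          echo "✅ Clean unified FIPS multi-arch tag: mattermost/mattermost-push-proxy-fips:${SHORT_SHA}"
          # Cleanup temp FIPS tags using Docker Hub API
          echo "🗑️ Cleaning up temp FIPS tags from Docker Hub..."
          # Delete temp FIPS tags using Docker Hub API
          TEMP_AMD64_TAG="temp-${GITHUB_SHA}-amd64"
          TEMP_ARM64_TAG="temp-${GITHUB_SHA}-arm64"
          # Get Docker Hub API token using org-level cleanup token.
          # jq builds the JSON body from the environment (escaping the secret)
          # and curl reads the body from stdin.
          DOCKER_HUB_TOKEN=$(jq -n '{username: "matterbuild", password: env.DOCKERHUB_CLEANUP_TOKEN}' \
            | curl -fsS -X POST \
              -H "Content-Type: application/json" \
              --data @- \
              https://hub.docker.com/v2/users/login/ | jq -r .token)
          # -f makes curl exit non-zero on HTTP errors, so the success message
          # is printed only when the delete was accepted. Cleanup stays
          # best-effort: a failure prints the warning and the step continues.
          # Delete FIPS AMD64 temp tag
          curl -fsS -X DELETE \
            -H "Authorization: JWT ${DOCKER_HUB_TOKEN}" \
            "https://hub.docker.com/v2/repositories/mattermost/mattermost-push-proxy-fips/tags/${TEMP_AMD64_TAG}/" \
            && echo "✅ Deleted FIPS AMD64 temp tag" || echo "⚠️ FIPS AMD64 temp tag not found or already deleted"
          # Delete FIPS ARM64 temp tag
          curl -fsS -X DELETE \
            -H "Authorization: JWT ${DOCKER_HUB_TOKEN}" \
            "https://hub.docker.com/v2/repositories/mattermost/mattermost-push-proxy-fips/tags/${TEMP_ARM64_TAG}/" \
            && echo "✅ Deleted FIPS ARM64 temp tag" || echo "⚠️ FIPS ARM64 temp tag not found or already deleted"
          echo "✅ Temp FIPS tags cleaned up from Docker Hub"
      - name: Create FIPS release
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: make github-release-fips
      - name: Cleanup
        run: make clean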