diff --git a/.github/workflows/docker_build_deploy.yml b/.github/workflows/docker_build_deploy.yml index 1ba06ad0266..3793b9a0101 100644 --- a/.github/workflows/docker_build_deploy.yml +++ b/.github/workflows/docker_build_deploy.yml 
@@ -1,67 +1,95 @@ -name: Build Docker image and publish +name: Build Docker image and publish to GAR permissions: {} on: push: - branches: [ main ] + branches: + - main + tags: + - "*" + jobs: - push_to_registry: - name: Push Docker image to Docker Hub + build_and_push_to_gar: + # Define permissions at the job level + permissions: + contents: "read" # Needed for checkout + id-token: "write" # Needed for GCP auth + packages: "none" # Explicitly disable package permissions + name: Build and Push Docker image to GAR runs-on: ubuntu-latest + environment: build + env: + GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }} # Base name for GAR image + GAR_REGISTRY: us-docker.pkg.dev steps: - name: Check out the repo uses: actions/checkout@v6 with: persist-credentials: false - - name: Log in to Docker Hub + - name: Authenticate to Google Cloud + id: gcp-auth + uses: google-github-actions/auth@v3 + with: + token_format: access_token + workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }} + service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }} + + - name: Login to Artifact Registry + id: gar-login uses: docker/login-action@v3 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + registry: ${{ env.GAR_REGISTRY }} + username: oauth2accesstoken + password: ${{ steps.gcp-auth.outputs.access_token }} - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@v5 with: - images: mozilla/blurts-server + # Only generate the image name for GAR + images: ${{ env.GAR_IMAGE_BASE }} tags: | - type=semver,pattern={{raw}} - type=raw,value={{sha}},event=tag + # Generate tag based on short commit SHA + type=sha,format=short,prefix= - name: Create version.json run: | + # Use full sha here for version.json content echo "{\"commit\":\"$GITHUB_SHA\",\"version\":\"$GITHUB_REF_NAME\",\"source\":\"https://github.com/$GITHUB_REPOSITORY\",\"build\":\"$GITHUB_RUN_ID\"}" > version.json - - 
name: Check Docker Version - run: docker --version - - name: Install Latest Docker - run: | - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" - sudo apt-get update - sudo apt-get install docker-ce + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 - - name: Build Docker image + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and push Docker image to GAR + id: build-and-push env: - UPLOAD_SENTRY_SOURCEMAPS: true - SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} - SENTRY_RELEASE: ${{ github.ref_name }} - NEXT_PUBLIC_SENTRY_DSN: ${{ secrets.SENTRY_DSN }} - S3_BUCKET: ${{ secrets.S3_BUCKET }} - run: | - docker build --tag blurts-server \ - --build-arg SENTRY_RELEASE="$SENTRY_RELEASE" \ - --build-arg NEXT_PUBLIC_SENTRY_DSN="$NEXT_PUBLIC_SENTRY_DSN" \ - --secret id=SENTRY_AUTH_TOKEN \ - . + TAGS: ${{ steps.meta.outputs.tags }} + uses: docker/build-push-action@v6 + with: + context: . + # Push is true to push to GAR after build + push: true + # Tags generated by the metadata action (only GAR tag) + tags: ${{ env.TAGS }} + # Pass build arguments + build-args: | + SENTRY_RELEASE=${{ github.sha }} + NEXT_PUBLIC_SENTRY_DSN=${{ secrets.SENTRY_DSN }} + # Pass secrets securely to the build + secrets: | + SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }} + # Enable build cache for faster builds (optional but recommended) + cache-from: type=gha + cache-to: type=gha,mode=max - - name: Deploy to Dockerhub + - name: Print Image URI env: - DOCKERHUB_REPO: ${{ env.DOCKERHUB_REPO }} TAGS: ${{ steps.meta.outputs.tags }} run: | - # deploy main - docker tag blurts-server $TAGS - docker push $TAGS + echo "Pushed GAR image: $TAGS" diff --git a/.github/workflows/docker_build_deploy_v2.yml b/.github/workflows/docker_build_deploy_v2.yml deleted file mode 100644 index 33310f7cbdb..00000000000 
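Review bot: The new `tags: - "*"` trigger on this workflow means a tag push now starts both `build_and_push_to_gar` and the `retag-and-push-gar` job in `release_retag.yaml` (same `push: tags: '*'` trigger, visible later in this diff), and both operate on the same short-SHA tag in GAR: this job re-pushes `GAR_IMAGE_BASE:<sha>` while the retag job pulls it and re-tags it with the release name, so the release tag may land on a digest from the second build rather than the image already pushed from `main`. Consider dropping the `tags:` trigger here (the retag job only needs the image the `main` push already produced), or, if tag builds are wanted, resolving the short-SHA tag to a digest in the retag job before re-tagging; a shared `concurrency` group keyed on `github.sha` would serialize the two jobs but does not by itself guarantee order. Separately, the newly added actions (`google-github-actions/auth@v3`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`) are pinned to mutable major tags in a job that holds `id-token: write` and a WIF-backed service account; pinning them to full commit SHAs (`uses: owner/repo@<sha> # v3`) limits the blast radius of a compromised or re-pointed action tag. The `NEXT_PUBLIC_SENTRY_DSN` build-arg is sourced from `secrets.SENTRY_DSN` but, as a build-arg, it is recorded in the image config/history; that is presumably fine for a value intended to be public, but it would then be clearer as a `vars.` entry than a masked secret.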
--- a/.github/workflows/docker_build_deploy_v2.yml +++ /dev/null 
@@ -1,96 +0,0 @@ -name: Build Docker image and publish to GAR - -permissions: {} - -on: - push: - branches: - - main - tags: - - "*" - -jobs: - build_and_push_to_gar: - # Define permissions at the job level - permissions: - contents: "read" # Needed for checkout - id-token: "write" # Needed for GCP auth - packages: "none" # Explicitly disable package permissions - name: Build and Push Docker image to GAR - runs-on: ubuntu-latest - environment: build - env: - GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }} # Base name for GAR image - GAR_REGISTRY: us-docker.pkg.dev - steps: - - name: Check out the repo - uses: actions/checkout@v6 - with: - persist-credentials: false - - - name: Authenticate to Google Cloud - id: gcp-auth - uses: google-github-actions/auth@v3 - with: - token_format: access_token - workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }} - - - name: Login to Artifact Registry - id: gar-login - uses: docker/login-action@v3 - with: - registry: ${{ env.GAR_REGISTRY }} - username: oauth2accesstoken - password: ${{ steps.gcp-auth.outputs.access_token }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v5 - with: - # Only generate the image name for GAR - images: ${{ env.GAR_IMAGE_BASE }} - tags: | - # Generate tag based on short commit SHA - type=sha,format=short,prefix= - - - name: Create version.json - run: | - # Use full sha here for version.json content - echo "{\"commit\":\"$GITHUB_SHA\",\"version\":\"$GITHUB_REF_NAME\",\"source\":\"https://github.com/$GITHUB_REPOSITORY\",\"build\":\"$GITHUB_RUN_ID\"}" > version.json - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - - name: Build and push Docker image to GAR - id: build-and-push - env: - TAGS: ${{ steps.meta.outputs.tags }} - uses: 
docker/build-push-action@v6 - with: - context: . - # Push is true to push to GAR after build - push: true - # Tags generated by the metadata action (only GAR tag) - tags: ${{ env.TAGS }} - # Pass build arguments - build-args: | - SENTRY_RELEASE=${{ github.sha }} - NEXT_PUBLIC_SENTRY_DSN=${{ secrets.SENTRY_DSN }} - SENTRY_DSN=${{ secrets.SENTRY_DSN }} - # Pass secrets securely to the build - secrets: | - SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }} - # Enable build cache for faster builds (optional but recommended) - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Print Image URI - env: - TAGS: ${{ steps.meta.outputs.tags }} - run: | - echo "Pushed GAR image: $TAGS" diff --git a/.github/workflows/production_deploy.yml b/.github/workflows/production_deploy.yml index 215b6ea97fe..04a47165272 100644 --- a/.github/workflows/production_deploy.yml +++ b/.github/workflows/production_deploy.yml @@ -39,12 +39,6 @@ jobs: uses: actions/checkout@v6 with: persist-credentials: false - - - name: Log in to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - name: Authenticate to Google Cloud id: gcp-auth @@ -62,15 +56,6 @@ jobs: username: oauth2accesstoken password: ${{ steps.gcp-auth.outputs.access_token }} - - name: Pull Docker Hub image - run: docker pull "$DOCKERHUB_IMAGE:$SAFE_IMAGE_TAG" - - - name: Retag Docker Hub image - run: docker tag "$DOCKERHUB_IMAGE:$SAFE_IMAGE_TAG" "$DOCKERHUB_IMAGE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG" - - - name: Push Docker Hub image - run: docker push "$DOCKERHUB_IMAGE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG" - - name: Pull GAR image run: docker pull "$GAR_IMAGE_BASE:$SAFE_IMAGE_TAG" diff --git a/.github/workflows/release_cron_daily.yml b/.github/workflows/release_cron_daily.yml index 4323bed789a..f4d38fb2dcd 100644 --- a/.github/workflows/release_cron_daily.yml +++ b/.github/workflows/release_cron_daily.yml 
@@ -17,7 +17,6 @@ jobs: env: GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }} GAR_REGISTRY: us-docker.pkg.dev - DOCKERHUB_IMAGE: mozilla/blurts-server # Define Docker Hub image name steps: - name: Checkout main branch @@ -50,16 +49,6 @@ jobs: "generate_release_notes": true }' - # We cannot rely on the release_retag.yaml workflow because of the - # auth scope of the default github token. It's a good security practice - # to prevent a github action being triggered by another. - # So we will deliberately push to dockerhub below - - name: Log in to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - name: Authenticate to Google Cloud id: gcp-auth uses: google-github-actions/auth@v3 @@ -80,22 +69,17 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.DOCKERHUB_IMAGE }} - tags: type=sha,format=short,prefix= + # Use the GAR image base + images: ${{ env.GAR_IMAGE_BASE }} + tags: | + # Only generate the tag based on short commit SHA + type=sha,format=short,prefix= - name: Pull Docker image from GAR with commit tag env: VERSION: ${{ steps.meta.outputs.version }} run: docker pull ${{ env.GAR_IMAGE_BASE }}:$VERSION - - name: Tag Docker image for Docker Hub with release tag - env: - VERSION: ${{ steps.meta.outputs.version }} - run: docker tag ${{ env.GAR_IMAGE_BASE }}:$VERSION ${{ env.DOCKERHUB_IMAGE }}:${{ env.CURRENT_DATE }} - - - name: Push Docker image to Docker Hub with release tag - run: docker push ${{ env.DOCKERHUB_IMAGE }}:${{ env.CURRENT_DATE }} - - name: Tag Docker image for GAR with release tag env: VERSION: ${{ steps.meta.outputs.version }} diff --git a/.github/workflows/release_retag.yaml b/.github/workflows/release_retag.yaml index 27a2c1b8717..c2306d76139 100644 --- a/.github/workflows/release_retag.yaml +++ b/.github/workflows/release_retag.yaml 
@@ -1,45 +1,83 @@ -name: Retag and Push Docker Image on Release +name: Retag and Push GAR Image on Release permissions: {} -# GH release should always create a tag automatically on: push: tags: - '*' jobs: - retag-and-push: + retag-and-push-gar: + permissions: + contents: "read" # Needed for checkout + id-token: "write" # Needed for GCP auth + packages: "none" # Explicitly disable package permissions + name: Retag and Push GAR image runs-on: ubuntu-latest - + environment: build + env: + GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }} steps: - name: Check out the repo uses: actions/checkout@v6 with: - persist-credentials: false + persist-credentials: false # Not strictly needed for retagging, but good practice + + - name: Authenticate to Google Cloud + id: gcp-auth + uses: google-github-actions/auth@v3 + with: + token_format: access_token + workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }} + service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }} - - name: Log in to Docker Hub + - name: Login to Artifact Registry + id: gar-login uses: docker/login-action@v3 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + registry: us-docker.pkg.dev + username: oauth2accesstoken + password: ${{ steps.gcp-auth.outputs.access_token }} - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@v5 with: - images: mozilla/blurts-server - tags: type=sha,format=short,prefix= + # Use the GAR image base + images: ${{ env.GAR_IMAGE_BASE }} + tags: | + # Only generate the tag based on short commit SHA + type=sha,format=short,prefix= + + - name: Determine Release-tagged image name + id: release_tag_info + run: echo "name=${{ env.GAR_IMAGE_BASE }}:${{ github.ref_name }}" >> $GITHUB_OUTPUT - - name: Pull Docker image with commit tag + - name: Pull Docker image with commit tag from GAR env: TAGS: ${{ steps.meta.outputs.tags }} - run: docker pull $TAGS + run: | + echo 
"Pulling $TAGS" + docker pull $TAGS - name: Tag Docker image with release tag env: TAGS: ${{ steps.meta.outputs.tags }} - run: docker tag $TAGS mozilla/blurts-server:${{ github.ref_name }} + NAME: ${{ steps.release_tag_info.outputs.name }} + run: | + echo "Tagging $TAGS as $NAME" + docker tag $TAGS $NAME - - name: Push Docker image with release tag - run: docker push mozilla/blurts-server:${{ github.ref_name }} + - name: Push Docker image with release tag to GAR + env: + NAME: ${{ steps.release_tag_info.outputs.name }} + run: | + echo "Pushing $NAME" + docker push $NAME + + - name: Print Image URI + env: + NAME: ${{ steps.release_tag_info.outputs.name }} + run: | + echo "Retagged and pushed GAR image: $NAME" diff --git a/.github/workflows/release_retag_v2.yaml b/.github/workflows/release_retag_v2.yaml deleted file mode 100644 index 0dd0fc1837b..00000000000 --- a/.github/workflows/release_retag_v2.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -name: Retag and Push GAR Image on Release v2 - -permissions: {} - -on: - push: - tags: - - '*' - -jobs: - retag-and-push-gar: - permissions: - contents: "read" # Needed for checkout - id-token: "write" # Needed for GCP auth - packages: "none" # Explicitly disable package permissions - name: Retag and Push GAR image - runs-on: ubuntu-latest - environment: build - env: - GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }} - steps: - - name: Check out the repo - uses: actions/checkout@v6 - with: - persist-credentials: false # Not strictly needed for retagging, but good practice - - - name: Authenticate to Google Cloud - id: gcp-auth - uses: google-github-actions/auth@v3 - with: - token_format: access_token - workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }} - - - name: Login to Artifact Registry - id: gar-login - uses: docker/login-action@v3 - with: - registry: us-docker.pkg.dev - username: oauth2accesstoken - password: ${{ steps.gcp-auth.outputs.access_token }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v5 - with: - # Use the GAR image base - images: ${{ env.GAR_IMAGE_BASE }} - tags: | - # Only generate the tag based on short commit SHA - type=sha,format=short,prefix= - - - name: Determine Release-tagged image name - id: release_tag_info - run: echo "name=${{ env.GAR_IMAGE_BASE }}:${{ github.ref_name }}" >> $GITHUB_OUTPUT - - - name: Pull Docker image with commit tag from GAR - env: - TAGS: ${{ steps.meta.outputs.tags }} - run: | - echo "Pulling $TAGS" - docker pull $TAGS - - - name: Tag Docker image with release tag - env: - TAGS: ${{ steps.meta.outputs.tags }} - NAME: ${{ steps.release_tag_info.outputs.name }} - run: | - echo "Tagging $TAGS as $NAME" - docker tag $TAGS $NAME - - - name: Push Docker image with release tag to GAR - env: - NAME: ${{ steps.release_tag_info.outputs.name }} - 
run: | - echo "Pushing $NAME" - docker push $NAME - - - name: Print Image URI - env: - NAME: ${{ steps.release_tag_info.outputs.name }} - run: | - echo "Retagged and pushed GAR image: $NAME"