mozilla · kschelonka · Jan 13, 2026 · Dec 18, 2025 · Jan 13, 2026
diff --git a/.github/workflows/docker_build_deploy.yml b/.github/workflows/docker_build_deploy.yml
@@ -1,67 +1,95 @@
-name: Build Docker image and publish
+name: Build Docker image and publish to GAR
 
 permissions: {}
 
 on:
   push:
-    branches: [ main ]
+    branches:
+      - main
+    tags:
+      - "*"
+
 jobs:
-  push_to_registry:
-    name: Push Docker image to Docker Hub
+  build_and_push_to_gar:
+    # Define permissions at the job level
+    permissions:
+      contents: "read" # Needed for checkout
+      id-token: "write" # Needed for GCP auth
+      packages: "none" # Explicitly disable package permissions
+    name: Build and Push Docker image to GAR
     runs-on: ubuntu-latest
+    environment: build
+    env:
+      GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }} # Base name for GAR image
+      GAR_REGISTRY: us-docker.pkg.dev
     steps:
       - name: Check out the repo
         uses: actions/checkout@v6
         with:
           persist-credentials: false
 
-      - name: Log in to Docker Hub
+      - name: Authenticate to Google Cloud
+        id: gcp-auth
+        uses: google-github-actions/auth@v3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }}
+
+      - name: Login to Artifact Registry
+        id: gar-login
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          registry: ${{ env.GAR_REGISTRY }}
+          username: oauth2accesstoken
+          password: ${{ steps.gcp-auth.outputs.access_token }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: mozilla/blurts-server
+          # Only generate the image name for GAR
+          images: ${{ env.GAR_IMAGE_BASE }}
           tags: |
-            type=semver,pattern={{raw}}
-            type=raw,value={{sha}},event=tag
+            # Generate tag based on short commit SHA
+            type=sha,format=short,prefix=
 
       - name: Create version.json
         run: |
+          # Use full sha here for version.json content
           echo "{\"commit\":\"$GITHUB_SHA\",\"version\":\"$GITHUB_REF_NAME\",\"source\":\"https://github.com/$GITHUB_REPOSITORY\",\"build\":\"$GITHUB_RUN_ID\"}" > version.json
 
-      - name: Check Docker Version
-        run: docker --version
-      - name: Install Latest Docker
-        run: |
-          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
-          sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu  $(lsb_release -cs)  stable"
-          sudo apt-get update
-          sudo apt-get install docker-ce
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
 
-      - name: Build Docker image
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Docker image to GAR
+        id: build-and-push
         env:
-          UPLOAD_SENTRY_SOURCEMAPS: true
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_RELEASE: ${{ github.ref_name }}
-          NEXT_PUBLIC_SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-          S3_BUCKET: ${{ secrets.S3_BUCKET }}
-        run: |
-          docker build --tag blurts-server \
-            --build-arg SENTRY_RELEASE="$SENTRY_RELEASE" \
-            --build-arg NEXT_PUBLIC_SENTRY_DSN="$NEXT_PUBLIC_SENTRY_DSN" \
-            --secret id=SENTRY_AUTH_TOKEN \
-            .
+          TAGS: ${{ steps.meta.outputs.tags }}
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          # Push is true to push to GAR after build
+          push: true
+          # Tags generated by the metadata action (only GAR tag)
+          tags: ${{ env.TAGS }}
+          # Pass build arguments
+          build-args: |
+            SENTRY_RELEASE=${{ github.sha }}
+            NEXT_PUBLIC_SENTRY_DSN=${{ secrets.SENTRY_DSN }}
+          # Pass secrets securely to the build
+          secrets: |
+            SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
+          # Enable build cache for faster builds (optional but recommended)
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      - name: Deploy to Dockerhub
+      - name: Print Image URI
         env:
-          DOCKERHUB_REPO: ${{ env.DOCKERHUB_REPO }}
           TAGS: ${{ steps.meta.outputs.tags }}
         run: |
-          # deploy main
-          docker tag blurts-server $TAGS
-          docker push $TAGS
+          echo "Pushed GAR image: $TAGS"
diff --git a/.github/workflows/docker_build_deploy_v2.yml b/.github/workflows/docker_build_deploy_v2.yml
diff --git a/.github/workflows/production_deploy.yml b/.github/workflows/production_deploy.yml
@@ -39,12 +39,6 @@ jobs:
         uses: actions/checkout@v6
         with:
           persist-credentials: false
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Authenticate to Google Cloud
         id: gcp-auth
@@ -62,15 +56,6 @@ jobs:
           username: oauth2accesstoken
           password: ${{ steps.gcp-auth.outputs.access_token }}
 
-      - name: Pull Docker Hub image
-        run: docker pull "$DOCKERHUB_IMAGE:$SAFE_IMAGE_TAG"
-
-      - name: Retag Docker Hub image
-        run: docker tag "$DOCKERHUB_IMAGE:$SAFE_IMAGE_TAG" "$DOCKERHUB_IMAGE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"
-
-      - name: Push Docker Hub image
-        run: docker push "$DOCKERHUB_IMAGE:$SAFE_ENVIRONMENT-$SAFE_IMAGE_TAG"
-
       - name: Pull GAR image
         run: docker pull "$GAR_IMAGE_BASE:$SAFE_IMAGE_TAG"
 

diff --git a/.github/workflows/release_cron_daily.yml b/.github/workflows/release_cron_daily.yml
@@ -17,7 +17,6 @@ jobs:
     env:
       GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }}
       GAR_REGISTRY: us-docker.pkg.dev
-      DOCKERHUB_IMAGE: mozilla/blurts-server # Define Docker Hub image name
 
     steps:
     - name: Checkout main branch
@@ -50,16 +49,6 @@ jobs:
             "generate_release_notes": true
           }'
 
-    # We cannot rely on the release_retag.yaml workflow because of the
-    # auth scope of the default github token. It's a good security practice
-    # to prevent a github action being triggered by another.
-    # So we will deliberately push to dockerhub below
-    - name: Log in to Docker Hub
-      uses: docker/login-action@v3
-      with:
-        username: ${{ secrets.DOCKER_USERNAME }}
-        password: ${{ secrets.DOCKER_PASSWORD }}
-
     - name: Authenticate to Google Cloud
       id: gcp-auth
       uses: google-github-actions/auth@v3
@@ -80,22 +69,17 @@ jobs:
       id: meta
       uses: docker/metadata-action@v5
       with:
-        images: ${{ env.DOCKERHUB_IMAGE }}
-        tags: type=sha,format=short,prefix=
+        # Use the GAR image base
+        images: ${{ env.GAR_IMAGE_BASE }}
+        tags: |
+          # Only generate the tag based on short commit SHA
+          type=sha,format=short,prefix=
 
     - name: Pull Docker image from GAR with commit tag
       env:
         VERSION: ${{ steps.meta.outputs.version }}
       run: docker pull ${{ env.GAR_IMAGE_BASE }}:$VERSION
 
-    - name: Tag Docker image for Docker Hub with release tag
-      env:
-        VERSION: ${{ steps.meta.outputs.version }}
-      run: docker tag ${{ env.GAR_IMAGE_BASE }}:$VERSION ${{ env.DOCKERHUB_IMAGE }}:${{ env.CURRENT_DATE }}
-
-    - name: Push Docker image to Docker Hub with release tag
-      run: docker push ${{ env.DOCKERHUB_IMAGE }}:${{ env.CURRENT_DATE }}
-
     - name: Tag Docker image for GAR with release tag
       env:
         VERSION: ${{ steps.meta.outputs.version }}