fxa/.github/workflows/docker.yml at 2fac79702080a20b3a72d7038799a5cdf0aa976f · mozilla/fxa · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: Docker

on:
  check_run:
    types:
      - completed
  workflow_dispatch:
    inputs:
      git_tag:
        type: string
        required: true

jobs:
  tag:
    name: Determine tag to build
    runs-on: ubuntu-latest
    permissions: {}
    outputs:
      TAG: ${{ steps.determine.outputs.tag }}
    if: |
      github.event_name == 'workflow_dispatch'
      || (
        github.event_name == 'check_run'
        && github.event.check_run.conclusion == 'success'
        && github.event.check_run.app.client_id == 'Iv1.44befee49e3e76a4'
        && github.event.check_run.name == 'test_and_deploy_tag'
      )
    env:
      CIRCLECI_EXTERNAL_ID: ${{ github.event.check_run.external_id }}
      GIT_TAG: ${{ inputs.git_tag }}
    steps:
      - id: determine
        run: |
          tag=""

          # Use the provided git tag
          if [[ "${GITHUB_EVENT_NAME:-}" == "workflow_dispatch" && "${GIT_TAG:-}" != "" ]]; then
            tag="${GIT_TAG}"
          elif [[ "${GITHUB_EVENT_NAME:-}" == "check_run" ]]; then
            CIRCLECI_WORKFLOW_ID=$(echo "${CIRCLECI_EXTERNAL_ID}" | jq -r '."workflow-id"')
            CIRCLECI_WORKFLOW_DATA=$(curl "https://circleci.com/api/v2/workflow/${CIRCLECI_WORKFLOW_ID}")
            CIRCLECI_PIPELINE_ID=$(echo "${CIRCLECI_WORKFLOW_DATA}" | jq -r '.pipeline_id')
            CIRCLECI_PIPELINE_DATA=$(curl "https://circleci.com/api/v2/pipeline/${CIRCLECI_PIPELINE_ID}")
            TAG=$(echo "${CIRCLECI_PIPELINE_DATA}" | jq -r '.vcs.tag')
            if [[ "${TAG}" != "" ]]; then
              tag="${TAG}"
            fi
          fi

          if [[ "${tag}" =~ ^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-rc[0-9]+)?$ ]]; then
            echo "tag=${tag}" >> "$GITHUB_OUTPUT"
            echo "Trigger docker build & push on ${GITHUB_EVENT_NAME} and found tag ${tag}" >> "$GITHUB_STEP_SUMMARY"
            exit 0
          else
            echo "Cannot determine valid tag"
            echo "Trigger docker build & push on ${GITHUB_EVENT_NAME} and cannot determine tag" >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi

  docker:
    name: Docker build and push to GAR
    runs-on: ubuntu-latest
    environment: build
    permissions:
      contents: read
      id-token: write
    env:
      GAR_LOCATION: us
      GAR_REPOSITORY: fxa-prod
      GCP_PROJECT_ID: moz-fx-fxa-prod
      IMAGE: fxa-mono
      RUN_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
      GIT_TAG: ${{ needs.tag.outputs.TAG }}
    needs:
      - tag
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ env.GIT_TAG }}

      - name: Verify tag checkout and commit
        shell: bash
        run: |
          set -euo pipefail
          echo "GIT_TAG=${GIT_TAG}"
          echo "GITHUB_SHA=${GITHUB_SHA}"
          echo "Checked out HEAD=$(git rev-parse HEAD)"
          git describe --tags --exact-match | grep -Fx "$GIT_TAG"
          git show -s --format='%H %D' HEAD

      - uses: actions/setup-node@v6
        with:
          cache: yarn

      - run: ./_scripts/l10n/clone.sh

      - run: ./.circleci/base-install.sh

      - run: ./_scripts/create-version-json.sh

      - name: Show generated version.json (sanity check)
        shell: bash
        run: |
          set -euo pipefail
          echo "packages/version.json:"
          cat ./packages/version.json
          echo
          echo "apps/version.json:"
          cat ./apps/version.json

      - uses: docker/setup-buildx-action@v3

      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY}}/${{ env.IMAGE}}
            ${{ vars.DOCKERHUB_REPOSITORY }}
          tags: |
            type=raw,${{ env.GIT_TAG }}

      - id: gcp-auth
        uses: google-github-actions/auth@v3
        with:
          token_format: 'access_token'
          service_account: artifact-writer@${{ env.GCP_PROJECT_ID}}.iam.gserviceaccount.com
          workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}

      - id: dockerhub-auth
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - uses: docker/login-action@v3
        with:
          registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.gcp-auth.outputs.access_token }}

      - id: build-and-push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: _dev/docker/mono/Dockerfile
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          push: true