dev: publish images to ghcr on merge to main (#968)

tefkah · web-flow · commit 3a613681c762 · 2025-02-12T16:39:25.000+01:00
* dev: push images to ghcr on main

* dev: add same thing to on_pr as test

* fix: require secrets

* fix: swap order (duh)

* fix: REALLY fix the credentials

* fix: remove on_pr

* fix: push to ecr on build completion instead

* fix: pass variables

* temp: run publish on pr for test

* fix: actually login to ghcr

* chore: remove on_pr publishing to ghcr bc of succesful test-n
diff --git a/.github/workflows/ecrbuild-all.yml b/.github/workflows/ecrbuild-all.yml
@@ -9,6 +9,20 @@ on:
                 required: true
             AWS_SECRET_ACCESS_KEY:
                 required: true
+        inputs:
+            publish_to_ghcr:
+                type: boolean
+                default: false
+        outputs:
+            core-image:
+                description: "Core image SHA"
+                value: ${{ jobs.build-core.outputs.image-sha}}
+            base-image:
+                description: "Base image SHA"
+                value: ${{ jobs.build-base.outputs.image-sha }}
+            jobs-image:
+                description: "Jobs image SHA"
+                value: ${{ jobs.build-jobs.outputs.image-sha }}
 
 jobs:
     emit-sha-tag:
@@ -26,6 +40,9 @@ jobs:
 
     build-base:
         uses: ./.github/workflows/ecrbuild-template.yml
+        with:
+            publish_to_ghcr: ${{ inputs.publish_to_ghcr }}
+            ghcr_image_name: platform-migrations
         secrets:
             AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
             AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -36,6 +53,8 @@ jobs:
         #   - build-base
         with:
             package: core
+            publish_to_ghcr: ${{ inputs.publish_to_ghcr }}
+            ghcr_image_name: platform
             # we require a bigger lad
             # We are now public, default public runner is big enough
             # runner: ubuntu-latest-m
@@ -50,6 +69,8 @@ jobs:
         with:
             package: jobs
             target: jobs
+            publish_to_ghcr: ${{ inputs.publish_to_ghcr }}
+            ghcr_image_name: platform-jobs
         secrets:
             AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
             AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
diff --git a/.github/workflows/ecrbuild-template.yml b/.github/workflows/ecrbuild-template.yml
@@ -12,6 +12,16 @@ on:
                 default: ubuntu-latest
             target:
                 type: string
+            publish_to_ghcr:
+                type: boolean
+                default: false
+            ghcr_image_name:
+                type: string
+                required: false
+        outputs:
+            image-sha:
+                description: "Image SHA"
+                value: ${{ jobs.build.outputs.image-sha }}
         secrets:
             AWS_ACCESS_KEY_ID:
                 required: true
@@ -28,6 +38,8 @@ jobs:
     build:
         name: Build
         runs-on: ${{ inputs.runner }}
+        outputs:
+            image-sha: ${{ steps.label.outputs.label }}
 
         steps:
             - name: Checkout
@@ -45,6 +57,13 @@ jobs:
               id: login-ecr
               uses: aws-actions/amazon-ecr-login@v2
 
+            - name: Login to GitHub Container Registry
+              uses: docker/login-action@v3
+              with:
+                  registry: ghcr.io
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
               # necessary in order to upload build source maps to sentry
             - name: Get sentry token
               id: sentry-token
@@ -75,6 +94,16 @@ jobs:
                     echo "target=${TARGET:-next-app-${PACKAGE}}" >> $GITHUB_OUTPUT
                   fi
                   echo "label=$ECR_REGISTRY/$ECR_REPOSITORY_PREFIX$package_suffix:$sha_short" >> $GITHUB_OUTPUT
+                  if [[ ${{ inputs.publish_to_ghcr }} == "true" && -n ${{ inputs.ghcr_image_name }} ]]
+                  then
+                    TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+
+                    echo "ghcr_latest_label=ghcr.io/pubpub/${{ inputs.ghcr_image_name }}:latest" >> $GITHUB_OUTPUT
+
+                    echo "ghcr_sha_label=ghcr.io/pubpub/${{ inputs.ghcr_image_name }}:$sha_short" >> $GITHUB_OUTPUT
+
+                    echo "ghcr_timestamp_label=ghcr.io/pubpub/${{ inputs.ghcr_image_name }}:$TIMESTAMP" >> $GITHUB_OUTPUT
+                  fi
 
             - name: Check if SENTRY_AUTH_TOKEN is set
               run: |
@@ -103,6 +132,10 @@ jobs:
                   secrets: |
                       SENTRY_AUTH_TOKEN=${{ env.SENTRY_AUTH_TOKEN }}
                   target: ${{ steps.label.outputs.target }}
-                  tags: ${{ steps.label.outputs.label }}
+                  tags: |
+                      ${{ steps.label.outputs.label }}
+                      ${{ steps.label.outputs.ghcr_latest_label }}
+                      ${{ steps.label.outputs.ghcr_sha_label }}
+                      ${{ steps.label.outputs.ghcr_timestamp_label }}
                   platforms: linux/amd64
                   push: true
diff --git a/.github/workflows/on_main.yml b/.github/workflows/on_main.yml
@@ -14,6 +14,8 @@ jobs:
     build-all:
         needs: ci
         uses: ./.github/workflows/ecrbuild-all.yml
+        with:
+            publish_to_ghcr: true
         secrets:
             AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
             AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
@@ -14,6 +14,7 @@ env:
 jobs:
     ci:
         uses: ./.github/workflows/ci.yml
+
     build-all:
         uses: ./.github/workflows/ecrbuild-all.yml
         secrets:
