Bump cryptography from 45.0.6 to 46.0.5 (#37) #43
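# Builds the container image on every push to main, pushes it to AWS ECR and
# then asks the deployments repository to roll it out to staging.
name: Build image from main and deploy to staging

on:
  push:
    branches:
      - main

jobs:
  # Computes the image tags that the build and deploy jobs consume.
  prepare-variables:
    runs-on: ubuntu-24.04
    timeout-minutes: 5
    permissions:
      contents: read
    outputs:
      image_tag: ${{ steps.prepare-variables.outputs.IMAGE_TAG }}
      ecr_tags: ${{ steps.prepare-variables.outputs.ECR_TAGS }}
    steps:
      # Required by prepare-variables (it runs `git rev-parse` on the checkout).
      # NOTE(review): referenced by a mutable tag, while the other actions in
      # this file are pinned to a full commit SHA; pin this one the same way.
      - uses: actions/checkout@v6
        with:
          # This job only reads the local HEAD commit, so the job token does
          # not need to stay in the checkout's git configuration.
          persist-credentials: false
      - name: Prepare variables
        id: prepare-variables
        env:
          # github.ref_name = plain (no prefix) branch name that
          # triggered the workflow (e.g. "main", "v1.2.3").
          # We are passing it through env to prevent script injection via crafted
          # branch names (e.g. a branch named `; rm -rf /` would be interpolated
          # directly into the shell script if using ${{ }} inline).
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -u
          image_tag_unique="${REF_NAME}-$(git rev-parse --short HEAD)"
          ecr_tags="${image_tag_unique},${REF_NAME}-latest"
          echo "IMAGE_TAG=${image_tag_unique}" >> "$GITHUB_OUTPUT"
          echo "ECR_TAGS=${ecr_tags}" >> "$GITHUB_OUTPUT"

  # Delegates the multi-platform build and the ECR push to a reusable
  # workflow that is pinned to a commit SHA.
  build-push:
    needs: [prepare-variables]
    uses: saleor/saleor-internal-actions/.github/workflows/build-push-image-multi-platform.yaml@9c7a814c011945f26f0aa1191fc9c62de45477c2 # v1.7.0
    permissions:
      contents: read
      id-token: write # needed for AWS/ECR login
      packages: write # needed for GHCR (not used, but required permission)
    with:
      tags: ${{ needs.prepare-variables.outputs.ecr_tags }}
      enable-aws-ecr: true
      aws-ecr-region: eu-west-1
    secrets:
      oci-full-repository: ${{ secrets.AWS_ECR_ACCOUNT }}.dkr.ecr.eu-west-1.amazonaws.com/${{ secrets.ECR_REPOSITORY }}
      aws-ecr-role-to-assume: arn:aws:iam::${{ secrets.AWS_STAGING_ACCOUNT_ID }}:role/${{ secrets.AWS_APPS_SALEOR_MCP_STAGING_CICD_ROLE_NAME }}
      aws-ecr-registries: ${{ secrets.AWS_ECR_ACCOUNT }}

  # Sends a dispatch event carrying the new image tag to the deployments
  # repository.
  deploy:
    needs: [prepare-variables, build-push]
    runs-on: ubuntu-24.04
    # Bounded like prepare-variables: the job only requests a token and makes
    # one API call, so it should not hold that token for long.
    timeout-minutes: 5
    # The workflow's own GITHUB_TOKEN gets no scopes here; the dispatch below
    # authenticates with the token returned by the get-token step instead.
    permissions: {}
    steps:
      - name: Get Token
        id: get-token
        uses: saleor/saleor-internal-actions/request-vault-token@6a0fa7c073b3857a11d414f25a149065fe5a0fcf # v1.4.0
        with:
          vault-url: ${{ secrets.VAULT_URL }}
          vault-jwt: ${{ secrets.VAULT_JWT }}
      - name: Trigger staging deployment
        env:
          GITHUB_TOKEN: ${{ steps.get-token.outputs.token }}
          # Passed through env and handed to jq with --arg, so the tag is never
          # interpolated into the shell script or into the JSON text.
          IMAGE_TAG: ${{ needs.prepare-variables.outputs.image_tag }}
        run: |
          set -u
          # Refuse to dispatch a deployment without an image tag.
          : "${IMAGE_TAG:?IMAGE_TAG is empty}"
          payload=$(
            jq -n --arg image_tag "$IMAGE_TAG" '{
              "event_type": "saleor-mcp-staging",
              "client_payload": {
                "image_tag": $image_tag
              }
            }'
          )
          gh api /repos/saleor/saleor-cloud-deployments/dispatches --input - <<< "$payload"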