final version (fingers crossed)

stmpn · stmpn · commit 2bde51ac8955 · 2026-02-04T15:25:10.000+01:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,70 +1,74 @@
-name: Publish image and deploy to staging
+name: Build image from main and deploy to staging
 
 on:
   push:
     branches:
       - main
   workflow_dispatch:
 
-env:
-  ECR_REPOSITORY_URI: ${{ secrets.AWS_ECR_ACCOUNT }}.dkr.ecr.eu-west-1.amazonaws.com/${{ secrets.ECR_REPOSITORY }}
-
 jobs:
   prepare-variables:
-    name: Prepare variables
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
     permissions:
       contents: read
+
     outputs:
-      image_tags: ${{ steps.generate_image_tags.outputs.image_tags }}
-      unique_image_tag: ${{ steps.generate_image_tags.outputs.unique_image_tag }}
-      ecr_repo_uri: ${{ steps.generate_image_tags.outputs.ecr_repo_uri }}
+      image_tag: ${{ steps.prepare-variables.outputs.IMAGE_TAG }}
+      ecr_tags: ${{ steps.prepare-variables.outputs.ECR_TAGS }}
+
     steps:
-      # Required by generate_image_tags
-      - name: Checkout
-        uses: actions/checkout@v6
+      # Required by prepare-variables
+      - uses: actions/checkout@v6
 
-      - name: Generate image tags
-        id: generate_image_tags
+      - name: Prepare variables
+        id: prepare-variables
         env:
-          IMAGE_REPOSITORY: ${{ env.ECR_REPOSITORY_URI }}
-          BRANCH_IMAGE_TAG: ${{ github.ref_name }}
+          # github.ref_name is the plain (no prefix) branch or tag name that
+          # triggered the workflow (e.g. "main", "v1.2.3").
+          # We are passing it through env to prevent script injection via crafted
+          # branch names (e.g. a branch named `; rm -rf /` would be interpolated
+          # directly into the shell script if using ${{ }} inline).
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          unique_image_tag="${BRANCH_IMAGE_TAG}-$(git rev-parse --short HEAD)"
+          set -x
 
-          image_tags="${IMAGE_REPOSITORY}:${BRANCH_IMAGE_TAG},${IMAGE_REPOSITORY}:${unique_image_tag}"
+          image_tag_unique="${REF_NAME}-$(git rev-parse --short HEAD)"
+          ecr_tags="${image_tag_unique},${REF_NAME}-latest"
 
-          echo "unique_image_tag=${unique_image_tag}" >> $GITHUB_OUTPUT
-          echo "image_tags=${image_tags}" >> $GITHUB_OUTPUT
-          echo "ecr_repo_uri=${IMAGE_REPOSITORY}" >> $GITHUB_OUTPUT
+          echo "IMAGE_TAG=${image_tag_unique}" >> $GITHUB_OUTPUT
+          echo "ECR_TAGS=${ecr_tags}" >> $GITHUB_OUTPUT
 
 
   build-push:
-    needs: prepare-variables
-    uses: saleor/saleor-internal-actions/.github/workflows/build-push-image-multi-platform.yaml@92c29aa0e4545de579b892b2ef9f2d6366c29c11 # v1.5.2
+    needs: [prepare-variables]
+    uses: saleor/saleor-internal-actions/.github/workflows/build-push-image-multi-platform.yaml@9c7a814c011945f26f0aa1191fc9c62de45477c2 # v1.7.0
+
     permissions:
       contents: read
       id-token: write # needed for AWS/ECR login
       packages: write # needed for GHCR (not used, but required permission)
+
     with:
-      checkout-ref: ${{ github.ref_name }}
+      tags: ${{ needs.prepare-variables.outputs.ecr_tags }}
 
       enable-aws-ecr: true
       aws-ecr-region: eu-west-1
-      oci-full-repository: ${{ needs.prepare-variables.outputs.ecr_repo_uri }}
-      tags: ${{ needs.prepare-variables.outputs.image_tags }}
 
-      amd64-runner-image: ubuntu-24.04
-      arm64-runner-image: ubuntu-24.04-arm
+      # NOTE: we use 2 cores instead of 4 because it's cheaper and doesn't impact
+      #       the speed.
+      arm64-runner-image: ubuntu-24.04-arm64-2cores
 
     secrets:
+      oci-full-repository: ${{ secrets.AWS_ECR_ACCOUNT }}.dkr.ecr.eu-west-1.amazonaws.com/${{ secrets.ECR_REPOSITORY }}
       aws-ecr-role-to-assume: arn:aws:iam::${{ secrets.AWS_STAGING_ACCOUNT_ID }}:role/${{ secrets.AWS_APPS_SALEOR_MCP_STAGING_CICD_ROLE_NAME }}
       aws-ecr-registries: ${{ secrets.AWS_ECR_ACCOUNT }}
 
   deploy:
     needs: [prepare-variables, build-push]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions: {}
+
     steps:
       - name: Get Token
         id: get-token
@@ -76,15 +80,14 @@ jobs:
       - name: Trigger staging deployment
         env:
           GITHUB_TOKEN: ${{ steps.get-token.outputs.token }}
-          UNIQUE_IMAGE_TAG: ${{ needs.prepare-variables.outputs.unique_image_tag }}
+          IMAGE_TAG: ${{ needs.prepare-variables.outputs.image_tag }}
         run: |
           payload=$(
-            jq --arg image_tag "$UNIQUE_IMAGE_TAG" -n '{
+            jq -n --arg image_tag "$IMAGE_TAG" '{
               "event_type": "saleor-mcp-staging",
               "client_payload": {
                 "image_tag": $image_tag
               }
             }'
           )
-
           gh api /repos/saleor/saleor-cloud-deployments/dispatches --input - <<< "$payload"
