INFRA-787 - switch publish.yml to shared workflow

stmpn · stmpn · commit ec62e2400fd9 · 2026-01-27T19:45:14.000+01:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,73 +4,79 @@ on:
   push:
     branches:
       - main
+  workflow_dispatch:
+
+env:
+  ECR_REPOSITORY_URI: ${{ secrets.AWS_ECR_ACCOUNT }}.dkr.ecr.eu-west-1.amazonaws.com/${{ secrets.ECR_REPOSITORY }}
 
 jobs:
-  publish:
-    runs-on: ubuntu-24.04
+  prepare-variables:
+    name: Prepare variables
+    runs-on: ubuntu-22.04
     permissions:
-      id-token: write # needed by aws-actions/configure-aws-credentials
       contents: read
-    env:
-      AWS_REGION: eu-west-1
-
+    outputs:
+      image_tags: ${{ steps.generate_image_tags.outputs.image_tags }}
+      unique_image_tag: ${{ steps.generate_image_tags.outputs.unique_image_tag }}
+      ecr_repo_uri: ${{ steps.generate_image_tags.outputs.ecr_repo_uri }}
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-      
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-        with:
-          platforms: arm64
+      # Required by generate_image_tags
+      - name: Checkout
+        uses: actions/checkout@v6
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-        with:
-          install: true
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
-        with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_STAGING_ACCOUNT_ID }}:role/${{ secrets.AWS_APPS_SALEOR_MCP_STAGING_CICD_ROLE_NAME }}
-          aws-region: ${{ env.AWS_REGION }}
-
-      - id: ecr-login
-        name: Login to Amazon ECR
-        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
-        with:
-          registries: ${{ secrets.AWS_ECR_ACCOUNT }}
-
-      - name: Evaluate image tags
+      - name: Generate image tags
+        id: generate_image_tags
         env:
-          IMAGE_REPOSITORY: ${{ steps.ecr-login.outputs.registry }}/${{ secrets.ECR_REPOSITORY }}
+          IMAGE_REPOSITORY: ${{ env.ECR_REPOSITORY_URI }}
           BRANCH_IMAGE_TAG: ${{ github.ref_name }}
         run: |
-          UNIQUE_IMAGE_TAG=${BRANCH_IMAGE_TAG}-$(git rev-parse --short HEAD)
+          unique_image_tag="${BRANCH_IMAGE_TAG}-$(git rev-parse --short HEAD)"
 
-          IMAGE_TAGS=${IMAGE_REPOSITORY}:${BRANCH_IMAGE_TAG},${IMAGE_REPOSITORY}:${UNIQUE_IMAGE_TAG}
+          image_tags="${IMAGE_REPOSITORY}:${BRANCH_IMAGE_TAG},${IMAGE_REPOSITORY}:${unique_image_tag}"
 
-          echo "UNIQUE_IMAGE_TAG=${UNIQUE_IMAGE_TAG}" >> $GITHUB_ENV
-          echo "IMAGE_TAGS=${IMAGE_TAGS}" >> $GITHUB_ENV
+          echo "unique_image_tag=${unique_image_tag}" >> $GITHUB_OUTPUT
+          echo "image_tags=${image_tags}" >> $GITHUB_OUTPUT
+          echo "ecr_repo_uri=${IMAGE_REPOSITORY}" >> $GITHUB_OUTPUT
 
-      - name: Build and push
-        timeout-minutes: 20
-        uses: docker/build-push-action@v4
+
+  build-push:
+    needs: prepare-variables
+    uses: saleor/saleor-internal-actions/.github/workflows/build-push-image-multi-platform.yaml@92c29aa0e4545de579b892b2ef9f2d6366c29c11 # v1.5.2
+    permissions:
+      contents: read
+      id-token: write # needed for AWS/ECR login
+      packages: write # needed for GHCR (not used, but required permission)
+    with:
+      checkout-ref: ${{ github.ref_name }}
+
+      enable-aws-ecr: true
+      aws-ecr-region: eu-west-1
+      oci-full-repository: ${{ needs.prepare-variables.outputs.ecr_repo_uri }}
+      tags: ${{ needs.prepare-variables.outputs.image_tags }}
+
+      amd64-runner-image: ubuntu-24.04
+      arm64-runner-image: ubuntu-24.04-arm
+
+    secrets:
+      aws-ecr-role-to-assume: arn:aws:iam::${{ secrets.AWS_STAGING_ACCOUNT_ID }}:role/${{ secrets.AWS_APPS_SALEOR_MCP_STAGING_CICD_ROLE_NAME }}
+      aws-ecr-registries: ${{ secrets.AWS_ECR_ACCOUNT }}
+
+  deploy:
+    needs: [prepare-variables, build-push]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Get Token
+        id: get-token
+        uses: saleor/saleor-internal-actions/request-vault-token@6a0fa7c073b3857a11d414f25a149065fe5a0fcf # v1.4.0
         with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ env.IMAGE_TAGS }}
-          cache-from: type=gha,scope=buildkit-master
-          cache-to: type=gha,scope=buildkit-master
+          vault-url: ${{ secrets.VAULT_URL }}
+          vault-jwt: ${{ secrets.VAULT_JWT }}
 
       - name: Trigger staging deployment
+        env:
+          GITHUB_TOKEN: ${{ steps.get-token.outputs.token }}
+          UNIQUE_IMAGE_TAG: ${{ needs.prepare-variables.outputs.unique_image_tag }}
         run: |
-          export GITHUB_TOKEN=$( \
-            curl --request GET --url ${{ secrets.VAULT_URL}} --header "Authorization: JWT ${{ secrets.VAULT_JWT }}" | jq -r .token \
-          )
-
-          echo "::add-mask::$GITHUB_TOKEN"
-
           payload=$(
             jq --arg image_tag "$UNIQUE_IMAGE_TAG" -n '{
               "event_type": "saleor-mcp-staging",
@@ -80,4 +86,4 @@ jobs:
             }'
           )
 
-          gh api /repos/saleor/saleor-cloud-deployments/dispatches --input <(echo "$payload")
+          gh api /repos/saleor/saleor-cloud-deployments/dispatches --input - <<< "$payload"
