106 changes: 12 additions & 94 deletions .github/workflows/deploy.yml
Expand Up @@ -4,17 +4,12 @@
name: Deploy

on:
push:
pull_request:
branches:
- main
# The only commits that will contain changes to the masterlist will be releases
paths-ignore:
paths:
- 'MASTERLIST.md'
- 'package.json'
- '.changeset/**'
- 'packages/**/CHANGELOG.md'
- 'packages/**/README.md'
- 'packages/**/package.json'
workflow_dispatch:
inputs:
# For this workflow, BUILD_ALL will cause all adapters to have their image built and deployed
Expand All @@ -39,82 +34,13 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 2
- name: Set up and install dependencies
uses: ./.github/actions/setup
with:
skip-setup: true
- name: Build list of changed packages and changed adapters
id: changed-adapters
env:
UPSTREAM_BRANCH: HEAD~1
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# The deployment will overwrite existing ones, so in order to calculate all adapters that have been changed,
# we can mock running the changesets version command to have them present in the diff.
# Additionally, running the changeset version will cause the images we publish here to have the proper increased version.
yarn changeset version

# If there are changes, commit them and calculate the adapters.
# If there are no changes, we don't need to deploy anything :)
if [[ `git status --porcelain` ]]; then
git commit -am "Mock changesets"
fi

./.github/scripts/changed-adapters.sh
# Since we want to publish with the versions updated, we need to store the changes we've made to a temporary branch
- name: Publish branch
id: push-branch
if: steps.changed-adapters.outputs.CHANGED_ADAPTERS != '[]'
run: |
export TMP_BRANCH="tmp-deploy-$(git rev-parse HEAD)"
git checkout -b tmp-deploy-$(git rev-parse HEAD)
git push origin tmp-deploy-$(git rev-parse HEAD)
echo "TMP_BRANCH=$TMP_BRANCH" >> $GITHUB_OUTPUT

publish-adapter-images:
name: Build and publish ${{ matrix.adapter.shortName }}
runs-on: ubuntu-latest
needs:
- calculate-changes
if: needs.calculate-changes.outputs.adapter-list != '[]'
environment: release
permissions: # These are needed for the configure-aws-credentials action
id-token: write
contents: read
strategy:
max-parallel: 20
matrix: ${{fromJson(needs.calculate-changes.outputs.adapter-list)}}
env:
ECR_URL: ${{ secrets.SDLC_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION_ECR_PRIVATE }}.amazonaws.com
ECR_REPO: adapters/${{ matrix.adapter.shortName }}-adapter
IMAGE_VERSION: ${{ matrix.adapter.version }}
steps:
- name: Check out code
uses: actions/checkout@v4
with:
ref: ${{ needs.calculate-changes.outputs.tmp-branch }}
- name: Build the adapter image
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: .
push: false
tags: ${{ env.ECR_URL }}/${{ env.ECR_REPO }}:${{ matrix.adapter.version }}
build-args: |
package=${{ matrix.adapter.name }}
location=${{ matrix.adapter.location }}
- name: Debug
run: docker image ls
- name: Publish adapter image
uses: ./.github/actions/publish-image
with:
image-version: ${{ matrix.adapter.version }}
aws-ecr-url: ${{ env.ECR_URL }}
aws-ecr-repo: ${{ env.ECR_REPO }}
aws-region: ${{ secrets.AWS_REGION_ECR_PRIVATE }}
aws-role: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
aws-ecr-account-ids: ${{ secrets.AWS_PRIVATE_ECR_SECONDARY_ACCOUNT_ACCESS_IDS }}
aws-ecr-private: true
latest: true

deploy:
name: Trigger infra deployment
Expand All @@ -124,7 +50,6 @@ jobs:
runs-on: ubuntu-latest
needs:
- calculate-changes
- publish-adapter-images
if: needs.calculate-changes.outputs.adapter-list != '[]'
environment: InfraK8s
env:
Expand All @@ -139,28 +64,21 @@ jobs:
aws-lambda-url: ${{ secrets.GATI_LAMBDA_DATA_FEEDS_URL }}
aws-region: ${{ secrets.AWS_REGION }}
aws-role-duration-seconds: '1800' # this is optional and defaults to 900
- name: Determine branch name suffix
id: suffix
run: |
echo "github.event.pull_request.head.ref = ${{ github.event.pull_request.head.ref }}"
if [[ "${{ github.event.pull_request.head.ref }}" = "changeset-release/main" ]]; then
echo "SUFFIX=" >> $GITHUB_OUTPUT
else
echo "SUFFIX=-pr${{ github.event.number }}" >> $GITHUB_OUTPUT
fi
- name: Trigger Image Dispatcher
run: >
gh workflow run
--repo smartcontractkit/infra-k8s
--ref main "Infra-k8s Image Dispatcher"
-F imageRepos="$(echo $CHANGED_ADAPTERS | jq -r "\"$ECR_URL/adapters/\" + (.adapter | .[].shortName) + \"-adapter\"" | tr '\n' ' ')"
-F gitRepo=${{ github.event.repository.name }}
-F gitRepo="${{ github.event.repository.name }}${{ steps.suffix.outputs.SUFFIX }}"
env:
GITHUB_TOKEN: ${{ steps.setup-github-token.outputs.access-token }}

cleanup:
name: Clean up ephemeral items
runs-on: ubuntu-latest
needs:
- calculate-changes
- deploy
if: always() && needs.calculate-changes.outputs.adapter-list != '[]'
steps:
- name: Check out code
uses: actions/checkout@v4
with:
ref: ${{ needs.calculate-changes.outputs.tmp-branch }}
- name: Delete ephemeral branch
run: |
git push origin --delete ${{ needs.calculate-changes.outputs.tmp-branch }}
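Review bot: The new "Determine branch name suffix" step expands `${{ github.event.pull_request.head.ref }}` directly into a `run:` script, both in the `echo` and in the `[[ ... ]]` test; the head branch name is chosen by whoever opens the pull request and git ref names may contain `;`, `$`, backticks and quotes, so this is a script-injection sink inside a job that holds `InfraK8s` environment secrets and a token that dispatches into `smartcontractkit/infra-k8s` (fork PRs receive no secrets on `pull_request`, but any branch pushed to this repository does). Pass the value through `env:` and read it as a shell variable, as below, rather than as a template expansion. The branch name is also the only thing separating a release deploy from a PR preview, so a PR opened from any branch named `changeset-release/main` would dispatch with the production `gitRepo` value; gating on the PR author (for example `github.event.pull_request.user.login`) in addition to the ref would be worth considering, though which identity the release PR uses is not visible here. On `workflow_dispatch` runs, which remain a trigger, `head.ref` and `event.number` are both empty, so `gitRepo` becomes `<repo>-pr`. The `deploy` job and the step this hunk opens inside both begin in earlier hunks.
```yaml
- name: Determine branch name suffix
  id: suffix
  env:
    HEAD_REF: ${{ github.event.pull_request.head.ref }}
    PR_NUMBER: ${{ github.event.number }}
  run: |
    echo "head ref = $HEAD_REF"
    if [[ "$HEAD_REF" = "changeset-release/main" ]]; then
      echo "SUFFIX=" >> "$GITHUB_OUTPUT"
    else
      echo "SUFFIX=-pr${PR_NUMBER}" >> "$GITHUB_OUTPUT"
    fi
# … unchanged: Trigger Image Dispatcher step …
```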
133 changes: 133 additions & 0 deletions .github/workflows/publish.yml
@@ -0,0 +1,133 @@
# This workflow publishes docker images to ECR.
name: Publish

on:
push:
branches:
- main
# The only commits that will contain changes to the masterlist will be releases
paths-ignore:
- 'MASTERLIST.md'
- 'package.json'
- '.changeset/**'
- 'packages/**/CHANGELOG.md'
- 'packages/**/README.md'
- 'packages/**/package.json'
workflow_dispatch:
inputs:
# For this workflow, BUILD_ALL will cause all adapters to have their image built and deployed
build-all:
description: whether to run steps for all adapters, regardless of whether they were changed in this event
required: false
default: 'false'

concurrency:
group: deploy-and-release
cancel-in-progress: false

jobs:
calculate-changes:
name: Compute changed adapters
runs-on: [ubuntu-latest]
permissions:
contents: read
outputs:
adapter-list: ${{ steps.changed-adapters.outputs.CHANGED_ADAPTERS }}
tmp-branch: ${{ steps.push-branch.outputs.TMP_BRANCH }}
steps:
- name: Checkout Repo
uses: actions/checkout@v4
with:
fetch-depth: 2
- name: Set up and install dependencies
uses: ./.github/actions/setup
with:
skip-setup: true
- name: Build list of changed packages and changed adapters
id: changed-adapters
env:
UPSTREAM_BRANCH: HEAD~1
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# The deployment will overwrite existing ones, so in order to calculate all adapters that have been changed,
# we can mock running the changesets version command to have them present in the diff.
# Additionally, running the changeset version will cause the images we publish here to have the proper increased version.
yarn changeset version

# If there are changes, commit them and calculate the adapters.
# If there are no changes, we don't need to deploy anything :)
if [[ `git status --porcelain` ]]; then
git commit -am "Mock changesets"
fi

./.github/scripts/changed-adapters.sh
# Since we want to publish with the versions updated, we need to store the changes we've made to a temporary branch
- name: Publish branch
id: push-branch
if: steps.changed-adapters.outputs.CHANGED_ADAPTERS != '[]'
run: |
export TMP_BRANCH="tmp-deploy-$(git rev-parse HEAD)"
git checkout -b tmp-deploy-$(git rev-parse HEAD)
git push origin tmp-deploy-$(git rev-parse HEAD)
echo "TMP_BRANCH=$TMP_BRANCH" >> $GITHUB_OUTPUT

publish-adapter-images:
name: Build and publish ${{ matrix.adapter.shortName }}
runs-on: ubuntu-latest
needs:
- calculate-changes
if: needs.calculate-changes.outputs.adapter-list != '[]'
environment: release
permissions: # These are needed for the configure-aws-credentials action
id-token: write
contents: read
strategy:
max-parallel: 20
matrix: ${{fromJson(needs.calculate-changes.outputs.adapter-list)}}
env:
ECR_URL: ${{ secrets.SDLC_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION_ECR_PRIVATE }}.amazonaws.com
ECR_REPO: adapters/${{ matrix.adapter.shortName }}-adapter
IMAGE_VERSION: ${{ matrix.adapter.version }}
steps:
- name: Check out code
uses: actions/checkout@v4
with:
ref: ${{ needs.calculate-changes.outputs.tmp-branch }}
- name: Build the adapter image
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: .
push: false
tags: ${{ env.ECR_URL }}/${{ env.ECR_REPO }}:${{ matrix.adapter.version }}
build-args: |
package=${{ matrix.adapter.name }}
location=${{ matrix.adapter.location }}
- name: Debug
run: docker image ls
- name: Publish adapter image
uses: ./.github/actions/publish-image
with:
image-version: ${{ matrix.adapter.version }}
aws-ecr-url: ${{ env.ECR_URL }}
aws-ecr-repo: ${{ env.ECR_REPO }}
aws-region: ${{ secrets.AWS_REGION_ECR_PRIVATE }}
aws-role: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
aws-ecr-account-ids: ${{ secrets.AWS_PRIVATE_ECR_SECONDARY_ACCOUNT_ACCESS_IDS }}
aws-ecr-private: true
latest: true

cleanup:
name: Clean up ephemeral items
runs-on: ubuntu-latest
needs:
- calculate-changes
- publish-adapter-images
if: always() && needs.calculate-changes.outputs.adapter-list != '[]'
steps:
- name: Check out code
uses: actions/checkout@v4
with:
ref: ${{ needs.calculate-changes.outputs.tmp-branch }}
- name: Delete ephemeral branch
run: |
git push origin --delete ${{ needs.calculate-changes.outputs.tmp-branch }}
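Review bot: The `calculate-changes` job restricts its token to `contents: read`, yet its "Publish branch" step runs `git push origin tmp-deploy-...` using the credentials `actions/checkout` persists, which is that same read-only GITHUB_TOKEN, so the push should be refused and every downstream job that checks out `tmp-branch` is left with nothing to check out — unless `./.github/actions/setup` installs a different credential, which this diff does not show. Either raise that job to `contents: write` or push with a dedicated token scoped to creating branches, and in the same job note that `git commit -am "Mock changesets"` needs a configured git identity, which the setup action presumably provides — confirm. Separately, `docker/build-push-action` is pinned to a commit SHA while every `actions/checkout@v4` floats on a mutable tag; in a workflow that mints OIDC credentials for a private ECR, pinning all actions to a full SHA with the version in a trailing comment, `actions/checkout@<sha> # v4`, removes the inconsistency.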
Comment on lines +120 to +133

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 23 days ago

To fix the problem, add an explicit permissions block under the cleanup job in .github/workflows/publish.yml. This block should specify the minimal required permissions for the steps it performs. Since the job deletes a branch—an operation that requires write access to repository contents—the permissions should be set to contents: write. This change should be added directly under the runs-on and needs listings in the cleanup job (after line 121 and before line 125 for style consistency). No additional imports or dependencies are required.

Suggested changeset 1
.github/workflows/publish.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -119,6 +119,8 @@
   cleanup:
     name: Clean up ephemeral items
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     needs:
       - calculate-changes
       - publish-adapter-images
EOF
@@ -119,6 +119,8 @@
cleanup:
name: Clean up ephemeral items
runs-on: ubuntu-latest
permissions:
contents: write
needs:
- calculate-changes
- publish-adapter-images
Copilot is powered by AI and may make mistakes. Always verify output.