-
Notifications
You must be signed in to change notification settings - Fork 72
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
161 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
|
|
||
| name: Fly Deploy (staging) | ||
|
|
||
| on: | ||
| workflow_run: | ||
| workflows: ["Publish to ghcr (staging)"] | ||
| types: | ||
| - completed | ||
|
|
||
| jobs: | ||
| deploy: | ||
| name: Deploy staging app | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: 'true' | ||
|
|
||
| - name: Use flyctl | ||
| uses: superfly/flyctl-actions/setup-flyctl@master | ||
|
|
||
| - name: Deploy to fly.io | ||
| run: flyctl deploy --local-only | ||
| env: | ||
| FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }} | ||
| working-directory: ./staging |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,134 @@ | ||
|
|
||
| name: Publish to ghcr (staging) | ||
|
|
||
| on: | ||
| push: | ||
| branches: ["v3"] | ||
|
|
||
| env: | ||
| REGISTRY_IMAGE: ghcr.io/sourcebot-dev/sourcebot | ||
|
|
||
| jobs: | ||
| build: | ||
| runs-on: ${{ matrix.runs-on}} | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write | ||
| strategy: | ||
| matrix: | ||
| platform: [linux/amd64, linux/arm64] | ||
| include: | ||
| - platform: linux/amd64 | ||
| runs-on: ubuntu-latest | ||
| - platform: linux/arm64 | ||
| runs-on: ubuntu-24.04-arm | ||
|
|
||
| steps: | ||
| - name: Prepare | ||
| run: | | ||
| platform=${{ matrix.platform }} | ||
| echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: "true" | ||
|
|
||
| - name: Extract Docker metadata | ||
| id: meta | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: ${{ env.REGISTRY_IMAGE }} | ||
| tags: staging | ||
|
|
||
| - name: Install cosign | ||
| uses: sigstore/[email protected] | ||
| with: | ||
| cosign-release: "v2.2.4" | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Login to GitHub Packages Docker Registry | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Build Docker image | ||
| id: build | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: . | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max | ||
| platforms: ${{ matrix.platform }} | ||
| outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true | ||
| build-args: | | ||
| SOURCEBOT_VERSION=${{ github.ref_name }} | ||
| POSTHOG_PAPIK=${{ secrets.POSTHOG_PAPIK }} | ||
| SOURCEBOT_ENCRYPTION_KEY=${{ secrets.STAGING_SOURCEBOT_ENCRYPTION_KEY }} | ||
| - name: Export digest | ||
| run: | | ||
| mkdir -p /tmp/digests | ||
| digest="${{ steps.build.outputs.digest }}" | ||
| touch "/tmp/digests/${digest#sha256:}" | ||
| - name: Upload digest | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: digests-${{ env.PLATFORM_PAIR }} | ||
| path: /tmp/digests/* | ||
| if-no-files-found: error | ||
| retention-days: 1 | ||
|
|
||
| - name: Sign the published Docker image | ||
| env: | ||
| TAGS: ${{ steps.meta.outputs.tags }} | ||
| DIGEST: ${{ steps.build.outputs.digest }} | ||
| run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} | ||
|
|
||
| merge: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| packages: write | ||
| needs: | ||
| - build | ||
| steps: | ||
| - name: Download digests | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| path: /tmp/digests | ||
| pattern: digests-* | ||
| merge-multiple: true | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Extract Docker metadata | ||
| id: meta | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: ${{ env.REGISTRY_IMAGE }} | ||
| tags: staging | ||
|
|
||
| - name: Login to GitHub Packages Docker Registry | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Create manifest list and push | ||
| working-directory: /tmp/digests | ||
| run: | | ||
| docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | ||
| $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) | ||
| - name: Inspect image | ||
| run: | | ||
| docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} |