badblocks/pkmntrade.club
1
1
Fork 0
Code Issues 14 Pull requests Projects 1 Releases Packages Wiki Activity

If we push to a registry in the future, we need to pin by sha for security reasons

Browse source
This commit is contained in:
badblocks 2025-05-21 09:48:23 -07:00
parent f530790f6c
commit 5c912de307
No known key found for this signature in database
1 changed files with 64 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

74
.github/workflows/build_deploy.yml vendored
View file

@ -13,28 +13,42 @@ jobs:
steps: steps:
- name: Checkout the repo - name: Checkout the repo
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: 🏗 Set up yq
uses: frenck/action-setup-yq@v1
- name: Get full and partial repository name - name: Get full and partial repository name
id: meta id: meta
run: | run: |
echo "GITHUB_REPOSITORY: ${{ github.repository }}" echo "GITHUB_REPOSITORY: ${{ github.repository }}"
if [[ "${{ github.repository }}" == *".git" ]]; then repo_temp=""
if [[ "${{ github.repository }}" == "https://"* ]]; then
echo "GITHUB_REPOSITORY ends in .git and is a URL" if [[ "${{ github.repository }}" == git@* && "${{ github.repository }}" == *:* && "${{ github.repository }}" == *.git ]]; then
REPO=$(echo "${{ github.repository }}" | sed 's/\.git$//' | cut -d'/' -f4-5 | sed 's/[^a-zA-Z0-9\/-]/-/g') echo "Detected SSH style git remote (e.g. git@host:owner/repo.git)"
else # Extracts 'owner/repo' from 'git@host:owner/repo.git'
echo "GITHUB_REPOSITORY ends in .git and is not a URL" repo_temp=$(echo "${{ github.repository }}" | sed 's/\.git$//' | awk -F: '{print $2}')
REPO=$(echo "${{ github.repository }}" | sed 's/\.git$//' | sed 's/[^a-zA-Z0-9\/-]/-/g') elif [[ "${{ github.repository }}" == "https://"* && "${{ github.repository }}" == *.git ]]; then
fi echo "Detected HTTPS URL ending in .git (e.g. https://host/owner/repo.git)"
# Extracts 'owner/repo' from 'https://host/owner/repo.git'
repo_temp=$(echo "${{ github.repository }}" | sed 's/\.git$//' | awk -F/ '{print $(NF-1)"/"$(NF)}')
elif [[ "${{ github.repository }}" == *.git ]]; then # Catches other cases ending in .git, like owner/repo.git or other path based .git repos
echo "Detected path-like git repo ending in .git (e.g. owner/repo.git)"
# Extracts 'owner/repo' from 'owner/repo.git'
repo_temp=$(echo "${{ github.repository }}" | sed 's/\.git$//')
else else
echo "GITHUB_REPOSITORY is not a URL" echo "Assuming owner/repo format (e.g. owner/repo)"
REPO=$(echo "${{ github.repository }}" | sed 's/[^a-zA-Z0-9\/-]/-/g') repo_temp="${{ github.repository }}"
fi fi
# Sanitize and lowercase for Docker image naming conventions
REPO=$(echo "$repo_temp" | tr '[:upper:]' '[:lower:]' | sed -e 's/[^a-z0-9\/-]/-/g' -e 's/--\+/-/g' -e 's/^-//g' -e 's/-$//g')
echo "REPO (image base name): $REPO"
echo "REPO=$REPO" >> $GITHUB_OUTPUT echo "REPO=$REPO" >> $GITHUB_OUTPUT
REPO_NAME_ONLY=$(echo "$REPO" | cut -d'/' -f2) REPO_NAME_ONLY=$(echo "$REPO" | cut -d'/' -f2)
echo "REPO_NAME_ONLY (project name): $REPO_NAME_ONLY"
echo "REPO_NAME_ONLY=$REPO_NAME_ONLY" >> $GITHUB_OUTPUT echo "REPO_NAME_ONLY=$REPO_NAME_ONLY" >> $GITHUB_OUTPUT
REPO_PROJECT_PATH=/srv/$(echo "$REPO_NAME_ONLY") REPO_PROJECT_PATH=/srv/$(echo "$REPO_NAME_ONLY")
echo "REPO_PROJECT_PATH: $REPO_PROJECT_PATH"
echo "REPO_PROJECT_PATH=$REPO_PROJECT_PATH" >> $GITHUB_OUTPUT echo "REPO_PROJECT_PATH=$REPO_PROJECT_PATH" >> $GITHUB_OUTPUT
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
@ -176,6 +190,7 @@ jobs:
# with: # with:
# cache-source: ${{ runner.temp }}/.cache/buildx-cache # cache-source: ${{ runner.temp }}/.cache/buildx-cache
- name: Build container - name: Build container
id: build_container
uses: docker/build-push-action@v6 uses: docker/build-push-action@v6
with: with:
outputs: type=docker,dest=${{ runner.temp }}/${{ steps.meta.outputs.REPO_NAME_ONLY }}-${{ github.ref_name }}_${{ github.sha }}.tar outputs: type=docker,dest=${{ runner.temp }}/${{ steps.meta.outputs.REPO_NAME_ONLY }}-${{ github.ref_name }}_${{ github.sha }}.tar
@ -195,6 +210,45 @@ jobs:
# path: ${{ runner.temp }}/${{ steps.meta.outputs.REPO_NAME_ONLY }}-${{ github.ref_name }}_${{ github.sha }}.tar # path: ${{ runner.temp }}/${{ steps.meta.outputs.REPO_NAME_ONLY }}-${{ github.ref_name }}_${{ github.sha }}.tar
# if-no-files-found: error # if-no-files-found: error
# compression-level: 0 # compression-level: 0
- name: Update docker compose and "pin" just built image by adding image digest to tag
env:
IMAGE_DIGEST: ${{ steps.build_container.outputs.DIGEST }}
IMAGE_BASE_NAME: ${{ steps.meta.outputs.REPO }}
run: |
set -eu -o pipefail
echo "PROD_STATUS: ${PROD}"
echo "IMAGE_DIGEST: ${IMAGE_DIGEST}"
echo "IMAGE_BASE_NAME (for compose update): ${IMAGE_BASE_NAME}"
TARGET_COMPOSE_FILE=""
SERVICE_YQ_PATH=""
IMAGE_TAG=""
echo "Checking yq version..."
yq --version
if [ "${PROD}" = "true" ]; then
TARGET_COMPOSE_FILE="./server/docker-compose_web.yml"
SERVICE1_YQ_PATH=".services.web"
SERVICE2_YQ_PATH=".services.celery"
IMAGE_TAG="stable"
echo "Updating PROD configuration in $TARGET_COMPOSE_FILE for service $SERVICE_YQ_PATH"
yq -i "${SERVICE1_YQ_PATH}.image = \"${IMAGE_BASE_NAME}:${IMAGE_TAG}@${IMAGE_DIGEST}\"" "$TARGET_COMPOSE_FILE"
yq -i "${SERVICE2_YQ_PATH}.image = \"${IMAGE_BASE_NAME}:${IMAGE_TAG}@${IMAGE_DIGEST}\"" "$TARGET_COMPOSE_FILE"
else
TARGET_COMPOSE_FILE="./server/docker-compose_staging.yml"
SERVICE1_YQ_PATH=".services.\"web-staging\""
SERVICE2_YQ_PATH=".services.\"celery-staging\""
IMAGE_TAG="staging"
echo "Updating STAGING configuration in $TARGET_COMPOSE_FILE for service $SERVICE_YQ_PATH"
yq -i "${SERVICE1_YQ_PATH}.image = \"${IMAGE_BASE_NAME}:${IMAGE_TAG}@${IMAGE_DIGEST}\"" "$TARGET_COMPOSE_FILE"
yq -i "${SERVICE2_YQ_PATH}.image = \"${IMAGE_BASE_NAME}:${IMAGE_TAG}@${IMAGE_DIGEST}\"" "$TARGET_COMPOSE_FILE"
fi
echo "Successfully updated $TARGET_COMPOSE_FILE. Image pinned to:"
yq "${SERVICE_YQ_PATH}.image" "$TARGET_COMPOSE_FILE"
- name: Get Deploy Secrets - name: Get Deploy Secrets
uses: bitwarden/sm-action@v2 uses: bitwarden/sm-action@v2
with: with: