ci: bump the github-actions group with 3 updates #1229
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: dogfood | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "dogfood/**" | |
| - ".github/workflows/dogfood.yaml" | |
| - "flake.lock" | |
| - "flake.nix" | |
| pull_request: | |
| paths: | |
| - "dogfood/**" | |
| - ".github/workflows/dogfood.yaml" | |
| - "flake.lock" | |
| - "flake.nix" | |
| workflow_dispatch: | |
| permissions: | |
| # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage) | |
| id-token: write | |
| jobs: | |
| build_image: | |
| if: github.actor != 'dependabot[bot]' # Skip Dependabot PRs | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
| - name: Get branch name | |
| id: branch-name | |
| uses: tj-actions/branch-names@6871f53176ad61624f978536bbf089c574dc19a2 # v8.0.1 | |
| - name: "Branch name to Docker tag name" | |
| id: docker-tag-name | |
| run: | | |
| tag=${{ steps.branch-name.outputs.current_branch }} | |
| # Replace / with --, e.g. user/feature => user--feature. | |
| tag=${tag//\//--} | |
| echo "tag=${tag}" >> $GITHUB_OUTPUT | |
| - name: Set up Depot CLI | |
| uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 | |
| - name: Login to DockerHub | |
| if: github.ref == 'refs/heads/main' | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| - name: Build and push Non-Nix image | |
| uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0 | |
| with: | |
| project: b4q6ltmpzh | |
| token: ${{ secrets.DEPOT_TOKEN }} | |
| buildx-fallback: true | |
| context: "{{defaultContext}}:dogfood/contents" | |
| pull: true | |
| save: true | |
| push: ${{ github.ref == 'refs/heads/main' }} | |
| tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest" | |
| - name: Build and push Nix image | |
| uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0 | |
| with: | |
| project: b4q6ltmpzh | |
| token: ${{ secrets.DEPOT_TOKEN }} | |
| buildx-fallback: true | |
| context: "." | |
| file: "dogfood/contents/Dockerfile.nix" | |
| pull: true | |
| save: true | |
| push: ${{ github.ref == 'refs/heads/main' }} | |
| tags: "codercom/oss-dogfood-nix:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood-nix:latest" | |
| deploy_template: | |
| needs: build_image | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
| - name: Setup Terraform | |
| uses: ./.github/actions/setup-tf | |
| - name: Authenticate to Google Cloud | |
| uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
| with: | |
| workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github | |
| service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com | |
| - name: Terraform init and validate | |
| run: | | |
| cd dogfood | |
| terraform init -upgrade | |
| terraform validate | |
| cd contents | |
| terraform init -upgrade | |
| terraform validate | |
| - name: Get short commit SHA | |
| if: github.ref == 'refs/heads/main' | |
| id: vars | |
| run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| - name: Get latest commit title | |
| if: github.ref == 'refs/heads/main' | |
| id: message | |
| run: echo "pr_title=$(git log --format=%s -n 1 ${{ github.sha }})" >> $GITHUB_OUTPUT | |
| - name: "Push template" | |
| if: github.ref == 'refs/heads/main' | |
| run: | | |
| cd dogfood | |
| terraform apply -auto-approve | |
| env: | |
| # Consumed by coderd provider | |
| CODER_URL: https://dev.coder.com | |
| CODER_SESSION_TOKEN: ${{ secrets.CODER_SESSION_TOKEN }} | |
| # Template source & details | |
| TF_VAR_CODER_TEMPLATE_NAME: ${{ secrets.CODER_TEMPLATE_NAME }} | |
| TF_VAR_CODER_TEMPLATE_VERSION: ${{ steps.vars.outputs.sha_short }} | |
| TF_VAR_CODER_TEMPLATE_DIR: ./contents | |
| TF_VAR_CODER_TEMPLATE_MESSAGE: ${{ steps.message.outputs.pr_title }} | |
| TF_LOG: info |