1- name : Docker
2-
3- # This workflow uses actions that are not certified by GitHub.
4- # They are provided by a third-party and are governed by
5- # separate terms of service, privacy policy, and support
6- # documentation.
1+ name : Docker push and deploy
72
83on :
9- schedule :
10- - cron : " 27 0 * * *"
114 push :
12- branches : ["main", "next"]
13- # Publish semver tags as releases.
14- tags : ["v*.*.*"]
5+ branches : ["main"]
156 pull_request :
16- branches : ["main", "next" ]
7+ branches : ["main"]
178
189env :
19- # Use docker.io for Docker Hub if empty
20- REGISTRY : ghcr.io
21- # github.repository as <account>/<repo>
22- IMAGE_NAME : ${{ github.repository }}
10+ REGISTRY : asia-docker.pkg.dev
11+ IMAGE_NAME : asia-docker.pkg.dev/prj-p-devops-services-tvwmrf63/zilliqa-private/github-mcp-server
2312
2413jobs :
2514 build :
26- runs-on : ubuntu-latest-xl
15+ runs-on : ubuntu-22.04
2716 permissions :
2817 contents : read
2918 packages : write
30- # This is used to complete the identity challenge
31- # with sigstore/fulcio when running outside of PRs.
3219 id-token : write
3320
3421 steps :
3522 - name : Checkout repository
3623 uses : actions/checkout@v4
37-
38- # Install the cosign tool except on PR
39- # https://github.com/sigstore/cosign-installer
40- - name : Install cosign
41- if : github.event_name != 'pull_request'
42- uses : sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
4324 with :
44- cosign-release : " v2.2.4"
25+ ref : ${{ github.event.pull_request.head.ref }}
26+ repository : ${{ github.event.pull_request.head.repo.full_name }}
27+ fetch-depth : 0
4528
46- # Set up BuildKit Docker container builder to be able to build
47- # multi-platform images and export cache
48- # https://github.com/docker/setup-buildx-action
4929 - name : Set up Docker Buildx
5030 uses : docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
5131
52- # Login against a Docker registry except on PR
53- # https://github.com/docker/login-action
54- - name : Log into registry ${{ env.REGISTRY }}
55- if : github.event_name != 'pull_request'
56- uses : docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
57- with :
58- registry : ${{ env.REGISTRY }}
59- username : ${{ github.actor }}
60- password : ${{ secrets.GITHUB_TOKEN }}
61-
62- # Extract metadata (tags, labels) for Docker
63- # https://github.com/docker/metadata-action
64- - name : Extract Docker metadata
65- id : meta
66- uses : docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
67- with :
68- images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
69- tags : |
70- type=schedule
71- type=ref,event=branch
72- type=ref,event=tag
73- type=ref,event=pr
74- type=semver,pattern={{version}}
75- type=semver,pattern={{major}}.{{minor}}
76- type=semver,pattern={{major}}
77- type=sha
78- type=edge
79- # Custom rule to prevent pre-releases from getting latest tag
80- type=raw,value=latest,enable=${{ github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }}
81-
8232 - name : Go Build Cache for Docker
8333 uses : actions/cache@v4
8434 with :
@@ -90,33 +40,64 @@ jobs:
9040 with :
9141 cache-source : go-build-cache
9242
93- # Build and push Docker image with Buildx (don't push on PR)
94- # https://github.com/docker/build-push-action
95- - name : Build and push Docker image
96- id : build-and-push
97- uses : docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
43+ - name : Docker build and push in production
44+ uses : Zilliqa/gh-actions-workflows/actions/ci-dockerized-app-build-push@v2
9845 with :
9946 context : .
100- push : ${{ github.event_name != 'pull_request' }}
101- tags : ${{ steps.meta.outputs.tags }}
102- labels : ${{ steps.meta.outputs.labels }}
103- cache-from : type=gha
104- cache-to : type=gha,mode=max
105- platforms : linux/amd64,linux/arm64
47+ push : ${{ github.ref_name == github.event.repository.default_branch }}
48+ tag : ${{ env.IMAGE_NAME }}
49+ tag-length : 8
50+ tag-latest : ${{ github.ref_name == github.event.repository.default_branch }}
51+ registry : ${{ env.REGISTRY }}
52+ workload-identity-provider : " ${{ secrets.GCP_PRD_GITHUB_WIF }}"
53+ service-account : " ${{ secrets.GCP_PRD_GITHUB_SA_DOCKER_REGISTRY }}"
54+ cache-key : ${{ env.IMAGE_NAME }}-cache
10655 build-args : |
10756 VERSION=${{ github.ref_name }}
10857
109- # Sign the resulting Docker image digest except on PRs.
110- # This will only write to the public Rekor transparency log when the Docker
111- # repository is public to avoid leaking data. If you would like to publish
112- # transparency data even for private images, pass --force to cosign below.
113- # https://github.com/sigstore/cosign
114- - name : Sign the published Docker image
115- if : ${{ github.event_name != 'pull_request' }}
116- env :
117- # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
118- TAGS : ${{ steps.meta.outputs.tags }}
119- DIGEST : ${{ steps.build-and-push.outputs.digest }}
120- # This step uses the identity token to provision an ephemeral certificate
121- # against the sigstore community Fulcio instance.
122- run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
58+ deploy :
59+ needs : [build]
60+ permissions :
61+ id-token : write
62+ contents : write
63+ runs-on : ubuntu-22.04
64+ if : github.ref_name == github.event.repository.default_branch
65+ strategy :
66+ fail-fast : false
67+ matrix :
68+ application :
69+ - github-mcp-server
70+ env :
71+ APP_NAME : ${{ matrix.application }}
72+ Z_ENV : z.yaml
73+ Z_SERVICE_ACCOUNT : ${{ secrets.GCP_PRD_GITHUB_SA_K8S_DEPLOY }}
74+ OP_SERVICE_ACCOUNT_TOKEN : ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN_PRD }}
75+ GITHUB_PAT : ${{ secrets.GH_PAT }}
76+ Z_IMAGE : asia-docker.pkg.dev/prj-p-devops-services-tvwmrf63/zilliqa-private/z:latest
77+ REGISTRY : asia-docker.pkg.dev
78+ steps :
79+ - name : Checkout repository
80+ uses : actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
81+
82+ - name : Authenticate to Google Cloud
83+ id : google-auth
84+ uses : google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa
85+ with :
86+ token_format : " access_token"
87+ workload_identity_provider : " ${{ secrets.GCP_PRD_GITHUB_WIF }}"
88+ service_account : ${{ env.Z_SERVICE_ACCOUNT }}
89+ create_credentials_file : true
90+
91+ - name : Deploy application
92+ run : |
93+ gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://${{ env.REGISTRY }}
94+ docker run --rm \
95+ -e ZQ_USER='${{ env.Z_SERVICE_ACCOUNT }}' \
96+ -e Z_ENV='/github-mcp-server/${{ env.Z_ENV }}' \
97+ -e OP_SERVICE_ACCOUNT_TOKEN='${{ env.OP_SERVICE_ACCOUNT_TOKEN }}' \
98+ -e GITHUB_PAT='${{ env.GITHUB_PAT }}' \
99+ -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/google/application_default_credentials.json' \
100+ -v `pwd`:/github-mcp-server \
101+ -v ${{ steps.google-auth.outputs.credentials_file_path }}:/google/application_default_credentials.json \
102+ --name z_container ${{ env.Z_IMAGE }} \
103+ bash -c "gcloud config set account ${{ env.Z_SERVICE_ACCOUNT }} && z /app /github-mcp-server app sync --cache-dir .cache ${{ env.APP_NAME }}"
0 commit comments