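name: Publish Docker Images

# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - main
    tags:
      - "*"

# The workflow's GITHUB_TOKEN only has to read the repository (actions/checkout).
# DockerHub and the repository-dispatch call authenticate with their own secrets,
# scoped to the jobs that use them below.
permissions:
  contents: read

jobs:
  # Classify the pushed ref so the later jobs can decide which image tags to publish.
  # Every output is the string 'true' or 'false'. A ref that matches none of the
  # patterns (a push to main, or a tag with a prefix such as "v1.2.3" — constructed
  # example) leaves all four outputs 'false'.
  ParseTags:
    runs-on: ubuntu-latest
    # The ref is handed to the scripts through an environment variable instead of
    # being expanded into the script text, so a ref name containing shell
    # metacharacters is compared as data rather than executed.
    env:
      REF: ${{ github.event.ref }}
    outputs:
      prod_tag: ${{ steps.check-prod-tag.outputs.match }}
      rc_tag: ${{ steps.check-rc-tag.outputs.match }}
      alpha_tag: ${{ steps.check-alpha-tag.outputs.match }}
      beta_tag: ${{ steps.check-beta-tag.outputs.match }}
    steps:
      # refs/tags/X.Y.Z
      - name: Check Prod Tag
        id: check-prod-tag
        run: |
          if [[ "$REF" =~ ^refs/tags/[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "match=true" >> "$GITHUB_OUTPUT"
          else
            echo "match=false" >> "$GITHUB_OUTPUT"
          fi
      # refs/tags/X.Y.ZrcN
      - name: Check RC Tag
        id: check-rc-tag
        run: |
          if [[ "$REF" =~ ^refs/tags/[0-9]+\.[0-9]+\.[0-9]+rc[0-9]+$ ]]; then
            echo "match=true" >> "$GITHUB_OUTPUT"
          else
            echo "match=false" >> "$GITHUB_OUTPUT"
          fi
      # refs/tags/X.Y.ZaN
      - name: Check alpha Tag
        id: check-alpha-tag
        run: |
          if [[ "$REF" =~ ^refs/tags/[0-9]+\.[0-9]+\.[0-9]+a[0-9]+$ ]]; then
            echo "match=true" >> "$GITHUB_OUTPUT"
          else
            echo "match=false" >> "$GITHUB_OUTPUT"
          fi
      # refs/tags/X.Y.ZbN
      - name: Check beta Tag
        id: check-beta-tag
        run: |
          if [[ "$REF" =~ ^refs/tags/[0-9]+\.[0-9]+\.[0-9]+b[0-9]+$ ]]; then
            echo "match=true" >> "$GITHUB_OUTPUT"
          else
            echo "match=false" >> "$GITHUB_OUTPUT"
          fi

  Push:
    runs-on: ubuntu-latest
    needs: ParseTags
    # DockerHub credentials with read-write (publish) permissions. They are scoped
    # to this job because it is the only one that talks to the registry; ParseTags
    # and NotifyRedeploy never receive them.
    env:
      DOCKER_USER: ${{ secrets.DOCKER_USER }}
      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
    strategy:
      # This matrix will effectively _try_ to run every permutation in parallel,
      # skipping all of the tasks that don't match. This leaves a ton of "skipped" jobs
      # but is the fastest way to get this working without overhauling the tag check logic.
      matrix:
        application: ["fides", "sample_app", "privacy_center"]
    steps:
      # NOTE(review): the third-party actions below are pinned to a major-version
      # tag; pinning to a full commit SHA would make the action supply chain
      # reproducible and immune to a moved tag.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history is required to properly tag images
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKER_USER }}
          password: ${{ env.DOCKER_TOKEN }}
      - name: Install Dev Requirements
        run: pip install -r dev-requirements.txt
      # if neither prod, rc, beta or alpha git tag, then push images with the ":dev" tag
      # these dev images do not need a versioned/git-tagged image
      # (this also covers a push of a tag that matches none of the ParseTags patterns)
      - name: Push Fides Dev Tag
        if: needs.ParseTags.outputs.prod_tag == 'false' && needs.ParseTags.outputs.rc_tag == 'false' && needs.ParseTags.outputs.beta_tag == 'false' && needs.ParseTags.outputs.alpha_tag == 'false'
        run: nox -s "push(${{ matrix.application }},dev)"
      # if a prod git tag, then we run the prod job to publish images tagged with the version number and a constant ":latest" tag
      # prod pushes a versioned image, git-tagged images not needed
      - name: Push Fides Prod Tags
        if: needs.ParseTags.outputs.prod_tag == 'true'
        run: nox -s "push(${{ matrix.application }},prod)"
      # if an RC git tag, then we run the rc job to publish images with an ":rc" tag
      # git-tagged images are also pushed
      - name: Push Fides RC Tags
        if: needs.ParseTags.outputs.rc_tag == 'true'
        run: nox -s "push(${{ matrix.application }},rc)" -- git_tag
      # if an alpha or beta git tag, then we run the prerelease job to publish images with an ":prerelease" tag
      # git-tagged images are also pushed
      - name: Push Fides prerelease Tags
        if: needs.ParseTags.outputs.alpha_tag == 'true' || needs.ParseTags.outputs.beta_tag == 'true'
        run: nox -s "push(${{ matrix.application }},prerelease)" -- git_tag

  NotifyRedeploy:
    runs-on: ubuntu-latest
    # ParseTags is listed as a direct dependency on purpose: the `needs` context
    # exposes the outputs of direct dependencies only, so reaching rc_tag through
    # Push alone leaves it empty and the condition below can never be true.
    needs: [ParseTags, Push]
    steps:
      # if an RC git tag, also notify Fidesinfra to trigger a redeploy of rc env, to pick up our newly published images
      - name: Send Repository Dispatch Event (RC redeploy)
        if: needs.ParseTags.outputs.rc_tag == 'true'
        uses: peter-evans/repository-dispatch@v2
        with:
          event-type: trigger-fidesinfra-deploy-fides-rc
          repository: ethyca/fidesinfra
          token: ${{ secrets.DISPATCH_ACCESS_TOKEN }}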