feat(ci): Phase 1: Cutover to gha for prod images (#471)

hubertdeng123 · web-flow · commit 53ff8d307961 · 2025-08-26T16:56:39.000-07:00
* publish to ar from gha
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
@@ -61,6 +61,50 @@ jobs:
             ghcr.io/getsentry/taskbroker:${{ github.event.pull_request.head.sha || github.sha }}-amd64 \
             ghcr.io/getsentry/taskbroker:${{ github.event.pull_request.head.sha || github.sha }}-arm64
 
+  build-production:
+    runs-on: ubuntu-24.04
+    if: github.ref_name == github.event.repository.default_branch
+    name: Build and push production images
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Build and push taskbroker image
+        uses: getsentry/action-build-and-push-images@a53f146fc1ea3cb404f2dcf7378f5b60dd98d3ca
+        with:
+          image_name: 'taskbroker'
+          platforms: linux/amd64
+          dockerfile_path: './Dockerfile'
+          build_args: TASKBROKER_GIT_REVISION=${{ github.sha }}
+          ghcr: false
+          google_ar: true
+          tag_nightly: false
+          tag_latest: true
+          # TODO: remove this once we cut over GoCD to using gha for prod images
+          tag_suffix: -gha
+          google_ar_image_name: us-central1-docker.pkg.dev/sentryio/taskbroker/image
+          google_workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
+          google_service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com
+
+      - name: Build and push taskworker image
+        uses: getsentry/action-build-and-push-images@a53f146fc1ea3cb404f2dcf7378f5b60dd98d3ca
+        with:
+          image_name: 'taskworker'
+          platforms: linux/amd64
+          dockerfile_path: './python/Dockerfile'
+          build_context: './python'
+          ghcr: false
+          google_ar: true
+          tag_nightly: false
+          tag_latest: true
+          # TODO: remove this once we cut over GoCD to using gha for prod images
+          tag_suffix: -gha
+          google_ar_image_name: us-central1-docker.pkg.dev/sentryio/taskworker/image
+          google_workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
+          google_service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com
+
   self-hosted-end-to-end:
     needs: [assemble-taskbroker-image]
     runs-on: ubuntu-latest
