chore: better action workflow

2025-11-27 15:39:36 +01:00
parent ce28426075
commit 72bbb8b648
1 changed files with 128 additions and 64 deletions
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@@ -16,7 +16,41 @@ env:
  IMAGE_NAME: phundrak/phundrak-dot-com-backend

 jobs:
-  build-and-publish:
+  coverage-and-sonar:
+    runs-on: ubuntu-latest
+    permissions:
+      content: read
+      pull-requests: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: Setup Cachix
+        uses: cachix/cachix-action@v15
+        with:
+          name: '${{ env.CACHIX_NAME }}'
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          skipPush: ${{ github.event_name == 'pull_request' }}
+
+      - name: Coverage
+        run: |
+            nix develop --no-pure-eval --accept-flake-config --command just coverage
+
+      - name: Sonar analysis
+        uses: SonarSource/sonarqube-scan-action@v6
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+
+  build-docker:
    runs-on: ubuntu-latest
    permissions:
      contents: read
@@ -39,93 +73,123 @@ jobs:
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
          skipPush: ${{ github.event_name == 'pull_request' }}

-      - name: Coverage
-        run: |
-            nix develop --no-pure-eval --command just coverage
-
-      - name: Sonar analysis
-        uses: SonarSource/sonarqube-scan-action@v6
-        env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
-
      - name: Build Docker image with Nix
        run: |
          echo "Building Docker image..."
          nix build .#backendDockerLatest --accept-flake-config
+          cp -L result docker-image.tar.gz
+
+      - name: Upload Docker image artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: docker-image
+          path: docker-image.tar.gz
+          retention-days: 1
+
+  push-docker:
+    needs: [coverage-and-sonar, build-docker]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write  # Required for pushing to Phundrak Labs registry
+
+    steps:
+      - name: Download Docker image artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: docker-image

      - name: Load Docker image
        run: |
          echo "Loading Docker image into Docker daemon..."
-          docker load < result
+          docker load < docker-image.tar.gz

-      - name: Log in to Docker Registry
-        run: |
-          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.DOCKER_REGISTRY }} -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
+      - name: Push Docker tags
+        id: push
+        uses: https://labs.phundrak.com/phundrak/docker-push-action@v1
+        with:
+          registry: ${{ env.DOCKER_REGISTRY }}
+          registry-username: ${{ secrets.DOCKER_USERNAME }}
+          registry-password: ${{ secrets.DOCKER_PASSWORD }}
+          image-name: ${{ env.IMAGE_NAME }}
+          local-image-name: phundrak/phundrak-dot-com-backend:latest
+          event-name: ${{ github.event_name }}
+          ref: ${{ github.ref }}
+          ref-type: ${{ github.ref_type }}
+          ref-name: ${{ github.ref_name }}
+          pr-number: ${{ github.event.pull_request.number }}
+      # - name: Log in to Docker Registry
+      #   run: |
+      #     echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.DOCKER_REGISTRY }} -u ${{ secrets.DOCKER_USERNAME }} --password-stdin

-      - name: Determine tags and push images
-        run: |
-          set -euo pipefail
+      # - name: Determine tags and push images
+      #   run: |
+      #     set -euo pipefail

-          REGISTRY="${{ env.DOCKER_REGISTRY }}"
-          IMAGE_NAME="${{ env.IMAGE_NAME }}"
+      #     REGISTRY="${{ env.DOCKER_REGISTRY }}"
+      #     IMAGE_NAME="${{ env.IMAGE_NAME }}"

-          # The locally built image from Nix (name comes from Cargo.toml package.name)
-          LOCAL_IMAGE="phundrak/phundrak-dot-com-backend:latest"
+      #     # The locally built image from Nix (name comes from Cargo.toml package.name)
+      #     LOCAL_IMAGE="phundrak/phundrak-dot-com-backend:latest"

-          echo "Event: ${{ github.event_name }}"
-          echo "Ref: ${{ github.ref }}"
-          echo "Ref type: ${{ github.ref_type }}"
+      #     echo "Event: ${{ github.event_name }}"
+      #     echo "Ref: ${{ github.ref }}"
+      #     echo "Ref type: ${{ github.ref_type }}"

-          # Determine which tags to push based on the event
-          if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_type }}" == "tag" ]]; then
-            # Tag push on main branch → publish 'latest' and versioned tag
-            echo "Tag push detected"
-            TAG_VERSION="${{ github.ref_name }}"
-            # Remove 'v' prefix if present (v1.0.0 → 1.0.0)
-            TAG_VERSION="${TAG_VERSION#v}"
+      #     # Determine which tags to push based on the event
+      #     if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_type }}" == "tag" ]]; then
+      #       # Tag push on main branch → publish 'latest' and versioned tag
+      #       echo "Tag push detected"
+      #       TAG_VERSION="${{ github.ref_name }}"
+      #       # Remove 'v' prefix if present (v1.0.0 → 1.0.0)
+      #       TAG_VERSION="${TAG_VERSION#v}"

-            echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:latest"
-            docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:latest"
-            docker push "${REGISTRY}/${IMAGE_NAME}:latest"
+      #       echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:latest"
+      #       docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:latest"
+      #       docker push "${REGISTRY}/${IMAGE_NAME}:latest"

-            echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:${TAG_VERSION}"
-            docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:${TAG_VERSION}"
-            docker push "${REGISTRY}/${IMAGE_NAME}:${TAG_VERSION}"
+      #       echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:${TAG_VERSION}"
+      #       docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:${TAG_VERSION}"
+      #       docker push "${REGISTRY}/${IMAGE_NAME}:${TAG_VERSION}"

-          elif [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/develop" ]]; then
-            # Push on develop branch → publish 'develop' tag
-            echo "Push to develop branch detected"
+      #     elif [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/develop" ]]; then
+      #       # Push on develop branch → publish 'develop' tag
+      #       echo "Push to develop branch detected"

-            echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:develop"
-            docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:develop"
-            docker push "${REGISTRY}/${IMAGE_NAME}:develop"
+      #       echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:develop"
+      #       docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:develop"
+      #       docker push "${REGISTRY}/${IMAGE_NAME}:develop"

-          elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            # Pull request → publish 'pr<number>' tag
-            echo "Pull request detected"
-            PR_NUMBER="${{ github.event.pull_request.number }}"
+      #     elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
+      #       # Pull request → publish 'pr<number>' tag
+      #       echo "Pull request detected"
+      #       PR_NUMBER="${{ github.event.pull_request.number }}"

-            echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:pr${PR_NUMBER}"
-            docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:pr${PR_NUMBER}"
-            docker push "${REGISTRY}/${IMAGE_NAME}:pr${PR_NUMBER}"
+      #       echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:pr${PR_NUMBER}"
+      #       docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:pr${PR_NUMBER}"
+      #       docker push "${REGISTRY}/${IMAGE_NAME}:pr${PR_NUMBER}"

-          elif [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then
-            # Push to main branch (not a tag) → publish 'latest'
-            echo "Push to main branch detected"
+      #     elif [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then
+      #       # Push to main branch (not a tag) → publish 'latest'
+      #       echo "Push to main branch detected"

-            echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:latest"
-            docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:latest"
-            docker push "${REGISTRY}/${IMAGE_NAME}:latest"
+      #       echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:latest"
+      #       docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:latest"
+      #       docker push "${REGISTRY}/${IMAGE_NAME}:latest"

-          else
-            echo "Unknown event or ref, skipping push"
-            exit 1
-          fi
+      #     else
+      #       echo "Unknown event or ref, skipping push"
+      #       exit 1
+      #     fi

-      - name: Log out from Docker Registry
-        if: always()
-        run: docker logout ${{ env.DOCKER_REGISTRY }}
+      # - name: Log out from Docker Registry
+      #   if: always()
+      #   run: docker logout ${{ env.DOCKER_REGISTRY }}
+
+      - name: Delete Docker image artifact
+        uses: geekyeggo/delete-artifact@v2
+        with:
+          name: docker-image

      - name: Image published successfully
        run: |