From e72b6330c2525b3107556068af3c58bf5bffec21 Mon Sep 17 00:00:00 2001
From: Lucien Cartier-Tilet
Date: Thu, 27 Nov 2025 15:39:36 +0100
Subject: [PATCH] chore: better action workflow

---
 .github/workflows/action.yml | 124 +++++++++++++++++++++++++
 .github/workflows/publish-docker.yml | 132 ---------------------------
 2 files changed, 124 insertions(+), 132 deletions(-)
 create mode 100644 .github/workflows/action.yml
 delete mode 100644 .github/workflows/publish-docker.yml

diff --git a/.github/workflows/action.yml b/.github/workflows/action.yml
new file mode 100644
index 0000000..913e79b
--- /dev/null
+++ b/.github/workflows/action.yml
@@ -0,0 +1,124 @@ +name: Publish Docker Images + +on: + push: + branches: + - main + - develop + tags: + - 'v*.*.*' + pull_request: + types: [opened, synchronize, reopened] + +env: + CACHIX_NAME: devenv + DOCKER_REGISTRY: labs.phundrak.com # Override in repository settings if needed + IMAGE_NAME: phundrak/bakit + +jobs: + coverage-and-sonar: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install Nix + uses: cachix/install-nix-action@v27 + with: + nix_path: nixpkgs=channel:nixos-unstable + + - name: Setup Cachix + uses: cachix/cachix-action@v15 + with: + name: '${{ env.CACHIX_NAME }}' + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + skipPush: ${{ github.event_name == 'pull_request' }} + + - name: Coverage + run: | + nix develop --no-pure-eval --accept-flake-config --command just coverage + + - name: Sonar analysis + uses: SonarSource/sonarqube-scan-action@v6 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + + build-docker: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Required for pushing to Phundrak Labs registry + pull-requests: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install Nix + uses: cachix/install-nix-action@v27 + with: + nix_path: nixpkgs=channel:nixos-unstable + + - name: Setup Cachix + uses: cachix/cachix-action@v15 + with: + name: '${{ env.CACHIX_NAME }}' + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + skipPush: ${{ github.event_name == 'pull_request' }} + + - name: Build Docker image with Nix + run: | + echo "Building Docker image..." 
+ nix build .#backendDockerLatest --accept-flake-config + cp -L result docker-image.tar.gz + + - name: Upload Docker image artifact + uses: actions/upload-artifact@v3 + with: + name: docker-image + path: docker-image.tar.gz + retention-days: 1 + + push-docker: + needs: [coverage-and-sonar, build-docker] + runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Required for pushing to Phundrak Labs registry + + steps: + - name: Download Docker image artifact + uses: actions/download-artifact@v3 + with: + name: docker-image + + - name: Load Docker image + run: | + echo "Loading Docker image into Docker daemon..." + docker load < docker-image.tar.gz + + - name: Push Docker tags + id: push + uses: https://labs.phundrak.com/phundrak/docker-push-action@v1 + with: + registry: ${{ env.DOCKER_REGISTRY }} + registry-username: ${{ secrets.DOCKER_USERNAME }} + registry-password: ${{ secrets.DOCKER_PASSWORD }} + image-name: ${{ env.IMAGE_NAME }} + local-image: phundrak/bakit:latest + event-name: ${{ github.event_name }} + ref: ${{ github.ref }} + ref-type: ${{ github.ref_type }} + ref-name: ${{ github.ref_name }} + pr-number: ${{ github.event.pull_request.number }} + + - name: Image published successfully + run: | + echo "✅ Docker image(s) published successfully to ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}" diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml deleted file mode 100644 index afb3b12..0000000 --- a/.github/workflows/publish-docker.yml +++ /dev/null 
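Review bot: The `push-docker` job hands `DOCKER_USERNAME`/`DOCKER_PASSWORD` to a third-party action fetched from an external forge by a mutable tag, `uses: https://labs.phundrak.com/phundrak/docker-push-action@v1`, so whoever can move that tag can run code with the registry credentials; pin it to a full commit SHA instead, e.g. `uses: https://labs.phundrak.com/phundrak/docker-push-action@<full-commit-sha>  # v1`. The URL form of `uses:` is Forgejo/Gitea Actions syntax, which fits the registry host, but it will not resolve if this file is ever executed by GitHub Actions. `packages: write` ("Required for pushing to Phundrak Labs registry") is granted to both `build-docker`, which pushes nothing, and `push-docker`, which authenticates to the external registry with its own secrets rather than the workflow token, so both jobs appear to need only `contents: read`. Because the `pull_request` trigger reaches `push-docker` and publishes `pr<N>` tags, consider whether PRs from forks should be able to trigger a push at all; on GitHub the secrets are withheld for fork PRs and the job would fail at login, while on a self-hosted forge the outcome depends on its settings. `actions/upload-artifact@v3`/`actions/download-artifact@v3` are deprecated on GitHub-hosted runners; v4 is the supported line.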
@@ -1,132 +0,0 @@ -name: Publish Docker Images - -on: - push: - branches: - - main - - develop - tags: - - 'v*.*.*' - pull_request: - types: [opened, synchronize, reopened] - -env: - CACHIX_NAME: devenv - DOCKER_REGISTRY: labs.phundrak.com # Override in repository settings if needed - IMAGE_NAME: phundrak/phundrak-dot-com-backend - -jobs: - build-and-publish: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write # Required for pushing to Phundrak Labs registry - pull-requests: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Install Nix - uses: cachix/install-nix-action@v27 - with: - nix_path: nixpkgs=channel:nixos-unstable - - - name: Setup Cachix - uses: cachix/cachix-action@v15 - with: - name: '${{ env.CACHIX_NAME }}' - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - skipPush: ${{ github.event_name == 'pull_request' }} - - - name: Coverage - run: | - nix develop --no-pure-eval --command just coverage - - - name: Sonar analysis - uses: SonarSource/sonarqube-scan-action@v6 - env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - - - name: Build Docker image with Nix - run: | - echo "Building Docker image..." - nix build .#backendDockerLatest --accept-flake-config - - - name: Load Docker image - run: | - echo "Loading Docker image into Docker daemon..." 
- docker load < result - - - name: Log in to Docker Registry - run: | - echo "${{ secrets.DOCKER_PASSWORD }}" | docker login ${{ env.DOCKER_REGISTRY }} -u ${{ secrets.DOCKER_USERNAME }} --password-stdin - - - name: Determine tags and push images - run: | - set -euo pipefail - - REGISTRY="${{ env.DOCKER_REGISTRY }}" - IMAGE_NAME="${{ env.IMAGE_NAME }}" - - # The locally built image from Nix (name comes from Cargo.toml package.name) - LOCAL_IMAGE="phundrak/phundrak-dot-com-backend:latest" - - echo "Event: ${{ github.event_name }}" - echo "Ref: ${{ github.ref }}" - echo "Ref type: ${{ github.ref_type }}" - - # Determine which tags to push based on the event - if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_type }}" == "tag" ]]; then - # Tag push on main branch → publish 'latest' and versioned tag - echo "Tag push detected" - TAG_VERSION="${{ github.ref_name }}" - # Remove 'v' prefix if present (v1.0.0 → 1.0.0) - TAG_VERSION="${TAG_VERSION#v}" - - echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:latest" - docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:latest" - docker push "${REGISTRY}/${IMAGE_NAME}:latest" - - echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:${TAG_VERSION}" - docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:${TAG_VERSION}" - docker push "${REGISTRY}/${IMAGE_NAME}:${TAG_VERSION}" - - elif [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/develop" ]]; then - # Push on develop branch → publish 'develop' tag - echo "Push to develop branch detected" - - echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:develop" - docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:develop" - docker push "${REGISTRY}/${IMAGE_NAME}:develop" - - elif [[ "${{ github.event_name }}" == "pull_request" ]]; then - # Pull request → publish 'pr' tag - echo "Pull request detected" - PR_NUMBER="${{ github.event.pull_request.number }}" - - echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:pr${PR_NUMBER}" - docker 
tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:pr${PR_NUMBER}" - docker push "${REGISTRY}/${IMAGE_NAME}:pr${PR_NUMBER}" - - elif [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then - # Push to main branch (not a tag) → publish 'latest' - echo "Push to main branch detected" - - echo "Tagging and pushing: ${REGISTRY}/${IMAGE_NAME}:latest" - docker tag "${LOCAL_IMAGE}" "${REGISTRY}/${IMAGE_NAME}:latest" - docker push "${REGISTRY}/${IMAGE_NAME}:latest" - - else - echo "Unknown event or ref, skipping push" - exit 1 - fi - - - name: Log out from Docker Registry - if: always() - run: docker logout ${{ env.DOCKER_REGISTRY }} - - - name: Image published successfully - run: | - echo "✅ Docker image(s) published successfully to ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}"