fix: added image signing and updated Postgres DOC-964 (#4) #7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release to Production | |
| on: | |
| push: | |
| branches: [main] | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| jobs: | |
| docker: | |
| name: "Release Docker image" | |
| runs-on: ubuntu-latest | |
| outputs: | |
| VERSION: ${{ steps.version.outputs.version }} | |
| steps: | |
| - id: checkout | |
| name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Nodejs | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 18 | |
| - name: Install dependencies | |
| run: npm ci | |
| - id: version | |
| name: Determine Release Version | |
| run: | | |
| npm ci | |
| npx semantic-release --dry-run | |
| cat VERSION.env | |
| source VERSION.env | |
| echo "::set-output name=version::$VERSION" | |
| - name: Set up QEMU | |
| if: ${{ steps.version.outputs.VERSION != ''}} | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Set up Docker Buildx | |
| if: ${{ steps.version.outputs.VERSION != ''}} | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Login to GHCR | |
| if: ${{ steps.version.outputs.VERSION != ''}} | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and Push Docker Image | |
| if: ${{ steps.version.outputs.VERSION != ''}} | |
| id: build-and-push | |
| uses: docker/build-push-action@v2 | |
| with: | |
| context: . | |
| build-args: VERSION=${{steps.version.outputs.VERSION}} | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ghcr.io/${{ github.repository }}:${{steps.version.outputs.VERSION}} | |
| - uses: sigstore/[email protected] | |
| - name: Image Signing | |
| run: | | |
| cosign sign --yes \ | |
| -a "repo=${{ github.repository }}" \ | |
| -a "workflow=${{ github.workflow }}" \ | |
| -a "ref=${{ github.sha }}" \ | |
| -a "owner=Spectro Cloud" \ | |
| --key env://COSIGN_PRIVATE_KEY --recursive "${TAGS}@${DIGEST}" | |
| env: | |
| TAGS: ghcr.io/${{ github.repository }}:${{steps.dependencies.outputs.VERSION}} | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| DIGEST: ${{ steps.build-and-push.outputs.digest }} | |
| - name: "release" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| npx semantic-release |