nhs-notify-devcontainers/.github/workflows/cicd.yaml at main · NHSDigital/nhs-notify-devcontainers · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json

name: Create and publish a Docker image

# Configures this workflow to run every time a change is pushed to the branch called `release`.
on:
  workflow_dispatch:
  push:
    branches:
      - 'main'
      - 'releases/**'
    tags:
      - 'v*'
  pull_request:
    branches:
      - 'main'

env:
  # Sets the Docker image tag to use for the image built in this workflow.
  features_dir: src/features
  base_dir: src/devcontainers
  context: .devcontainer
  workspace_folder: .
  readme: README.md
  registry: ghcr.io
  dockerfile: Dockerfile
  server: https://github.com
  org: NHSDigital
  repository: nhs-notify-devcontainers
  vendor: NHS England
  node_version: 24
  temp_dockerfile: /tmp/Dockerfile.source
  image_prefix: nhsdigital/nhs-notify-devcontainer-
  workflow_path: .github/workflows/cicd.yaml

  # There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
jobs:
  deploy-nhs-notify-feature:
    if: ${{ github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: write
      pull-requests: write

    steps:
      - uses: actions/checkout@v3
      - uses: dorny/paths-filter@v3
        id: changes
        with:
          filters: |
            src:
              - '${{ env.features_dir }}/**'
              - '${{ env.workflow_path }}'

      - if: ${{steps.changes.outputs.src == 'true' || startsWith(github.ref, 'refs/tags/v')}}
        name: "Publish Features"
        uses: devcontainers/action@v1
        with:
          publish-features: "true"
          base-path-to-features: "./${{ env.features_dir }}"
          generate-docs: "false"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  check-if-changed:
      needs: deploy-nhs-notify-feature
      if: ${{!cancelled() && (needs.deploy-nhs-notify-feature.result == 'success' || needs.deploy-nhs-notify-feature.result == 'skipped')}}
      permissions:
        contents: read
      runs-on: ubuntu-latest
      outputs:
        src: ${{ steps.changes.outputs.src }}
      steps:
      - uses: actions/checkout@v3
      - uses: dorny/paths-filter@v3
        id: changes
        with:
          filters: |
            src:
              - '${{env.base_dir}}/**'
              - '${{ env.workflow_path }}'

  build-and-push-image:
    if: ${{ !cancelled() && (needs.check-if-changed.outputs.src == 'true' || startsWith(github.ref, 'refs/tags/v')) }}
    needs: check-if-changed
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      max-parallel: 1

      matrix:
        include:
          - container_name: base
            title: NHS Notifiy Devcontainer Base Image
            description: Base development container for NHS Notify projects
          - container_name: default
            title: NHS Notifiy Devcontainer Default Image
            description: Default development container for NHS Notify projects
          - container_name: loaded-codespaces
            title: NHS Notifiy Devcontainer Loaded Image
            description: Loaded development container for NHS Notify projects for codespace development
          - container_name: loaded
            title: NHS Notifiy Devcontainer Loaded Image
            description: Loaded development container for NHS Notify projects for local development including useful local bind mounts
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v5

      - name: Log in to the Container registry
        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
        with:
          registry: ${{ env.registry }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: actions/setup-node@v6
        with:
          node-version: ${{ env.node_version }}

      - if: ${{!startsWith(github.ref, 'refs/tags/v')}}
        name: Build default
        working-directory: ${{env.base_dir}}/${{ matrix.container_name }}
        run: |
          BRANCH=${{ github.ref_name }}
          make build BASE_IMAGE_TAG=$BRANCH IMAGE_NAME=${{ env.registry }}/${{ env.image_prefix }}${{ matrix.container_name }} WORKSPACE_FOLDER=${{ env.workspace_folder }}

      - if: ${{startsWith(github.ref, 'refs/tags/v')}}
        name: Build lock base image tags to same version
        working-directory: ${{env.base_dir}}/${{ matrix.container_name }}
        run: |
          TAG=${{ github.ref_name }}
          TAG_VERSION=${TAG#v}
          make build BASE_IMAGE_TAG=$TAG_VERSION IMAGE_NAME=${{ env.registry }}/${{ env.image_prefix }}${{ matrix.container_name }} WORKSPACE_FOLDER=${{ env.workspace_folder }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
        with:
          images: ${{ env.registry }}/${{ env.image_prefix }}${{ matrix.container_name }}
          flavor: |
            latest=auto
          tags: |
            type=schedule
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=ref,event=branch
            type=ref,event=pr
            type=sha
          labels: |
            org.opencontainers.image.title= ${{ matrix.title }}
            org.opencontainers.image.description=${{ matrix.description }}
            org.opencontainers.image.vendor=${{ env.vendor }}
            org.opencontainers.image.url=${{ env.server }}/${{ env.org }}/${{ env.repository }}/blob/main/${{ env.base_dir }}/${{matrix.container_name}}/${{ env.readme }}
            org.opencontainers.image.source=${{ env.server }}/${{ env.org }}/${{ env.repository }}/tree/main/${{ env.base_dir }}/${{matrix.container_name}}/

      - name: create temp dockerfile source
        run: echo 'FROM ${{ env.registry }}/${{ env.image_prefix }}${{ matrix.container_name }}' > ${{ env.temp_dockerfile }}

      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
        with:
          context: .
          file: ${{ env.temp_dockerfile }}
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v3
        with:
          subject-name: ${{ env.registry }}/${{ env.image_prefix }}${{ matrix.container_name }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: false