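---
# CI pipeline: validates the Helm chart, builds the frontend, and builds,
# scans and (on push events only) publishes the backend container image
# to GHCR.
name: Build and Release

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
    tags:
      - "v*"
  workflow_dispatch:

# Least privilege by default: the whole workflow runs with a read-only
# GITHUB_TOKEN. Only build-backend pushes to GHCR, so only that job raises
# `packages` to write (see its job-level `permissions` below).
permissions:
  contents: read

# One active run per PR (or per ref for pushes); a newer run cancels the
# older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  validate-helm:
    name: Validate Helm chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # TODO(review): pin to a commit SHA like the other third-party
        # actions in this file; a mutable tag can be moved upstream.
        uses: actions/checkout@v6
      - name: Set up Helm
        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
      - name: Lint chart
        run: helm lint deploy/helm/digest-engine
      # The rendered manifests are only written to /tmp so that a template
      # error fails the job; nothing else in this workflow consumes them.
      - name: Render chart
        run: >-
          helm template digest-engine deploy/helm/digest-engine
          -f deploy/helm/digest-engine/values-minikube.yaml
          > /tmp/digest-engine-chart.yaml
      - name: Render staging overlay
        run: >-
          helm template digest-engine-staging deploy/helm/digest-engine
          -f deploy/helm/digest-engine/values-staging.yaml
          > /tmp/digest-engine-staging-chart.yaml

  build-frontend:
    name: Build frontend
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # TODO(review): pin to a commit SHA like the other third-party
        # actions in this file.
        uses: actions/checkout@v6
      - name: Set up pnpm
        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          version: "11.1.2"
      - name: Set up Node.js
        # TODO(review): pin to a commit SHA like the other third-party
        # actions in this file.
        uses: actions/setup-node@v6
        with:
          node-version: "24"
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml
      - name: Install frontend dependencies
        run: pnpm install --filter=@digestengine/frontend --frozen-lockfile
      # NEXTAUTH_SECRET here is a throwaway placeholder so the build has a
      # value to read; it is not a deployment secret and must not be reused
      # outside CI.
      - name: Prepare frontend env
        working-directory: frontend
        run: |
          cp .env.example .env.local
          echo "NEXTAUTH_SECRET=ci-build-secret" >> .env.local
      - name: Build frontend
        env:
          NEXT_PUBLIC_API_URL: "http://localhost:8000"
          NEXTAUTH_URL: "http://localhost:3000"
          NEXTAUTH_SECRET: ci-build-secret
        run: pnpm --filter=@digestengine/frontend run build

  build-backend:
    name: Build and scan backend image
    runs-on: ubuntu-latest
    # NOTE(review): there is no `needs:` here, so on a push the image is
    # published even if validate-helm or build-frontend fail in the same
    # run; add `needs: [validate-helm, build-frontend]` if publishing
    # should gate on them.
    # This is the only job that writes to the registry, so it is the only
    # job holding packages:write.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        # TODO(review): pin to a commit SHA like the other third-party
        # actions in this file.
        uses: actions/checkout@v6
      - name: Build backend image
        env:
          DOCKER_BUILDKIT: "1"
        # GITHUB_SHA is read from the runner environment rather than
        # interpolated with ${{ }} so the shell command never embeds an
        # expression; the publish step below already uses the same form.
        run: docker build -t "digest-engine-ci:${GITHUB_SHA}" -f docker/web/Dockerfile .
      # Gate: a HIGH/CRITICAL finding that has a fix available fails the
      # job (exit-code 1), so the login and publish steps below never run
      # for an image that fails the scan.
      - name: Scan backend image with Trivy
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          image-ref: digest-engine-ci:${{ github.sha }}
          scan-type: image
          scanners: vuln
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"
      # Registry access only for push events (main or a v* tag); PR runs
      # never authenticate or publish.
      - name: Log in to GHCR
        if: github.event_name == 'push'
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Publish backend image
        if: github.event_name == 'push'
        env:
          IMAGE_REPOSITORY: ghcr.io/${{ github.repository_owner }}/digest-engine
        run: |
          set -euo pipefail
          # Image repository paths must be lowercase; the GitHub owner
          # name is not guaranteed to be, so normalise before tagging.
          repo="${IMAGE_REPOSITORY,,}"
          docker tag "digest-engine-ci:${GITHUB_SHA}" "${repo}:${GITHUB_SHA}"
          docker push "${repo}:${GITHUB_SHA}"
          if [[ "${GITHUB_REF}" == "refs/heads/main" ]]; then
            docker tag "digest-engine-ci:${GITHUB_SHA}" "${repo}:main"
            docker push "${repo}:main"
          fi
          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
            version_tag="${GITHUB_REF#refs/tags/}"
            docker tag "digest-engine-ci:${GITHUB_SHA}" "${repo}:${version_tag}"
            docker push "${repo}:${version_tag}"
            # NOTE(review): every v* tag push also moves `latest`,
            # including out-of-order or backport tags; confirm that is
            # intended.
            docker tag "digest-engine-ci:${GITHUB_SHA}" "${repo}:latest"
            docker push "${repo}:latest"
          fi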