33# ===============================================================
44#
55# This workflow:
6- # • Restores / updates a local BuildKit layer cache ❄️
7- # • Builds the Docker image ( Containerfile.lite) 🏗️
8- # • Pushes it to IBM Container Registry (ICR) 📤
9- # • Creates or updates a Code Engine app 🚀
6+ # • Restores / updates a local ** BuildKit layer cache** ❄️
7+ # • Builds the Docker image from ** Containerfile.lite** 🏗️
8+ # • Pushes the image to ** IBM Container Registry (ICR)** 📤
9+ # • Creates / updates an **IBM Cloud Code Engine** app 🚀
1010#
11- # All sensitive values are read from GitHub **repository secrets**
12- # ┌────────────────────────────┬────────────────────────────────┐
13- # │ Secret name │ Example value │
14- # ├────────────────────────────┼────────────────────────────────┤
15- # │ IBM_CLOUD_API_KEY │ abcdef-123456… │
16- # │ IBM_CLOUD_REGION │ us-south │
17- # │ ICR_NAMESPACE │ myspace │
18- # │ REGISTRY_HOSTNAME │ us.icr.io │
19- # │ APP_NAME │ mcpgateway │
20- # │ CODE_ENGINE_PROJECT │ my-ce-project │
21- # │ CODE_ENGINE_REGISTRY_SECRET│ my-registry-secret │
22- # │ CODE_ENGINE_PORT │ "4444" │
23- # └────────────────────────────┴────────────────────────────────┘
11+ # ---------------------------------------------------------------
12+ # Required repository **secret**
13+ # ---------------------------------------------------------------
14+ # ┌────────────────────┬──────────────────────────────────────┐
15+ # │ Secret name │ Example value │
16+ # ├────────────────────┼──────────────────────────────────────┤
17+ # │ IBM_CLOUD_API_KEY │ abcdef-1234567890abcdef-1234567890 │
18+ # └────────────────────┴──────────────────────────────────────┘
19+ #
20+ # ---------------------------------------------------------------
21+ # Required repository **variables**
22+ # ---------------------------------------------------------------
23+ # ┌────────────────────────────┬──────────────────────────────┐
24+ # │ Variable name │ Example value │
25+ # ├────────────────────────────┼──────────────────────────────┤
26+ # │ IBM_CLOUD_REGION │ us-south │
27+ # │ REGISTRY_HOSTNAME │ us.icr.io │
28+ # │ ICR_NAMESPACE │ myspace │
29+ # │ APP_NAME │ mcpgateway │
30+ # │ CODE_ENGINE_PROJECT │ my-ce-project │
31+ # │ CODE_ENGINE_REGISTRY_SECRET│ my-registry-secret │
32+ # │ CODE_ENGINE_PORT │ "4444" │
33+ # └────────────────────────────┴──────────────────────────────┘
34+ # * Note: CODE_ENGINE_REGISTRY_SECRET is the name of the secret,
35+ # not the secret value.
36+ # Triggers:
37+ # • Every push to `main`
2438# ---------------------------------------------------------------
2539
2640name : Deploy to IBM Code Engine
2943 push :
3044 branches : [ "main" ]
3145
46+ # -----------------------------------------------------------------
47+ # Minimal permissions (Principle of Least Privilege)
48+ # -----------------------------------------------------------------
3249permissions :
33- contents : read # least-privilege
50+ contents : read
3451
52+ # -----------------------------------------------------------------
53+ # Global environment (secrets & variables)
54+ # -----------------------------------------------------------------
3555env :
3656 # Build metadata
37- GITHUB_SHA : ${{ github.sha }}
38- CACHE_DIR : /tmp/.buildx-cache # BuildKit layer cache dir
57+ GITHUB_SHA : ${{ github.sha }}
58+ CACHE_DIR : /tmp/.buildx-cache # BuildKit layer cache dir
3959
40- # IBM Cloud auth / region
60+ # IBM Cloud authentication (secret) & region (variable)
4161 IBM_CLOUD_API_KEY : ${{ secrets.IBM_CLOUD_API_KEY }}
42- IBM_CLOUD_REGION : ${{ secrets .IBM_CLOUD_REGION }}
62+ IBM_CLOUD_REGION : ${{ vars .IBM_CLOUD_REGION }}
4363
44- # Registry coords
45- REGISTRY_HOSTNAME : ${{ secrets .REGISTRY_HOSTNAME }}
46- ICR_NAMESPACE : ${{ secrets .ICR_NAMESPACE }}
64+ # Registry coordinates (variables)
65+ REGISTRY_HOSTNAME : ${{ vars .REGISTRY_HOSTNAME }}
66+ ICR_NAMESPACE : ${{ vars .ICR_NAMESPACE }}
4767
48- # Image / app naming
49- IMAGE_NAME : ${{ secrets .APP_NAME }}
50- IMAGE_TAG : ${{ github.sha }}
68+ # Image / app naming (variables)
69+ IMAGE_NAME : ${{ vars .APP_NAME }}
70+ IMAGE_TAG : ${{ github.sha }}
5171
52- # Code Engine deployment
53- CODE_ENGINE_APP_NAME : ${{ secrets .APP_NAME }}
54- CODE_ENGINE_PROJECT : ${{ secrets .CODE_ENGINE_PROJECT }}
55- CODE_ENGINE_REGISTRY_SECRET : ${{ secrets .CODE_ENGINE_REGISTRY_SECRET }}
56- PORT : ${{ secrets .CODE_ENGINE_PORT }}
72+ # Code Engine deployment (variables)
73+ CODE_ENGINE_APP_NAME : ${{ vars .APP_NAME }}
74+ CODE_ENGINE_PROJECT : ${{ vars .CODE_ENGINE_PROJECT }}
75+ CODE_ENGINE_REGISTRY_SECRET : ${{ vars .CODE_ENGINE_REGISTRY_SECRET }}
76+ PORT : ${{ vars .CODE_ENGINE_PORT }}
5777
5878jobs :
5979 build-push-deploy :
96116 ibmcloud --version
97117
98118# -----------------------------------------------------------
99- # 4️⃣ Authenticate to IBM Cloud & select CE project
119+ # 4️⃣ Authenticate to IBM Cloud & select Code Engine project
100120 # -----------------------------------------------------------
101121 - name : 🔐 IBM Cloud login
102122 run : |
@@ -106,7 +126,7 @@ jobs:
106126 ibmcloud ce project select --name "$CODE_ENGINE_PROJECT"
107127
108128# -----------------------------------------------------------
109- # 5️⃣ Build & tag image (uses cache, updates cache dir )
129+ # 5️⃣ Build & tag image (cache-aware )
110130 # -----------------------------------------------------------
111131 - name : 🏗️ Build Docker image (with cache)
112132 run : |
0 commit comments