feat(workflows): add release workflow for Docker images

Ansonhkg · Ansonhkg · commit 84edc9b3875a · 2025-09-26T15:42:39.000+01:00
diff --git a/.github/workflows/release-docker-images.yml b/.github/workflows/release-docker-images.yml
@@ -0,0 +1,96 @@
+name: Release Docker Images
+
+on:
+  workflow_dispatch:
+    inputs:
+      auth-server-released:
+        description: 'Set to true to push docker images.'
+        required: true
+        type: boolean
+        default: false
+      custom-tag:
+        description: 'Optional tag name to apply in addition to ref/sha tags.'
+        required: false
+        default: ''
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  NODE_VERSION: '22.18.0'
+  PNPM_VERSION: 9.15.0
+
+jobs:
+  docker-images:
+    name: Build and Push
+    if: ${{ github.event.inputs.auth-server-released == 'true' }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        app: [lit-auth-server, lit-login-server]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: Setup PNPM
+        uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - name: Install project dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ secrets.GHCR_USERNAME || github.repository_owner }}
+          password: ${{ secrets.GHCR_TOKEN || secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/lit-protocol/${{ matrix.app }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=tag
+            type=sha
+            type=raw,value=latest
+
+      - name: Build image with Nx target
+        run: pnpm nx run ${{ matrix.app }}:docker-build
+
+      - name: Tag and push image
+        env:
+          IMAGE_NAME: ${{ matrix.app }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+          CUSTOM_TAG: ${{ github.event.inputs.custom-tag }}
+        run: |
+          tags_to_push="$TAGS"
+          if [ -n "$CUSTOM_TAG" ]; then
+            tags_to_push="$tags_to_push"$'\n'"ghcr.io/lit-protocol/${IMAGE_NAME}:$CUSTOM_TAG"
+          fi
+          echo "$tags_to_push" | while IFS= read -r tag; do
+            [ -z "$tag" ] && continue
+            docker tag "$IMAGE_NAME" "$tag"
+            docker push "$tag"
+          done
+
+  skip:
+    name: Skip Docker Release
+    if: ${{ github.event.inputs.auth-server-released != 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Skipping docker image publish because auth-server release flag is false."
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,6 +14,10 @@ permissions:
 jobs:
   release:
     runs-on: ubuntu-latest
+    # Enable this when we want to implement docker image release
+    # outputs:
+    #   published: ${{ steps.changesets.outputs.published }}
+    #   auth_server_published: ${{ steps.auth_server_release.outputs.published }}
     steps:
       - name: Check NPM Token
         run: |
@@ -78,3 +82,22 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+
+      # - Was lit-auth-server part of the most recent release?
+      # - Capture published packages
+      # - Fallback to empty array if nothing was published
+      # - Search for the specific package
+      # - Using jq, it inspects the JSON array of published packages, checking if any have a .name equal to either lit-auth-server or @lit-protocol/lit-auth-server.
+      # - If the package is found, it writes published=true into the GitHub Actions step output.
+      # - name: Check for lit-auth-server release
+      #   id: auth_server_release
+      #   run: |
+      #     packages='${{ steps.changesets.outputs.publishedPackages }}'
+      #     if [ -z "$packages" ]; then
+      #       packages='[]'
+      #     fi
+      #     if echo "$packages" | jq -e '.[] | select(.name == "lit-auth-server" or .name == "@lit-protocol/lit-auth-server")' > /dev/null; then
+      #       echo "published=true" >> "$GITHUB_OUTPUT"
+      #     else
+      #       echo "published=false" >> "$GITHUB_OUTPUT"
+      #     fi
diff --git a/README.md b/README.md
@@ -98,6 +98,13 @@ git commit -m "chore: release v0.0.1"
 bunx changeset publish
 ```
 
+## Releasing Docker Images
+
+- Trigger the `Release Docker Images` GitHub Action (`.github/workflows/release-docker-images.yml`) from the Actions tab once the desired changes are on the branch you want to release from.
+- When starting the workflow, select the branch ref, set `auth-server-released` to true, and optionally provide a `custom-tag` to add an extra image tag alongside the branch/commit/`latest` tags.
+- The job builds both `lit-auth-server` and `lit-login-server` via their Nx `docker-build` targets and pushes images to `ghcr.io/lit-protocol/<app>` using the repo's `GITHUB_TOKEN` (or the `GHCR_USERNAME`/`GHCR_TOKEN` secrets if you supply them).
+- Leave `auth-server-released` unchecked to perform a no-op dry run and confirm the workflow is available without publishing images.
+
 ## Keeping the contract address and ABIs in sync with the latest changes
 
 This command must be run manually and is NOT part of the build process, as it requires a GitHub API key.
