push.yml
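# Reusable workflow (triggered only through `workflow_call`) whose single job
# pushes previously built Docker images to a private and a public registry.
# The tag inputs are consumed one tag per line by the push steps in the job.
# NOTE(review): the workflow is named "Test" although its only job pushes
# images; confirm the name is intentional before relying on it in dashboards.
name: Test
on:
  workflow_call:
    inputs:
      activitypub-private-tags:
        description: ActivityPub Docker image tags for private registry
        required: true
        type: string
      activitypub-public-tags:
        description: ActivityPub Docker image tags for public registry
        required: false
        type: string
      # NOTE(review): no step in this file reads this input; confirm whether
      # it is still needed by callers.
      activitypub-public-labels:
        description: ActivityPub Docker image labels for public registry
        required: false
        type: string
      activitypub-migrations-private-tags:
        description: ActivityPub Migrations Docker image tags for private registry
        required: true
        type: string
      activitypub-migrations-public-tags:
        description: ActivityPub Migrations Docker image tags for public registry
        required: false
        type: string
      # NOTE(review): no step in this file reads this input either.
      activitypub-migrations-public-labels:
        description: ActivityPub Migrations Docker image labels for public registry
        required: false
        type: string

# Token scopes requested for the job:
#   id-token: write - allows requesting a GitHub OIDC token, which the GCP
#                     auth step exchanges through the workload identity provider.
#   packages: write - allows GITHUB_TOKEN to push images to ghcr.io.
# Scopes that are not listed here are not granted, and a called workflow
# cannot receive more than its caller passes down.
permissions:
  id-token: write
  packages: write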
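jobs:
  # Loads the image tarballs produced earlier in the pipeline and pushes them.
  # The private registry push runs on every invocation; the GHCR login and the
  # public pushes run only for the main branch or for refs/tags/v* refs.
  push-main-images:
    name: Push Docker Images
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to full commit SHAs (the trailing
      # comment records the major version), so a moved tag cannot change the
      # code that runs with this job's credentials.
      - name: Download ActivityPub image
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: activitypub-amd64
          path: /tmp

      - name: Download Migrations image
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: activitypub-migrations-amd64
          path: /tmp

      # Keyless authentication: the job's OIDC token is exchanged for a
      # short-lived access token, so no service-account key is stored as a
      # repository secret.
      # NOTE(review): the service account name suggests a Terraform CI/CD
      # identity; confirm its roles are limited to what an image push needs.
      - name: Authenticate with GCP
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
        id: gcp-auth
        with:
          token_format: access_token
          workload_identity_provider: projects/687476608778/locations/global/workloadIdentityPools/github-oidc-activitypub/providers/github-provider-activitypub
          service_account: cicd-activitypub-terraform@ghost-activitypub.iam.gserviceaccount.com

      - name: Login to GCP Artifact Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: europe-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.gcp-auth.outputs.access_token }}

      # Step name previously ended with a stray double quote.
      - name: Login to GitHub Container Registry
        if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # In the push steps below the workflow inputs are handed to the shell
      # through `env:` rather than written as `${{ inputs.* }}` inside the
      # script. An expression inside `run:` is substituted into the script text
      # before the shell parses it, so a value containing shell metacharacters
      # would be interpreted as code; an environment variable is only ever data.
      # Every expansion is quoted and blank lines are skipped in all four loops.
      - name: Push ActivityPub Docker image to private registry
        env:
          PRIVATE_TAGS: ${{ inputs.activitypub-private-tags }}
        run: |
          docker load < /tmp/activitypub-amd64.tar
          printf '%s\n' "$PRIVATE_TAGS" | while read -r tag; do
            [ -n "$tag" ] || continue
            docker push "$tag"
          done

      # Retags the first non-empty private tag for the public registry. No
      # `docker load` here: this step relies on the image loaded by the
      # preceding private-registry step.
      - name: Push ActivityPub Docker image to public registry
        if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
        env:
          PRIVATE_TAGS: ${{ inputs.activitypub-private-tags }}
          PUBLIC_TAGS: ${{ inputs.activitypub-public-tags }}
        run: |
          source_tag=$(printf '%s\n' "$PRIVATE_TAGS" | awk 'NF { print; exit }')
          if [ -z "$source_tag" ]; then
            echo "Failed to find a private ActivityPub image tag to retag for GHCR"
            exit 1
          fi
          printf '%s\n' "$PUBLIC_TAGS" | while read -r tag; do
            [ -n "$tag" ] || continue
            docker tag "$source_tag" "$tag"
            docker push "$tag"
          done

      - name: Push Migrations Docker image to private registry
        env:
          PRIVATE_TAGS: ${{ inputs.activitypub-migrations-private-tags }}
        run: |
          docker load < /tmp/activitypub-migrations-amd64.tar
          printf '%s\n' "$PRIVATE_TAGS" | while read -r tag; do
            [ -n "$tag" ] || continue
            docker push "$tag"
          done

      # Same retag-and-push flow as the ActivityPub public step, applied to
      # the migrations image loaded by the step above.
      - name: Push Migrations Docker image to public registry
        if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
        env:
          PRIVATE_TAGS: ${{ inputs.activitypub-migrations-private-tags }}
          PUBLIC_TAGS: ${{ inputs.activitypub-migrations-public-tags }}
        run: |
          source_tag=$(printf '%s\n' "$PRIVATE_TAGS" | awk 'NF { print; exit }')
          if [ -z "$source_tag" ]; then
            echo "Failed to find a private migrations image tag to retag for GHCR"
            exit 1
          fi
          printf '%s\n' "$PUBLIC_TAGS" | while read -r tag; do
            [ -n "$tag" ] || continue
            docker tag "$source_tag" "$tag"
            docker push "$tag"
          done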