From 86a150bab0a95c104a7b9d32587d61bd309cee54 Mon Sep 17 00:00:00 2001 From: Pascal Andy Date: Mon, 9 Jun 2025 09:02:03 -0400 Subject: [PATCH 1/6] Update ghostfire to version 5.111.0 --- .env | 2 +- v5/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.env b/.env index 6af76311..cd12e2a5 100644 --- a/.env +++ b/.env @@ -3,7 +3,7 @@ APP_NAME="ghostfire" GITHUB_USER="firepress-org" -APP_VERSION="5.120.3" +APP_VERSION="5.111.0" ### function options CFG_USE_GPG_SIGNATURE="false" diff --git a/v5/Dockerfile b/v5/Dockerfile index a44fd4e5..a5d11fc7 100755 --- a/v5/Dockerfile +++ b/v5/Dockerfile @@ -4,7 +4,7 @@ # 1a) ENV variables (core for all our projects at FirePress) # ---------------------------------------------- ARG APP_NAME="ghostfire" -ARG VERSION="5.120.3" +ARG VERSION="5.111.0" ARG GITHUB_USER="firepress-org" ARG DEFAULT_BRANCH="master" From fb3d5cc94176351a7b40857f60ecef229fb1fd25 Mon Sep 17 00:00:00 2001 From: Pascal Andy Date: Mon, 9 Jun 2025 09:09:01 -0400 Subject: [PATCH 2/6] Use bash and pipefail in Dockerfile (build stage) --- v5/Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/v5/Dockerfile b/v5/Dockerfile index a5d11fc7..18ae9833 100755 --- a/v5/Dockerfile +++ b/v5/Dockerfile @@ -100,6 +100,9 @@ RUN apk upgrade # ---------------------------------------------- FROM mynode AS builder +# Use bash for shell commands, and fail builds if any command in a pipeline fails +SHELL ["/bin/bash", "-o", "pipefail", "-c"] + RUN set -eux; \ npm install -g "ghost-cli@$GHOST_CLI_VERSION"; \ npm cache clean --force; \ From f49ae74b7eab7d86c7611c1621af1d558a83d261 Mon Sep 17 00:00:00 2001 From: Pascal Andy Date: Mon, 9 Jun 2025 09:11:46 -0400 Subject: [PATCH 3/6] Fix: Add SHELL directive to builder stage --- v5/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/v5/Dockerfile b/v5/Dockerfile index 18ae9833..ad432716 100755 --- a/v5/Dockerfile +++ b/v5/Dockerfile @@ -100,7 +100,7 @@ RUN apk upgrade # ---------------------------------------------- FROM mynode AS builder -# Use bash for shell commands, and fail builds if any command in a pipeline fails +# Use bash for shell commands, and fail builds if any command in a pipeline fails. SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN set -eux; \ From c2f0fe2f2cec253ecd664772266d92a01f1a8cdc Mon Sep 17 00:00:00 2001 From: Pascal Andy Date: Mon, 9 Jun 2025 09:14:03 -0400 Subject: [PATCH 4/6] remove bash and pipefail in Dockerfile (build stage) --- v5/Dockerfile | 3 --- 1 file changed, 3 deletions(-) diff --git a/v5/Dockerfile b/v5/Dockerfile index ad432716..a5d11fc7 100755 --- a/v5/Dockerfile +++ b/v5/Dockerfile @@ -100,9 +100,6 @@ RUN apk upgrade # ---------------------------------------------- FROM mynode AS builder -# Use bash for shell commands, and fail builds if any command in a pipeline fails. -SHELL ["/bin/bash", "-o", "pipefail", "-c"] - RUN set -eux; \ npm install -g "ghost-cli@$GHOST_CLI_VERSION"; \ npm cache clean --force; \ From f66764a4936584b3646ab546d90a14090bd01827 Mon Sep 17 00:00:00 2001 From: Pascal Andy Date: Mon, 9 Jun 2025 09:21:55 -0400 Subject: [PATCH 5/6] Use bash and pipefail in Dockerfile (build stage) --- v5/Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/v5/Dockerfile b/v5/Dockerfile index a5d11fc7..ad432716 100755 --- a/v5/Dockerfile +++ b/v5/Dockerfile @@ -100,6 +100,9 @@ RUN apk upgrade # ---------------------------------------------- FROM mynode AS builder +# Use bash for shell commands, and fail builds if any command in a pipeline fails. +SHELL ["/bin/bash", "-o", "pipefail", "-c"] + RUN set -eux; \ npm install -g "ghost-cli@$GHOST_CLI_VERSION"; \ npm cache clean --force; \ From accf8b252330243f5f43a2f06418ebd6fb837c99 Mon Sep 17 00:00:00 2001 From: Pascal Andy Date: Mon, 9 Jun 2025 09:24:56 -0400 Subject: [PATCH 6/6] Remove old Ghost v4 and v5 Debian workflows. --- .github/workflows/ghostv4.yml | 716 -------------------------- .github/workflows/ghostv5-debian.yml | 725 --------------------------- 2 files changed, 1441 deletions(-) delete mode 100755 .github/workflows/ghostv4.yml delete mode 100755 .github/workflows/ghostv5-debian.yml diff --git a/.github/workflows/ghostv4.yml b/.github/workflows/ghostv4.yml deleted file mode 100755 index 3a7494da..00000000 --- a/.github/workflows/ghostv4.yml +++ /dev/null @@ -1,716 +0,0 @@ -# The beauty of our CI setup is that it will build Dockerfile and set variables from the Dockerfile. -# by https://pascalandy.com at https://firepress.org -# GNU v3 https://github.com/firepress-org/ghostfire/blob/master/LICENSE - -# Difference between v4 and v5 ci -# pull_request branch = lts_v4 -# not push for standalone tags: edge or stable - -name: Ghost V4 alpine - -on: - pull_request: - branches: [lts_v4] - push: - tags: - - "4.*.*" - # branches: [master, main] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -env: - # needed to define path within 'uses' - SUB_DIR: "v4" - -defaults: - run: - shell: "bash -Eeuo pipefail -x {0}" - # works within 'run' but not with 'uses' - working-directory: "v4" - -jobs: - # ---------------------------------------------- - # SET VARIABLES - # More context about the way we set variables https://github.com/firepress-org/ghostfire/issues/46 - # ---------------------------------------------- - myvars: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: "0" - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Github Actions system status - uses: crazy-max/ghaction-github-status@v4.0.0 - with: - overall_threshold: minor - git_threshold: degraded_performance - actions_threshold: operational - - # Commits from a PR use docker image tag: edge - # When a PR is merge/rebase into master, the docker image tag: stable - - name: Create dir for our varz - run: mkdir -pv ~/varz - - name: edge | Set BRANCH_NAME - if: github.ref_type != 'tag' - run: echo "edge" > ~/varz/BRANCH_NAME - - name: stable | Set BRANCH_NAME - if: github.ref_type == 'tag' - run: echo "stable" > ~/varz/BRANCH_NAME - - - name: Define and save variables to disk - run: | - cat Dockerfile | grep APP_NAME= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/APP_NAME - cat Dockerfile | grep VERSION= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/VERSION - cat Dockerfile | grep DOCKERHUB_USER= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/DOCKERHUB_USER - cat Dockerfile | grep GITHUB_ORG= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/GITHUB_ORG - cat Dockerfile | grep GITHUB_REGISTRY= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/GITHUB_REGISTRY - echo "$(cat ~/varz/DOCKERHUB_USER)/$(cat ~/varz/APP_NAME)" > ~/varz/DKR_PREFIX - echo "ghcr.io/$(cat ~/varz/GITHUB_ORG)/$(cat ~/varz/GITHUB_REGISTRY)/$(cat ~/varz/APP_NAME)" > ~/varz/GPR_PREFIX - git rev-parse --short HEAD > ~/varz/SHORT_HASH_COMMIT - date "+%Y-%m-%d_%HH%M" > ~/varz/DATE - echo "$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)" > ~/varz/VERSION_HASH_ONLY - echo "$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)_$(cat ~/varz/DATE)" > ~/varz/VERSION_HASH_DATE - echo "$(cat ~/varz/APP_NAME):$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)" > ~/varz/_NOTI_MESSAGE - echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION)" > ~/varz/TAG_DKR_VERSION - echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/BRANCH_NAME)" > ~/varz/TAG_DKR_BRANCH_NAME - echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION_HASH_ONLY)" > ~/varz/TAG_DKR_VERSION_HASH_ONLY - echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION_HASH_DATE)" > ~/varz/TAG_DKR_VERSION_HASH_DATE - echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION)" > ~/varz/TAG_GPR_VERSION - echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/BRANCH_NAME)" > ~/varz/TAG_GPR_BRANCH_NAME - echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION_HASH_ONLY)" > ~/varz/TAG_GPR_VERSION_HASH_ONLY - echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION_HASH_DATE)" > ~/varz/TAG_GPR_VERSION_HASH_DATE - - name: Upload variables as artifact - uses: actions/upload-artifact@master - with: - name: variables_on_disk - path: ~/varz - - name: Expose variables to all jobs - id: myvars - run: | - echo "::set-output name=APP_NAME::$(cat ~/varz/APP_NAME)" - echo "::set-output name=VERSION::$(cat ~/varz/VERSION)" - echo "::set-output name=DOCKERHUB_USER::$(cat ~/varz/DOCKERHUB_USER)" - echo "::set-output name=GITHUB_ORG::$(cat ~/varz/GITHUB_ORG)" - echo "::set-output name=GITHUB_REGISTRY::$(cat ~/varz/GITHUB_REGISTRY)" - echo "::set-output name=DKR_PREFIX::$(cat ~/varz/DKR_PREFIX)" - echo "::set-output name=GPR_PREFIX::$(cat ~/varz/GPR_PREFIX)" - echo "::set-output name=SUB_DIR::$(cat ~/varz/SUB_DIR)" - echo "::set-output name=SHORT_HASH_COMMIT::$(cat ~/varz/SHORT_HASH_COMMIT)" - echo "::set-output name=DATE::$(cat ~/varz/DATE)" - echo "::set-output name=BRANCH_NAME::$(cat ~/varz/BRANCH_NAME)" - echo "::set-output name=VERSION_HASH_ONLY::$(cat ~/varz/VERSION_HASH_ONLY)" - echo "::set-output name=VERSION_HASH_DATE::$(cat ~/varz/VERSION_HASH_DATE)" - echo "::set-output name=_NOTI_MESSAGE::$(cat ~/varz/_NOTI_MESSAGE)" - echo "::set-output name=TAG_DKR_VERSION::$(cat ~/varz/TAG_DKR_VERSION)" - echo "::set-output name=TAG_DKR_BRANCH_NAME::$(cat ~/varz/TAG_DKR_BRANCH_NAME)" - echo "::set-output name=TAG_DKR_VERSION_HASH_ONLY::$(cat ~/varz/TAG_DKR_VERSION_HASH_ONLY)" - echo "::set-output name=TAG_DKR_VERSION_HASH_DATE::$(cat ~/varz/TAG_DKR_VERSION_HASH_DATE)" - echo "::set-output name=TAG_GPR_VERSION::$(cat ~/varz/TAG_GPR_VERSION)" - echo "::set-output name=TAG_GPR_BRANCH_NAME::$(cat ~/varz/TAG_GPR_BRANCH_NAME)" - echo "::set-output name=TAG_GPR_VERSION_HASH_ONLY::$(cat ~/varz/TAG_GPR_VERSION_HASH_ONLY)" - echo "::set-output name=TAG_GPR_VERSION_HASH_DATE::$(cat ~/varz/TAG_GPR_VERSION_HASH_DATE)" - outputs: - APP_NAME: ${{ steps.myvars.outputs.APP_NAME }} - VERSION: ${{ steps.myvars.outputs.VERSION }} - SUB_DIR: ${{ steps.myvars.outputs.SUB_DIR }} - DOCKERHUB_USER: ${{ steps.myvars.outputs.DOCKERHUB_USER }} - GITHUB_ORG: ${{ steps.myvars.outputs.GITHUB_ORG }} - GITHUB_REGISTRY: ${{ steps.myvars.outputs.GITHUB_REGISTRY }} - DKR_PREFIX: ${{ steps.myvars.outputs.DKR_PREFIX }} - GPR_PREFIX: ${{ steps.myvars.outputs.GPR_PREFIX }} - SHORT_HASH_COMMIT: ${{ steps.myvars.outputs.SHORT_HASH_COMMIT }} - DATE: ${{ steps.myvars.outputs.DATE }} - BRANCH_NAME: ${{ steps.myvars.outputs.BRANCH_NAME }} - VERSION_HASH_ONLY: ${{ steps.myvars.outputs.VERSION_HASH_ONLY }} - VERSION_HASH_DATE: ${{ steps.myvars.outputs.VERSION_HASH_DATE }} - _NOTI_MESSAGE: ${{ steps.myvars.outputs._NOTI_MESSAGE }} - TAG_DKR_VERSION: ${{ steps.myvars.outputs.TAG_DKR_VERSION }} - TAG_DKR_BRANCH_NAME: ${{ steps.myvars.outputs.TAG_DKR_BRANCH_NAME }} - TAG_DKR_VERSION_HASH_ONLY: ${{ steps.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} - TAG_DKR_VERSION_HASH_DATE: ${{ steps.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - TAG_GPR_VERSION: ${{ steps.myvars.outputs.TAG_GPR_VERSION }} - TAG_GPR_BRANCH_NAME: ${{ steps.myvars.outputs.TAG_GPR_BRANCH_NAME }} - TAG_GPR_VERSION_HASH_ONLY: ${{ steps.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} - TAG_GPR_VERSION_HASH_DATE: ${{ steps.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} - - # ---------------------------------------------- - # build / edge OR stable - # tags are not the same between edge or stable - # ---------------------------------------------- - build_edge: - needs: [myvars] - if: github.ref_type != 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 - with: - version: v0.6.0 - - uses: docker/login-action@v3.2.0 - with: - username: ${{ needs.myvars.outputs.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - uses: docker/login-action@v3.2.0 - with: - registry: ghcr.io - username: ${{ needs.myvars.outputs.GITHUB_ORG }} - password: ${{ secrets.TOKEN_GPR }} - - - name: Build and push image (edge) - uses: docker/build-push-action@v6 - with: - context: . - file: ./${{ env.SUB_DIR }}/Dockerfile - platforms: | - linux/amd64 - # linux/arm64/v8 - # linux/arm/v8 - # linux/arm/v7 - push: false - tags: | - ${{ github.run_id }} - # The order for matters for our CD down the line - cache-from: type=gha, scope=${{ github.workflow }} - cache-to: type=gha, scope=${{ github.workflow }}, mode=max - - - name: UAT run edge | Wait for container to run - timeout-minutes: 2 - # These two VAR are here to force SQLite over Mysql - # database__client=s - # database__connection__filename= - run: | - docker run -d --name ghostUAT -p 2368:2368 -e WEB_URL=http://localhost:2368 -e NODE_ENV=production -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db ${{ github.run_id }} - echo "--- Wait for ghostUAT --->" - until $(curl --output /dev/null --silent --head --fail http://localhost:2368); do - echo "--- ghostUAT is starting..." - sleep 1 - done; - echo "--- ghostUAT is running! --->" - - - name: UAT docker test edge | docker-library tests - # Ghost V5 grep "0o0o" - # Ghost V4 grep "Thoughts, stories and ideas" - # Ghost V3 grep "The professional publishing platform" - run: | - curl http://localhost:2368 | grep "Thoughts, stories and ideas" - git clone --depth 1 https://github.com/docker-library/official-images.git official-images - cp ./test/config.sh official-images/test/config.sh - official-images/test/run.sh ${{ github.run_id }} - - - name: Checkpoint | image ls - run: docker image ls - - build_stable: - needs: [myvars] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 - with: - version: v0.6.0 - - uses: docker/login-action@v3.2.0 - with: - username: ${{ needs.myvars.outputs.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - uses: docker/login-action@v3.2.0 - with: - registry: ghcr.io - username: ${{ needs.myvars.outputs.GITHUB_ORG }} - password: ${{ secrets.TOKEN_GPR }} - - - name: Build and push image (stable) - uses: docker/build-push-action@v6 - with: - context: . - file: ./${{ env.SUB_DIR }}/Dockerfile - platforms: | - linux/amd64 - # linux/arm64/v8 - # linux/arm/v8 - # linux/arm/v7 - push: true - tags: | - ${{ needs.myvars.outputs.TAG_DKR_VERSION }} - ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} - ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} - # The order for matters for our CD down the line - cache-from: type=gha, scope=${{ github.workflow }} - cache-to: type=gha, scope=${{ github.workflow }}, mode=max - - - name: UAT run stable | Wait for container to run - timeout-minutes: 2 - # These two VAR are here to force SQLite over Mysql - # database__client=s - # database__connection__filename= - run: | - docker run -d --name ghostUAT -p 2368:2368 -e WEB_URL=http://localhost:2368 -e NODE_ENV=production -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - echo "--- Wait for ghostUAT --->" - until $(curl --output /dev/null --silent --head --fail http://localhost:2368); do - echo "--- ghostUAT is starting..." - sleep 1 - done; - echo "--- ghostUAT is running! --->" - - - name: UAT docker test stable | docker-library tests - # Ghost V5 grep "0o0o" - # Ghost V4 grep "Thoughts, stories and ideas" - # Ghost V3 grep "The professional publishing platform" - run: | - curl http://localhost:2368 | grep "Thoughts, stories and ideas" - git clone --depth 1 https://github.com/docker-library/official-images.git official-images - cp ./test/config.sh official-images/test/config.sh - official-images/test/run.sh ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - - name: Checkpoint | image ls - run: docker image ls - - # ---------------------------------------------- - # UAT / edge OR stable - # This job is bypassed: weird bug on the uat job. Ci complain about docker login. So the UAT is under the build job. - # ---------------------------------------------- - - # ---------------------------------------------- - # Continuous Deployment / edge OR stable - # I duplicate this in two jobs to have a better visual representation - # ---------------------------------------------- - cd_edge: - needs: [build_edge] - if: github.ref_type != 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: cd edge - uses: appleboy/ssh-action@v1.0.3 - with: - host: ${{ secrets.NODE1 }} - port: ${{ secrets.SSH_PORT }} - username: ${{ secrets.SSH_USERNAME }} - key: ${{ secrets.SSH_KEY_ACTIONS }} - passphrase: ${{ secrets.SSH_KEY_ACTIONS_PASSPHRASE }} - script: | - ${{ secrets.SSH_CMD__UPDATE_DKR_IMG_EDGE }} - hostname - #sync: true - #host: "${{ secrets.NODE1 }},${{ secrets.NODE2 }},${{ secrets.NODE3 }}" - # alt projet: fifsky/ssh-action@master https://github.com/appleboy/ssh-action/issues/80#issuecomment-759473472 - - - name: Add a comment (from a PR) - run: | - echo '## For reference' >> $GITHUB_STEP_SUMMARY - echo 'Docker image: ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}' >> $GITHUB_STEP_SUMMARY - echo 'Please use docker images that were build from a tag. More details: https://github.com/firepress-org/ghostfire/issues/265' >> $GITHUB_STEP_SUMMARY - - cd_stable: - needs: [build_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: cd stable - uses: appleboy/ssh-action@v1.0.3 - with: - host: ${{ secrets.NODE1 }} - port: ${{ secrets.SSH_PORT }} - username: ${{ secrets.SSH_USERNAME }} - key: ${{ secrets.SSH_KEY_ACTIONS }} - passphrase: ${{ secrets.SSH_KEY_ACTIONS_PASSPHRASE }} - script: | - ${{ secrets.SSH_CMD__UPDATE_DKR_IMG_STABLE }} - hostname - - - name: Add a comment (from a tag) - run: | - echo '## Offical Docker Image :rocket:' >> $GITHUB_STEP_SUMMARY - echo 'Docker image: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}' >> $GITHUB_STEP_SUMMARY - - # ---------------------------------------------- - # Reviews - # ---------------------------------------------- - review_myvars: - needs: [myvars] - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Show variables - run: | - echo "Final Docker image name:" - echo "= = = = = = = = = =" - echo ${{ needs.myvars.outputs.TAG_DKR_VERSION }} - echo ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} - echo ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} - echo ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - echo ${{ needs.myvars.outputs.TAG_GPR_VERSION }} - echo ${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }} - echo ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} - echo ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} - echo "---" - echo "Core environment variables:" - echo "---" - echo "${{ env.SUB_DIR }} << SUB_DIR" - echo "${{ needs.myvars.outputs.APP_NAME }} << APP_NAME" - echo "${{ needs.myvars.outputs.DOCKERHUB_USER }} << DOCKERHUB_USER" - echo "${{ needs.myvars.outputs.GITHUB_ORG }} << GITHUB_ORG" - echo "${{ needs.myvars.outputs.GITHUB_REGISTRY }} << GITHUB_REGISTRY" - echo "${{ needs.myvars.outputs.DKR_PREFIX }} << DKR_PREFIX" - echo "${{ needs.myvars.outputs.GPR_PREFIX }} << GPR_PREFIX" - echo "${{ needs.myvars.outputs.VERSION }} << VERSION" - echo "${{ needs.myvars.outputs.SHORT_HASH_COMMIT }} << SHORT_HASH_COMMIT" - echo "${{ needs.myvars.outputs.DATE }} << DATE" - echo "${{ needs.myvars.outputs.BRANCH_NAME }} << BRANCH_NAME" - echo "${{ needs.myvars.outputs.VERSION_HASH_ONLY }} << VERSION_HASH_ONLY" - echo "${{ needs.myvars.outputs.VERSION_HASH_DATE }} << VERSION_HASH_DATE" - echo "${{ needs.myvars.outputs._NOTI_MESSAGE }} << _NOTI_MESSAGE" - echo "---" - echo "Environment variables provided Github Actions :" - echo "---" - echo "${GITHUB_WORKFLOW} << GITHUB_WORKFLOW" - echo "${GITHUB_RUN_ID} << GITHUB_RUN_ID" - echo "${GITHUB_RUN_NUMBER} << GITHUB_RUN_NUMBER" - echo "${GITHUB_JOB} << GITHUB_JOB" - echo "${GITHUB_ACTION} << GITHUB_ACTION" - echo "${GITHUB_ACTOR} << GITHUB_ACTOR" - echo "${GITHUB_REPOSITORY} << GITHUB_REPOSITORY" - echo "${GITHUB_EVENT_NAME} << GITHUB_EVENT_NAME" - echo "${GITHUB_EVENT_PATH} << GITHUB_EVENT_PATH" - echo "${GITHUB_WORKSPACE} << GITHUB_WORKSPACE" - echo "${GITHUB_SHA} << GITHUB_SHA" - echo "${GITHUB_REF} << GITHUB_REF" - echo "${GITHUB_SERVER_URL} << GITHUB_SERVER_URL" - echo "${GITHUB_API_URL} << GITHUB_API_URL" - echo "${GITHUB_GRAPHQL_URL} << GITHUB_GRAPHQL_URL" - echo "${RUNNER_OS} << RUNNER_OS" - echo "${RUNNER_TEMP} << RUNNER_TEMP" - echo "${RUNNER_TOOL_CACHE} << RUNNER_TOOL_CACHE" - echo "${GITHUB_ACTIONS} << GITHUB_ACTIONS" - - # https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#context-availability - # if: github.event_name != 'pull_request' - # if: ${{ github.ref == 'refs/heads/main' }} - # $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID - - review_snyk_opt: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Checkpoint | Scanner by Snyk - # https://github.com/snyk/actions/tree/master/docker - uses: snyk/actions/docker@0.4.0 - # Snyk can be used to break the build when it detects vulnerabilities. - # In this case we want to upload the issues to GitHub Code Scanning - continue-on-error: true - env: - # In order to use the Snyk Action you will need to have a Snyk API token. - # More details in https://github.com/snyk/actions#getting-your-snyk-token - # or you can signup for free at https://snyk.io/login - SNYK_TOKEN: ${{ secrets.TOKEN_SNYK }} - with: - image: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - args: --file=./${{ env.SUB_DIR }}/Dockerfile --severity-threshold=high - - name: Checkpoint | Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: snyk.sarif - - review_trivy_opt: - needs: [myvars, build_stable, cd_stable] - - #permissions: - # contents: read # for actions/checkout to fetch code - # security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Checkpoint | Scanner Trivy for HIGH,CRITICAL CVEs and report (blocking) - continue-on-error: true - uses: aquasecurity/trivy-action@0.23.0 - with: - image-ref: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - exit-code: 0 - format: table - ignore-unfixed: true - vuln-type: "os,library" - severity: "HIGH,CRITICAL" - #output: "trivy-results.sarif" - - #- name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v3 - # if: always() - # with: - # sarif_file: "trivy-results.sarif" - - review_dockle: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Checkpoint | Scanner by Dockle - run: | - docker run --rm goodwithtech/dockle:latest ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - # review_superlinter_call: - # needs: [myvars, build] - # uses: firepress-org/reusable_workflows/.github/workflows/super-linter.yaml@master - review_linter_opt: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Checkpoint | Linter - continue-on-error: true - uses: docker://ghcr.io/github/super-linter:slim-v4 - # github/super-linter@v4 - # docker://ghcr.io/github/super-linter:slim-v4 - env: - DISABLE_ERRORS: true # Flag to have the linter complete with exit code 0 even if errors were detected. - VALIDATE_ALL_CODEBASE: false - VALIDATE_MARKDOWN: false - VALIDATE_DOCKERFILE: false - VALIDATE_JSCPD: false - DEFAULT_BRANCH: edge - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - review_inspect: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Login to DockerHub registry - uses: docker/login-action@v3.2.0 - with: - username: ${{ needs.myvars.outputs.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - name: Login to GitHub registry - uses: docker/login-action@v3.2.0 - with: - registry: ghcr.io - username: ${{ needs.myvars.outputs.GITHUB_ORG }} - password: ${{ secrets.TOKEN_GPR }} - - name: Checkpoint | docker pull - run: | - docker pull ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - name: Checkpoint | See platforms - run: | - docker run --rm mplatform/mquery ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - name: Checkpoint | docker history - run: | - docker history --human ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - name: Checkpoint | docker image inspect - run: | - docker image inspect ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - name: Checkpoint | docker info - run: | - docker info - - name: Checkpoint | docker version - run: | - docker version - - name: Checkpoint | uname - run: | - uname -a && echo && echo - - review_lighthouse: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Checkpoint | Lighthouse - uses: treosh/lighthouse-ci-action@12.1.0 - with: - urls: | - https://trial.firepress.link/edge/welcome/ - https://trial.firepress.link/edge/tag/getting-started/ - #budgetPath: ./budget.json # test performance budgets - uploadArtifacts: true # save results as an action artifacts - temporaryPublicStorage: true # upload lighthouse report to the temporary storage - - review_artillery: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Checkpoint | Artillery - id: load-test - uses: kenju/github-actions-artillery@master - with: - filepath: ./.github/load-test.yml - # https://trial.firepress.link/edge - - review_slack: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Notify on Slack - run: | - docker run --rm \ - --name noti \ - -e NOTI_MESSAGE='${{ needs.myvars.outputs._NOTI_MESSAGE }}' \ - -e SLACK_CHANNEL="github-actions" \ - -e SLACK_TOKEN_CRON="${{ secrets.TOKEN_SLACK }}" \ - devmtl/noti:stable sh -c \ - ' NOTI_SLACK_TOKEN="$SLACK_TOKEN_CRON" \ - NOTI_SLACK_CHANNEL="$SLACK_CHANNEL" \ - noti -k -m "$NOTI_MESSAGE" ' - - # ---------------------------------------------- - # Actions after continuous_deployment - # ---------------------------------------------- - - update_readme: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Update README on Dockerhub - run: | - docker run --rm \ - -v $(pwd)/README.md:/data/README.md \ - -e DOCKERHUB_USERNAME=${{ needs.myvars.outputs.DOCKERHUB_USER }} \ - -e DOCKERHUB_PASSWORD=${{ secrets.DOCKERHUB_PASSWORD }} \ - -e DOCKERHUB_REPO_PREFIX=${{ needs.myvars.outputs.DOCKERHUB_USER }} \ - -e DOCKERHUB_REPO_NAME=${{ needs.myvars.outputs.APP_NAME }} \ - devmtl/readme-to-dockerhub:stable - - comment_within_pr: - needs: [myvars, build_stable, cd_stable] - - permissions: - pull-requests: write # needed to create and update comments in PRs - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Find comment for image tags - # If PR, put image tags in the PR comments - # from https://github.com/marketplace/actions/create-or-update-comment - uses: peter-evans/find-comment@v3 - if: github.event_name == 'pull_request' - id: fc - with: - issue-number: ${{ github.event.pull_request.number }} - comment-author: "github-actions[bot]" - body-includes: Docker image tag(s) pushed - - # If PR, put image tags in the PR comments - - name: Create or update comment for image tags - uses: peter-evans/create-or-update-comment@v4 - if: github.event_name == 'pull_request' - with: - comment-id: ${{ steps.fc.outputs.comment-id }} - issue-number: ${{ github.event.pull_request.number }} - body: | - Docker image tag(s) pushed: - ```text - ${{ needs.myvars.outputs.TAG_DKR_VERSION }} - ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} - ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} - ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION }} - ${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} - ``` - edit-mode: replace diff --git a/.github/workflows/ghostv5-debian.yml b/.github/workflows/ghostv5-debian.yml deleted file mode 100755 index 32785df8..00000000 --- a/.github/workflows/ghostv5-debian.yml +++ /dev/null @@ -1,725 +0,0 @@ -# The beauty of our CI setup is that it will build Dockerfile and set variables from the Dockerfile. -# by https://pascalandy.com at https://firepress.org -# GNU v3 https://github.com/firepress-org/ghostfire/blob/master/LICENSE - -name: Ghost V5 debian - -on: - #schedule: - # - cron: "0 7 * * *" # everyday at 7am - pull_request: - branches: [debian_test] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -env: - # needed to define path within 'uses' - SUB_DIR: "v5-debian" - -defaults: - run: - shell: "bash -Eeuo pipefail -x {0}" - # works within 'run' but not with 'uses' - working-directory: "v5-debian" - -jobs: - # ---------------------------------------------- - # SET VARIABLES - # More context about the way we set variables https://github.com/firepress-org/ghostfire/issues/46 - # ---------------------------------------------- - myvars: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: "0" - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Github Actions system status - uses: crazy-max/ghaction-github-status@v4.0.0 - with: - actions_threshold: operational - git_threshold: degraded_performance - - # Commits from a PR use docker image tag: edge - # When a PR is merge/rebase into master, the docker image tag: stable - - name: Create dir for our varz - run: mkdir -pv ~/varz - - name: edge | Set BRANCH_NAME - if: github.ref_type != 'tag' - run: echo "edge" > ~/varz/BRANCH_NAME - - name: stable | Set BRANCH_NAME - if: github.ref_type == 'tag' - run: echo "stable" > ~/varz/BRANCH_NAME - - - name: Define and save variables to disk - run: | - cat Dockerfile | grep APP_NAME= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/APP_NAME - cat Dockerfile | grep VERSION= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/VERSION_TMP - echo "— — — DO NOT MIX alpine vs debian Tags! — — — " - echo "$(cat ~/varz/VERSION_TMP)" > ~/varz/VERSION - cat Dockerfile | grep DOCKERHUB_USER= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/DOCKERHUB_USER - cat Dockerfile | grep GITHUB_ORG= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/GITHUB_ORG - cat Dockerfile | grep GITHUB_REGISTRY= | head -n 1 | grep -o '".*"' | sed 's/"//g' > ~/varz/GITHUB_REGISTRY - echo "$(cat ~/varz/DOCKERHUB_USER)/$(cat ~/varz/APP_NAME)" > ~/varz/DKR_PREFIX - echo "ghcr.io/$(cat ~/varz/GITHUB_ORG)/$(cat ~/varz/GITHUB_REGISTRY)/$(cat ~/varz/APP_NAME)" > ~/varz/GPR_PREFIX - git rev-parse --short HEAD > ~/varz/SHORT_HASH_COMMIT - date "+%Y-%m-%d_%HH%M" > ~/varz/DATE - echo "$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)" > ~/varz/VERSION_HASH_ONLY - echo "$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)_$(cat ~/varz/DATE)" > ~/varz/VERSION_HASH_DATE - echo "$(cat ~/varz/APP_NAME):$(cat ~/varz/VERSION)_$(cat ~/varz/SHORT_HASH_COMMIT)" > ~/varz/_NOTI_MESSAGE - echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION)" > ~/varz/TAG_DKR_VERSION - echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/BRANCH_NAME)" > ~/varz/TAG_DKR_BRANCH_NAME - echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION_HASH_ONLY)" > ~/varz/TAG_DKR_VERSION_HASH_ONLY - echo "$(cat ~/varz/DKR_PREFIX):$(cat ~/varz/VERSION_HASH_DATE)" > ~/varz/TAG_DKR_VERSION_HASH_DATE - echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION)" > ~/varz/TAG_GPR_VERSION - echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/BRANCH_NAME)" > ~/varz/TAG_GPR_BRANCH_NAME - echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION_HASH_ONLY)" > ~/varz/TAG_GPR_VERSION_HASH_ONLY - echo "$(cat ~/varz/GPR_PREFIX):$(cat ~/varz/VERSION_HASH_DATE)" > ~/varz/TAG_GPR_VERSION_HASH_DATE - - name: Upload variables as artifact - uses: actions/upload-artifact@master - with: - name: variables_on_disk - path: ~/varz - - name: Expose variables to all jobs - id: myvars - run: | - echo "::set-output name=APP_NAME::$(cat ~/varz/APP_NAME)" - echo "::set-output name=VERSION::$(cat ~/varz/VERSION)" - echo "::set-output name=DOCKERHUB_USER::$(cat ~/varz/DOCKERHUB_USER)" - echo "::set-output name=GITHUB_ORG::$(cat ~/varz/GITHUB_ORG)" - echo "::set-output name=GITHUB_REGISTRY::$(cat ~/varz/GITHUB_REGISTRY)" - echo "::set-output name=DKR_PREFIX::$(cat ~/varz/DKR_PREFIX)" - echo "::set-output name=GPR_PREFIX::$(cat ~/varz/GPR_PREFIX)" - echo "::set-output name=SUB_DIR::$(cat ~/varz/SUB_DIR)" - echo "::set-output name=SHORT_HASH_COMMIT::$(cat ~/varz/SHORT_HASH_COMMIT)" - echo "::set-output name=DATE::$(cat ~/varz/DATE)" - echo "::set-output name=BRANCH_NAME::$(cat ~/varz/BRANCH_NAME)" - echo "::set-output name=VERSION_HASH_ONLY::$(cat ~/varz/VERSION_HASH_ONLY)" - echo "::set-output name=VERSION_HASH_DATE::$(cat ~/varz/VERSION_HASH_DATE)" - echo "::set-output name=_NOTI_MESSAGE::$(cat ~/varz/_NOTI_MESSAGE)" - echo "::set-output name=TAG_DKR_VERSION::$(cat ~/varz/TAG_DKR_VERSION)" - echo "::set-output name=TAG_DKR_BRANCH_NAME::$(cat ~/varz/TAG_DKR_BRANCH_NAME)" - echo "::set-output name=TAG_DKR_VERSION_HASH_ONLY::$(cat ~/varz/TAG_DKR_VERSION_HASH_ONLY)" - echo "::set-output name=TAG_DKR_VERSION_HASH_DATE::$(cat ~/varz/TAG_DKR_VERSION_HASH_DATE)" - echo "::set-output name=TAG_GPR_VERSION::$(cat ~/varz/TAG_GPR_VERSION)" - echo "::set-output name=TAG_GPR_BRANCH_NAME::$(cat ~/varz/TAG_GPR_BRANCH_NAME)" - echo "::set-output name=TAG_GPR_VERSION_HASH_ONLY::$(cat ~/varz/TAG_GPR_VERSION_HASH_ONLY)" - echo "::set-output name=TAG_GPR_VERSION_HASH_DATE::$(cat ~/varz/TAG_GPR_VERSION_HASH_DATE)" - outputs: - APP_NAME: ${{ steps.myvars.outputs.APP_NAME }} - VERSION: ${{ steps.myvars.outputs.VERSION }} - SUB_DIR: ${{ steps.myvars.outputs.SUB_DIR }} - DOCKERHUB_USER: ${{ steps.myvars.outputs.DOCKERHUB_USER }} - GITHUB_ORG: ${{ steps.myvars.outputs.GITHUB_ORG }} - GITHUB_REGISTRY: ${{ steps.myvars.outputs.GITHUB_REGISTRY }} - DKR_PREFIX: ${{ steps.myvars.outputs.DKR_PREFIX }} - GPR_PREFIX: ${{ steps.myvars.outputs.GPR_PREFIX }} - SHORT_HASH_COMMIT: ${{ steps.myvars.outputs.SHORT_HASH_COMMIT }} - DATE: ${{ steps.myvars.outputs.DATE }} - BRANCH_NAME: ${{ steps.myvars.outputs.BRANCH_NAME }} - VERSION_HASH_ONLY: ${{ steps.myvars.outputs.VERSION_HASH_ONLY }} - VERSION_HASH_DATE: ${{ steps.myvars.outputs.VERSION_HASH_DATE }} - _NOTI_MESSAGE: ${{ steps.myvars.outputs._NOTI_MESSAGE }} - TAG_DKR_VERSION: ${{ steps.myvars.outputs.TAG_DKR_VERSION }} - TAG_DKR_BRANCH_NAME: ${{ steps.myvars.outputs.TAG_DKR_BRANCH_NAME }} - TAG_DKR_VERSION_HASH_ONLY: ${{ steps.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} - TAG_DKR_VERSION_HASH_DATE: ${{ steps.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - TAG_GPR_VERSION: ${{ steps.myvars.outputs.TAG_GPR_VERSION }} - TAG_GPR_BRANCH_NAME: ${{ steps.myvars.outputs.TAG_GPR_BRANCH_NAME }} - TAG_GPR_VERSION_HASH_ONLY: ${{ steps.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} - TAG_GPR_VERSION_HASH_DATE: ${{ steps.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} - - # ---------------------------------------------- - # build / edge OR stable - # tags are not the same between edge or stable - # ---------------------------------------------- - build_edge: - needs: [myvars] - if: github.ref_type != 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 - with: - version: v0.6.0 - - uses: docker/login-action@v3.2.0 - with: - username: ${{ needs.myvars.outputs.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - uses: docker/login-action@v3.2.0 - with: - registry: ghcr.io - username: ${{ needs.myvars.outputs.GITHUB_ORG }} - password: ${{ secrets.TOKEN_GPR }} - - - name: Build and push image (edge) - uses: docker/build-push-action@v6 - with: - context: . - file: ./${{ env.SUB_DIR }}/Dockerfile - platforms: | - linux/amd64 - # linux/arm64/v8 - # linux/arm/v8 - # linux/arm/v7 - push: true - tags: | - ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} - ${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }} - # The order for matters for our CD down the line - cache-from: type=gha, scope=${{ github.workflow }} - cache-to: type=gha, scope=${{ github.workflow }}, mode=max - - - name: UAT run edge | Wait for container to run - timeout-minutes: 2 - # These two VAR are here to force SQLite over Mysql - # database__client=s - # database__connection__filename= - run: | - docker run -d --name ghostUAT -p 2368:2368 -e WEB_URL=http://localhost:2368 -e NODE_ENV=production -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} - echo "--- Wait for ghostUAT --->" - until $(curl --output /dev/null --silent --head --fail http://localhost:2368); do - echo "--- ghostUAT is starting..." - sleep 1 - done; - echo "--- ghostUAT is running! --->" - - - name: UAT docker test edge | docker-library tests - # Ghost V5 grep "Thoughts, stories and ideas" - # Ghost V4 grep "Thoughts, stories and ideas" - # Ghost V3 grep "The professional publishing platform" - run: | - curl http://localhost:2368 | grep "Thoughts, stories and ideas" - git clone --depth 1 https://github.com/docker-library/official-images.git official-images - cp ./test/config.sh official-images/test/config.sh - official-images/test/run.sh ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} - - - name: Checkpoint | image ls - run: docker image ls - - build_stable: - needs: [myvars] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 - with: - version: v0.6.0 - - uses: docker/login-action@v3.2.0 - with: - username: ${{ needs.myvars.outputs.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - uses: docker/login-action@v3.2.0 - with: - registry: ghcr.io - username: ${{ needs.myvars.outputs.GITHUB_ORG }} - password: ${{ secrets.TOKEN_GPR }} - - - name: Build and push image (stable) - uses: docker/build-push-action@v6 - with: - context: . - file: ./${{ env.SUB_DIR }}/Dockerfile - platforms: | - linux/amd64 - # linux/arm64/v8 - # linux/arm/v8 - # linux/arm/v7 - push: true - tags: | - ${{ needs.myvars.outputs.TAG_DKR_VERSION }} - ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} - ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} - ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION }} - ${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} - # The order for matters for our CD down the line - cache-from: type=gha, scope=${{ github.workflow }} - cache-to: type=gha, scope=${{ github.workflow }}, mode=max - - - name: UAT run stable | Wait for container to run - timeout-minutes: 2 - # These two VAR are here to force SQLite over Mysql - # database__client=s - # database__connection__filename= - run: | - docker run -d --name ghostUAT -p 2368:2368 -e WEB_URL=http://localhost:2368 -e NODE_ENV=production -e database__client=sqlite3 -e database__connection__filename=/var/lib/ghost/content/data/ghost.db ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - echo "--- Wait for ghostUAT --->" - until $(curl --output /dev/null --silent --head --fail http://localhost:2368); do - echo "--- ghostUAT is starting..." - sleep 1 - done; - echo "--- ghostUAT is running! --->" - - - name: UAT docker test stable | docker-library tests - # Ghost V5 grep "0o0o" - # Ghost V4 grep "Thoughts, stories and ideas" - # Ghost V3 grep "The professional publishing platform" - run: | - curl http://localhost:2368 | grep "Thoughts, stories and ideas" - git clone --depth 1 https://github.com/docker-library/official-images.git official-images - cp ./test/config.sh official-images/test/config.sh - official-images/test/run.sh ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - - name: Checkpoint | image ls - run: docker image ls - - # ---------------------------------------------- - # UAT / edge OR stable - # This job is bypassed: weird bug on the uat job. Ci complain about docker login. So the UAT is under the build job. - # ---------------------------------------------- - - # ---------------------------------------------- - # Continuous Deployment / edge OR stable - # I duplicate this in two jobs to have a better visual representation - # ---------------------------------------------- - cd_edge: - needs: [build_edge] - if: github.ref_type != 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: cd edge - uses: appleboy/ssh-action@v1.0.3 - with: - host: ${{ secrets.NODE1 }} - port: ${{ secrets.SSH_PORT }} - username: ${{ secrets.SSH_USERNAME }} - key: ${{ secrets.SSH_KEY_ACTIONS }} - passphrase: ${{ secrets.SSH_KEY_ACTIONS_PASSPHRASE }} - script: | - ${{ secrets.SSH_CMD__UPDATE_DKR_IMG_EDGE }} - hostname - #sync: true - #host: "${{ secrets.NODE1 }},${{ secrets.NODE2 }},${{ secrets.NODE3 }}" - # alt projet: fifsky/ssh-action@master https://github.com/appleboy/ssh-action/issues/80#issuecomment-759473472 - - - name: Add a comment (from a PR) - run: | - echo '## For reference' >> $GITHUB_STEP_SUMMARY - echo 'Docker image: ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }}' >> $GITHUB_STEP_SUMMARY - echo 'Please use docker images that were build from a tag. More details: https://github.com/firepress-org/ghostfire/issues/265' >> $GITHUB_STEP_SUMMARY - - cd_stable: - needs: [build_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: cd stable - uses: appleboy/ssh-action@v1.0.3 - with: - host: ${{ secrets.NODE1 }} - port: ${{ secrets.SSH_PORT }} - username: ${{ secrets.SSH_USERNAME }} - key: ${{ secrets.SSH_KEY_ACTIONS }} - passphrase: ${{ secrets.SSH_KEY_ACTIONS_PASSPHRASE }} - script: | - ${{ secrets.SSH_CMD__UPDATE_DKR_IMG_STABLE }} - hostname - - - name: Add a comment (from a tag) - run: | - echo '## Offical Docker Image :rocket:' >> $GITHUB_STEP_SUMMARY - echo 'Docker image: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }}' >> $GITHUB_STEP_SUMMARY - - # ---------------------------------------------- - # Reviews - # ---------------------------------------------- - review_myvars: - needs: [myvars] - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Show variables - run: | - echo "Final Docker image name:" - echo "= = = = = = = = = =" - echo ${{ needs.myvars.outputs.TAG_DKR_VERSION }} - echo ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} - echo ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} - echo ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - echo ${{ needs.myvars.outputs.TAG_GPR_VERSION }} - echo ${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }} - echo ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} - echo ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} - echo "---" - echo "Core environment variables:" - echo "---" - echo "${{ env.SUB_DIR }} << SUB_DIR" - echo "${{ needs.myvars.outputs.APP_NAME }} << APP_NAME" - echo "${{ needs.myvars.outputs.DOCKERHUB_USER }} << DOCKERHUB_USER" - echo "${{ needs.myvars.outputs.GITHUB_ORG }} << GITHUB_ORG" - echo "${{ needs.myvars.outputs.GITHUB_REGISTRY }} << GITHUB_REGISTRY" - echo "${{ needs.myvars.outputs.DKR_PREFIX }} << DKR_PREFIX" - echo "${{ needs.myvars.outputs.GPR_PREFIX }} << GPR_PREFIX" - echo "${{ needs.myvars.outputs.VERSION }} << VERSION" - echo "${{ needs.myvars.outputs.SHORT_HASH_COMMIT }} << SHORT_HASH_COMMIT" - echo "${{ needs.myvars.outputs.DATE }} << DATE" - echo "${{ needs.myvars.outputs.BRANCH_NAME }} << BRANCH_NAME" - echo "${{ needs.myvars.outputs.VERSION_HASH_ONLY }} << VERSION_HASH_ONLY" - echo "${{ needs.myvars.outputs.VERSION_HASH_DATE }} << VERSION_HASH_DATE" - echo "${{ needs.myvars.outputs._NOTI_MESSAGE }} << _NOTI_MESSAGE" - echo "---" - echo "Environment variables provided Github Actions :" - echo "---" - echo "${GITHUB_WORKFLOW} << GITHUB_WORKFLOW" - echo "${GITHUB_RUN_ID} << GITHUB_RUN_ID" - echo "${GITHUB_RUN_NUMBER} << GITHUB_RUN_NUMBER" - echo "${GITHUB_JOB} << GITHUB_JOB" - echo "${GITHUB_ACTION} << GITHUB_ACTION" - echo "${GITHUB_ACTOR} << GITHUB_ACTOR" - echo "${GITHUB_REPOSITORY} << GITHUB_REPOSITORY" - echo "${GITHUB_EVENT_NAME} << GITHUB_EVENT_NAME" - echo "${GITHUB_EVENT_PATH} << GITHUB_EVENT_PATH" - echo "${GITHUB_WORKSPACE} << GITHUB_WORKSPACE" - echo "${GITHUB_SHA} << GITHUB_SHA" - echo "${GITHUB_REF} << GITHUB_REF" - echo "${GITHUB_SERVER_URL} << GITHUB_SERVER_URL" - echo "${GITHUB_API_URL} << GITHUB_API_URL" - echo "${GITHUB_GRAPHQL_URL} << GITHUB_GRAPHQL_URL" - echo "${RUNNER_OS} << RUNNER_OS" - echo "${RUNNER_TEMP} << RUNNER_TEMP" - echo "${RUNNER_TOOL_CACHE} << RUNNER_TOOL_CACHE" - echo "${GITHUB_ACTIONS} << GITHUB_ACTIONS" - - # https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#context-availability - # if: github.event_name != 'pull_request' - # if: ${{ github.ref == 'refs/heads/main' }} - # $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID - - review_snyk_opt: - continue-on-error: true - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Checkpoint | Scanner by Snyk - # https://github.com/snyk/actions/tree/master/docker - uses: snyk/actions/node@master - - # Snyk can be used to break the build when it detects vulnerabilities. - # In this case we want to upload the issues to GitHub Code Scanning - env: - # In order to use the Snyk Action you will need to have a Snyk API token. - # More details in https://github.com/snyk/actions#getting-your-snyk-token - # or you can signup for free at https://snyk.io/login - SNYK_TOKEN: ${{ secrets.TOKEN_SNYK }} - with: - image: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - args: --file=./${{ env.SUB_DIR }}/Dockerfile --severity-threshold=high - - name: Checkpoint | Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: snyk.sarif - - review_trivy_opt: - needs: [myvars, build_stable, cd_stable] - - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Checkpoint | Scanner Trivy for HIGH,CRITICAL CVEs and report (blocking) - continue-on-error: true - uses: aquasecurity/trivy-action@0.23.0 - with: - image-ref: ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - exit-code: 0 - format: table - ignore-unfixed: true - vuln-type: "os,library" - severity: "HIGH,CRITICAL" - #output: "trivy-results.sarif" - - #- name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v3 - # if: always() - # with: - # sarif_file: "trivy-results.sarif" - - review_dockle: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Checkpoint | Scanner by Dockle - run: | - docker run --rm goodwithtech/dockle:latest ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - # review_superlinter_call: - # needs: [myvars, build] - # uses: firepress-org/reusable_workflows/.github/workflows/super-linter.yaml@master - review_linter_opt: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Checkpoint | Linter - continue-on-error: true - uses: docker://ghcr.io/github/super-linter:slim-v4 - # github/super-linter@v4 - # docker://ghcr.io/github/super-linter:slim-v4 - env: - DISABLE_ERRORS: true # Flag to have the linter complete with exit code 0 even if errors were detected. - VALIDATE_ALL_CODEBASE: false - VALIDATE_MARKDOWN: false - VALIDATE_DOCKERFILE: false - VALIDATE_JSCPD: false - DEFAULT_BRANCH: edge - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - review_inspect: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - name: Login to DockerHub registry - uses: docker/login-action@v3.2.0 - with: - username: ${{ needs.myvars.outputs.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - name: Login to GitHub registry - uses: docker/login-action@v3.2.0 - with: - registry: ghcr.io - username: ${{ needs.myvars.outputs.GITHUB_ORG }} - password: ${{ secrets.TOKEN_GPR }} - - name: Checkpoint | docker pull - run: | - docker pull ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - name: Checkpoint | See platforms - run: | - docker run --rm mplatform/mquery ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - name: Checkpoint | docker history - run: | - docker history --human ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - name: Checkpoint | docker image inspect - run: | - docker image inspect ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - - name: Checkpoint | docker info - run: | - docker info - - name: Checkpoint | docker version - run: | - docker version - - name: Checkpoint | uname - run: | - uname -a && echo && echo - - review_lighthouse: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Checkpoint | Lighthouse - uses: treosh/lighthouse-ci-action@12.1.0 - with: - urls: | - https://trial.firepress.link/edge/welcome/ - https://trial.firepress.link/edge/tag/getting-started/ - #budgetPath: ./budget.json # test performance budgets - uploadArtifacts: true # save results as an action artifacts - temporaryPublicStorage: true # upload lighthouse report to the temporary storage - - review_artillery: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Checkpoint | Artillery - id: load-test - uses: kenju/github-actions-artillery@master - with: - filepath: ./.github/load-test.yml - # https://trial.firepress.link/edge - - review_slack: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Notify on Slack - run: | - docker run --rm \ - --name noti \ - -e NOTI_MESSAGE='${{ needs.myvars.outputs._NOTI_MESSAGE }}' \ - -e SLACK_CHANNEL="github-actions" \ - -e SLACK_TOKEN_CRON="${{ secrets.TOKEN_SLACK }}" \ - devmtl/noti:stable sh -c \ - ' NOTI_SLACK_TOKEN="$SLACK_TOKEN_CRON" \ - NOTI_SLACK_CHANNEL="$SLACK_CHANNEL" \ - noti -k -m "$NOTI_MESSAGE" ' - - # ---------------------------------------------- - # Actions after continuous_deployment - # ---------------------------------------------- - - update_readme: - needs: [myvars, build_stable, cd_stable] - if: github.ref_type == 'tag' - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Update README on Dockerhub - run: | - docker run --rm \ - -v $(pwd)/README.md:/data/README.md \ - -e DOCKERHUB_USERNAME=${{ needs.myvars.outputs.DOCKERHUB_USER }} \ - -e DOCKERHUB_PASSWORD=${{ secrets.DOCKERHUB_PASSWORD }} \ - -e DOCKERHUB_REPO_PREFIX=${{ needs.myvars.outputs.DOCKERHUB_USER }} \ - -e DOCKERHUB_REPO_NAME=${{ needs.myvars.outputs.APP_NAME }} \ - devmtl/readme-to-dockerhub:stable - - comment_within_pr: - needs: [myvars, build_stable, cd_stable] - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Find comment for image tags - # If PR, put image tags in the PR comments - # from https://github.com/marketplace/actions/create-or-update-comment - uses: peter-evans/find-comment@v3 - if: github.event_name == 'pull_request' - id: fc - with: - issue-number: ${{ github.event.pull_request.number }} - comment-author: "github-actions[bot]" - body-includes: Docker image tag(s) pushed - - # If PR, put image tags in the PR comments - - name: Create or update comment for image tags - uses: peter-evans/create-or-update-comment@v4 - if: github.event_name == 'pull_request' - with: - comment-id: ${{ steps.fc.outputs.comment-id }} - issue-number: ${{ github.event.pull_request.number }} - body: | - Docker image tag(s) pushed: - ```text - ${{ needs.myvars.outputs.TAG_DKR_VERSION }} - ${{ needs.myvars.outputs.TAG_DKR_BRANCH_NAME }} - ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_ONLY }} - ${{ needs.myvars.outputs.TAG_DKR_VERSION_HASH_DATE }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION }} - ${{ needs.myvars.outputs.TAG_GPR_BRANCH_NAME }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_ONLY }} - ${{ needs.myvars.outputs.TAG_GPR_VERSION_HASH_DATE }} - ``` - edit-mode: replace - - pr_label: - # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions - - if: ${{ github.actor == 'dependabot[bot]' }} - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: zcong1993/setup-timezone@v2.0.0 - with: - timezone: America/Montreal - - - name: Add a label for PR opened by dependabot - run: gh pr edit "$PR_URL" --add-label "dependabot"