Work in progress : bookmarks to upstream

.aikido

@@ -0,0 +1,12 @@
+ignore:
+  cves:
+    CVE-2026-23949:
+      reason: python dependency, waiting for upstream release of gotenberg
+    CVE-2026-24049:
+      reason: python dependency, waiting for upstream release of gotenberg
+    CVE-2025-48924:
+      reason: java dependency, waiting for upstream release of gotenberg
+    CVE-2025-47914:
+      reason: Go dependency, waiting for upstream release of gotenberg
+    CVE-2025-58181:
+      reason: Go dependency, waiting for upstream release of gotenberg

.env

@@ -1,5 +1,5 @@
 GOTENBERG_VERSION=snapshot
-DOCKER_REGISTRY=gotenberg
+DOCKER_REGISTRY=ghcr.io/fulll
 DOCKER_REPOSITORY=gotenberg
 DOCKERFILE=build/Dockerfile
 DOCKERFILE_CLOUDRUN=build/Dockerfile.cloudrun

.github/actions/build-test-push/action.yml

@@ -7,12 +7,12 @@ inputs:
     description: The GitHub token
     required: true
     default: ${{ github.token }}
-  docker_hub_username:
-    description: The Docker Hub username
-    required: true
-  docker_hub_password:
-    description: The Docker Hub password
-    required: true
+  # docker_hub_username:
+  #   description: The Docker Hub username
+  #   required: true
+  # docker_hub_password:
+  #   description: The Docker Hub password
+  #   required: true
   platform:
     description: linux/amd64, linux/ppc64le, linux/386, linux/arm64, linux/arm/v7
     required: true
@@ -50,40 +50,50 @@ runs:
     - name: Check out code
       uses: actions/checkout@v5
 
-    - name: Log in to Docker Hub
-      if: inputs.docker_hub_username != ''
-      uses: docker/login-action@v3
-      with:
-        username: ${{ inputs.docker_hub_username }}
-        password: ${{ inputs.docker_hub_password }}
+    # - name: Log in to Docker Hub
+    #   if: inputs.docker_hub_username != ''
+    #   uses: docker/login-action@v3
+    #   with:
+    #     username: ${{ inputs.docker_hub_username }}
+    #     password: ${{ inputs.docker_hub_password }}
 
     - name: Build ${{ inputs.platform }}
       id: build
       shell: bash
+      env:
+        INPUT_VERSION: ${{ inputs.version }}
+        INPUT_PLATFORM: ${{ inputs.platform }}
+        INPUT_ALTERNATE_REPOSITORY: ${{ inputs.alternate_repository }}
+        INPUT_DRY_RUN: ${{ inputs.dry_run }}
       run: |
         .github/actions/build-test-push/build.sh \
-          --version "${{ inputs.version }}" \
-          --platform "${{ inputs.platform }}" \
-          --alternate-repository "${{ inputs.alternate_repository }}" \
-          --dry-run "${{ inputs.dry_run }}"
+          --version "$INPUT_VERSION" \
+          --platform "$INPUT_PLATFORM" \
+          --alternate-repository "$INPUT_ALTERNATE_REPOSITORY" \
+          --dry-run "$INPUT_DRY_RUN"
 
     - name: Run integration tests
       if: inputs.skip_integrations_tests != 'true'
       shell: bash
+      env:
+        INPUT_VERSION: ${{ inputs.version }}
+        INPUT_PLATFORM: ${{ inputs.platform }}
+        INPUT_ALTERNATE_REPOSITORY: ${{ inputs.alternate_repository }}
+        INPUT_DRY_RUN: ${{ inputs.dry_run }}
       run: |
         .github/actions/build-test-push/test.sh \
-          --version "${{ inputs.version }}" \
-          --platform "${{ inputs.platform }}" \
-          --alternate-repository "${{ inputs.alternate_repository }}" \
-          --dry-run "${{ inputs.dry_run }}"
+          --version "$INPUT_VERSION" \
+          --platform "$INPUT_PLATFORM" \
+          --alternate-repository "$INPUT_ALTERNATE_REPOSITORY" \
+          --dry-run "$INPUT_DRY_RUN"
 
-    - name: Push
-      if: inputs.docker_hub_username != ''
-      shell: bash
-      run: |
-        .github/actions/build-test-push/push.sh \
-          --tags "${{ steps.build.outputs.tags }},${{ steps.build.outputs.tags_cloud_run }},${{ steps.build.outputs.tags_aws_lambda }}" \
-          --dry-run "${{ inputs.dry_run }}"
+    # - name: Push
+    #   if: inputs.docker_hub_username != ''
+    #   shell: bash
+    #   run: |
+    #     .github/actions/build-test-push/push.sh \
+    #       --tags "${{ steps.build.outputs.tags }},${{ steps.build.outputs.tags_cloud_run }},${{ steps.build.outputs.tags_aws_lambda }}" \
+    #       --dry-run "${{ inputs.dry_run }}"
 
     - name: Outputs
       shell: bash

.github/actions/clean/action.yml

@@ -23,9 +23,12 @@ runs:
       env:
         DOCKERHUB_USERNAME: ${{ inputs.docker_hub_username }}
         DOCKERHUB_TOKEN: ${{ inputs.docker_hub_password }}
+        INPUT_TAGS: ${{ inputs.tags }}
+        INPUT_SNAPSHOT_VERSION: ${{ inputs.snapshot_version }}
+        INPUT_DRY_RUN: ${{ inputs.dry_run }}
       shell: bash
       run: |
         .github/actions/clean/clean.sh \
-          --tags "${{ inputs.tags }}" \
-          --snapshot-version "${{ inputs.snapshot_version }}" \
-          --dry-run "${{ inputs.dry_run }}"
+          --tags "$INPUT_TAGS" \
+          --snapshot-version "$INPUT_SNAPSHOT_VERSION" \
+          --dry-run "$INPUT_DRY_RUN"

.github/actions/merge/action.yml

@@ -41,8 +41,12 @@ runs:
 
     - name: Merge
       shell: bash
+      env:
+        INPUT_TAGS: ${{ inputs.tags }}
+        INPUT_ALTERNATE_REGISTRY: ${{ inputs.alternate_registry }}
+        INPUT_DRY_RUN: ${{ inputs.dry_run }}
       run: |
         .github/actions/merge/merge.sh \
-          --tags "${{ inputs.tags }}" \
-          --alternate-registry "${{ inputs.alternate_registry }}" \
-          --dry-run "${{ inputs.dry_run }}"
+          --tags "$INPUT_TAGS" \
+          --alternate-registry "$INPUT_ALTERNATE_REGISTRY" \
+          --dry-run "$INPUT_DRY_RUN"

.github/workflows/continuous-delivery.yml

@@ -19,132 +19,42 @@ jobs:
       - name: Checkout source code
         uses: actions/checkout@v6
 
+      # action modified to onlu build
       - name: Build and push
         id: build_push
         uses: ./.github/actions/build-test-push
         with:
-          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
-          docker_hub_password: ${{ secrets.DOCKERHUB_TOKEN }}
           version: ${{ github.event.release.tag_name }}
           platform: linux/amd64
           skip_integrations_tests: true
 
-  release_386:
-    name: Release linux/386
-    runs-on: ubuntu-latest
-    outputs:
-      tags: ${{ steps.build_push.outputs.tags }}
-      tags_cloud_run: ${{ steps.build_push.outputs.tags_cloud_run }}
-      tags_aws_lambda: ${{ steps.build_push.outputs.tags_aws_lambda }}
-    steps:
-      - name: Checkout source code
-        uses: actions/checkout@v6
-
-      - name: Build and push
-        id: build_push
-        uses: ./.github/actions/build-test-push
-        with:
-          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
-          docker_hub_password: ${{ secrets.DOCKERHUB_TOKEN }}
-          version: ${{ github.event.release.tag_name }}
-          platform: linux/386
-          skip_integrations_tests: true
-
-  release_ppc64le:
-    name: Release linux/ppc64le
-    runs-on: ubuntu-24.04-ppc64le
-    outputs:
-      tags: ${{ steps.build_push.outputs.tags }}
-      tags_cloud_run: ${{ steps.build_push.outputs.tags_cloud_run }}
-      tags_aws_lambda: ${{ steps.build_push.outputs.tags_aws_lambda }}
-    steps:
-      - name: Checkout source code
-        uses: actions/checkout@v6
-
-      - name: Build and push
-        id: build_push
-        uses: ./.github/actions/build-test-push
-        with:
-          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
-          docker_hub_password: ${{ secrets.DOCKERHUB_TOKEN }}
-          version: ${{ github.event.release.tag_name }}
-          platform: linux/ppc64le
-          skip_integrations_tests: true
-
-  release_arm64:
-    name: Release linux/arm64
-    runs-on: ubuntu-24.04-arm
-    outputs:
-      tags: ${{ steps.build_push.outputs.tags }}
-      tags_cloud_run: ${{ steps.build_push.outputs.tags_cloud_run }}
-      tags_aws_lambda: ${{ steps.build_push.outputs.tags_aws_lambda }}
-    steps:
-      - name: Checkout source code
-        uses: actions/checkout@v6
-
-      - name: Build and push
-        id: build_push
-        uses: ./.github/actions/build-test-push
-        with:
-          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
-          docker_hub_password: ${{ secrets.DOCKERHUB_TOKEN }}
-          version: ${{ github.event.release.tag_name }}
-          platform: linux/arm64
-          skip_integrations_tests: true
-
-  release_arm_v7:
-    name: Release linux/arm/v7
-    runs-on: ubuntu-24.04-arm
-    outputs:
-      tags: ${{ steps.build_push.outputs.tags }}
-      tags_cloud_run: ${{ steps.build_push.outputs.tags_cloud_run }}
-      tags_aws_lambda: ${{ steps.build_push.outputs.tags_aws_lambda }}
-    steps:
-      - name: Checkout source code
-        uses: actions/checkout@v6
-
-      - name: Build and push
-        id: build_push
-        uses: ./.github/actions/build-test-push
-        with:
-          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
-          docker_hub_password: ${{ secrets.DOCKERHUB_TOKEN }}
-          version: ${{ github.event.release.tag_name }}
-          platform: linux/arm/v7
-          skip_integrations_tests: true
-
-  merge_clean_release_tags:
-    needs:
-      - release_amd64
-      - release_386
-      - release_ppc64le
-      - release_arm64
-      - release_arm_v7
-    name: Merge and clean release tags
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout source code
-        uses: actions/checkout@v6
-
-      - name: Merge
-        uses: ./.github/actions/merge
-        with:
-          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
-          docker_hub_password: ${{ secrets.DOCKERHUB_TOKEN }}
-          tags: "${{ needs.release_amd64.outputs.tags }},${{ needs.release_386.outputs.tags }},${{ needs.release_ppc64le.outputs.tags }},${{ needs.release_arm64.outputs.tags }},${{ needs.release_arm_v7.outputs.tags }}"
-          alternate_registry: thecodingmachine
-
-      - name: Merge AWS Lambda
-        uses: ./.github/actions/merge
-        with:
-          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
-          docker_hub_password: ${{ secrets.DOCKERHUB_TOKEN }}
-          tags: "${{ needs.release_amd64.outputs.tags_aws_lambda }},${{ needs.release_arm64.outputs.tags_aws_lambda }}"
-          alternate_registry: thecodingmachine
-
-      - name: Clean
-        uses: ./.github/actions/clean
-        with:
-          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
-          docker_hub_password: ${{ secrets.DOCKERHUB_TOKEN }}
-          tags: "${{ needs.release_amd64.outputs.tags }},${{ needs.release_386.outputs.tags }},${{ needs.release_ppc64le.outputs.tags }},${{ needs.release_arm64.outputs.tags }},${{ needs.release_arm_v7.outputs.tags }},${{ needs.release_amd64.outputs.tags_aws_lambda }},${{ needs.release_arm64.outputs.tags_aws_lambda }}"
+      # list docker images that have bee built
+      - name: Output built tags to console
+        run: |
+          echo "Tags: ${{ steps.build_push.outputs.tags }}"
+          echo "Cloud Run Tags: ${{ steps.build_push.outputs.tags_cloud_run }}"
+          echo "AWS Lambda Tags: ${{ steps.build_push.outputs.tags_aws_lambda }}"
+
+      - name: generate aws credentials config
+        env:
+          AWS_CREDENTIALS: ${{ secrets.STAGING_AWS_CREDENTIALS }}
+          aws-region: eu-central-1
+        run: |
+          mkdir -p "${HOME}/.aws"
+          echo "${AWS_CREDENTIALS}" > "${HOME}/.aws/credentials"
+
+      #  Get the image build by the upstream process then :
+      #  - tag it for AWS ECR
+      #  - push it to AWS ECR
+      - name: docker login and push
+        run: |
+          # Extract the tag name and strip the first letter using cut
+          TAG_NAME=$(echo "${{ github.event.release.tag_name }}" | cut -c 2-)
+
+          docker tag ghcr.io/fulll/gotenberg:latest-cloudrun ${AWS_ECR_REGISTRY}/gotenberg-fulll:${TAG_NAME}-cloudrun
+          aws --region eu-central-1 ecr get-login-password | docker login --username AWS --password-stdin ${AWS_ECR_REGISTRY}
+          docker tag ${AWS_ECR_REGISTRY}/gotenberg-fulll:${TAG_NAME}-cloudrun ${AWS_ECR_REGISTRY}/gotenberg-fulll:latest
+          docker push ${AWS_ECR_REGISTRY}/gotenberg-fulll:${TAG_NAME}-cloudrun
+          docker push ${AWS_ECR_REGISTRY}/gotenberg-fulll:latest
+        env:
+          AWS_ECR_REGISTRY: ${{ secrets.AWS_ECR_REGISTRY }}