ci(docker): Publish to GCR in addition to GHCR (#122)

The production image will be deployed from our internal artifact
registry. This sets up the publishing process for both registries.

Also adds explicit permission blocks to all workflows and jobs to
resolve two issues raised by code scanning.

Author: jan-auer

.github/workflows/build.yml

@@ -10,7 +10,6 @@ on:
 
 permissions:
   contents: read
-  packages: write
 
 jobs:
   build:
@@ -73,42 +72,80 @@ jobs:
           name: objectstore-${{ matrix.platform }}
           path: /tmp/objectstore-${{ matrix.platform }}.tar
 
-  assemble-image:
-    name: Publish
+  assemble-ghcr:
+    name: Publish to GHCR
     runs-on: ubuntu-latest
     needs: [build]
 
     # Intentionally never publish on pull requests
     if: ${{ github.event_name != 'pull_request' }}
 
+    permissions:
+      packages: write
+
+    env:
+      REGISTRY: ghcr.io/getsentry/objectstore
+
     steps:
       - uses: actions/checkout@v4
 
       - run: docker login --username '${{ github.actor }}' --password-stdin ghcr.io <<< "$GHCR_TOKEN"
         env:
           GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Download Images
+      - &download
+        name: Download Images
         uses: actions/download-artifact@v5
         with:
           pattern: objectstore-*
           path: /tmp
           merge-multiple: true
 
-      - name: Push to GitHub Container Registry
-        env:
-          REGISTRY: ghcr.io/getsentry/objectstore
-          SHA_TAG: ${{ github.sha }}
+      - &assemble
+        name: Push to GitHub Container Registry
         run: |
           for PLATFORM in amd64 arm64; do
             docker load --input /tmp/objectstore-$PLATFORM.tar
-            docker tag $PLATFORM $REGISTRY:$SHA_TAG-$PLATFORM
-            docker push $REGISTRY:$SHA_TAG-$PLATFORM
+            docker tag $PLATFORM $REGISTRY:${{ github.sha }}-$PLATFORM
+            docker push $REGISTRY:${{ github.sha }}-$PLATFORM
           done
 
-          for TAG in $SHA_TAG latest; do
+          for TAG in ${{ github.sha }} latest; do
             docker manifest create $REGISTRY:$TAG \
-              --amend $REGISTRY:$SHA_TAG-amd64 \
-              --amend $REGISTRY:$SHA_TAG-arm64
+              --amend $REGISTRY:${{ github.sha }}-amd64 \
+              --amend $REGISTRY:${{ github.sha }}-arm64
             docker manifest push $REGISTRY:$TAG
           done
+
+  assemble-gcr:
+    name: Publish to GCR
+    runs-on: ubuntu-latest
+    needs: [build]
+
+    # Intentionally never publish on pull requests
+    if: ${{ github.event_name != 'pull_request' }}
+
+    permissions:
+      id-token: write
+
+    env:
+      REGISTRY: us-central1-docker.pkg.dev/sentryio/objectstore/image
+
+    steps:
+      - name: Google Auth
+        id: auth
+        uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
+          service_account: [email protected]
+
+      - name: "Set up Cloud SDK"
+        uses: "google-github-actions/setup-gcloud@v3"
+        with:
+          version: ">= 390.0.0"
+
+      - name: Configure docker
+        run: gcloud auth configure-docker us-central1-docker.pkg.dev
+
+      - *download
+      - *assemble

.github/workflows/ci.yml

@@ -11,6 +11,9 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
@@ -91,7 +94,6 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
-      contents: read
       pages: write
       id-token: write