From 4e14a7650699af5c701b918310759bb2f5f8c279 Mon Sep 17 00:00:00 2001
From: Aaro Koinsaari <89689072+koinsaari@users.noreply.github.com>
Date: Sat, 30 May 2026 14:15:52 +0300
Subject: [PATCH] ci: add deploy workflow that builds image and dispatches infra bump

---
 .github/workflows/deploy.yml | 92 ++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 .github/workflows/deploy.yml

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..285a5ab
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,92 @@
+name: Deploy
+
+on:
+ push:
+ branches: [main]
+ workflow_dispatch:
+ inputs:
+ ref:
+ description: "Ref (branch / tag / SHA) to build and deploy. Defaults to main."
+ required: false
+ default: "main"
+
+permissions:
+ contents: read
+ packages: write
+
+concurrency:
+ group: deploy-production
+ cancel-in-progress: false
+
+jobs:
+ build-and-push:
+ name: build and push image
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ outputs:
+ image_digest: ${{ steps.push.outputs.digest }}
+ target_sha: ${{ steps.resolve.outputs.sha }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ ref: ${{ inputs.ref || github.sha }}
+ fetch-depth: 1
+
+ - name: Resolve target SHA
+ id: resolve
+ run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+ - name: Log in to GHCR
+ uses: docker/login-action@5e57cd118135c172c3672efd2d6d95d0d3c2eaf3 # v4.2.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push image
+ id: push
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v7.2.0
+ with:
+ context: .
+ push: true
+ tags: |
+ ghcr.io/${{ github.repository }}:${{ steps.resolve.outputs.sha }}
+ ghcr.io/${{ github.repository }}:latest
+
+ trigger-infra-bump:
+ name: trigger infra digest bump
+ needs: build-and-push
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - name: Preflight — verify required secrets are set
+ env:
+ INFRA_DISPATCH_TOKEN: ${{ secrets.INFRA_DISPATCH_TOKEN }}
+ run: |
+ set -euo pipefail
+ if [ -z "${INFRA_DISPATCH_TOKEN:-}" ]; then
+ echo "::error::Missing required secret: INFRA_DISPATCH_TOKEN"
+ echo "Needs a fine-grained PAT with contents:write on Stoganet/infra to fire repository_dispatch."
+ exit 1
+ fi
+ echo "All required secrets are set."
+
+ - name: Fire repository_dispatch at infra
+ env:
+ GH_TOKEN: ${{ secrets.INFRA_DISPATCH_TOKEN }}
+ OWNER: ${{ github.repository_owner }}
+ TARGET_SHA: ${{ needs.build-and-push.outputs.target_sha }}
+ IMAGE_DIGEST: ${{ needs.build-and-push.outputs.image_digest }}
+ run: |
+ set -euo pipefail
+ [ -n "${IMAGE_DIGEST}" ] || { echo "::error::IMAGE_DIGEST is empty — aborting dispatch"; exit 1; }
+ [ -n "${TARGET_SHA}" ] || { echo "::error::TARGET_SHA is empty — aborting dispatch"; exit 1; }
+ gh api -X POST "repos/${OWNER}/infra/dispatches" \
+ -f "event_type=api-proxy-bump" \
+ -f "client_payload[sha]=${TARGET_SHA}" \
+ -f "client_payload[digest]=${IMAGE_DIGEST}"
+ echo "Dispatched api-proxy-bump to ${OWNER}/infra (sha=${TARGET_SHA})"
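Review bot: The workflow-level `permissions:` block (`contents: read`, `packages: write`) is inherited by `trigger-infra-bump`, a job that never checks out code or touches GHCR and authenticates only with the `INFRA_DISPATCH_TOKEN` PAT, so its `GITHUB_TOKEN` carries a registry write scope it does not use. Move the block under `build-and-push:` and give the dispatch job `permissions: {}` so a compromised step there cannot push to the package registry. Separately, the `workflow_dispatch` `ref` input lets any branch, tag or SHA be built, tagged `ghcr.io/…:latest` and dispatched to infra under the `deploy-production` concurrency group, which sidesteps whatever review gate protects `main`; if that is intended, putting both jobs in an `environment: production` with required reviewers (and scoping `INFRA_DISPATCH_TOKEN` to that environment) gates it, otherwise apply the `:latest` tag only when the resolved SHA is on `main`. A smaller ordering point: the secret preflight runs after the image has already been pushed, so a missing token fails the run only after `:latest` has moved; checking the secret at the top of `build-and-push`, or in a job the build `needs`, avoids that half-deployed state.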