diff --git a/.github/workflows/docker-publish-ci.yml b/.github/workflows/docker-publish-ci.yml
index cb3ccea4..3c5931f9 100644
--- a/.github/workflows/docker-publish-ci.yml
+++ b/.github/workflows/docker-publish-ci.yml
@@ -1,25 +1,11 @@
 name: Docker Publish (CI)
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-
+# This workflow publishes ghcr.io/neilotoole/sq as part of the CI process.
+# It is called from the main workflow.
 on:
 workflow_call:
- # Allows you to run this workflow manually from the Actions tab
-# workflow_dispatch:
-# schedule:
-# - cron: '25 4 * * *'
-# push:
-# branches: [ "master" ]
-# # Publish semver tags as releases.
-# tags: [ 'v*.*.*' ]
-# pull_request:
-# branches: [ "master" ]
 env:
 # Use docker.io for Docker Hub if empty
@@ -27,7 +13,6 @@ env:
 # github.repository as /
 IMAGE_NAME: ${{ github.repository }}
-
 jobs:
 build:
@@ -52,8 +37,6 @@ jobs:
 - name: Install cosign
 if: github.event_name != 'pull_request'
 uses: sigstore/cosign-installer@v3.3.0
-# with:
-# cosign-release: 'v3.1.1'
 # Set up BuildKit Docker container builder to be able to build
 # multi-platform images and export cache
@@ -90,7 +73,6 @@ jobs:
 push: ${{ github.event_name != 'pull_request' }}
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
-# labels: latest
 platforms: linux/amd64,linux/arm64
 cache-from: type=gha
 cache-to: type=gha,mode=max
diff --git a/.github/workflows/docker-publish-dispatch.yml b/.github/workflows/docker-publish-dispatch.yml
index 372a291d..3905c4f7 100644
--- a/.github/workflows/docker-publish-dispatch.yml
+++ b/.github/workflows/docker-publish-dispatch.yml
@@ -1,26 +1,14 @@
 name: Docker Publish (dispatch)
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-
-
+# This workflow publishes ghcr.io/neilotoole/sq:latest using
+# the latest sq release. This workflow is intended for manual
+# execution from the Actions tab, and is not triggered by
+# any events. Ultimately this workflow may be deleted; it was
+# created to facilitate testing of the Docker publishing
+# process.
 on:
- workflow_call:
- - # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
-# schedule:
-# - cron: '25 4 * * *'
-# push:
-# branches: [ "master" ]
-# # Publish semver tags as releases.
-# tags: [ 'v*.*.*' ]
-# pull_request:
-# branches: [ "master" ]
 env:
 # Use docker.io for Docker Hub if empty
@@ -54,8 +42,6 @@ jobs:
 - name: Install cosign
 if: github.event_name != 'pull_request'
 uses: sigstore/cosign-installer@v3.3.0
-# with:
-# cosign-release: 'v3.1.1'
 # Set up BuildKit Docker container builder to be able to build
 # multi-platform images and export cache
@@ -90,7 +76,7 @@ jobs:
 file: packages/docker/alpine.Dockerfile
 context: packages/docker
 push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ env.IMAGE_FQ_TAG }}
+ tags: ${{ env.IMAGE_FQ_TAG }} # Explicitly set the tag to push
 labels: ${{ steps.meta.outputs.labels }}
 platforms: linux/amd64,linux/arm64
 cache-from: type=gha
@@ -105,7 +91,7 @@ jobs:
 if: ${{ github.event_name != 'pull_request' }}
 env:
 # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
- TAGS: ${{ env.IMAGE_FQ_TAG }}
+ TAGS: ${{ env.IMAGE_FQ_TAG }} # Explicitly set the tag to sign
 DIGEST: ${{ steps.build-and-push.outputs.digest }}
 # This step uses the identity token to provision an ephemeral certificate
 # against the sigstore community Fulcio instance.
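Review bot: With `workflow_call` dropped from `on:`, this workflow can now only run via `workflow_dispatch`, so the `github.event_name != 'pull_request'` guards that remain on the cosign install, push and signing steps (visible as context in the later hunks of this file) are always true and no longer record any real decision. Either remove them or say why they stay, e.g. `if: github.event_name != 'pull_request'  # always true under workflow_dispatch; kept to mirror docker-publish-ci.yml`. The new header comment says the workflow publishes `:latest`, but the hunks only show `tags: ${{ env.IMAGE_FQ_TAG }}` and the definition of `IMAGE_FQ_TAG` is outside this view; a one-line pointer in the header to where that tag is set would make the "publishes :latest on every manual run" behaviour auditable from the top of the file.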
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ae812be8..5b5d8a8c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,4 +1,4 @@
-name: Main pipeline
+name: Main Pipeline
 on:
 push:
 paths-ignore:
@@ -326,7 +326,7 @@ jobs:
 FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
 AUR_PRIVATE_KEY: ${{ secrets.AUR_PRIVATE_KEY }}
- install:
+ test-install:
 # Verify that install mechanisms are working on the various
 # supported platforms. This workflow runs *after* the new release
 # has been published. So, if this workflow fails, it means that
@@ -334,3 +334,10 @@ jobs:
 needs: publish
 if: startsWith(github.ref, 'refs/tags/v')
 uses: ./.github/workflows/test-install.yml
+
+ docker-publish:
+ # Publish docker image to registry. This runs *after* the new release
+ # has been published and test-install has passed.
+ needs: test-install
+ if: startsWith(github.ref, 'refs/tags/v')
+ uses: ./.github/workflows/docker-publish-ci.yml
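Review bot: The new `docker-publish` job declares no `permissions:` block, and a called reusable workflow can only use the token permissions the caller's job already holds; docker-publish-ci.yml pushes to GHCR and installs cosign (visible in its hunks above), which presumably requires `packages: write` and, if signing is keyless, `id-token: write`. Unless main.yml's top-level `permissions` (outside this hunk) already grants those, the failure will surface only at release time rather than in CI, so declare them on the job explicitly: `permissions: { contents: read, packages: write, id-token: write }`. The `if: startsWith(github.ref, 'refs/tags/v')` duplicates the condition on `test-install`, and `needs: test-install` already skips this job when that one is skipped, so the line is redundant but harmless as a statement of intent. If any other job in main.yml still refers to `needs: install` after the rename in the previous hunk it would need updating too; none is visible here.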