Databuddy/.github/workflows/docker-publish.yml at 0db292cfc9d16f191faea4596e997205ceb82c2f · databuddy-analytics/Databuddy · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
name: Publish Docker Images

on:
  release:
    types: [published]
  push:
    branches: [main]
    paths:
      - "*.Dockerfile"
      - "apps/**"
      - "packages/**"
      - ".github/workflows/docker-publish.yml"
  workflow_dispatch:

concurrency:
  group: docker-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name != 'release' }}

env:
  REGISTRY: ghcr.io
  IMAGE_PREFIX: ghcr.io/databuddy-analytics/databuddy

jobs:
  detect:
    name: Detect affected services
    runs-on: blacksmith-2vcpu-ubuntu-2404
    timeout-minutes: 5
    outputs:
      services: ${{ steps.detect.outputs.services }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
        with:
          bun-version: "1.3.11"
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ~/.bun/install/cache
          key: ${{ runner.os }}-bun-${{ hashFiles('bun.lock') }}
          restore-keys: ${{ runner.os }}-bun-
      - run: bun install --frozen-lockfile
      - id: detect
        env:
          EVENT_NAME: ${{ github.event_name }}
          BEFORE_SHA: ${{ github.event.before }}
        run: |
          ALL='["api","basket","links","uptime"]'
          if [[ "$EVENT_NAME" != "push" ]]; then
            echo "services=$ALL" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          if [[ -z "$BEFORE_SHA" || "$BEFORE_SHA" == "0000000000000000000000000000000000000000" ]]; then
            echo "services=$ALL" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          export TURBO_SCM_BASE="$BEFORE_SHA"
          export TURBO_SCM_HEAD="HEAD"
          affected=()
          for svc in api basket links uptime; do
            count=$(bunx turbo ls --affected --filter="@databuddy/$svc" --output=json | jq -r '.packages.count')
            if [[ "$count" != "0" ]]; then
              affected+=("\"$svc\"")
            fi
          done
          if [[ ${#affected[@]} -eq 0 ]]; then
            echo "services=[]" >> "$GITHUB_OUTPUT"
          else
            IFS=,
            echo "services=[${affected[*]}]" >> "$GITHUB_OUTPUT"
          fi

  build:
    name: Build ${{ matrix.service }} (${{ matrix.platform.arch }})
    needs: detect
    if: needs.detect.outputs.services != '[]'
    runs-on: ${{ matrix.platform.runner }}
    timeout-minutes: 30
    permissions:
      contents: read
      packages: write
      id-token: write
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        service: ${{ fromJson(needs.detect.outputs.services) }}
        platform:
          - arch: amd64
            os: linux/amd64
            runner: blacksmith-4vcpu-ubuntu-2404
          - arch: arm64
            os: linux/arm64
            runner: blacksmith-4vcpu-ubuntu-2404-arm
        include:
          - service: api
            description: "Databuddy API service - analytics backend"
          - service: basket
            description: "Databuddy Basket service - event ingestion"
          - service: links
            description: "Databuddy Links service - URL shortening and tracking"
          - service: uptime
            description: "Databuddy Uptime service - availability monitoring"

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Mount Docker build cache
        uses: useblacksmith/stickydisk@41873b1513bb679f9c115504cbd13d3660432504 # v1
        with:
          key: ${{ github.repository }}-${{ matrix.service }}-${{ matrix.platform.arch }}
          path: /tmp/docker-build-cache

      - name: Set up Docker Builder
        uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1

      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Determine version tag
        id: version
        env:
          EVENT_NAME: ${{ github.event_name }}
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          if [[ "$EVENT_NAME" == "release" ]]; then
            echo "tag=$TAG_NAME" >> "$GITHUB_OUTPUT"
          else
            echo "tag=edge" >> "$GITHUB_OUTPUT"
          fi

      - name: Capture build date
        id: builddate
        run: echo "timestamp=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"

      - name: Extract metadata (labels)
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ${{ env.IMAGE_PREFIX }}-${{ matrix.service }}
          labels: |
            org.opencontainers.image.title=databuddy-${{ matrix.service }}
            org.opencontainers.image.description=${{ matrix.description }}
            org.opencontainers.image.vendor=Databuddy Analytics
            org.opencontainers.image.licenses=AGPL-3.0

      - name: Build and push
        id: build
        uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2
        with:
          context: .
          file: ${{ matrix.service }}.Dockerfile
          push: true
          platforms: ${{ matrix.platform.os }}
          provenance: mode=max
          sbom: true
          labels: ${{ steps.meta.outputs.labels }}
          tags: ${{ env.IMAGE_PREFIX }}-${{ matrix.service }}:${{ steps.version.outputs.tag }}-${{ matrix.platform.arch }}
          build-args: |
            VERSION=${{ steps.version.outputs.tag }}
            BUILD_DATE=${{ steps.builddate.outputs.timestamp }}
            GIT_SHA=${{ github.sha }}
          cache-from: type=gha,scope=${{ matrix.service }}-${{ matrix.platform.arch }}
          cache-to: type=gha,mode=max,scope=${{ matrix.service }}-${{ matrix.platform.arch }}

      - name: Scan image for vulnerabilities
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          image-ref: ${{ env.IMAGE_PREFIX }}-${{ matrix.service }}:${{ steps.version.outputs.tag }}-${{ matrix.platform.arch }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true

      - name: Upload scan results to GitHub Security
        uses: github/codeql-action/upload-sarif@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
        if: always()
        with:
          sarif_file: trivy-results.sarif

      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4

      - name: Sign image
        run: cosign sign --yes ${{ env.IMAGE_PREFIX }}-${{ matrix.service }}:${{ steps.version.outputs.tag }}-${{ matrix.platform.arch }}

  manifest:
    name: Publish ${{ matrix.service }} manifest
    needs: [detect, build]
    if: needs.detect.outputs.services != '[]'
    runs-on: blacksmith-2vcpu-ubuntu-2404
    timeout-minutes: 10
    permissions:
      contents: read
      packages: write
      id-token: write
    strategy:
      matrix:
        service: ${{ fromJson(needs.detect.outputs.services) }}

    steps:
      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Determine version tag
        id: version
        env:
          EVENT_NAME: ${{ github.event_name }}
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          if [[ "$EVENT_NAME" == "release" ]]; then
            echo "tag=$TAG_NAME" >> "$GITHUB_OUTPUT"
            echo "is_release=true" >> "$GITHUB_OUTPUT"
          else
            echo "tag=edge" >> "$GITHUB_OUTPUT"
            echo "is_release=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Create multi-arch manifest
        run: |
          IMAGE="${{ env.IMAGE_PREFIX }}-${{ matrix.service }}"
          TAG="${{ steps.version.outputs.tag }}"
          SHA_SHORT="${{ github.sha }}"
          SHA_SHORT="${SHA_SHORT:0:7}"

          docker buildx imagetools create \
            --tag "$IMAGE:$TAG" \
            --tag "$IMAGE:sha-$SHA_SHORT" \
            "$IMAGE:$TAG-amd64" \
            "$IMAGE:$TAG-arm64"

          if [[ "${{ steps.version.outputs.is_release }}" == "true" ]]; then
            docker buildx imagetools create \
              --tag "$IMAGE:latest" \
              "$IMAGE:$TAG-amd64" \
              "$IMAGE:$TAG-arm64"
          fi

      - name: Verify manifest
        run: |
          IMAGE="${{ env.IMAGE_PREFIX }}-${{ matrix.service }}"
          TAG="${{ steps.version.outputs.tag }}"
          echo "Inspecting $IMAGE:$TAG"
          docker buildx imagetools inspect "$IMAGE:$TAG"

      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4

      - name: Sign manifest
        run: |
          IMAGE="${{ env.IMAGE_PREFIX }}-${{ matrix.service }}"
          TAG="${{ steps.version.outputs.tag }}"
          cosign sign --yes "$IMAGE:$TAG"