diff --git a/.github/workflows/docker_push.yml b/.github/workflows/docker_push.yml index 88959ae..df896d1 100644 --- a/.github/workflows/docker_push.yml +++ b/.github/workflows/docker_push.yml @@ -6,6 +6,15 @@ on: push: tags: ["v*"] workflow_dispatch: + inputs: + tag_latest: + description: 'Tag Docker image as latest' + required: false + type: boolean + default: false + +env: + TAG_LATEST: ${{ github.event.inputs.tag_latest || 'true' }} permissions: contents: read @@ -13,6 +22,15 @@ permissions: jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + strategy: + matrix: + repository: + - docker.io/matrixdotorg/sygnal + - oci-push.vpn.infra.element.io/sygnal + steps: - name: Set up QEMU id: qemu 
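Review bot: The new workflow-level `env.TAG_LATEST` is not referenced by any line in this diff; the later `Decide whether to tag latest` step recomputes the same decision from `github.event_name` and `github.event.inputs.tag_latest`, so the flag now has two sources of truth. Either drop the `env:` block or have that step read `"$TAG_LATEST"` instead of re-deriving it. Note also that `github.event.inputs.*` values are always strings, and a non-empty string such as `'false'` is truthy for `||`, so the expression yields the literal input string on dispatch and `'true'` on tag pushes — this happens to agree with the step's logic but is easy to misread, which is another reason to keep only one of the two. If the env var is consumed by a part of the workflow outside these hunks, a comment on the `env:` block naming that consumer would make the intent clear.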
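Review bot: The matrix under `strategy:` builds the image once per registry, so the two repositories receive independently built images whose digests can differ; `docker/metadata-action` accepts a multi-line `images:` list, so one job that is logged into both registries could push the identical build to both (the later hunk already performs both logins in every matrix job anyway). If the matrix is kept, consider adding `fail-fast: false` under `strategy:` so a failed push to one registry does not cancel the other. The job-level `permissions:` block correctly scopes `id-token: write` to this job rather than widening the workflow-level `contents: read`; it is what the Vault JWT step (and, by the look of its `audience` input, the Tailscale step) in the later hunk needs. The `build` job body continues outside this hunk.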
@@ -33,13 +51,63 @@ jobs: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_TOKEN }} + - name: Tailscale + uses: tailscale/github-action@53acf823325fe9ca47f4cdaa951f90b4b0de5bb9 # v4.1.1 + with: + oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} + audience: ${{ secrets.TS_AUDIENCE }} + tags: tag:github-actions + + - name: Compute vault jwt role name + id: vault-jwt-role + run: | + echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" + + - name: Get team registry token + id: import-secrets + uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0 + with: + url: https://vault.infra.ci.i.element.dev + role: ${{ steps.vault-jwt-role.outputs.role_name }} + path: service-management/github-actions + jwtGithubAudience: https://vault.infra.ci.i.element.dev + method: jwt + secrets: | + services/backend-repositories/secret/data/oci.element.io username | OCI_USERNAME ; + services/backend-repositories/secret/data/oci.element.io password | OCI_PASSWORD ; + + - name: Login to Element OCI Registry + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: oci-push.vpn.infra.element.io + username: ${{ steps.import-secrets.outputs.OCI_USERNAME }} + password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }} + + - name: Decide whether to tag latest + id: latest + run: | + TAG_LATEST=false + + if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_type }}" == "tag" && "${{ github.ref_name }}" == v* ]]; then + TAG_LATEST=true + fi + + if [[ "${{ github.event_name }}" == "workflow_dispatch" && "${{ github.event.inputs.tag_latest }}" == "true" ]]; then + TAG_LATEST=true + fi + + echo "tag_latest=$TAG_LATEST" >> "$GITHUB_OUTPUT" + - name: Calculate docker image tags id: set-tag uses: docker/metadata-action@v5 with: - images: matrixdotorg/sygnal + images: ${{ matrix.repository }} + flavor: | + latest=false tags: | 
type=ref,event=tag + type=raw,value=latest,enable=${{ steps.latest.outputs.tag_latest == 'true' }} # we explicitly check out the repository (and use `context: .` in buildx) # because we need to preserve the git metadata so that setuptools_scm diff --git a/changelog.d/428.misc b/changelog.d/428.misc new file mode 100644 index 0000000..1d03e16 --- /dev/null +++ b/changelog.d/428.misc @@ -0,0 +1 @@ +Push Sygnal docker images to Element OCI Registry.
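Review bot: Every matrix job runs both the Docker Hub login (context just above this hunk) and the new Tailscale, Vault and Element OCI login sequence, although each job pushes to a single `matrix.repository`, so each job holds credentials for a registry it never uses and the Element-only job still requires `DOCKER_HUB_TOKEN` to be present. Gate the registry-specific steps on the matrix value, e.g. `if: matrix.repository == 'oci-push.vpn.infra.element.io/sygnal'` on the Tailscale, `vault-jwt-role`, `import-secrets` and Element login steps, with the mirror condition on the Docker Hub login. Separately, the `Decide whether to tag latest` and `Compute vault jwt role name` scripts interpolate `${{ github.ref_name }}`, `${{ github.event_name }}` and `${{ github.repository }}` directly into bash source; GitHub's guidance is to pass such context values through `env:` (`REF_NAME: ${{ github.ref_name }}`) and reference `"$REF_NAME"` so a ref or repository name is data rather than script text. Given the `on.push.tags: ["v*"]` filter from the first hunk, the `ref_type`/`ref_name` test in the push branch is redundant but harmless; a one-line comment saying it is a defensive double-check would stop the next reader from wondering which filter is authoritative.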