Push Sygnal docker images to Element OCI Registry

.github/workflows/docker_push.yml

@@ -6,13 +6,31 @@ on:
   push:
     tags: ["v*"]
   workflow_dispatch:
+    inputs:
+      tag_latest:
+        description: 'Tag Docker image as latest'
+        required: false
+        type: boolean
+        default: false
+
+env:
+  TAG_LATEST: ${{ github.event.inputs.tag_latest || 'true' }}
 
 permissions:
   contents: read
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    strategy:
+      matrix:
+        repository:
+          - docker.io/matrixdotorg/sygnal
+          - oci-push.vpn.infra.element.io/sygnal
+
     steps:
       - name: Set up QEMU
         id: qemu
@@ -33,13 +51,63 @@ jobs:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
 
+      - name: Tailscale
+        uses: tailscale/github-action@53acf823325fe9ca47f4cdaa951f90b4b0de5bb9 # v4.1.1
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          audience: ${{ secrets.TS_AUDIENCE }}
+          tags: tag:github-actions
+
+      - name: Compute vault jwt role name
+        id: vault-jwt-role
+        run: |
+           echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT"
+
+      - name: Get team registry token
+        id: import-secrets
+        uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
+        with:
+          url: https://vault.infra.ci.i.element.dev
+          role: ${{ steps.vault-jwt-role.outputs.role_name }}
+          path: service-management/github-actions
+          jwtGithubAudience: https://vault.infra.ci.i.element.dev
+          method: jwt
+          secrets: |
+             services/backend-repositories/secret/data/oci.element.io username | OCI_USERNAME ;
+             services/backend-repositories/secret/data/oci.element.io password | OCI_PASSWORD ;
+
+      - name: Login to Element OCI Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: oci-push.vpn.infra.element.io
+          username: ${{ steps.import-secrets.outputs.OCI_USERNAME }}
+          password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }}
+
+      - name: Decide whether to tag latest
+        id: latest
+        run: |
+          TAG_LATEST=false
+
+          if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_type }}" == "tag" && "${{ github.ref_name }}" == v* ]]; then
+            TAG_LATEST=true
+          fi
+
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" && "${{ github.event.inputs.tag_latest }}" == "true" ]]; then
+            TAG_LATEST=true
+          fi
+
+          echo "tag_latest=$TAG_LATEST" >> "$GITHUB_OUTPUT"
+
       - name: Calculate docker image tags
         id: set-tag
         uses: docker/metadata-action@v5
         with:
-          images: matrixdotorg/sygnal
+          images: ${{ matrix.repository }}
+          flavor: |
+            latest=false
           tags: |
             type=ref,event=tag
+            type=raw,value=latest,enable=${{ steps.latest.outputs.tag_latest == 'true' }}
 
       # we explicitly check out the repository (and use `context: .` in buildx)
       # because we need to preserve the git metadata so that setuptools_scm

changelog.d/428.misc

@@ -0,0 +1 @@
+Push Sygnal docker images to Element OCI Registry.