AUT-270: implement new deployment workflow for autograph

In AUT-326 we decided that we would: * Deploy stage in response to new version tags in the autograph repository * Avoid rebuilding docker images when pushing a version tag to dockerhub (we will instead pull the docker image we deployed to dev from the ref that we tagged) This commit implements this. You can see example runs of this for the push and release cases in: * https://github.com/bhearsum/autograph-edge/actions/runs/11578701794/job/32233148148 * https://github.com/bhearsum/autograph-edge/actions/runs/11578752320/job/32233325739
mozilla-services · Oct 29, 2024 · 5f8c567 · 5f8c567
1 parent 269ab0b
commit 5f8c567
Showing 1 changed file with 30 additions and 4 deletions.
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -4,8 +4,9 @@ on:
   push:
     branches:
       - main
-    tags:
-      - '[0-9]+.[0-9a-z]+.[0-9a-z]+'
+  release:
+    types:
+      - released
 
 jobs:
   docker:
@@ -26,12 +27,16 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
+          flavor:
+            # don't automatically tag with `latest`; we do this conditionally in the `tags` section
+            latest=false
           images: |
             ${{ vars.DOCKERHUB_REPO }}
             ${{ vars.GCP_PROJECT_ID && format('{0}-docker.pkg.dev/{1}/{2}/autograph-edge', vars.GAR_LOCATION, vars.GCP_PROJECT_ID, vars.GAR_REPOSITORY) }}
           tags: |
             type=semver,pattern={{raw}}
-            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=latest,enable=${{ github.event_name == 'push' }}
+            type=sha,format=long,enable=${{ github.event_name == 'push' }}
 
       - id: gcp-auth
         if: ${{ vars.GCP_PROJECT_ID }}
@@ -61,10 +66,31 @@ jobs:
         run: ./version.sh | tee version.json
 
       - name: Build and push
+        # On pushes to `main`, we build and push a new image, so we can simply
+        # use the `docker/build-push-action` action.
+        if: ${{ github.event_name == 'push' }}
         uses: docker/build-push-action@v6
         with:
-          push: ${{ github.event_name != 'pull_request' }}
+          push: ${{ github.event_name == 'push' }}
           sbom: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           context: .
+
+      - name: Tag and push
+        # For releases, we specifically do _not_ want to rebuild, just tag the
+        # existing image and push. There's no officially maintained action for
+        # this use case, but it's trivial enough to do ourselves.
+        if: ${{ github.event_name == 'release' }}
+        env:
+          # Tags come in the form of a fully qualified image name and tag, eg:
+          # mozilla/autograph:1.1.8
+          # us-west2-docker.pkg.dev/autograph-proj/autograph-repo/autograph:1.1.8
+          TAGS: ${{ steps.meta.outputs.tags }}
+          SRC: ${{ vars.DOCKERHUB_REPO}}:sha-${{ github.sha }}
+        run: |
+          docker pull $SRC
+          for tag in $TAGS; do
+            docker tag $SRC $tag
+            docker push $tag
+          done