Merge pull request #3 from IFRCGo/feature/setup-secret-vault #52
| name: ci | |
| on: | |
| push: | |
| branches: ["develop"] | |
| tags: ["v*"] | |
| pull_request: | |
| permissions: | |
| contents: read | |
| jobs: | |
| go: | |
| name: go (vet, build) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@main | |
| with: | |
| submodules: true | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: "1.23.x" | |
| cache: true | |
| - name: Verify gofmt | |
| run: | | |
| files=$(gofmt -l .) | |
| if [ -n "$files" ]; then | |
| echo "gofmt needed on:" | |
| echo "$files" | |
| exit 1 | |
| fi | |
| - name: Tidy check (no diff) | |
| run: | | |
| go mod tidy | |
| git diff --exit-code | |
| - name: Vet | |
| run: go vet ./... | |
| - name: Build | |
| run: go build -trimpath -ldflags="-s -w" -o cacheppuccino . | |
| docker: | |
| name: docker (build and push) | |
| runs-on: ubuntu-latest | |
| needs: [go] | |
| # if: github.event_name != 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| outputs: | |
| docker_image_tag: ${{ steps.meta.outputs.version }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@main | |
| with: | |
| submodules: true | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| tags: | | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=sha,format=short,prefix=0.1.0- | |
| type=ref,event=tag | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| helm: | |
| name: helm (package and push) | |
| runs-on: ubuntu-latest | |
| needs: [docker] | |
| # if: github.event_name != 'pull_request' | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@main | |
| with: | |
| submodules: true | |
| - name: Setup Helm | |
| uses: azure/setup-helm@v4 | |
| with: | |
| version: v3.15.4 | |
| - name: Determine chart version | |
| id: ver | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then | |
| # Tag format: v0.1.0 -> 0.1.0 | |
| VERSION="${GITHUB_REF_NAME#v}" | |
| else | |
| # Unique semver prerelease for main pushes | |
| SHORT_SHA="$(echo "${GITHUB_SHA}" | cut -c1-7)" | |
| VERSION="0.1.0-${SHORT_SHA}" | |
| fi | |
| echo "version=${VERSION}" >> "$GITHUB_OUTPUT" | |
| - name: Login to GHCR (Helm OCI) | |
| shell: bash | |
| run: | | |
| echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin | |
| - name: Lint chart | |
| run: helm lint helm | |
| - name: 🐳 Helm template (snapshot) | |
| run: ./helm/update-snapshots.sh --check-diff-only | |
| - name: Tag docker image in Helm Chart values.yaml | |
| working-directory: helm | |
| env: | |
| IMAGE_TAG: ${{ needs.docker.outputs.docker_image_tag }} | |
| run: | | |
| # Update values.yaml with latest docker image | |
| sed -i "s/SET-BY-CICD-TAG/$IMAGE_TAG/" ./values.yaml | |
| - name: Package chart | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| mkdir -p dist | |
| helm package helm \ | |
| --destination dist \ | |
| --version "${{ steps.ver.outputs.version }}" \ | |
| --app-version "${{ steps.ver.outputs.version }}" | |
| - name: Push chart to GHCR (OCI) | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| OWNER_LC="$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')" | |
| CHART_TGZ="$(ls -1 dist/cacheppuccino-*.tgz | head -n 1)" | |
| helm push "${CHART_TGZ}" "oci://ghcr.io/${OWNER_LC}" |
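Review bot: The three `uses: actions/checkout@main` steps (go, docker and helm jobs) track a floating branch, so whatever lands on that branch upstream runs inside jobs that hold `packages: write`; pin it to a release tag or, preferably, a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<pinned-commit-sha>  # vX.Y.Z` (placeholder, fill in the pinned ref). The "Login to GHCR (Helm OCI)" step splices `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` straight into the `run` script text, and the package and push steps do the same with `steps.ver.outputs.version` and `github.repository_owner`; routing them through `env:` keeps expression values out of the command line and out of the step's echoed script: `env:` / `  HELM_TOKEN: ${{ secrets.GITHUB_TOKEN }}` then `run: echo "$HELM_TOKEN" | helm registry login ghcr.io -u "$GITHUB_ACTOR" --password-stdin`. With `# if: github.event_name != 'pull_request'` left commented out in both the docker and helm jobs, pull_request runs also reach `push: true` and `helm push`, so same-repository branches publish images and charts to GHCR before review (fork PRs presumably fail at login since their token is read-only); restore the guard on the publish steps if that is not intended.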