Add release & publishing pipelines for Element Web modules #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This pipeline runs for every new tag. It will pull the docker container for | |
| # the commit hash of the tag, and will publish it as `:<tag-name>` and `latest`. | |
| name: Release Element Web Module containers | |
| on: | |
| pull_request: {} | |
| push: | |
| tags: | |
| - "module/opendesk@*" | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| env: | |
| DOCKER_IMAGE: ghcr.io/element-hq/synapse-guest-module | |
| steps: | |
| - name: Generate Docker metadata of the existing image | |
| id: meta-existing-tag | |
| uses: docker/metadata-action@v5 | |
| with: | |
| bake-target: docker-metadata-action | |
| flavor: | | |
| latest=auto | |
| tags: | | |
| type=ref,event=branch | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=sha | |
| - name: Login to ghcr.io | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # @v3.5.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build | |
| uses: docker/[email protected] | |
| if: github.event_name == 'pull_request' | |
| with: | |
| files: | | |
| ./docker-bake.hcl | |
| cwd://${{ steps.meta.outputs.bake-file }} | |
| - name: Build and push | |
| id: bake | |
| uses: docker/[email protected] | |
| if: github.event_name != 'pull_request' | |
| with: | |
| files: | | |
| ./docker-bake.hcl | |
| cwd://${{ steps.meta.outputs.bake-file }} | |
| set: | | |
| _common.output=type=image,push=true | |
| - name: Transform bake output | |
| id: output | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| echo 'digests<<EOF' >> $GITHUB_OUTPUT | |
| echo '${{ steps.bake.outputs.metadata }}' | jq -r 'with_entries(select(.value | (type == "object" and has("containerimage.digest")))) | map_values(.["containerimage.digest"]) | to_entries[] | "\\(.key)@\\(.value)"' >> $GITHUB_OUTPUT | |
| echo 'EOF' >> $GITHUB_OUTPUT | |
| - name: Sign the images with GitHub Actions provided token | |
| # Only sign on tags and on commits on main branch | |
| if: github.event_name != 'pull_request' | |
| run: cosign sign --yes $DIGESTS | |
| env: | |
| DIGESTS: ${{ steps.output.outputs.digests }} |