diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 2d5567a46..fa1b19b82 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -4,8 +4,9 @@ on:
 push:
 branches:
 - main
- tags:
- - '[0-9]+.[0-9a-z]+.[0-9a-z]+'
+ release:
+ types:
+ - released
 jobs:
 docker:
@@ -26,12 +27,16 @@ jobs:
 id: meta
 uses: docker/metadata-action@v5
 with:
+ flavor:
+ # don't automatically tag with `latest`; we do this conditionally in the `tags` section
+ latest=false
 images: |
 ${{ vars.DOCKERHUB_REPO }}
 ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${{ vars.GAR_REPOSITORY}}/autograph
 tags: |
 type=semver,pattern={{raw}}
- type=raw,value=latest,enable={{is_default_branch}}
+ type=raw,value=latest,enable=${{ github.event_name == 'push' }}
+ type=sha,format=long,enable=${{ github.event_name == 'push' }}
 - name: Generate version.json
 shell: bash
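Review bot: The new `release` trigger listens only for the `released` activity type, which does not fire for pre-releases but does fire when an existing pre-release is promoted to a full release; neither behaviour is stated anywhere, whereas the removed tag-pattern trigger made the accepted inputs explicit. A comment under `release:` such as `# 'released' skips pre-releases; it also fires when a pre-release is promoted to a release` would keep that policy visible to the next person editing the trigger. The `on:` block starts before this hunk, so whether any other event types remain is not visible here.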
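Review bot: The added `type=sha,format=long` tag is the only thing that lets the release-time step locate the image built on `main`, yet nothing in the `tags` block says so; switching it back to the short format or disabling it would break promotion at the next release rather than at this step. A comment above that line, `# long SHA tag is the lookup key for the 'Tag and push' step on release events — keep in sync`, would make the coupling visible. The `flavor:` value is written as a plain scalar with a `#` comment line between key and value, which parses correctly, but the sibling `images` and `tags` keys use `|` block scalars, and an editor who adds `|` to `flavor` for consistency would turn that comment into part of the value handed to the action; placing the comment above the key and writing `flavor: latest=false` on one line removes that trap.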
@@ -58,10 +63,31 @@ jobs:
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
 - name: Build and push
+ # On pushes to `main`, we build and push a new image, so we can simply
+ # use the `docker/build-push-action` action.
+ if: ${{ github.event_name == 'push' }}
 uses: docker/build-push-action@v6
 with:
- push: ${{ github.event_name != 'pull_request' }}
+ push: ${{ github.event_name == 'push' }}
 sbom: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 context: .
+
+ - name: Tag and push
+ # For releases, we specifically do _not_ want to rebuild, just tag the
+ # existing image and push. There's no officially maintained action for
+ # this use case, but it's trivial enough to do ourselves.
+ if: ${{ github.event_name == 'release' }}
+ env:
+ # Tags come in the form of a fully qualified image name and tag, eg:
+ # mozilla/autograph:1.1.8
+ # us-west2-docker.pkg.dev/autograph-proj/autograph-repo/autograph:1.1.8
+ TAGS: ${{ steps.meta.outputs.tags }}
+ SRC: ${{ vars.DOCKERHUB_REPO}}:sha-${{ github.sha }}
+ run: |
+ docker pull $SRC
+ for tag in $TAGS; do
+ docker tag $SRC $tag
+ docker push $tag
+ done
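Review bot: The `docker pull` / `docker tag` / `docker push` sequence in the new `Tag and push` step promotes only the single-platform image the runner pulled (with the default image store), not the manifest index that `sbom: true` on the build step attaches the SBOM attestation to, so the release-tagged images will lack the attestation the `main` images carry. Copying the tag server-side with `docker buildx imagetools create --tag "$tag" "$SRC"` inside the loop, in place of the pull and the two docker commands, preserves the whole index including attestations and needs no local pull. Separately, `$SRC` is a mutable tag, so whatever currently sits at `sha-<sha>` in the registry is what gets promoted; printing the resolved digest before the loop, e.g. `docker buildx imagetools inspect "$SRC"`, makes each release attributable to a specific image in the job log. Quoting `"$SRC"` and `"$tag"` in the commands would also be consistent with how `TAGS` is deliberately left unquoted for word splitting.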