Merge pull request #7693 from freedomofpress/enp/github

Add workflows for building and publishing container images for the demo application components to Github Packages

Author: legoktm

.github/workflows/build.yml

@@ -1,8 +1,10 @@
 name: Package builds
 on:
-  - merge_group
-  - push
-  - pull_request
+  merge_group:
+  push:
+    branches: ["develop", "release/**"]
+  pull_request:
+    types: ["opened", "synchronize"]
 
 # Only build for latest push/PR unless it's main or release/
 concurrency:

.github/workflows/cargo-vet.yml

@@ -2,7 +2,12 @@
 
 name: cargo vet
 
-on: [push, pull_request]
+on:
+  push:
+    branches: ["develop", "release/**"]
+  pull_request:
+    types: ["opened", "synchronize"]
+  merge_group:
 
 jobs:
   cargo-vet:

.github/workflows/ci.yml

@@ -1,5 +1,12 @@
 name: CI
-on: [push, pull_request]
+
+on:
+  push:
+    branches: ["develop", "release/**"]
+  pull_request:
+    types: ["opened", "synchronize"]
+
+  merge_group:
 
 defaults:
   run:

.github/workflows/demo-landing.yml

@@ -0,0 +1,47 @@
+---
+name: Publish Demo Landing Page
+
+on:
+  push:
+    branches: ["develop"]
+    paths:
+    - devops/demo/landing-page/**
+
+jobs:
+  prepare:
+    name: Prepare
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+    steps:
+    - name: Determine tags
+      id: tags
+      env:
+        REF: ${{ github.ref_name }}
+        SHA: ${{ github.sha }}
+      # So annoying that GHA doesn't have a builtin substring
+      # function (or expose the shortened SHA). If it did then
+      # we could drop this whole job and just set it as a statically
+      # templated value in the build job.
+      run: |
+        echo "tags=$REF;$REF-${SHA:0:7}" >>$GITHUB_OUTPUT
+    outputs:
+      tags: ${{ steps.tags.outputs.tags }}
+
+  build:
+    name: Build Landing Page
+    uses: freedomofpress/actionslib/.github/workflows/oci-build.yaml@main
+    needs:
+    - prepare
+    permissions:
+      contents: read
+      actions: read
+      packages: write
+    with:
+      context: "."
+      containerfile: devops/demo/landing-page/Dockerfile
+      tags: ${{ needs.prepare.outputs.tags }}
+      registry: ghcr.io/freedomofpress/securedrop-demo-landing-page
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/demo-publish.yml

@@ -0,0 +1,50 @@
+---
+name: Publish Demo
+
+on:
+  push:
+    branches: ["develop"]
+    tags: ["**"]  # run for all tags
+
+jobs:
+  prepare:
+    name: Prepare
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+    steps:
+    - name: Determine tags
+      id: tags
+      env:
+        REF: ${{ github.ref_name }}
+        SHA: ${{ github.sha }}
+      # So annoying that GHA doesn't have a builtin substring
+      # function (or expose the shortened SHA). If it did then
+      # we could drop this whole job and just set it as a statically
+      # templated value in the build job.
+      run: |
+        echo "tags=$REF;$REF-${SHA:0:7}" >>$GITHUB_OUTPUT
+    outputs:
+      tags: ${{ steps.tags.outputs.tags }}
+
+  build:
+    name: Build
+    uses: freedomofpress/actionslib/.github/workflows/oci-build.yaml@main
+    needs:
+    - prepare
+    strategy:
+      matrix:
+        debian:
+        - noble
+    permissions:
+      contents: read
+      actions: read
+      packages: write
+    with:
+      context: "."
+      containerfile: securedrop/dockerfiles/${{ matrix.debian }}/python3/DemoDockerfile
+      tags: ${{ needs.prepare.outputs.tags }}
+      registry: ghcr.io/freedomofpress/securedrop-demo-${{ matrix.debian }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/demo.yml renamed to .github/workflows/demo-test.yml

@@ -1,38 +1,62 @@
-name: Demo
+---
+name: Test Demo
 
-on: [push, pull_request]
+on:
+  push:
+    branches: ["develop", "release/**"]
+  pull_request:
+    types: ["opened", "synchronize"]
+  merge_group:
 
 defaults:
   run:
     shell: bash
 
 jobs:
   build:
-    name: Build demo
+    name: Build Demo
+    uses: freedomofpress/actionslib/.github/workflows/oci-build.yaml@main
+    with:
+      context: "."
+      tags: demo
+      containerfile: securedrop/dockerfiles/noble/python3/DemoDockerfile
+
+  test:
+    name: Test Demo
     runs-on: ubuntu-24.04
+    needs:
+      - build
     env:
       DOCKERIZE_VERSION: v0.6.1
     steps:
       - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - name: Build container
+      - name: Download artifact
+        uses: actions/download-artifact@v5
+        with:
+          name: ${{ needs.build.outputs.artifact-name }}
+      - name: Restore container image
+        env:
+          IMAGE_FILE: ${{ needs.build.outputs.artifact-image }}
         run: |
-          podman build -t demo -f securedrop/dockerfiles/noble/python3/DemoDockerfile .
+          podman image load --input="${GITHUB_WORKSPACE}/${IMAGE_FILE}"
       - name: Install dockerize
         run: |
           wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz
           tar -C /usr/local/bin -xzvf dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz
           rm dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz
       - name: Run container and verify it's up
+        env:
+          IMAGE: ${{ needs.build.outputs.image-url }}
         run: |
           function debug() {
             # Dump container logs on failure
             podman logs demo
             exit 1
           }
           # Start the container in the background
-          podman run --name=demo -d -t -p 8080:8080 -p 8081:8081 demo
+          podman run --name=demo -d -t -p 8080:8080 -p 8081:8081 "${IMAGE}"
           # And wait for both ports to be up!
           dockerize -wait http://127.0.0.1:8080 -timeout 2m || debug
           dockerize -wait http://127.0.0.1:8081 -timeout 2m || debug

.github/workflows/security.yml

@@ -1,7 +1,9 @@
 name: Security
 on:
   push:
+    branches: ["develop", "release/**"]
   pull_request:
+    types: ["opened", "synchronize"]
   merge_group:
   schedule:
     - cron: '0 3 * * *'