Docker Hub Workflow #2954

Workflow file for this run

.github/workflows/docker-hub.yml at a57a31d

	name: Docker Hub Workflow
	run-name: Docker Hub Workflow

	on:
	workflow_dispatch:
	push:
	branches:
	- 'main'
	tags:
	- 'v*'
	pull_request:
	branches:
	- 'main'

	env:
	DOCKER_USER: 1001:127

	jobs:
	trivy-scan:
	runs-on: ubuntu-latest
	steps:
	-
	uses: actions/create-github-app-token@v1
	id: app-token
	with:
	app-id: ${{ secrets.APP_ID }}
	private-key: ${{ secrets.PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}
	repositories: "people,secrets"
	-
	name: Checkout repository
	uses: actions/checkout@v2
	with:
	submodules: recursive
	token: ${{ steps.app-token.outputs.token }}
	-
	name: Docker meta
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: \|
	lasuite/people-backend
	lasuite/people-frontend
	-
	name: Run trivy scan (backend)
	uses: numerique-gouv/action-trivy-cache@main
	with:
	docker-build-args: '--target backend-production -f Dockerfile'
	docker-image-name: 'docker.io/lasuite/people-backend:${{ github.sha }}'
	-
	name: Run trivy scan (frontend)
	uses: numerique-gouv/action-trivy-cache@main
	with:
	docker-build-args: '--target frontend-production -f Dockerfile'
	docker-image-name: 'docker.io/lasuite/people-frontend:${{ github.sha }}'

	build-and-push-backend:
	runs-on: ubuntu-latest
	steps:
	-
	uses: actions/create-github-app-token@v1
	id: app-token
	with:
	app-id: ${{ secrets.APP_ID }}
	private-key: ${{ secrets.PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}
	repositories: "people,secrets"
	-
	name: Checkout repository
	uses: actions/checkout@v2
	with:
	submodules: recursive
	token: ${{ steps.app-token.outputs.token }}
	-
	name: Docker meta
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: lasuite/people-backend
	-
	name: Load sops secrets
	uses: rouja/actions-sops@main
	with:
	secret-file: secrets/numerique-gouv/people/secrets.enc.env
	age-key: ${{ secrets.SOPS_PRIVATE }}
	-
	name: Login to DockerHub
	if: github.event_name != 'pull_request'
	run: echo "$DOCKER_HUB_PASSWORD" \| docker login -u "$DOCKER_HUB_USER" --password-stdin
	-
	name: Build and push
	uses: docker/build-push-action@v6
	with:
	context: .
	target: backend-production
	build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
	push: ${{ github.event_name != 'pull_request' }}
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}

	build-and-push-frontend:
	runs-on: ubuntu-latest
	steps:
	-
	uses: actions/create-github-app-token@v1
	id: app-token
	with:
	app-id: ${{ secrets.APP_ID }}
	private-key: ${{ secrets.PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}
	repositories: "people,secrets"
	-
	name: Checkout repository
	uses: actions/checkout@v2
	with:
	submodules: recursive
	token: ${{ steps.app-token.outputs.token }}
	-
	name: Docker meta
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: lasuite/people-frontend
	-
	name: Load sops secrets
	uses: rouja/actions-sops@main
	with:
	secret-file: secrets/numerique-gouv/people/secrets.enc.env
	age-key: ${{ secrets.SOPS_PRIVATE }}
	-
	name: Login to DockerHub
	if: github.event_name != 'pull_request'
	run: echo "$DOCKER_HUB_PASSWORD" \| docker login -u "$DOCKER_HUB_USER" --password-stdin
	-
	name: Build and push
	uses: docker/build-push-action@v6
	with:
	context: .
	target: frontend-production
	build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
	push: ${{ github.event_name != 'pull_request' }}
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}

	notify-argocd:
	needs:
	- build-and-push-frontend
	- build-and-push-backend
	runs-on: ubuntu-latest
	if: github.event_name != 'pull_request'
	steps:
	-
	uses: actions/create-github-app-token@v1
	id: app-token
	with:
	app-id: ${{ secrets.APP_ID }}
	private-key: ${{ secrets.PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}
	repositories: "people,secrets"
	-
	name: Checkout repository
	uses: actions/checkout@v2
	with:
	submodules: recursive
	token: ${{ steps.app-token.outputs.token }}
	-
	name: Load sops secrets
	uses: rouja/actions-sops@main
	with:
	secret-file: secrets/numerique-gouv/people/secrets.enc.env
	age-key: ${{ secrets.SOPS_PRIVATE }}
	-
	name: Call argocd github webhook
	run: \|
	data='{"ref": "'$GITHUB_REF'","repository": {"html_url":"'$GITHUB_SERVER_URL'/'$GITHUB_REPOSITORY'"}}'
	sig=$(echo -n ${data} \| openssl dgst -sha1 -hmac ''${ARGOCD_WEBHOOK_SECRET}'' \| awk '{print "X-Hub-Signature: sha1="$2}')
	curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_WEBHOOK_URL

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Docker Hub Workflow #2954

Workflow file

Docker Hub Workflow #2954

Jobs

Run details

Workflow file for this run