name: Build wonderwall on: [push] concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: GOOGLE_REGISTRY: europe-north1-docker.pkg.dev GITHUB_REGISTRY: ghcr.io jobs: test: runs-on: ubuntu-latest steps: - name: Checkout latest code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v5 - name: Set up Go uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # ratchet:actions/setup-go@v5 with: go-version-file: 'go.mod' - name: Test Go run: | make test make check build: needs: test name: Publish to Google and GitHub registries if: github.ref == 'refs/heads/master' permissions: contents: "read" id-token: "write" packages: "write" runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v5 - name: Install cosign uses: sigstore/cosign-installer@074636bf86584fb361059563d092a9cfb6560f80 # ratchet:sigstore/cosign-installer@main with: cosign-release: 'v2.2.3' - name: Verify runner image run: cosign verify --certificate-oidc-issuer https://accounts.google.com --certificate-identity keyless@distroless.iam.gserviceaccount.com gcr.io/distroless/static-debian12:nonroot - uses: nais/platform-build-push-sign@main # ratchet:exclude id: build_push_sign with: name: wonderwall dockerfile: Dockerfile google_service_account: gh-wonderwall multi-platform: true push: true push_ghcr: true workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }} outputs: version: ${{ steps.build_push_sign.outputs.version }} charts: needs: build name: Build and push chart if: github.ref == 'refs/heads/master' runs-on: ubuntu-latest permissions: contents: read id-token: write strategy: fail-fast: false matrix: chart: ["wonderwall", "wonderwall-forward-auth"] steps: - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # ratchet:actions/checkout@v5 - id: "auth" name: "Authenticate to Google Cloud" uses: "google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5" # ratchet:google-github-actions/auth@v2 with: workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }} service_account: "gh-wonderwall@nais-io.iam.gserviceaccount.com" token_format: "access_token" - name: "Login to registry" uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # ratchet:docker/login-action@v3 with: registry: "${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature" username: "oauth2accesstoken" password: "${{ steps.auth.outputs.access_token }}" - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # ratchet:azure/setup-helm@v4 name: 'Setup Helm' with: version: '3.13.2' - name: Package chart id: package_chart env: CHART_PATH: ./charts/${{ matrix.chart }} run: | base_version="1.0.0" chart_version="${base_version}-${{ needs.build.outputs.version }}" yq eval \ '.version="'"$chart_version"'"' \ "${{ env.CHART_PATH }}/Chart.yaml" --inplace yq eval \ '.image.tag="${{ needs.build.outputs.version }}"' \ "${{ env.CHART_PATH }}/values.yaml" --inplace helm dependency update "${{ env.CHART_PATH }}" helm package "${{ env.CHART_PATH }}" --destination . name=$(yq '.name' < "${{ env.CHART_PATH }}/Chart.yaml") echo "name=$name" >> $GITHUB_OUTPUT echo "version=$chart_version" >> $GITHUB_OUTPUT echo "archive=$name-$chart_version.tgz" >> $GITHUB_OUTPUT - name: Push Chart run: |- chart="${{ steps.package_chart.outputs.archive }}" echo "Pushing: $chart" helm push "$chart" oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature rollout: name: Rollout if: github.actor != 'dependabot[bot]' && github.ref == 'refs/heads/master' needs: [build, charts] runs-on: fasit-deploy permissions: id-token: write strategy: fail-fast: false matrix: chart: ["wonderwall", "wonderwall-forward-auth"] steps: - uses: nais/fasit-deploy@v2 # ratchet:exclude with: chart: oci://${{ env.GOOGLE_REGISTRY }}/nais-io/nais/feature/${{ matrix.chart }} version: "1.0.0-${{ needs.build.outputs.version }}"