diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
deleted file mode 100644
index cee1627..0000000
--- a/.forgejo/workflows/deploy.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-name: Deploy to Pages - -on: - push: - branches: ['main'] - pull_request: - branches: ['main'] - workflow_dispatch: - -concurrency: - group: 'pages' - cancel-in-progress: false - -jobs: - deploy: - runs-on: docker - - steps: - - uses: actions/checkout@v4 - - name: Validate static frontend - run: | - test -f frontend/index.html - test -f frontend/fizika.json - - name: Copy frontend to host pages mount - if: github.event_name == 'push' && github.ref == 'refs/heads/main' - run: | - apt update && apt install -y rsync - mkdir -p /pages - rsync -a --delete frontend/ /pages/fizika
diff --git a/.forgejo/workflows/docker-publish.yml b/.forgejo/workflows/docker-publish.yml
deleted file mode 100644
index f13528a..0000000
--- a/.forgejo/workflows/docker-publish.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-name: Build and Publish Docker Image - -on: - push: - branches: ['main'] - tags: ['v*'] - pull_request: - branches: ['main'] - workflow_dispatch: - -env: - IMAGE_NAME: ${{ forgejo.repository }}/fizika-admin - -jobs: - build-and-push: - runs-on: ubuntu-docker - - steps: - - name: Checkout repository - uses: https://code.forgejo.org/actions/checkout@v4 - - - name: Extract registry host - id: registry - run: echo "host=$(echo '${{ forgejo.server_url }}' | sed 's|https\?://||')" >> "$GITHUB_OUTPUT" - - - name: Log into Forgejo registry - if: forgejo.event_name != 'pull_request' - run: echo "${{ secrets.FORGEJO_TOKEN }}" | docker login "${{ steps.registry.outputs.host }}" -u "${{ forgejo.actor }}" --password-stdin - - - name: Build Docker image - run: | - IMAGE="${{ steps.registry.outputs.host }}/$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')" - SHA_SHORT="$(echo "${{ forgejo.sha }}" | cut -c1-12)" - TAG_ARGS="-t ${IMAGE}:sha-${SHA_SHORT}" - - if [ "${{ forgejo.ref }}" = "refs/heads/main" ]; then - TAG_ARGS="${TAG_ARGS} -t ${IMAGE}:main -t ${IMAGE}:latest" - fi - - if [ "${{ forgejo.ref_type }}" = "tag" ]; then - REF_NAME="${{ forgejo.ref_name }}" - TAG_ARGS="${TAG_ARGS} -t ${IMAGE}:${REF_NAME}" - - if echo "$REF_NAME" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then - VERSION="${REF_NAME#v}" - MAJOR_MINOR="$(echo "$VERSION" | cut -d. -f1,2)" - MAJOR="$(echo "$VERSION" | cut -d. -f1)" - TAG_ARGS="${TAG_ARGS} -t ${IMAGE}:${VERSION} -t ${IMAGE}:${MAJOR_MINOR} -t ${IMAGE}:${MAJOR}" - fi - fi - - docker build \ - --label "org.opencontainers.image.source=${{ forgejo.server_url }}/${{ forgejo.repository }}" \ - --label "org.opencontainers.image.revision=${{ forgejo.sha }}" \ - --label "org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \ - ${TAG_ARGS} \ - ./backend - - echo "IMAGE=${IMAGE}" >> "$GITHUB_ENV" - - - name: Push Docker image - if: forgejo.event_name != 'pull_request' - run: docker push --all-tags "$IMAGE"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..1230149
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
new file mode 100644
index 0000000..b5103e5
--- /dev/null
+++ b/.github/workflows/deploy.yaml
@@ -0,0 +1,36 @@
+name: Deploy to Pages
+
+on:
+ push:
+ branches: [main]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+ - name: Setup Pages
+ uses: actions/configure-pages@v5
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v4
+ with:
+ path: "frontend"
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000..f182605
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
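Review bot: Every `uses:` in the new deploy job (`actions/checkout@v6`, `actions/configure-pages@v5`, `actions/upload-pages-artifact@v4`, `actions/deploy-pages@v4`) references a floating major tag, and this job holds `pages: write` and `id-token: write`, so a moved or compromised tag can republish the site under the repository's trusted OIDC identity. Pin each action to the full commit SHA of its release with the version in a trailing comment (`uses: actions/checkout@<full-commit-sha> # v6`); the `github-actions` Dependabot config added in the same commit keeps SHA pins current. The deleted Forgejo workflow also asserted that `frontend/index.html` and `frontend/fizika.json` exist before publishing, and that check is gone here, so a broken or partial `frontend/` directory deploys silently — consider a `run: test -f frontend/index.html && test -f frontend/fizika.json` step before the upload.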
@@ -0,0 +1,86 @@
+name: Build and Publish Docker Image
+
+on:
+ push:
+ branches: ["main"]
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}/fizika-admin
+
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v3
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=sha,prefix={{branch}}-
+ # set latest tag for default branch
+ type=raw,value=latest,enable={{is_default_branch}}
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@v5
+ with:
+ context: ./backend
+ file: ./backend/Dockerfile
+ platforms: linux/amd64,linux/arm64
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ # Security scanning
+ sbom: true
+ provenance: true
+
+ # Sign the resulting Docker image digest.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data. If you would like to publish
+ # transparency data even for private images, pass --force to cosign below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: ${{ github.ref_type == 'tag' }}
+ env:
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
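Review bot: The `Sign the published Docker image` step is unreachable: its condition `if: ${{ github.ref_type == 'tag' }}` can never hold because the workflow's only trigger is `push` to `main`, so every image pushed to ghcr.io goes out unsigned while the job still grants `id-token: write` for a step that never runs, and nothing in the hunk installs `cosign` on `ubuntu-latest` either. Either keep tag-only signing and add `tags: ["v*"]` under `on.push` (as the deleted Forgejo workflow had), or follow the step's own comment and sign every non-PR push with `if: github.event_name != 'pull_request'`; in both cases add a SHA-pinned `sigstore/cosign-installer` step ahead of it. For the same reason the `type=ref,event=pr` and `type=semver` rules in the metadata step never fire under this trigger, and the `# Security scanning` comment above `sbom: true` / `provenance: true` is misleading — those options attach SBOM and build-provenance attestations to the image rather than scanning it, so `# Attach SBOM and build provenance attestations` would be accurate.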