Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and push Docker image | |
| on: | |
| release: | |
| types: [published] | |
| workflow_dispatch: | |
| env: | |
| IMAGE_NAME: library/threatzone-mcp-server | |
| jobs: | |
| build: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Get runner public IP | |
| id: ip | |
| run: | | |
| IPV4=$(curl -fsS https://ifconfig.me/ip) | |
| echo "ipv4=$IPV4" >> "$GITHUB_OUTPUT" | |
| echo "Runner IP: $IPV4" | |
| - name: Configure AWS CLI | |
| run: | | |
| aws configure set aws_access_key_id ${{ secrets.AWS_EC2_ACCESS_KEY_ID }} | |
| aws configure set aws_secret_access_key ${{ secrets.AWS_EC2_SECRET_ACCESS_KEY }} | |
| aws configure set region ${{ secrets.AWS_EC2_REGION }} | |
| - name: Setup Hetzner CLI | |
| uses: hetznercloud/setup-hcloud@v1 | |
| - name: Add IP to Hetzner firewall | |
| run: | | |
| hcloud firewall add-rule \ | |
| --direction in \ | |
| --protocol tcp \ | |
| --port 443 \ | |
| --source-ips ${{ steps.ip.outputs.ipv4 }}/32 \ | |
| ${{ secrets.HCLOUD_FIREWALL_ID }} \ | |
| --description "CI: threatzone-mcp-server publish" | |
| env: | |
| HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }} | |
| - name: Add IP to AWS security group | |
| run: | | |
| aws ec2 authorize-security-group-ingress \ | |
| --group-id ${{ secrets.AWS_SECURITY_GROUP_ID }} \ | |
| --ip-permissions \ | |
| IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges='[{CidrIp=${{ steps.ip.outputs.ipv4 }}/32,Description="CI: threatzone-mcp-server publish"}]' \ | |
| IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=${{ steps.ip.outputs.ipv4 }}/32,Description="CI: threatzone-mcp-server publish"}]' | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to private registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ secrets.REGISTRY_URL }} | |
| username: ${{ secrets.REGISTRY_USERNAME }} | |
| password: ${{ secrets.REGISTRY_PASSWORD }} | |
| - name: Compute image tags | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=sha,format=short,prefix=sha- | |
| type=raw,value=latest,enable=${{ github.event_name == 'release' && !github.event.release.prerelease }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| provenance: false | |
| - name: Remove IP from Hetzner firewall | |
| if: always() | |
| run: | | |
| hcloud firewall delete-rule \ | |
| --direction in \ | |
| --protocol tcp \ | |
| --port 443 \ | |
| --source-ips ${{ steps.ip.outputs.ipv4 }}/32 \ | |
| ${{ secrets.HCLOUD_FIREWALL_ID }} \ | |
| --description "CI: threatzone-mcp-server publish" || true | |
| env: | |
| HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }} | |
| - name: Remove IP from AWS security group | |
| if: always() | |
| run: | | |
| aws ec2 revoke-security-group-ingress \ | |
| --group-id ${{ secrets.AWS_SECURITY_GROUP_ID }} \ | |
| --ip-permissions \ | |
| IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges='[{CidrIp=${{ steps.ip.outputs.ipv4 }}/32}]' \ | |
| IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=${{ steps.ip.outputs.ipv4 }}/32}]' || true |