chore: update chainguard nginx digest #161
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow build and push a Docker container to Google Artifact Registry | |
| # and deploy it on Cloud Run when a commit is pushed to the "main" | |
| # branch. | |
| # | |
| # To configure this workflow: | |
| # | |
| # 1. Enable the following Google Cloud APIs: | |
| # | |
| # - Artifact Registry (artifactregistry.googleapis.com) | |
| # - Cloud Run (run.googleapis.com) | |
| # - IAM Credentials API (iamcredentials.googleapis.com) | |
| # | |
| # You can learn more about enabling APIs at | |
| # https://support.google.com/googleapi/answer/6158841. | |
| # | |
| # 2. Create and configure a Workload Identity Provider for GitHub: | |
| # https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. | |
| # | |
| # Depending on how you authenticate, you will need to grant an IAM principal | |
| # permissions on Google Cloud: | |
| # | |
| # - Artifact Registry Administrator (roles/artifactregistry.admin) | |
| # - Cloud Run Developer (roles/run.developer) | |
| # | |
| # You can learn more about setting IAM permissions at | |
| # https://cloud.google.com/iam/docs/manage-access-other-resources | |
| # | |
| # 3. Change the values in the "env" block to match your values. | |
| name: 'CD' | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| env: | |
| PROJECT_ID: 'tugidoko-dev' # TODO: update to your Google Cloud project ID | |
| REGION: 'asia-northeast1' # TODO: update to your region | |
| SERVICE: 'nginx-app' # TODO: update to your service name | |
| WORKLOAD_IDENTITY_PROVIDER: 'projects/109380428695/locations/global/workloadIdentityPools/github-pool/providers/github-provider' # TODO: update to your workload identity provider | |
| jobs: | |
| build-and-deploy: | |
| name: Build and Deploy to Cloud Run | |
| runs-on: 'ubuntu-latest' | |
| if: "!contains(github.event.head_commit.message, '[skip cd]') && !contains(github.event.head_commit.message, '[skip ci cd]')" | |
| permissions: | |
| contents: 'write' | |
| id-token: 'write' | |
| steps: | |
| - name: 'Checkout' | |
| uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 | |
| with: | |
| token: ${{ secrets.PAT_TOKEN }} | |
| # Configure Workload Identity Federation and generate an access token. | |
| # | |
| # See https://github.com/google-github-actions/auth for more options, | |
| # including authenticating via a JSON credentials file. | |
| - id: 'auth' | |
| name: 'Authenticate to Google Cloud' | |
| uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 | |
| with: | |
| workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}' | |
| # BEGIN - Docker auth and build | |
| # | |
| # If you already have a container image, you can omit these steps. | |
| - name: 'Docker Auth' | |
| uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3 | |
| with: | |
| username: 'oauth2accesstoken' | |
| password: '${{ steps.auth.outputs.auth_token }}' | |
| registry: '${{ env.REGION }}-docker.pkg.dev' | |
| - name: 'Set up Docker Buildx' | |
| uses: docker/setup-buildx-action@v3 | |
| - name: 'Build and Push Container' | |
| id: build | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| push: true | |
| tags: ${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/cloud-run-source-deploy/${{ env.SERVICE }}:${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| platforms: linux/amd64 | |
| provenance: false | |
| - name: 'Check if deployment is needed' | |
| id: check-deploy-needed | |
| run: | | |
| CURRENT_DIGEST="${{ steps.build.outputs.digest }}" | |
| echo "Current build digest: $CURRENT_DIGEST" | |
| if [ -z "$CURRENT_DIGEST" ]; then | |
| echo "deploy-needed=false" >> $GITHUB_OUTPUT | |
| echo "❌ No digest output (cache hit) - skipping deployment" | |
| echo "current_digest_short=" >> $GITHUB_OUTPUT | |
| exit 0 | |
| fi | |
| DIGEST_FILE=".nginx-app-digest" | |
| if [ -f "$DIGEST_FILE" ]; then | |
| PREVIOUS_DIGEST=$(cat "$DIGEST_FILE") | |
| echo "Previous digest: $PREVIOUS_DIGEST" | |
| else | |
| PREVIOUS_DIGEST="" | |
| echo "No previous digest file found" | |
| fi | |
| if [ "$CURRENT_DIGEST" != "$PREVIOUS_DIGEST" ] || [ -z "$PREVIOUS_DIGEST" ]; then | |
| echo "deploy-needed=true" >> $GITHUB_OUTPUT | |
| echo "✅ Image digest changed - proceeding with deployment" | |
| echo "$CURRENT_DIGEST" > "$DIGEST_FILE" | |
| CURRENT_DIGEST_SHORT=$(echo "${CURRENT_DIGEST}" | sed 's/^sha256://' | cut -c1-7) | |
| echo "current_digest_short=${CURRENT_DIGEST_SHORT}" >> $GITHUB_OUTPUT | |
| else | |
| echo "deploy-needed=false" >> $GITHUB_OUTPUT | |
| echo "❌ Image digest unchanged (cache hit) - skipping deployment" | |
| fi | |
| - name: 'Deploy to Cloud Run' | |
| if: steps.check-deploy-needed.outputs.deploy-needed == 'true' | |
| # END - Docker auth and build | |
| uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 | |
| with: | |
| service: '${{ env.SERVICE }}' | |
| region: '${{ env.REGION }}' | |
| project_id: '${{ env.PROJECT_ID }}' | |
| # NOTE: If using a pre-built image, update the image name below: | |
| image: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/cloud-run-source-deploy/${{ env.SERVICE }}:${{ github.sha }}' | |
| # If required, use the Cloud Run URL output in later steps | |
| - name: 'Show output' | |
| if: steps.check-deploy-needed.outputs.deploy-needed == 'true' | |
| run: |2- | |
| echo ${{ steps.deploy.outputs.url }} | |
| - name: 'Get commit info' | |
| if: steps.check-deploy-needed.outputs.deploy-needed == 'true' | |
| id: 'commit-info' | |
| run: |- | |
| # Extract first 7 characters of commit hash for badge display | |
| COMMIT_SHORT=$(echo "${{ github.sha }}" | cut -c1-7) | |
| echo "commit_short=${COMMIT_SHORT}" >> $GITHUB_OUTPUT | |
| echo "Full commit hash: ${{ github.sha }}" | |
| - name: 'Update README with commit and image info' | |
| if: steps.check-deploy-needed.outputs.deploy-needed == 'true' | |
| run: |- | |
| perl -i -pe 'BEGIN{undef $/;} s|<!-- DEPLOY_COMMIT -->.*?<!-- /DEPLOY_COMMIT -->|<!-- DEPLOY_COMMIT -->\n<img src="https://img.shields.io/badge/Commit-${{ steps.commit-info.outputs.commit_short }}-blue?logo=github" alt="Badge">\n<!-- /DEPLOY_COMMIT -->|gs' README.md | |
| perl -i -pe 'BEGIN{undef $/;} s|<!-- DEPLOY_DIGEST -->.*?<!-- /DEPLOY_DIGEST -->|<!-- DEPLOY_DIGEST -->\n<img src="https://img.shields.io/badge/Image%20Digest-${{ steps.check-deploy-needed.outputs.current_digest_short }}-green?logo=docker" alt="Badge">\n<!-- /DEPLOY_DIGEST -->|gs' README.md | |
| - name: 'Commit README and digest changes' | |
| if: steps.check-deploy-needed.outputs.deploy-needed == 'true' | |
| run: |- | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| git stash | |
| git pull --rebase origin main | |
| git stash pop || git checkout --ours README.md .nginx-app-digest | |
| git add README.md .nginx-app-digest | |
| git diff --quiet && git diff --staged --quiet || \ | |
| (git commit -m "chore: update commit and deployment info [skip ci cd]" && git push) |