mirror of
https://github.com/SamyRai/tercul-backend.git
synced 2025-12-27 02:51:34 +00:00
4876c3d9db
- Updated all actions to latest versions with SHA pinning - Added security enhancements: CodeQL scans, artifact attestations, OIDC - Enabled caching, multi-platform Docker builds - Added Dependabot configuration for automated updates - Improved matrix testing across Go versions 1.22-1.25
86 lines
2.6 KiB
YAML
86 lines
2.6 KiB
YAML
name: Go CD
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
tags: ["v*"]
|
|
|
|
jobs:
|
|
build-and-push:
|
|
name: Build and Push Docker Image
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
attestations: write
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: Check out code
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.2.0
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
|
|
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Extract metadata
|
|
id: meta
|
|
uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
|
|
with:
|
|
images: ghcr.io/${{ github.repository }}
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=ref,event=tag
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=sha,format=long
|
|
|
|
- name: Build and push
|
|
id: push
|
|
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
|
|
with:
|
|
context: .
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
platforms: linux/amd64,linux/arm64
|
|
|
|
- name: Generate artifact attestation
|
|
uses: actions/attest-build-provenance@v3
|
|
with:
|
|
subject-name: ghcr.io/${{ github.repository}}
|
|
subject-digest: ${{ steps.push.outputs.digest }}
|
|
push-to-registry: true
|
|
|
|
deploy:
|
|
name: Deploy to Production
|
|
needs: build-and-push
|
|
runs-on: ubuntu-latest
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
|
|
steps:
|
|
- name: Check out code
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.2.0
|
|
|
|
- name: Extract tag name
|
|
id: tag
|
|
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
|
|
|
|
# This step is a placeholder for deployment logic
|
|
# Replace with your actual deployment mechanism (SSH, kubectl, etc.)
|
|
- name: Deploy to production
|
|
run: |
|
|
echo "Deploying version ${{ steps.tag.outputs.TAG }} to production"
|
|
# Add your deployment commands here
|
|
env:
|
|
TAG: ${{ steps.tag.outputs.TAG }}
|
|
# Add other environment variables needed for deployment
|