diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c806cff..09852f6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,9 @@ on:
   push:
     branches:
       - main
+  release:
+    types:
+      - published
 permissions:
   id-token: write
@@ -58,63 +61,42 @@ jobs:
           poetry check
           poetry run python ./.github/actions/verify_imports.py
-  docker-build:
+  docker-build-push:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
     steps:
-      - uses: actions/checkout@v4
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./Dockerfile
-          tags: reactome-chatbot:${{ github.sha }}
-          outputs: type=docker,dest=/tmp/image.tar
-      - uses: actions/upload-artifact@v4
-        with:
-          name: image-artifact
-          path: /tmp/image.tar
-
-  docker-push:
-    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-    needs: docker-build
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/download-artifact@v4
+      - name: Extract build metadata
+        id: meta
+        uses: docker/metadata-action@v5
         with:
-          name: image-artifact
-          path: /tmp
-      - id: get-hash
-        run: |
-          FULL_SHA=${{ github.sha }}
-          echo "SHORT_SHA=${FULL_SHA:0:7}" >> $GITHUB_OUTPUT
-
-      - env:
-          AWS_REGION: us-east-1
-        uses: aws-actions/configure-aws-credentials@v4
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=sha,format=short,prefix=
+
+      - name: Login to Docker registry ${{ env.REGISTRY }}
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'release' && github.event.action == 'published')
+        uses: docker/login-action@v3
         with:
-          role-to-assume: ${{ vars.AWS_ROLE }}
-          aws-region: ${{ env.AWS_REGION }}
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
-      - id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
+      - name: Build (and push) Docker image
+        uses: docker/build-push-action@v6
         with:
-          registry-type: public
-
-      - env:
-          AWS_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          AWS_REGISTRY_ALIAS: reactome
-          AWS_REPO: reactome-chatbot
-          IMG_TAG: ${{ steps.get-hash.outputs.SHORT_SHA }}
-        run: |
-          docker load --input /tmp/image.tar
-          docker image tag reactome-chatbot:${{ github.sha }} $AWS_REGISTRY/$AWS_REGISTRY_ALIAS/$AWS_REPO:$IMG_TAG
-          docker image tag reactome-chatbot:${{ github.sha }} $AWS_REGISTRY/$AWS_REGISTRY_ALIAS/$AWS_REPO:latest
-          docker push $AWS_REGISTRY/$AWS_REGISTRY_ALIAS/$AWS_REPO:$IMG_TAG
-          docker push $AWS_REGISTRY/$AWS_REGISTRY_ALIAS/$AWS_REPO:latest
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          push: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'release' && github.event.action == 'published') }}
+          provenance: mode=max
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
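Review bot: The third-party actions this job now relies on (`docker/setup-buildx-action@v3`, `docker/metadata-action@v5`, `docker/login-action@v3`, `docker/build-push-action@v6`) are referenced by mutable major-version tags, so a moved tag would run unreviewed code with `packages: write` and the registry credential in scope; pin each to a full commit SHA and keep the version as a trailing comment, e.g. `uses: docker/build-push-action@<full-commit-sha> # v6`. The push condition is also written twice, once in the login step's `if:` and again in the `push:` input, so the two can drift until a run either pushes without a login or logs in on every run; evaluate it once in the job-level `env` (for example `SHOULD_PUSH: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'release' && github.event.action == 'published') }}`) and reference `env.SHOULD_PUSH` from both places. Since the job defines its own `permissions` and no longer assumes an AWS role via OIDC, the workflow-level `id-token: write` in the first hunk appears unused by this job; if no remaining job needs it, drop it to keep the token minimal. Note also that pushes to main no longer refresh a `latest` tag (only the semver tags on releases would get one by the default flavor), which may be intended but deserves a line in the commit message.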