Merge pull request #21651 from dvdksn/seccomp-freshness #4088
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: deploy | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- lab | |
- main | |
- published | |
env: | |
# Use edge release of buildx (latest RC, fallback to latest stable) | |
SETUP_BUILDX_VERSION: edge | |
SETUP_BUILDKIT_IMAGE: "moby/buildkit:latest" | |
# these permissions are needed to interact with GitHub's OIDC Token endpoint. | |
permissions: | |
id-token: write | |
contents: read | |
jobs: | |
publish: | |
runs-on: ubuntu-24.04 | |
if: github.repository_owner == 'docker' | |
steps: | |
- | |
name: Prepare | |
run: | | |
HUGO_ENV=development | |
DOCS_AWS_REGION=us-east-1 | |
if [ "${{ github.ref }}" = "refs/heads/main" ]; then | |
HUGO_ENV=staging | |
DOCS_URL="https://docs-stage.docker.com" | |
DOCS_AWS_IAM_ROLE="arn:aws:iam::710015040892:role/stage-docs-docs.docker.com-20220818202135984800000001" | |
DOCS_S3_BUCKET="stage-docs-docs.docker.com" | |
DOCS_S3_CONFIG="s3-config.json" | |
DOCS_CLOUDFRONT_ID="E1R7CSW3F0X4H8" | |
DOCS_LAMBDA_FUNCTION_REDIRECTS="DockerDocsRedirectFunction-stage" | |
DOCS_SLACK_MSG="Successfully deployed docs-stage from main branch. $DOCS_URL" | |
elif [ "${{ github.ref }}" = "refs/heads/published" ]; then | |
HUGO_ENV=production | |
DOCS_URL="https://docs.docker.com" | |
DOCS_AWS_IAM_ROLE="arn:aws:iam::710015040892:role/prod-docs-docs.docker.com-20220818202218674300000001" | |
DOCS_S3_BUCKET="prod-docs-docs.docker.com" | |
DOCS_S3_CONFIG="s3-config.json" | |
DOCS_CLOUDFRONT_ID="E228TTN20HNU8F" | |
DOCS_LAMBDA_FUNCTION_REDIRECTS="DockerDocsRedirectFunction-prod" | |
DOCS_SLACK_MSG="Successfully deployed docs from published branch. $DOCS_URL" | |
elif [ "${{ github.ref }}" = "refs/heads/lab" ]; then | |
HUGO_ENV=lab | |
DOCS_URL="https://docs-labs.docker.com" | |
DOCS_AWS_IAM_ROLE="arn:aws:iam::710015040892:role/labs-docs-docs.docker.com-20220818202218402500000001" | |
DOCS_S3_BUCKET="labs-docs-docs.docker.com" | |
DOCS_S3_CONFIG="s3-config.json" | |
DOCS_CLOUDFRONT_ID="E1MYDYF65FW3HG" | |
DOCS_LAMBDA_FUNCTION_REDIRECTS="DockerDocsRedirectFunction-labs" | |
else | |
echo >&2 "ERROR: unknown branch ${{ github.ref }}" | |
exit 1 | |
fi | |
SEND_SLACK_MSG="true" | |
if [ -z "$DOCS_AWS_IAM_ROLE" ] || [ -z "$DOCS_S3_BUCKET" ] || [ -z "$DOCS_CLOUDFRONT_ID" ] || [ -z "$DOCS_SLACK_MSG" ]; then | |
SEND_SLACK_MSG="false" | |
fi | |
echo "BRANCH_NAME=${GITHUB_REF#refs/heads/}" >> $GITHUB_ENV | |
echo "HUGO_ENV=$HUGO_ENV" >> $GITHUB_ENV | |
echo "DOCS_URL=$DOCS_URL" >> $GITHUB_ENV | |
echo "DOCS_AWS_REGION=$DOCS_AWS_REGION" >> $GITHUB_ENV | |
echo "DOCS_AWS_IAM_ROLE=$DOCS_AWS_IAM_ROLE" >> $GITHUB_ENV | |
echo "DOCS_S3_BUCKET=$DOCS_S3_BUCKET" >> $GITHUB_ENV | |
echo "DOCS_S3_CONFIG=$DOCS_S3_CONFIG" >> $GITHUB_ENV | |
echo "DOCS_CLOUDFRONT_ID=$DOCS_CLOUDFRONT_ID" >> $GITHUB_ENV | |
echo "DOCS_LAMBDA_FUNCTION_REDIRECTS=$DOCS_LAMBDA_FUNCTION_REDIRECTS" >> $GITHUB_ENV | |
echo "DOCS_SLACK_MSG=$DOCS_SLACK_MSG" >> $GITHUB_ENV | |
echo "SEND_SLACK_MSG=$SEND_SLACK_MSG" >> $GITHUB_ENV | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
version: ${{ env.SETUP_BUILDX_VERSION }} | |
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} | |
- | |
name: Build website | |
uses: docker/bake-action@v5 | |
with: | |
files: | | |
docker-bake.hcl | |
targets: release | |
set: | | |
*.cache-from=type=gha,scope=deploy-${{ env.BRANCH_NAME }} | |
*.cache-to=type=gha,scope=deploy-${{ env.BRANCH_NAME }},mode=max | |
provenance: false | |
- | |
name: Configure AWS Credentials | |
if: ${{ env.DOCS_AWS_IAM_ROLE != '' }} | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ env.DOCS_AWS_IAM_ROLE }} | |
aws-region: ${{ env.DOCS_AWS_REGION }} | |
- | |
name: Upload files to S3 bucket | |
if: ${{ env.DOCS_S3_BUCKET != '' }} | |
run: | | |
aws --region ${{ env.DOCS_AWS_REGION }} s3 sync \ | |
--acl public-read \ | |
--delete \ | |
--exclude "*" \ | |
--include "*.webp" \ | |
--metadata-directive="REPLACE" \ | |
--no-guess-mime-type \ | |
--content-type="image/webp" \ | |
public s3://${{ env.DOCS_S3_BUCKET }}/ | |
aws --region ${{ env.DOCS_AWS_REGION }} s3 sync \ | |
--acl public-read \ | |
--delete \ | |
--exclude "*.webp" \ | |
public s3://${{ env.DOCS_S3_BUCKET }}/ | |
- | |
name: Update S3 config | |
if: ${{ env.DOCS_S3_BUCKET != '' && env.DOCS_S3_CONFIG != '' }} | |
uses: docker/bake-action@v5 | |
with: | |
files: | | |
docker-bake.hcl | |
targets: aws-s3-update-config | |
set: | | |
*.cache-from=type=gha,scope=releaser | |
env: | |
AWS_REGION: ${{ env.DOCS_AWS_REGION }} | |
AWS_S3_BUCKET: ${{ env.DOCS_S3_BUCKET }} | |
AWS_S3_CONFIG: ${{ env.DOCS_S3_CONFIG }} | |
- | |
name: Update Cloudfront config | |
if: ${{ env.DOCS_CLOUDFRONT_ID != '' }} | |
uses: docker/bake-action@v5 | |
with: | |
files: | | |
docker-bake.hcl | |
targets: aws-cloudfront-update | |
env: | |
AWS_REGION: us-east-1 # cloudfront and lambda edge functions are only available in us-east-1 region | |
AWS_CLOUDFRONT_ID: ${{ env.DOCS_CLOUDFRONT_ID }} | |
AWS_LAMBDA_FUNCTION: ${{ env.DOCS_LAMBDA_FUNCTION_REDIRECTS }} | |
- | |
name: Invalidate Cloudfront cache | |
if: ${{ env.DOCS_CLOUDFRONT_ID != '' }} | |
run: | | |
aws cloudfront create-invalidation --distribution-id ${{ env.DOCS_CLOUDFRONT_ID }} --paths "/*" | |
env: | |
AWS_REGION: us-east-1 # cloudfront is only available in us-east-1 region | |
AWS_MAX_ATTEMPTS: 5 | |
- | |
name: Send Slack notification | |
if: ${{ env.SEND_SLACK_MSG == 'true' }} | |
run: | | |
curl -X POST -H 'Content-type: application/json' --data '{"text":"${{ env.DOCS_SLACK_MSG }}"}' ${{ secrets.SLACK_WEBHOOK }} |