forked from SkyCryptWebsite/SkyCrypt-Frontend
-
Notifications
You must be signed in to change notification settings - Fork 0
135 lines (113 loc) · 3.71 KB
/
website.yml
File metadata and controls
135 lines (113 loc) · 3.71 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: Website
on:
push:
paths: ["src/**", "Dockerfile", "package.json", ".changeset/**", ".github/workflows/website.yml"]
workflow_dispatch:
env:
CONTAINER_REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
SHORT_SHA: 0000000
jobs:
prepare:
name: Determine Deployment
runs-on: ubuntu-latest
if: |
(github.ref == 'refs/heads/prod' || github.ref == 'refs/heads/dev')
&& github.repository_owner == 'SkyCryptWebsite'
&& github.event_name != 'pull_request'
outputs:
should_deploy: ${{ steps.decision.outputs.should_deploy }}
server_api_url: ${{ steps.decision.outputs.server_api_url }}
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Decide whether to deploy
id: decision
run: |
VERSION=$(node -p "require('./package.json').version")
SERVER_API_URL=cupcake.shiiyu.moe
SHOULD_DEPLOY=false
if [ "$GITHUB_REF" = "refs/heads/dev" ]; then
SHOULD_DEPLOY=true
else
SERVER_API_URL=sky.shiiyu.moe
if [[ "$VERSION" != *beta* ]]; then
SHOULD_DEPLOY=true
fi
fi
echo "Detected version: $VERSION"
echo "should_deploy=$SHOULD_DEPLOY" >> "$GITHUB_OUTPUT"
echo "server_api_url=$SERVER_API_URL" >> "$GITHUB_OUTPUT"
checks:
needs: prepare
if: needs.prepare.outputs.should_deploy == 'true'
uses: ./.github/workflows/checks.yml
analyze:
name: Analyze
runs-on: ubuntu-latest
needs: prepare
if: |
needs.prepare.outputs.should_deploy == 'true'
permissions:
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: javascript-typescript
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
build:
needs: prepare
if: needs.prepare.outputs.should_deploy == 'true'
uses: ./.github/workflows/build.yml
with:
server-api-url: ${{ needs.prepare.outputs.server_api_url }}
secrets:
server-api-token: ${{ secrets.SERVER_API_TOKEN }}
package:
name: Package into Container
runs-on: ubuntu-latest
needs: [prepare, checks, analyze, build]
if: needs.prepare.outputs.should_deploy == 'true'
permissions:
packages: write
contents: read
id-token: write
attestations: write
artifact-metadata: write
steps:
- name: Git checkout
uses: actions/checkout@v6
- name: Assign short SHA
run: echo "SHORT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- name: Registry login
uses: docker/login-action@v4
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v6
with:
images: ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and Push
id: push
uses: docker/build-push-action@v7
with:
context: .
push: true
build-args: |
PUBLIC_COMMIT_HASH=${{ env.SHORT_SHA }}
PUBLIC_SERVER_API_URL=https://${{ needs.prepare.outputs.server_api_url }}/api/
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Attest Build Provenance
uses: actions/attest@v4
with:
subject-name: ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true