From b4e70f8f7a7eeb37eb6f3aa26bba75802694cb91 Mon Sep 17 00:00:00 2001 From: Sag Date: Thu, 29 May 2025 10:44:20 +0800 Subject: [PATCH 1/8] Added step to publish AP image to a public registry during CI --- .github/workflows/cicd.yml | 66 ++++++++++++++++++++++++++++++++++---- 1 file changed, 59 insertions(+), 7 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 4125115bd..4a04c8a77 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -51,15 +51,18 @@ jobs: environment: build runs-on: ubuntu-latest needs: [lint, check-yarn-lock] + permissions: + contents: read + packages: write outputs: migrations_docker_version: ${{ steps.migrations-docker-metadata.outputs.version }} - activitypub_docker_version: ${{ steps.activitypub-docker-metadata.outputs.version }} + activitypub_docker_version: ${{ steps.activitypub-docker-metadata-private.outputs.version }} steps: - name: "Checkout" uses: actions/checkout@v4 - - name: "ActivityPub Docker meta" - id: activitypub-docker-metadata + - name: "ActivityPub Docker metadata for private registry" + id: activitypub-docker-metadata-private uses: docker/metadata-action@v5 with: images: | 
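Review bot: The job-level `permissions:` block added under `needs: [lint, check-yarn-lock]` replaces the workflow-level permissions for this job and omits `id-token: write`, which the `Authenticate with GCP` step later in this patch relies on for workload identity federation (its `workload_identity_provider` input is visible in the third hunk). Scoping `packages: write` to the one job that logs in to ghcr.io is the right direction; the block just needs `id-token: write` listed alongside `contents: read` and `packages: write`. Patch 3 of this series deletes the block and patch 6 adds `packages: write` at the workflow level instead, which is the broader grant, so restoring the job-level block with all three entries would keep the narrower scope. The job's header line is outside this hunk.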
@@ -72,6 +75,34 @@ jobs: type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=sha,priority=1100 + labels: | + org.opencontainers.image.title=Ghost — ActivityPub + org.opencontainers.image.description=Federate your Ghost site with ActivityPub to join the world's largest open network. + org.opencontainers.image.vendor=Ghost Foundation + org.opencontainers.image.licenses=MIT + org.opencontainers.image.documentation=https://github.com/TryGhost/ActivityPub + org.opencontainers.image.source=https://github.com/TryGhost/ActivityPub + + - name: "ActivityPub Docker metadata for public registry" + id: activitypub-docker-metadata-public + if: github.ref == 'refs/heads/main' + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/tryghost/activitypub + tags: | + type=edge,branch=main + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha,priority=1100 + labels: | + org.opencontainers.image.title=Ghost — ActivityPub + org.opencontainers.image.description=Federate your Ghost site with ActivityPub to join the world's largest open network. + org.opencontainers.image.vendor=Ghost Foundation + org.opencontainers.image.licenses=MIT + org.opencontainers.image.documentation=https://github.com/TryGhost/ActivityPub + org.opencontainers.image.source=https://github.com/TryGhost/ActivityPub - name: "Migrations Docker meta" id: migrations-docker-metadata @@ -93,7 +124,8 @@ jobs: with: context: . load: true - tags: ${{ steps.activitypub-docker-metadata.outputs.tags }} + tags: ${{ steps.activitypub-docker-metadata-private.outputs.tags }} + labels: ${{ steps.activitypub-docker-metadata-private.outputs.labels }} - name: "Build Docker Image for Migrations" uses: docker/build-push-action@v6 
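Review bot: The six `org.opencontainers.image.*` labels are duplicated verbatim between the `activitypub-docker-metadata-private` and `activitypub-docker-metadata-public` steps, so a later change to the description, licence or source URL has to be made twice and the two published images can silently drift apart. Defining the block once as a multiline job-level `env` value and referencing it from both steps (`labels: ${{ env.OCI_LABELS }}`) keeps them aligned; the `tags:` rules are likewise identical between the two steps and could be shared the same way. The `image.documentation` and `image.source` labels point at the same repository URL, which is fine but worth a one-line comment if that is intentional rather than a placeholder for docs.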
@@ -114,7 +146,7 @@ jobs: workload_identity_provider: projects/687476608778/locations/global/workloadIdentityPools/github-oidc-activitypub/providers/github-provider-activitypub service_account: stg-activitypub-cicd@ghost-activitypub.iam.gserviceaccount.com - - name: "Login to GCP Artifact Registry" + - name: "Login to GCP Artifact Registry (private registry)" if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled')) uses: docker/login-action@v3 with: 
@@ -122,13 +154,33 @@ jobs: username: oauth2accesstoken password: ${{ steps.gcp-auth.outputs.access_token }} - - name: "Push ActivityPub Docker Image" + - name: "Login to GitHub Container Registry (public registry)" + if: github.ref == 'refs/heads/main' + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: "Push ActivityPub Docker image to private registry" if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled')) uses: docker/build-push-action@v6 with: context: . push: true - tags: ${{ steps.activitypub-docker-metadata.outputs.tags }} + tags: ${{ steps.activitypub-docker-metadata-private.outputs.tags }} + labels: ${{ steps.activitypub-docker-metadata-private.outputs.labels }} + platforms: linux/amd64 + + - name: "Push ActivityPub Docker image to public registry" + if: github.ref == 'refs/heads/main' + uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: ${{ steps.activitypub-docker-metadata-public.outputs.tags }} + labels: ${{ steps.activitypub-docker-metadata-public.outputs.labels }} + platforms: linux/amd64,linux/arm64 - name: "Push Migrations Docker Image" if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled')) From c88826646e1d98cd6773ac817fb21abf164b1aa4 Mon Sep 17 00:00:00 2001 From: Sag Date: Thu, 29 May 2025 14:54:38 +0800 Subject: [PATCH 2/8] Temporarily commented out yarn test to test ci changes faster --- .github/workflows/cicd.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
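Review bot: The new `Push ActivityPub Docker image to public registry` step requests `platforms: linux/amd64,linux/arm64`, but no `docker/setup-qemu-action` or `docker/setup-buildx-action` step appears in any visible hunk, and with the default docker driver a multi-platform build typically fails on a plain `ubuntu-latest` runner; patch 5 of this series drops arm64 again, which is consistent with that. If arm64 is wanted later, adding those two setup steps before the build steps is the fix, and it would be worth a comment on `platforms:` recording why only amd64 is built. Separately, this step rebuilds from `context: .` rather than publishing the image that the `load: true` build and `yarn test` exercised, so what lands on `ghcr.io/tryghost/activitypub` is a fresh build of the same context with the same tag and label outputs; the existing private push behaves the same way, so this is a note on the pattern rather than a regression. The ghcr login relies on `secrets.GITHUB_TOKEN`, which needs `packages: write`; at this point in the series that is provided by the job-level block from the first hunk.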
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 4a04c8a77..28b9eada6 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -134,8 +134,9 @@ jobs: load: true tags: ${{ steps.migrations-docker-metadata.outputs.tags }} - - name: "Run Tests" - run: yarn test + # TODO: Uncomment this when PR is ready! + # - name: "Run Tests" + # run: yarn test - name: "Authenticate with GCP" if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled')) From dcf066ab381e3fd2ecc6998556aa74dec675d7ab Mon Sep 17 00:00:00 2001 From: Sag Date: Thu, 29 May 2025 14:55:44 +0800 Subject: [PATCH 3/8] Removed new permissions --- .github/workflows/cicd.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 28b9eada6..1d32dbdeb 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -51,9 +51,6 @@ jobs: environment: build runs-on: ubuntu-latest needs: [lint, check-yarn-lock] - permissions: - contents: read - packages: write outputs: migrations_docker_version: ${{ steps.migrations-docker-metadata.outputs.version }} activitypub_docker_version: ${{ steps.activitypub-docker-metadata-private.outputs.version }} From 0499ffe9f74aeb4bc984416fa0eb6a3b6a9bb636 Mon Sep 17 00:00:00 2001 From: Sag Date: Thu, 29 May 2025 15:01:42 +0800 Subject: [PATCH 4/8] Temporarily allowed to push to public registry from PR --- .github/workflows/cicd.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 1d32dbdeb..1e3152ca7 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml 
@@ -82,13 +82,14 @@ jobs: - name: "ActivityPub Docker metadata for public registry" id: activitypub-docker-metadata-public - if: github.ref == 'refs/heads/main' uses: docker/metadata-action@v5 with: images: | ghcr.io/tryghost/activitypub tags: | - type=edge,branch=main + ${{ github.ref == 'refs/heads/main' && 'type=edge,branch=main' || '' }} + ${{ github.event_name == 'pull_request' && format('type=raw,value=pr-{0}', github.event.pull_request.number) || '' }} + type=raw,value=${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} @@ -153,7 +154,7 @@ jobs: password: ${{ steps.gcp-auth.outputs.access_token }} - name: "Login to GitHub Container Registry (public registry)" - if: github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled')) uses: docker/login-action@v3 with: registry: ghcr.io @@ -171,7 +172,7 @@ jobs: platforms: linux/amd64 - name: "Push ActivityPub Docker image to public registry" - if: github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled')) uses: docker/build-push-action@v6 with: context: . From 17655a428d7b6a8024ada25b6fb38a1ee728dd3a Mon Sep 17 00:00:00 2001 From: Sag Date: Thu, 29 May 2025 15:08:49 +0800 Subject: [PATCH 5/8] Removed multi-platforms when pushing to public registry --- .github/workflows/cicd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 1e3152ca7..32e9caf74 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -179,7 +179,7 @@ jobs: push: true tags: ${{ steps.activitypub-docker-metadata-public.outputs.tags }} labels: ${{ steps.activitypub-docker-metadata-public.outputs.labels }} - platforms: linux/amd64,linux/arm64 + platforms: linux/amd64 - name: "Push Migrations Docker Image" if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled')) From 11ac9c370121110568f269796eca35b6dbad7170 Mon Sep 17 00:00:00 2001 From: Sag Date: Thu, 29 May 2025 15:20:47 +0800 Subject: [PATCH 6/8] Added permission to write packages --- .github/workflows/cicd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 32e9caf74..e24f7f8fd 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -16,6 +16,7 @@ on: permissions: id-token: write contents: read + packages: write jobs: lint: From 91e4244be4659cd4658bb61dd58b47f4984fb599 Mon Sep 17 00:00:00 2001 From: Sag Date: Thu, 29 May 2025 15:30:36 +0800 Subject: [PATCH 7/8] Revert "Temporarily allowed to push to public registry from PR" This reverts commit 0499ffe9f74aeb4bc984416fa0eb6a3b6a9bb636. --- .github/workflows/cicd.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index e24f7f8fd..1d6ca398d 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml 
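Review bot: Adding `packages: write` to the workflow-level `permissions:` grants GitHub Packages write access to every job in this workflow, including `lint` and `check-yarn-lock`, which only need to read the repository; only the job that logs in to `ghcr.io` needs it. The job-level block that patch 3 removed was the tighter scope; as written it omitted `id-token: write`, which that job's GCP workload-identity step needs, and that omission rather than job-level scoping itself is presumably why it was dropped. Restoring a job-level block on the build job with `id-token: write`, `contents: read` and `packages: write`, and leaving the workflow level at `id-token: write` / `contents: read`, keeps least privilege while still allowing the ghcr push. The hunk is the workflow preamble, so the affected job definitions are outside it.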
@@ -83,14 +83,13 @@ jobs: - name: "ActivityPub Docker metadata for public registry" id: activitypub-docker-metadata-public + if: github.ref == 'refs/heads/main' uses: docker/metadata-action@v5 with: images: | ghcr.io/tryghost/activitypub tags: | - ${{ github.ref == 'refs/heads/main' && 'type=edge,branch=main' || '' }} - ${{ github.event_name == 'pull_request' && format('type=raw,value=pr-{0}', github.event.pull_request.number) || '' }} - type=raw,value=${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} + type=edge,branch=main type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} @@ -155,7 +154,7 @@ jobs: password: ${{ steps.gcp-auth.outputs.access_token }} - name: "Login to GitHub Container Registry (public registry)" - if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled')) + if: github.ref == 'refs/heads/main' uses: docker/login-action@v3 with: registry: ghcr.io @@ -173,7 +172,7 @@ jobs: platforms: linux/amd64 - name: "Push ActivityPub Docker image to public registry" - if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled')) + if: github.ref == 'refs/heads/main' uses: docker/build-push-action@v6 with: context: . From ed83592bc362e4f3ecfba2758dba91f476c09bef Mon Sep 17 00:00:00 2001 
From: Sag Date: Thu, 29 May 2025 15:31:12 +0800 Subject: [PATCH 8/8] Revert "Temporarily commented out yarn test to test ci changes faster" This reverts commit c88826646e1d98cd6773ac817fb21abf164b1aa4. --- .github/workflows/cicd.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 1d6ca398d..a8161ee6c 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -132,9 +132,8 @@ jobs: load: true tags: ${{ steps.migrations-docker-metadata.outputs.tags }} - # TODO: Uncomment this when PR is ready! - # - name: "Run Tests" - # run: yarn test + - name: "Run Tests" + run: yarn test - name: "Authenticate with GCP" if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' || github.event.action == 'labeled' || github.event.action == 'unlabeled'))