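---
# Builds the backend, frontend and y-provider images, scans each one with
# trivy, pushes them to Docker Hub and then notifies ArgoCD.
# The push-related steps (QEMU, Buildx, login, build-and-push) only run when
# SHOULD_PUSH evaluates to 'true'; the trivy scan runs on every event.
name: Docker Hub Workflow
run-name: Docker Hub Workflow

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - "main"
    tags:
      - "v*"
  pull_request:
    branches:
      - "main"

env:
  # uid:gid handed to the Dockerfiles as the DOCKER_USER build arg. Quoted so
  # no YAML loader can read the colon-separated digits as anything but text.
  DOCKER_USER: "1001:127"
  # Push on every non-PR event, or on a pull request carrying the "preview"
  # label.
  # NOTE(review): pull_request runs coming from forks do not receive secrets,
  # so the login step would fail for a labelled fork PR — presumably the label
  # is only applied to same-repo branches; confirm.
  SHOULD_PUSH: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview') }}

# Least privilege: the workflow only reads the repository; Docker Hub and
# ArgoCD access come from secrets, not from GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  build-and-push-backend:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        if: env.SHOULD_PUSH == 'true'
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        if: env.SHOULD_PUSH == 'true'
        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: lasuite/impress-backend

      - name: Login to DockerHub
        if: env.SHOULD_PUSH == 'true'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_PASSWORD }}

      # Scans the image built from the current commit before anything is
      # pushed. Runs on every event, not only when SHOULD_PUSH is true.
      # NOTE(review): the action is referenced by the mutable "main" branch;
      # pinning it to a release tag or commit SHA would make this step
      # reproducible and insulate it from upstream changes.
      - name: Run trivy scan
        uses: numerique-gouv/action-trivy-cache@main
        with:
          docker-build-args: "--target backend-production -f Dockerfile"
          docker-image-name: "docker.io/lasuite/impress-backend:${{ github.sha }}"
          trivyignores: ./.github/.trivyignore

      - name: Build and push
        if: env.SHOULD_PUSH == 'true'
        uses: docker/build-push-action@v6
        with:
          context: .
          target: backend-production
          platforms: linux/amd64,linux/arm64
          build-args: DOCKER_USER=${{ env.DOCKER_USER }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # Frees runner disk regardless of the outcome of the steps above.
      - name: Cleanup Docker after build
        if: always()
        run: |
          docker system prune -af
          docker volume prune -f

  build-and-push-frontend:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        if: env.SHOULD_PUSH == 'true'
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        if: env.SHOULD_PUSH == 'true'
        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: lasuite/impress-frontend

      - name: Login to DockerHub
        if: env.SHOULD_PUSH == 'true'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_PASSWORD }}

      # Same scan as the backend job, against the frontend Dockerfile.
      # NOTE(review): referenced by the mutable "main" branch; see the
      # backend job for the pinning remark.
      - name: Run trivy scan
        uses: numerique-gouv/action-trivy-cache@main
        with:
          docker-build-args: "-f src/frontend/Dockerfile --target frontend-production"
          docker-image-name: "docker.io/lasuite/impress-frontend:${{ github.sha }}"
          trivyignores: ./.github/.trivyignore

      - name: Build and push
        if: env.SHOULD_PUSH == 'true'
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./src/frontend/Dockerfile
          target: frontend-production
          platforms: linux/amd64,linux/arm64
          # One build arg per line; the trailing newline is kept by "|".
          build-args: |
            DOCKER_USER=${{ env.DOCKER_USER }}
            PUBLISH_AS_MIT=false
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Cleanup Docker after build
        if: always()
        run: |
          docker system prune -af
          docker volume prune -f

  build-and-push-y-provider:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        if: env.SHOULD_PUSH == 'true'
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        if: env.SHOULD_PUSH == 'true'
        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: lasuite/impress-y-provider

      # Same login action as the other two jobs: the secret is passed to the
      # action as an input rather than being interpolated into a shell script.
      - name: Login to DockerHub
        if: env.SHOULD_PUSH == 'true'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_PASSWORD }}

      # NOTE(review): referenced by the mutable "main" branch; see the
      # backend job for the pinning remark.
      - name: Run trivy scan
        uses: numerique-gouv/action-trivy-cache@main
        with:
          docker-build-args: "-f src/frontend/servers/y-provider/Dockerfile --target y-provider"
          docker-image-name: "docker.io/lasuite/impress-y-provider:${{ github.sha }}"
          trivyignores: ./.github/.trivyignore

      - name: Build and push
        if: env.SHOULD_PUSH == 'true'
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./src/frontend/servers/y-provider/Dockerfile
          target: y-provider
          platforms: linux/amd64,linux/arm64
          # NOTE(review): ${{ env.DOCKER_USER }} expands to "1001:127", so the
          # Dockerfile receives DOCKER_USER=1001:127:-1000. The ":-1000" suffix
          # looks like shell default-value syntax, which GitHub expressions do
          # not apply — confirm the y-provider Dockerfile expects this form.
          build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Cleanup Docker after build
        if: always()
        run: |
          docker system prune -af
          docker volume prune -f

  notify-argocd:
    needs:
      - build-and-push-backend
      - build-and-push-frontend
      - build-and-push-y-provider
    runs-on: ubuntu-latest
    # Same condition as env.SHOULD_PUSH, repeated here because the env
    # context is not available in a job-level "if".
    if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'preview')
    steps:
      # NOTE(review): referenced by the mutable "main" branch; this step
      # receives the ArgoCD webhook secret, so pinning it to a tag or commit
      # SHA is worth considering.
      - uses: numerique-gouv/action-argocd-webhook-notification@main
        id: notify
        with:
          deployment_repo_path: "${{ secrets.DEPLOYMENT_REPO_URL }}"
          argocd_webhook_secret: "${{ secrets.ARGOCD_PREPROD_WEBHOOK_SECRET }}"
          argocd_url: "${{ vars.ARGOCD_PREPROD_WEBHOOK_URL }}"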