ci: align release workflow with service-hub container release#2
Open
djwmarcx wants to merge 4 commits into
Open
ci: align release workflow with service-hub container release#2djwmarcx wants to merge 4 commits into
djwmarcx wants to merge 4 commits into
Conversation
Rename docker-publish workflow to release and rewrite it to trigger on release publication (driven by release-please), build and push the container image to ghcr.io, stamp version.json, and trigger a Terraform Cloud deploy via the variable set. Harden against workflow injection: pass github.ref and secrets through env vars, validate the release tag as strict semver, and build the Terraform payload with jq.
Pin every GitHub Action to a commit SHA and bump to the latest release: - googleapis/release-please-action v4 -> v5.0.0 - actions/checkout v6.0.2 -> v6.0.3 - docker/login-action v4.1.0 -> v4.2.0 - docker/build-push-action v7.0.0 -> v7.2.0
After updating the web_api_version variable set, trigger a Terraform Cloud run on the web-api workspace with auto-apply enabled so a published release deploys immediately instead of waiting for manual confirmation.
Look up the variable set entry by its key (web_api_image_tag) instead of assuming it is the first variable, and fail loudly if it is missing.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Renames the
docker-publishworkflow toreleaseand rewrites it to follow the same pattern ashome-assistant/service-hub, adapted forweb-api.What changed
release: [published]only (was push to main / tags / PRs). Combined with the existing release-please setup, releases are automatic: merge the release PR → release-please publishes the GitHub Release → this workflow builds, pushes, and deploys.ghcr.io/OpenHomeFoundation/web-api:<version>to GHCR.github.repository_owner.Deviations from the reference
$GITHUB_OUTPUTinstead of the deprecated::set-outputcommand.web-api.Security hardening
Avoids GitHub Actions injection:
github.refand secrets are passed via env vars (not${{ }}shell interpolation), the release tag is validated against strict semver (vX.Y.Z), and the Terraform payload is built withjq.Requires
TERRAFORM_CLOUD_TOKENandTERRAFORM_CLOUD_VARSET_IDsecrets in the repo/org.