add repository dispatch to trigger publishing from main project repo #41
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: deploy-docs | |
| on: | |
| workflow_dispatch: | |
| repository_dispatch: | |
| types: [trigger-downstream] | |
| push: | |
| branches: [main] | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| MODULE: hololinked-python-docs | |
| jobs: | |
| build: | |
| name: build, sign & deploy | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| # Install the cosign tool | |
| # https://github.com/sigstore/cosign-installer | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0 | |
| with: | |
| cosign-release: "v2.2.4" | |
| - name: Install Skaffold | |
| run: | | |
| set -euo pipefail | |
| curl -L "https://storage.googleapis.com/skaffold/releases/v2.16.1/skaffold-linux-amd64" -o skaffold | |
| chmod +x skaffold | |
| sudo mv skaffold /usr/local/bin/skaffold | |
| # Set up BuildKit Docker container builder to be able to build | |
| # multi-platform images and export cache | |
| # https://github.com/docker/setup-buildx-action | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
| # Login against a Docker registry | |
| # https://github.com/docker/login-action | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Build & push with skaffold, and write the build outputs to a JSON file | |
| - name: Build with Skaffold (push) | |
| run: | | |
| skaffold build \ | |
| --default-repo=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} \ | |
| --push \ | |
| --file-output build.out.json \ | |
| -m ${{ env.MODULE }} | |
| # Cosign sign each built image by digest from the skaffold build output (keyless with OIDC) | |
| - name: Cosign sign images | |
| run: | | |
| set -euo pipefail | |
| # Extract full refs (they include @sha256:...); sign each | |
| jq -r '.builds[].tag' build.out.json | while read -r REF; do | |
| echo "Signing $REF" | |
| cosign sign --yes "$REF" | |
| done | |
| # Provide your cluster config (example expects a base64-encoded kubeconfig secret) | |
| - name: Configure kubeconfig | |
| env: | |
| KUBECONFIG_B64: ${{ secrets.KUBECONFIG_B64 }} | |
| run: | | |
| mkdir -p ~/.kube | |
| echo "${KUBECONFIG_B64}" | base64 -d > ~/.kube/config | |
| # Deploy using the exact images produced in the build job | |
| - name: Deploy with Skaffold | |
| run: | | |
| skaffold deploy \ | |
| --build-artifacts build.out.json \ | |
| -m ${{ env.MODULE }} |