diff --git a/.github/workflows/docker_deploy_jobs.yaml b/.github/workflows/docker_deploy_jobs.yaml
new file mode 100644
index 000000000..bd2658036
--- /dev/null
+++ b/.github/workflows/docker_deploy_jobs.yaml
@@ -0,0 +1,81 @@
+name: Docker deploy jobs
+on:
+ workflow_call:
+ inputs:
+ dockerTag:
+ required: true
+ description: 'tag to assign docker images'
+ type: string
+ secrets:
+ DOCKERHUB_TOKEN:
+ required: true
+
+permissions:
+ contents: read
+
+env:
+ DOCKER_TAG: "${{ inputs.dockerTag }}"
+
+jobs:
+ # The credentials used in the following jobs are for the shared
+ # certbotbot account on Docker Hub.
+ # They are located under the certbot organization settings,
+ # under Secrets and Variables -> Actions.
+ # DOCKERHUB_USERNAME is saved as a variable.
+ # DOCKERHUB_TOKEN is a secret, and it is a PAT created by
+ # following the instructions at
+ # https://docs.docker.com/security/access-tokens/
+ # with Read and Write permissions. The access token can be deleted
+ # on Docker Hub if these credentials need to be revoked.
+ # The password is a PAT following the advice given by
+ # https://github.com/docker/login-action?tab=readme-ov-file#docker-hub
+ publish_docker_by_arch:
+ name: Publish docker by arch
+ runs-on:
+ - 'ubuntu-24.04'
+ strategy:
+ fail-fast: false
+ matrix:
+ DOCKER_ARCH:
+ - arm32v6
+ - arm64v8
+ - amd64
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
+ - name: Retrieve Docker images
+ uses: actions/download-artifact@v8.0.1
+ with:
+ name: docker_${{ matrix.DOCKER_ARCH }}
+ path: "${{ github.workspace }}"
+ - name: Load Docker images
+ run: docker load --input ${{ github.workspace }}/images.tar
+ shell: bash
+ - name: Login to Docker Hub
+ uses: docker/login-action@v4.1.0
+ with:
+ username: "${{ vars.DOCKERHUB_USERNAME }}"
+ password: "${{ secrets.DOCKERHUB_TOKEN }}"
+ - name: Deploy the Docker images by architecture
+ run: tools/docker/deploy_images.sh "$DOCKER_TAG" ${{ matrix.DOCKER_ARCH }}
+ shell: bash
+ publish_docker_multiarch:
+ name: Publish docker multiarch
+ needs: publish_docker_by_arch
+ runs-on:
+ - 'ubuntu-24.04'
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
+ - name: Login to Docker Hub
+ uses: docker/login-action@v4.1.0
+ with:
+ username: "${{ vars.DOCKERHUB_USERNAME }}"
+ password: "${{ secrets.DOCKERHUB_TOKEN }}"
+ - name: Deploy the Docker multiarch manifests
+ run: tools/docker/deploy_manifests.sh "$DOCKER_TAG" all
+ shell: bash
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 780ec0076..96e98f94d 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -6,8 +6,11 @@ on:
 workflow_dispatch:
 jobs:
- # The first four jobs could be grouped in a separate workflow, but the github actions UI
+ # While many of these jobs could be grouped in a separate workflow, the github actions UI
 # is much nicer if they are instead listed explicitly here.
+ ###########################
+ #### testing jobs ###
+ ###########################
 standard_tests_jobs:
 name: Standard tests
 permissions:
@@ -22,6 +25,9 @@ jobs:
 AWS_TEST_FARM_PEM: "${{ secrets.AWS_TEST_FARM_PEM }}"
 AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
 AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+ ###########################
+ #### packaging jobs ###
+ ###########################
 docker_packaging_jobs:
 name: Docker packaging
 permissions:
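Review bot: The `docker load` and `deploy_images.sh` steps of publish_docker_by_arch splice `${{ github.workspace }}` and `${{ matrix.DOCKER_ARCH }}` directly into the shell line, whereas the tag is passed through `env: DOCKER_TAG` and read as `"$DOCKER_TAG"`. Both interpolated values are runner-controlled or literal matrix entries, so nothing untrusted reaches the shell here, but keeping every `run:` free of expressions makes the safe pattern uniform and harder to break when the matrix or inputs are later extended. I would write the load step as `run: docker load --input "$GITHUB_WORKSPACE/images.tar"` and give the deploy step a step-level `env:` entry for the architecture, read as `"$DOCKER_ARCH"`. Separately, `actions/checkout`, `actions/download-artifact` and `docker/login-action` are pinned to version tags; pinning them to full commit SHAs (tag kept in a trailing comment) removes the reliance on tag immutability in a job that holds a Docker Hub token with write permission.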
@@ -43,22 +49,38 @@ jobs:
 permissions:
 contents: read
 uses: "./.github/workflows/changelog_stage.yml"
- nightly_deploy_stage:
- name: Nightly deploy
+ ############################
+ #### deploy jobs ###
+ ############################
+ docker_deploy_stage:
+ name: Deploy docker images
 permissions:
 contents: read
 needs:
 - standard_tests_jobs
 - extended_tests_jobs
 - docker_packaging_jobs
- - snap_packaging_jobs
- uses: "./.github/workflows/common_deploy_jobs.yml"
+ uses: "./.github/workflows/docker_deploy_jobs.yml"
 secrets:
- SNAPCRAFTCFG: "${{ secrets.SNAPCRAFTCFG }}"
 DOCKERHUB_TOKEN: "${{ secrets.DOCKERHUB_TOKEN }}"
 with:
 dockerTag: nightly
+ snap_deploy_stage:
+ name: Deploy snaps
+ permissions:
+ contents: read
+ needs:
+ - standard_tests_jobs
+ - extended_tests_jobs
+ - snap_packaging_jobs
+ uses: "./.github/workflows/snap_deploy_jobs.yml"
+ secrets:
+ SNAPCRAFTCFG: "${{ secrets.SNAPCRAFTCFG }}"
+ with:
 snapReleaseChannel: edge
+ ############################
+ #### rerun job ###
+ ############################
 re-run:
 needs:
 - standard_tests_jobs
@@ -66,7 +88,8 @@ jobs:
 - docker_packaging_jobs
 - snap_packaging_jobs
 - changelog_stage
- - nightly_deploy_stage
+ - docker_deploy_stage
+ - snap_deploy_stage
 if: failure() && fromJSON(github.run_attempt) < 3
 permissions:
 actions: write
diff --git a/.github/workflows/common_deploy_jobs.yml b/.github/workflows/snap_deploy_jobs.yaml
similarity index 53%
rename from .github/workflows/common_deploy_jobs.yml
rename to .github/workflows/snap_deploy_jobs.yaml
index 79bc028f9..625ac8011 100644
--- a/.github/workflows/common_deploy_jobs.yml
+++ b/.github/workflows/snap_deploy_jobs.yaml
@@ -1,11 +1,7 @@
-name: Common deploy jobs
+name: Snap deploy jobs
 on:
 workflow_call:
 inputs:
- dockerTag:
- required: true
- description: 'tag to assign docker images'
- type: string
 snapReleaseChannel:
 description: 'snap channel to release to'
 required: true
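Review bot: The two new `uses:` lines point at `./.github/workflows/docker_deploy_jobs.yml` and `./.github/workflows/snap_deploy_jobs.yml`, but the files this commit creates are `docker_deploy_jobs.yaml` (new-file header) and `snap_deploy_jobs.yaml` (the `rename to` header), so as far as this diff shows both reusable-workflow calls would fail to resolve when the nightly workflow is loaded. The other callee referenced here, `changelog_stage.yml`, and the replaced `common_deploy_jobs.yml` both use `.yml`, so the least surprising fix is to name the two new workflow files with that extension; alternatively change the two `uses:` lines to `.yaml`. The `re-run` job's updated `needs:` list in the following hunk is unaffected either way.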
@@ -13,14 +9,11 @@ on:
 secrets:
 SNAPCRAFTCFG:
 required: true
- DOCKERHUB_TOKEN:
- required: true
 permissions:
 contents: read
 env:
- DOCKER_TAG: "${{ inputs.dockerTag }}"
 SNAP_RELEASE_CHANNEL: "${{ inputs.snapReleaseChannel }}"
 jobs:
@@ -91,65 +84,3 @@ jobs:
 - name: Fail
 run: exit 1
 shell: bash
- # The credentials used in the following jobs are for the shared
- # certbotbot account on Docker Hub.
- # They are located under the certbot organization settings,
- # under Secrets and Variables -> Actions.
- # DOCKERHUB_USERNAME is saved as a variable.
- # DOCKERHUB_TOKEN is a secret, and it is a PAT created by
- # following the instructions at
- # https://docs.docker.com/security/access-tokens/
- # with Read and Write permissions. The access token can be deleted
- # on Docker Hub if these credentials need to be revoked.
- # The password is a PAT following the advice given by
- # https://github.com/docker/login-action?tab=readme-ov-file#docker-hub
- publish_docker_by_arch:
- name: Publish docker by arch
- runs-on:
- - 'ubuntu-24.04'
- strategy:
- fail-fast: false
- matrix:
- DOCKER_ARCH:
- - arm32v6
- - arm64v8
- - amd64
- steps:
- - name: Checkout
- uses: actions/checkout@v6.0.2
- with:
- persist-credentials: false
- - name: Retrieve Docker images
- uses: actions/download-artifact@v8.0.1
- with:
- name: docker_${{ matrix.DOCKER_ARCH }}
- path: "${{ github.workspace }}"
- - name: Load Docker images
- run: docker load --input ${{ github.workspace }}/images.tar
- shell: bash
- - name: Login to Docker Hub
- uses: docker/login-action@v4.1.0
- with:
- username: "${{ vars.DOCKERHUB_USERNAME }}"
- password: "${{ secrets.DOCKERHUB_TOKEN }}"
- - name: Deploy the Docker images by architecture
- run: tools/docker/deploy_images.sh "$DOCKER_TAG" ${{ matrix.DOCKER_ARCH }}
- shell: bash
- publish_docker_multiarch:
- name: Publish docker multiarch
- needs: publish_docker_by_arch
- runs-on:
- - 'ubuntu-24.04'
- steps:
- - name: Checkout
- uses: actions/checkout@v6.0.2
- with:
- persist-credentials: false
- - name: Login to Docker Hub
- uses: docker/login-action@v4.1.0
- with:
- username: "${{ vars.DOCKERHUB_USERNAME }}"
- password: "${{ secrets.DOCKERHUB_TOKEN }}"
- - name: Deploy the Docker multiarch manifests
- run: tools/docker/deploy_manifests.sh "$DOCKER_TAG" all
- shell: bash