docs(readme): comment on NHS_* variables and secrets #8
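---
# Release pipeline: cut a semantic-release version with a GitHub App identity,
# sign the release commit with a bot GPG key, then build and push the container
# image to GHCR and annotate the release notes.
#
# Every variable/secret is looked up as <NAME> first and falls back to the
# NHS_<NAME> spelling, so either naming scheme works in repository settings.
name: "CI/CD publish"

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request:
    types: [closed]
    branches:
      - main

# Workflow-level grants apply to every job; they are all needed by the single
# publish job below (release commit/tag, release issues, GHCR push, PR comments).
permissions:
  contents: write
  issues: write
  packages: write
  pull-requests: write  # optional

jobs:
  publish:
    runs-on: ubuntu-latest
    # A closed-but-unmerged pull request must not run the release job; only a
    # direct push to main or a merged PR should. Note that a merged PR also
    # produces a push event on main, so both runs may be scheduled.
    if: github.event_name == 'push' || github.event.pull_request.merged == true
    steps:
      # NOTE(review): actions are pinned to major tags. Pinning each `uses:` to a
      # full commit SHA (`@<commit-sha>  # vN`) narrows the supply-chain surface.
      - name: "🔐 Generate GitHub App token"
        uses: actions/create-github-app-token@v2
        id: app-token
        with:
          app-id: ${{ vars.GH_VERSIONING_APP_ID || vars.NHS_GH_VERSIONING_APP_ID }}
          private-key: ${{ secrets.GH_VERSIONING_APP_PRIVATE_KEY || secrets.NHS_GH_VERSIONING_APP_PRIVATE_KEY }}

      # Belt-and-braces: the token is handed to the script through the
      # environment instead of being interpolated into the command text.
      - name: "🙈 Mask App token"
        env:
          APP_TOKEN: ${{ steps.app-token.outputs.token }}
        run: echo "::add-mask::$APP_TOKEN"

      # Full history is required so semantic-release can compute the next version.
      # The App token is used for the clone only and is not persisted in the
      # repository's git config.
      - name: "📥 Checkout repository"
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ steps.app-token.outputs.token }}
          persist-credentials: false

      - name: "🔏 Import and configure commit signing key"
        env:
          GIT_USER_NAME: ${{ vars.GIT_SIGNING_BOT_NAME || vars.NHS_GIT_SIGNING_BOT_NAME }}
          GIT_USER_EMAIL: ${{ vars.GIT_SIGNING_BOT_EMAIL || vars.NHS_GIT_SIGNING_BOT_EMAIL }}
          GPG_PKEY: ${{ secrets.GIT_SIGNING_BOT_GPG_PRIVATE_KEY || secrets.NHS_GIT_SIGNING_BOT_GPG_PRIVATE_KEY }}
          GPG_PASS: ${{ secrets.GIT_SIGNING_BOT_GPG_PASSPHRASE || secrets.NHS_GIT_SIGNING_BOT_GPG_PASSPHRASE }}
        run: |
          # Non-interactive gpg: loopback pinentry so the passphrase can be supplied by the script.
          mkdir -p ~/.gnupg
          chmod 700 ~/.gnupg
          echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
          echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
          export GPG_TTY=$(tty)
          echo "$GPG_PKEY" | gpg --batch --import
          # First secret key in the keyring is used as the signing key.
          key_id=$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^sec:/ {print $5; exit}')
          git config --global user.name "$GIT_USER_NAME"
          git config --global user.email "$GIT_USER_EMAIL"
          git config --global user.signingkey "$key_id"
          git config --global gpg.program gpg
          git config --global commit.gpgsign true
          if [ -n "$GPG_PASS" ]; then
            # Warm up the agent so later non-interactive signing does not prompt.
            # NOTE(review): --passphrase puts the secret on the gpg command line, where it is
            # visible in the runner's process list while gpg runs; --passphrase-fd avoids that.
            gpgconf --kill gpg-agent || true
            gpgconf --launch gpg-agent || true
            echo "warmup" | gpg --batch --yes --passphrase "$GPG_PASS" --pinentry-mode loopback --sign >/dev/null 2>&1 || true
          fi
          # Commit signature debug info (key metadata only; no secret material is printed)
          gpg --list-secret-keys --keyid-format LONG
          git config --get user.name
          git config --get user.email
          gpg --fingerprint "$key_id"

      # semantic-release pushes the release commit/tag with the App token, so the
      # resulting commits are attributed to the App rather than to GITHUB_TOKEN.
      - name: "🚀 Run release process"
        id: release
        uses: cycjimmy/semantic-release-action@v4
        with:
          extra_plugins: |
            @semantic-release/git
            @semantic-release/github
            @semantic-release/exec
            conventional-changelog-conventionalcommits
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          GIT_AUTHOR_NAME: ${{ vars.GIT_SIGNING_BOT_NAME || vars.NHS_GIT_SIGNING_BOT_NAME }}
          GIT_AUTHOR_EMAIL: ${{ vars.GIT_SIGNING_BOT_EMAIL || vars.NHS_GIT_SIGNING_BOT_EMAIL }}
          GIT_COMMITTER_NAME: ${{ vars.GIT_SIGNING_BOT_NAME || vars.NHS_GIT_SIGNING_BOT_NAME }}
          GIT_COMMITTER_EMAIL: ${{ vars.GIT_SIGNING_BOT_EMAIL || vars.NHS_GIT_SIGNING_BOT_EMAIL }}

      # GHCR accepts the workflow's own token (packages: write granted above).
      - name: "🔑 Login to GitHub Container Registry"
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: "🐳 Build and push container image"
        if: steps.release.outputs.new_release_published == 'true'
        env:
          IMAGE_NAME: ghcr.io/${{ github.repository }}
          VERSION: ${{ steps.release.outputs.new_release_version }}
        run: |
          # Image references must be lowercase; github.repository keeps the
          # owner's casing, so normalise before tagging (no-op when already lowercase).
          IMAGE_NAME="${IMAGE_NAME,,}"
          docker build -t "${IMAGE_NAME}:app-${VERSION}" ./app
          docker tag "${IMAGE_NAME}:app-${VERSION}" "${IMAGE_NAME}:app-latest"
          docker push "${IMAGE_NAME}:app-${VERSION}"
          docker push "${IMAGE_NAME}:app-latest"

      # Context values are passed through env rather than interpolated into the
      # shell script, so the script text never changes with the repository name.
      - name: "📝 Update release notes with image info"
        if: steps.release.outputs.new_release_published == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ steps.release.outputs.new_release_version }}
          REPO: ${{ github.repository }}
          REPO_NAME: ${{ github.event.repository.name }}
        run: |
          existing_notes=$(gh release view "v${VERSION}" \
            --repo "$REPO" \
            --json body \
            -q '.body')
          updated_notes="${existing_notes}<br/><br/>🐳 image published to [GitHub Container Registry](https://github.com/${REPO}/pkgs/container/${REPO_NAME})"
          gh release edit "v${VERSION}" \
            --repo "$REPO" \
            --notes "$updated_notes"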