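# Release pipeline: on pushes to main, hotfix/testing branches and version
# tags (or a manual dispatch) it resolves the version and chart name, runs
# tests, builds and pushes images, tests deployments, publishes the release,
# publishes the Helm chart to ghcr.io, publishes npm packages on tags, and
# runs Snyk.
#
# NOTE(review): no `permissions:` key is declared in this file, so the scopes
# of GITHUB_TOKEN come from the repository/organisation default. Several jobs
# hand secrets.GITHUB_TOKEN to a registry login for ghcr.io, which needs
# `packages: write`. Consider declaring explicit permissions here once the
# needs of the called workflows (not visible in this file) are confirmed.
name: Release pipeline

on:
  push:
    branches:
      - main
      # NOTE(review): GitHub filter patterns are globs, not regular
      # expressions, so this matches names that begin with the literal
      # `hotfix.` - confirm that is the intended branch naming.
      - 'hotfix.*'
      - 'testing*'
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'
  # NOTE(review): a manual dispatch can start this pipeline from any ref that
  # carries this file, and `deploy` below has no `if:` guard in this file.
  # Confirm that publish.yml or environment protection rules restrict which
  # refs can actually publish.
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ startsWith(github.ref, 'refs/heads/testing') }} # deployments on testing* will cancel each other, prod and tags no

jobs:
  get-version:
    name: Get version
    uses: ./.github/workflows/get-version.yml

  get-chart-name:
    name: Get Chart Name
    uses: ./.github/workflows/get-chart-name.yml

  tests:
    needs: [get-version]
    uses: ./.github/workflows/tests.yml
    with:
      CONTINUE_ON_ERROR: ${{ startsWith(github.ref, 'refs/heads/testing') }} # allows releasing on testing even if test fail
      DISABLE_SKIPPING: ${{ startsWith(github.ref, 'refs/heads/main') }} # disable test skip on main
    # NOTE(review): `inherit` passes every secret available to this workflow
    # (registry, Cloudflare, npm and PAT secrets included) to tests.yml. The
    # build and deploy jobs below pass an explicit list; doing the same here
    # would limit what test code can read.
    secrets: inherit

  builds:
    needs: [get-version]
    uses: ./.github/workflows/builds.yml
    with:
      IMAGE_VERSION_TAG: ${{ needs.get-version.outputs.IMAGE_VERSION_TAG }}
      REGISTRY_DOMAIN: ${{ (github.repository == 'specklesystems/speckle-server') && 'docker.io' || 'ghcr.io' }}
      REGISTRY_USERNAME: ${{ (github.repository == 'specklesystems/speckle-server') && 'speckledevops' || github.actor }}
      # REGISTRY_DOMAIN, REGISTRY_USERNAME, REGISTRY_TOKEN must allow pushing to the below IMAGE_PREFIX
      IMAGE_PREFIX: ${{ (github.repository == 'specklesystems/speckle-server') && 'speckle' || 'ghcr.io/specklesystems' }}
      PUBLISH: true # publish the sourcemaps and include the version in frontend-2 builds
      PUBLISH_LATEST: ${{ startsWith(github.ref, 'refs/heads/main') }}
    secrets:
      DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
      # Docker Hub token on the upstream repository, the workflow token elsewhere.
      REGISTRY_TOKEN: ${{ (github.repository == 'specklesystems/speckle-server') && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}

  # HACK: temporary job to build and push to ghcr.io until we migrate everything
  builds-ghcr:
    needs: [get-version]
    uses: ./.github/workflows/builds.yml
    with:
      IMAGE_VERSION_TAG: ${{ needs.get-version.outputs.IMAGE_VERSION_TAG }}
      REGISTRY_DOMAIN: ${{ 'ghcr.io' }}
      REGISTRY_USERNAME: ${{ github.actor }}
      # REGISTRY_DOMAIN, REGISTRY_USERNAME, REGISTRY_TOKEN must allow pushing to the below IMAGE_PREFIX
      IMAGE_PREFIX: ${{ 'ghcr.io/specklesystems' }}
      PUBLISH: true # publish the sourcemaps and include the version in frontend-2 builds
      PUBLISH_LATEST: ${{ startsWith(github.ref, 'refs/heads/main') }}
    secrets:
      DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
      REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  test-deployments:
    needs: [get-version, builds, builds-ghcr]
    uses: ./.github/workflows/deployment-tests.yml
    with:
      IMAGE_VERSION_TAG: ${{ needs.get-version.outputs.IMAGE_VERSION_TAG }}
      REGISTRY_DOMAIN: ${{ (github.repository == 'specklesystems/speckle-server') && 'docker.io' || 'ghcr.io' }}
      REGISTRY_USERNAME: ${{ (github.repository == 'specklesystems/speckle-server') && 'speckledevops' || github.actor }}
      IMAGE_PREFIX: ${{ (github.repository == 'specklesystems/speckle-server') && 'speckle' || 'ghcr.io/specklesystems' }}
    secrets:
      REGISTRY_TOKEN: ${{ (github.repository == 'specklesystems/speckle-server') && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}

  # Publishing step; it waits for every build, test and deployment-test job.
  # On testing* branches `tests` is called with CONTINUE_ON_ERROR, so a test
  # failure there does not block this job (see the comment on `tests`).
  deploy:
    needs: [get-version, tests, builds, builds-ghcr, test-deployments, get-chart-name]
    uses: ./.github/workflows/publish.yml
    with:
      IMAGE_PREFIX: ${{ (github.repository == 'specklesystems/speckle-server') && 'speckle' || 'ghcr.io/specklesystems' }}
      IMAGE_VERSION_TAG: ${{ needs.get-version.outputs.IMAGE_VERSION_TAG }}
      CLOUDFLARE_ACCOUNT_ID: ${{ vars.CLOUDFLARE_ACCOUNT_ID }}
      OCI_REGISTRY_DOMAIN: ${{ (github.repository == 'specklesystems/speckle-server') && 'docker.io' || 'ghcr.io' }}
      OCI_REGISTRY_PATH: ${{ (github.repository == 'specklesystems/speckle-server') && 'speckle' || 'specklesystems' }}
      OCI_REGISTRY_USERNAME: ${{ (github.repository == 'specklesystems/speckle-server') && 'speckledevops' || github.actor }}
      CHART_NAME: ${{ needs.get-chart-name.outputs.CHART_NAME }}
    secrets:
      DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
      OCI_REGISTRY_PASSWORD: ${{ (github.repository == 'specklesystems/speckle-server') && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}
      GH_DEVOPS_PAT: ${{ secrets.GH_DEVOPS_PAT }}

  # HACK: temporary job to publish helm charts to ghcr.io until we migrate everything
  ghcr-helm-chart-oci:
    needs: [get-version, tests, builds, builds-ghcr, test-deployments, get-chart-name]
    runs-on: blacksmith-4vcpu-ubuntu-2404
    name: Helm chart oci
    container:
      # NOTE(review): `latest` is a mutable tag and this job holds a registry
      # credential (REGISTRY_PASSWORD below). Pinning by digest, e.g.
      # speckle/pre-commit-runner@sha256:<DIGEST_PLACEHOLDER>, would fix the
      # exact image that handles that credential.
      image: speckle/pre-commit-runner:latest
    # NOTE(review): whether `env` sits at job level or under `container` could
    # not be recovered from the collapsed source; job level is assumed here.
    # REGISTRY_PASSWORD is visible to every step of the job at this level;
    # only the publish step appears to need it.
    env:
      IMAGE_PREFIX: 'ghcr.io/specklesystems'
      IMAGE_VERSION_TAG: ${{ needs.get-version.outputs.IMAGE_VERSION_TAG }}
      HELM_REGISTRY_DOMAIN: 'ghcr.io'
      HELM_REPOSITORY_PATH: 'specklesystems'
      REGISTRY_USERNAME: ${{ github.actor }}
      REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
      CHART_NAME: ${{ needs.get-chart-name.outputs.CHART_NAME }}
    steps:
      # NOTE(review): the action is referenced by tag; a full commit SHA is
      # the immutable form. checkout also keeps the token in the local git
      # config by default; if publish_helm_chart_oci.sh needs no git
      # credentials, `persist-credentials: false` would avoid that - confirm
      # against the script.
      - uses: actions/checkout@v4.2.2
        with:
          fetch-depth: 0
      # The workspace is owned by a different user inside the container, so
      # git must be told to trust it. The path is quoted so that a workspace
      # path containing spaces is passed as one argument.
      - run: git config --global --add safe.directory "$PWD"
      - name: Publish Helm Chart
        run: ./.github/workflows/scripts/publish_helm_chart_oci.sh

  npm:
    needs: [get-version, tests, builds, builds-ghcr]
    uses: ./.github/workflows/npm.yml
    # Only run when a tag triggered the workflow. The condition does not check
    # the repository: outside specklesystems/speckle-server the inputs below
    # switch to GitHub Packages, restricted access and the workflow token.
    if: startsWith(github.ref, 'refs/tags/')
    with:
      GITHUB_REGISTRY_URL: ${{ format('%s%s.git', 'https://github.com/', github.repository) }}
      GITHUB_ORG: ${{ github.repository_owner }}
      NPM_REGISTRY_URL: ${{ github.repository == 'specklesystems/speckle-server' && 'https://registry.npmjs.org/' || 'https://npm.pkg.github.com/' }}
      NPM_PUBLISH_ACCESS: ${{ github.repository == 'specklesystems/speckle-server' && 'public' || 'restricted' }}
      IMAGE_VERSION_TAG: ${{ needs.get-version.outputs.IMAGE_VERSION_TAG }}
    secrets:
      NPM_TOKEN: ${{ github.repository == 'specklesystems/speckle-server' && secrets.NPM_TOKEN || github.token }}

  snyk:
    needs: [tests]
    uses: ./.github/workflows/snyk.yml
    # skip snyk on testing branches
    if: startsWith(github.ref , 'refs/heads/testing') == false
    # NOTE(review): `inherit` forwards every secret of this workflow to
    # snyk.yml; an explicit list of the secrets the scan needs would be
    # narrower.
    secrets: inherit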