11
2- # This worklflow will perform following actions when the code is pushed to main branch:
3- # - Build the latest docker image in main which needs test to pass first.
4- # - Push the docker image to Docker Hub under namespace - nfdi4chem with tag:[release_version].
2+ # This workflow will perform following actions when code is pushed to the main branch:
3+ # - Run tests and linting checks (can be enabled via needs: test_and_lint)
4+ # - Build and push nmrKit Docker image with layer caching for faster builds
5+ # - Conditionally build nmr-cli image only if files in app/scripts/nmr-cli/ changed
6+ # - Push images to Docker Hub under namespace nfdi4chem with latest tag
7+ # - Prevent redundant builds using concurrency control
58#
69# Maintainers:
710# - name: Nisha Sharma
811# - email: nisha.sharma@uni-jena.de
912
10- name : Prod Build, Test and Publish
13+ name : Prod Build and Publish
1114
15+ # Runs on manual workflow_dispatch with confirmation
1216on :
13- release :
14- types : [published]
17+ workflow_dispatch :
18+ inputs :
19+ confirm :
20+ description : " Type 'DEPLOY' to confirm production deployment"
21+ required : true
22+ type : string
23+
24+ concurrency :
25+ group : ${{ github.workflow }}-${{ github.ref }}
26+ cancel-in-progress : true
1527
1628env :
17- DOCKER_HUB_USERNAME : ${{ secrets.DOCKER_USERNAME }}
18- DOCKER_HUB_PASSWORD : ${{ secrets.DOCKER_PASSWORD }}
19- REPOSITORY_NAME : nmrkit
29+ NMRKIT_REPOSITORY_NAME : nmrkit
30+ NMR_CLI_REPOSITORY_NAME : nmr-cli
2031 REPOSITORY_NAMESPACE : nfdi4chem
32+ RELEASE_TAG : latest
2133
2234jobs :
23- push_to_registry :
35+ # test_and_lint:
36+ # uses: NFDI4Chem/nmrkit/.github/workflows/test.yml@main
37+
38+ # Guard: confirm input and authorize actor
39+ guard :
40+ name : Access control and confirmation
41+ runs-on : ubuntu-latest
42+ steps :
43+ - name : Validate actor and confirmation
44+ shell : bash
45+ run : |
46+ echo "Actor: ${GITHUB_ACTOR}"
47+ # Confirm input (workflow_dispatch)
48+ if [[ "${{ github.event.inputs.confirm }}" != "DEPLOY" ]]; then
49+ echo "Confirmation token mismatch. Expected 'DEPLOY'."
50+ exit 1
51+ fi
52+
53+ # Authorize actor (comma/space separated list in secret)
54+ AUTHORIZED_ACTORS="${{ secrets.PROD_DEPLOY_AUTHORIZED_ACTORS }}"
55+ allowed=0
56+ for u in ${AUTHORIZED_ACTORS//,/ }; do
57+ if [[ "${u,,}" == "${GITHUB_ACTOR,,}" ]]; then
58+ allowed=1
59+ break
60+ fi
61+ done
62+ if [[ $allowed -ne 1 ]]; then
63+ echo "User '${GITHUB_ACTOR}' is not authorized to trigger this workflow."
64+ exit 1
65+ fi
66+ echo "Authorization check passed."
67+
68+ build_and_push_to_registry :
2469 name : Push Docker image to Docker Hub
2570 runs-on : ubuntu-latest
71+ needs : guard
2672 steps :
73+ # Clone repository code to runner
2774 - name : Check out the repo
2875 uses : actions/checkout@v4
29-
30- # Fetch Latest release
31- - name : Fetch latest release
32- id : fetch-latest-release
33- uses : InsonusK/get-latest-release@v1.0.1
34- with :
35- myToken : ${{ github.token }}
36- exclude_types : " draft"
37- view_top : 10
38- - name : " Print release name"
39- run : |
40- echo "tag_name: ${{ steps.fetch-latest-release.outputs.tag_name }}"
41-
42- # Login to Docker Hub
76+
77+ # Enable advanced Docker build features (required for caching)
78+ - name : Set up Docker Buildx
79+ uses : docker/setup-buildx-action@v3
80+
81+ # Authenticate with Docker Hub for image push access
4382 - name : Log in to Docker Hub
44- uses : docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
83+ uses : docker/login-action@v3
4584 with :
46- username : ${{ env.DOCKER_HUB_USERNAME }}
47- password : ${{ env.DOCKER_HUB_PASSWORD }}
48-
49- # Build and push Docker image
50- - name : Build and push Docker image
51- uses : docker/build-push-action@v4
85+ username : ${{ secrets.DOCKER_USERNAME }}
86+ password : ${{ secrets.DOCKER_PASSWORD }}
87+
88+ # Detect changes in nmr-cli folder to skip unnecessary builds
89+ - name : Check for file changes
90+ id : changes
91+ uses : dorny/paths-filter@v3
92+ with :
93+ filters : |
94+ nmr-cli:
95+ - 'app/scripts/nmr-cli/**'
96+
97+ # Build main nmrKit image with registry caching for faster builds
98+ - name : Build and push nmrKit Docker image
99+ uses : docker/build-push-action@v6
52100 with :
53101 context : .
54102 file : ./Dockerfile
55103 push : true
56- build-args : |
57- RELEASE_VERSION=${{ steps.fetch-latest-release.outputs.tag_name }}
58- tags : ${{ env.REPOSITORY_NAMESPACE }}/${{ env.REPOSITORY_NAME }}:${{ steps.fetch-latest-release.outputs.tag_name }}
59- username : ${{ env.DOCKER_HUB_USERNAME }}
60- password : ${{ env.DOCKER_HUB_PASSWORD }}
104+ build-args : RELEASE_VERSION=${{ env.RELEASE_TAG }}
105+ tags : ${{ env.REPOSITORY_NAMESPACE }}/${{ env.NMRKIT_REPOSITORY_NAME }}:${{ env.RELEASE_TAG }}
106+ cache-from : type=registry,ref=${{ env.REPOSITORY_NAMESPACE }}/${{ env.NMRKIT_REPOSITORY_NAME }}:buildcache
107+ cache-to : type=registry,ref=${{ env.REPOSITORY_NAMESPACE }}/${{ env.NMRKIT_REPOSITORY_NAME }}:buildcache,mode=max
108+
109+ # Build nmr-cli image only if files in app/scripts/nmr-cli/ changed
110+ - name : Build and push nmr-cli Docker image
111+ if : steps.changes.outputs.nmr-cli == 'true'
112+ uses : docker/build-push-action@v6
113+ with :
114+ context : ./app/scripts/nmr-cli/
115+ file : ./app/scripts/nmr-cli/Dockerfile
116+ push : true
117+ build-args : RELEASE_VERSION=${{ env.RELEASE_TAG }}
118+ tags : ${{ env.REPOSITORY_NAMESPACE }}/${{ env.NMR_CLI_REPOSITORY_NAME }}:${{ env.RELEASE_TAG }}
119+ cache-from : type=registry,ref=${{ env.REPOSITORY_NAMESPACE }}/${{ env.NMR_CLI_REPOSITORY_NAME }}:buildcache
120+ cache-to : type=registry,ref=${{ env.REPOSITORY_NAMESPACE }}/${{ env.NMR_CLI_REPOSITORY_NAME }}:buildcache,mode=max
0 commit comments