cinny/.github/workflows/prod-deploy.yml

name: 'Production deploy'

on:
  release:
    types: [published]

jobs:
  create-release:
    name: 'Create release tar'
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v3.0.2
      - name: Build
        run: |
          npm ci
          npm run build
      - name: Get version from tag
        id: vars
        run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
      - name: Create tar.gz
        run: tar -czvf cinny-${{ steps.vars.outputs.tag }}.tar.gz dist
      - name: Sign tar.gz
        run: |
          echo '${{ secrets.GNUPG_KEY }}' | gpg --batch --import
          # Sadly a few lines in the private key match a few lines in the public key,
          # As a result just --export --armor gives us a few lines replaced with ***
          # making it useless for importing the signing key. Instead, we dump it as
          # non-armored and hex-encode it so that its printable.
          echo "PGP Signing key, in raw PGP format in hex. Import with cat ... | xxd -r -p - | gpg --import"
          gpg --export | xxd -p
          echo '${{ secrets.GNUPG_PASSPHRASE }}' | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign cinny-${{ steps.vars.outputs.tag }}.tar.gz
      - name: Upload tagged release
        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
        with:
          files: |
            cinny-${{ steps.vars.outputs.tag }}.tar.gz
            cinny-${{ steps.vars.outputs.tag }}.tar.gz.asc

  deploy-to-netlify:
    name: 'Deploy to Netlify'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3.0.2
      - name: Build and deploy to Netlify
        uses: jsmrcaga/action-netlify-deploy@fb6a5f936a4b06a8f7793e69fc5a022ffe39807a
        with:
          install_command: "npm ci"
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
          BUILD_DIRECTORY: "dist"
          NETLIFY_DEPLOY_MESSAGE: "Prod deploy v${{ github.ref }}"
          NETLIFY_DEPLOY_TO_PROD: true

  push_to_dockerhub:
    name: Push Docker image to Docker Hub
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3.0.2
      - name: Login to Docker Hub
        uses: docker/login-action@v2.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v4.0.1
        with:
          images: ajbura/cinny
      - name: Build and push Docker image
        uses: docker/build-push-action@v3.0.0
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00			`name: 'Production deploy'`

			`on:`
			`release:`
			`types: [published]`

			`jobs:`
Reduce third-party build script dependencies and reduce GITHUB_TOKEN perms in CI (#541) * Reduce dependence on third-party build scripts in release pipeline This removes one third-party build script from the release pipeline for the release tar.gz, though one is still used in the now-separate netlify deploy. * Reduce GITHUB_TOKEN perms in actions when using 3rd party scripts This avoids allowing third parties to arbitrarily overwrite the repository. * Replace PGP signing action with the bash script from the same The PGP signing action ultimately just calls gpg with arguments set in https://github.com/actionhippie/gpgsign/blob/v1/overlay/usr/local/bin/entrypoint so its rather trivial to simply take the required arguments and put them directly in CI. This is substantially safer than the PGP signing action used as the action currently downloads, unverified and un-pinned, a docker image in order to access PGP. 2022-05-26 17:47:41 +03:00			`create-release:`
			`name: 'Create release tar'`
Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00			`runs-on: ubuntu-latest`
			`steps:`
Reduce third-party build script dependencies and reduce GITHUB_TOKEN perms in CI (#541) * Reduce dependence on third-party build scripts in release pipeline This removes one third-party build script from the release pipeline for the release tar.gz, though one is still used in the now-separate netlify deploy. * Reduce GITHUB_TOKEN perms in actions when using 3rd party scripts This avoids allowing third parties to arbitrarily overwrite the repository. * Replace PGP signing action with the bash script from the same The PGP signing action ultimately just calls gpg with arguments set in https://github.com/actionhippie/gpgsign/blob/v1/overlay/usr/local/bin/entrypoint so its rather trivial to simply take the required arguments and put them directly in CI. This is substantially safer than the PGP signing action used as the action currently downloads, unverified and un-pinned, a docker image in order to access PGP. 2022-05-26 17:47:41 +03:00			`- name: Check out the repo`
Bump actions/checkout from 3.0.1 to 3.0.2 (#508) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.0.1...v3.0.2) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-04-26 14:53:22 +03:00			`uses: actions/checkout@v3.0.2`
Reduce third-party build script dependencies and reduce GITHUB_TOKEN perms in CI (#541) * Reduce dependence on third-party build scripts in release pipeline This removes one third-party build script from the release pipeline for the release tar.gz, though one is still used in the now-separate netlify deploy. * Reduce GITHUB_TOKEN perms in actions when using 3rd party scripts This avoids allowing third parties to arbitrarily overwrite the repository. * Replace PGP signing action with the bash script from the same The PGP signing action ultimately just calls gpg with arguments set in https://github.com/actionhippie/gpgsign/blob/v1/overlay/usr/local/bin/entrypoint so its rather trivial to simply take the required arguments and put them directly in CI. This is substantially safer than the PGP signing action used as the action currently downloads, unverified and un-pinned, a docker image in order to access PGP. 2022-05-26 17:47:41 +03:00			`- name: Build`
			`run: \|`
			`npm ci`
			`npm run build`
Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00			`- name: Get version from tag`
			`id: vars`
			`run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}`
			`- name: Create tar.gz`
			`run: tar -czvf cinny-${{ steps.vars.outputs.tag }}.tar.gz dist`
Sign release tarball with PGP key (#392) 2022-05-03 14:13:16 +03:00			`- name: Sign tar.gz`
Reduce third-party build script dependencies and reduce GITHUB_TOKEN perms in CI (#541) * Reduce dependence on third-party build scripts in release pipeline This removes one third-party build script from the release pipeline for the release tar.gz, though one is still used in the now-separate netlify deploy. * Reduce GITHUB_TOKEN perms in actions when using 3rd party scripts This avoids allowing third parties to arbitrarily overwrite the repository. * Replace PGP signing action with the bash script from the same The PGP signing action ultimately just calls gpg with arguments set in https://github.com/actionhippie/gpgsign/blob/v1/overlay/usr/local/bin/entrypoint so its rather trivial to simply take the required arguments and put them directly in CI. This is substantially safer than the PGP signing action used as the action currently downloads, unverified and un-pinned, a docker image in order to access PGP. 2022-05-26 17:47:41 +03:00			`run: \|`
			`echo '${{ secrets.GNUPG_KEY }}' \| gpg --batch --import`
			`# Sadly a few lines in the private key match a few lines in the public key,`
			`# As a result just --export --armor gives us a few lines replaced with ***`
			`# making it useless for importing the signing key. Instead, we dump it as`
			`# non-armored and hex-encode it so that its printable.`
			`echo "PGP Signing key, in raw PGP format in hex. Import with cat ... \| xxd -r -p - \| gpg --import"`
			`gpg --export \| xxd -p`
			`echo '${{ secrets.GNUPG_PASSPHRASE }}' \| gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign cinny-${{ steps.vars.outputs.tag }}.tar.gz`
Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00			`- name: Upload tagged release`
Use SHA instead of tag for 3rd party actions (#498) 2022-05-01 10:53:42 +03:00			`uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5`
Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00			`with:`
			`files: \|`
			`cinny-${{ steps.vars.outputs.tag }}.tar.gz`
Sign release tarball with PGP key (#392) 2022-05-03 14:13:16 +03:00			`cinny-${{ steps.vars.outputs.tag }}.tar.gz.asc`
Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00
Reduce third-party build script dependencies and reduce GITHUB_TOKEN perms in CI (#541) * Reduce dependence on third-party build scripts in release pipeline This removes one third-party build script from the release pipeline for the release tar.gz, though one is still used in the now-separate netlify deploy. * Reduce GITHUB_TOKEN perms in actions when using 3rd party scripts This avoids allowing third parties to arbitrarily overwrite the repository. * Replace PGP signing action with the bash script from the same The PGP signing action ultimately just calls gpg with arguments set in https://github.com/actionhippie/gpgsign/blob/v1/overlay/usr/local/bin/entrypoint so its rather trivial to simply take the required arguments and put them directly in CI. This is substantially safer than the PGP signing action used as the action currently downloads, unverified and un-pinned, a docker image in order to access PGP. 2022-05-26 17:47:41 +03:00			`deploy-to-netlify:`
			`name: 'Deploy to Netlify'`
			`runs-on: ubuntu-latest`
			`permissions:`
			`contents: read`
			`steps:`
			`- name: Checkout repository`
			`uses: actions/checkout@v3.0.2`
			`- name: Build and deploy to Netlify`
			`uses: jsmrcaga/action-netlify-deploy@fb6a5f936a4b06a8f7793e69fc5a022ffe39807a`
			`with:`
			`install_command: "npm ci"`
			`NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}`
			`NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}`
			`BUILD_DIRECTORY: "dist"`
			`NETLIFY_DEPLOY_MESSAGE: "Prod deploy v${{ github.ref }}"`
			`NETLIFY_DEPLOY_TO_PROD: true`

Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00			`push_to_dockerhub:`
			`name: Push Docker image to Docker Hub`
			`runs-on: ubuntu-latest`
Reduce third-party build script dependencies and reduce GITHUB_TOKEN perms in CI (#541) * Reduce dependence on third-party build scripts in release pipeline This removes one third-party build script from the release pipeline for the release tar.gz, though one is still used in the now-separate netlify deploy. * Reduce GITHUB_TOKEN perms in actions when using 3rd party scripts This avoids allowing third parties to arbitrarily overwrite the repository. * Replace PGP signing action with the bash script from the same The PGP signing action ultimately just calls gpg with arguments set in https://github.com/actionhippie/gpgsign/blob/v1/overlay/usr/local/bin/entrypoint so its rather trivial to simply take the required arguments and put them directly in CI. This is substantially safer than the PGP signing action used as the action currently downloads, unverified and un-pinned, a docker image in order to access PGP. 2022-05-26 17:47:41 +03:00			`permissions:`
			`contents: read`
Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00			`steps:`
General fix and consistency changes (#428) 2022-03-23 16:10:39 +02:00			`- name: Checkout repository`
Bump actions/checkout from 3.0.1 to 3.0.2 (#508) Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.1 to 3.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3.0.1...v3.0.2) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-04-26 14:53:22 +03:00			`uses: actions/checkout@v3.0.2`
Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00			`- name: Login to Docker Hub`
Bump docker/login-action from 1.14.1 to 2.0.0 (#540) Bumps [docker/login-action](https://github.com/docker/login-action) from 1.14.1 to 2.0.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v1.14.1...v2.0.0) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-05-20 07:28:34 +03:00			`uses: docker/login-action@v2.0.0`
Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00			`with:`
			`username: ${{ secrets.DOCKER_USERNAME }}`
			`password: ${{ secrets.DOCKER_PASSWORD }}`
			`- name: Extract metadata (tags, labels) for Docker`
			`id: meta`
Bump docker/metadata-action from 3.8.0 to 4.0.1 (#539) Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 3.8.0 to 4.0.1. - [Release notes](https://github.com/docker/metadata-action/releases) - [Upgrade guide](https://github.com/docker/metadata-action/blob/master/UPGRADE.md) - [Commits](https://github.com/docker/metadata-action/compare/v3.8.0...v4.0.1) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-05-20 07:29:00 +03:00			`uses: docker/metadata-action@v4.0.1`
Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00			`with:`
			`images: ajbura/cinny`
			`- name: Build and push Docker image`
Bump docker/build-push-action from 2.10.0 to 3.0.0 (#538) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.10.0 to 3.0.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v2.10.0...v3.0.0) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-05-20 07:29:40 +03:00			`uses: docker/build-push-action@v3.0.0`
Simplify GitHub actions (#387) * Simplify production build actions This merges both the netlify-prod and docker action and also automatically add tarball to releases. * Delete docker.yaml * Delete netlify-prod.yaml * Cosmetic changes and add dockerhub check * Cosmetic changes * Fix check runs on Tuesdays only 2022-03-15 13:34:14 +02:00			`with:`
			`context: .`
			`push: true`
			`tags: ${{ steps.meta.outputs.tags }}`
			`labels: ${{ steps.meta.outputs.labels }}`