@@ -1,10 +1,10 @@
name: Bake and Push
name: Reusable | Bake and Push

permissions:
contents: read
actions: read

# Reusable workflow for building and pushing a bake target.
# Reusable workflow for building and optionally pushing a bake target.
# Replaces build-docker-image.yml for apps migrated to docker-bake.hcl.
#
# Callers pass app-specific build args via the `set` input using GitHub Variables
Expand All @@ -25,22 +25,26 @@ on:
required: true
type: string
description: >
JSON string. Target OS (e.g. ubuntu-24.04-arm or
['ubuntu-24.04-arm', 'ubuntu-24.04']) of the image
JSON string passed to runs-on via fromJSON, e.g.
["ubuntu-24.04-arm"].
tag:
required: true
type: string
description: "Image tag to push (e.g. git SHA or semver)"
description: "Image tag to build or push (e.g. git SHA or semver)"
push:
required: false
type: boolean
default: true
description: "Whether to push the built image to the registry"
base_tag:
required: false
type: string
default: ""
description: >
Pre-built base image tag (BASE_TAG). When set, pulls ui-builder-base
and ui-runner-base from the registry instead of building them inline.
Use this in CI to avoid rebuilding base images on every app push.
Omit (or leave empty) to build base images inline — useful when
testing base image changes locally via act or in build-base-images.yml.
Required for CI app builds so they reuse published base images rather
than rebuilding base images inline.
set:
required: false
type: string
Expand All @@ -56,9 +60,9 @@ on:
DATABASE_URL:
required: false
DOCKER_HUB_USERNAME:
required: true
required: false
DOCKER_HUB_ACCESS_TOKEN:
required: true
required: false
PAYLOAD_SECRET:
required: false
SENTRY_AUTH_TOKEN:
Expand All @@ -82,14 +86,21 @@ jobs:
id: meta
run: echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"

- name: Validate base image tag
if: ${{ inputs.base_tag == '' }}
run: |
echo "::error::base_tag is required for CI app builds. Build and publish base images, then set vars.UI_BASE_TAG."
exit 1

- uses: docker/setup-buildx-action@v4

- uses: docker/login-action@v4
if: ${{ inputs.push }}
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

- name: Build and push
- name: Build with Docker bake
uses: docker/bake-action@v7
env:
TAG: ${{ inputs.tag }}
Expand All @@ -104,7 +115,7 @@ jobs:
with:
files: docker-bake.hcl
targets: ${{ inputs.target }}
push: true
push: ${{ inputs.push }}
set: |
*.cache-from=type=gha,scope=${{ inputs.target }}
*.cache-to=type=gha,mode=max,scope=${{ inputs.target }}
Expand Down
61 changes: 61 additions & 0 deletions .github/workflows/_build-techlabblog.yml
@@ -0,0 +1,61 @@
name: Reusable Build | TechLab Blog

on:
workflow_call:
inputs:
tag:
required: true
type: string
description: "Image tag to build or push"
push:
required: true
type: boolean
description: "Whether to push the built image to the registry"
base_tag:
required: true
type: string
description: "Published base image tag to build from"
sentry_environment:
required: true
type: string
description: "Sentry environment baked into the app"
set:
required: false
type: string
default: ""
description: "Additional bake --set overrides"
secrets:
DOCKER_HUB_USERNAME:
required: false
DOCKER_HUB_ACCESS_TOKEN:
required: false
SENTRY_AUTH_TOKEN:
required: false
SENTRY_ORG:
required: false
SENTRY_PROJECT:
required: false

jobs:
build:
permissions:
actions: read
contents: read
uses: ./.github/workflows/_bake-and-push.yml
with:
target: techlabblog
target_os: '["ubuntu-24.04-arm"]'
base_tag: ${{ inputs.base_tag }}
tag: ${{ inputs.tag }}
push: ${{ inputs.push }}
# Stable app-level config lives here so PR and main builds share one build contract.
set: |
techlabblog.args.SENTRY_DSN=${{ vars.TECHLABBLOG_SENTRY_DSN }}
techlabblog.args.SENTRY_ENVIRONMENT=${{ inputs.sentry_environment }}
${{ inputs.set }}
secrets:
DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
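Review bot: `DOCKER_HUB_USERNAME` and `DOCKER_HUB_ACCESS_TOKEN` are declared `required: false` under `secrets:` while `push` is a required boolean a caller may set to `true`, so a caller that pushes without supplying both secrets fails only at the login step inside `_bake-and-push.yml` (whose login is gated on `inputs.push`, as the earlier section shows) rather than at input validation. Either state the coupling in the `push` description, e.g. `description: "Whether to push the built image to the registry (requires the DOCKER_HUB_USERNAME and DOCKER_HUB_ACCESS_TOKEN secrets)"`, or add an early step that fails when `push` is true and either secret is empty; the same applies to `_build-trustlab.yml`. The `set` input is described only as "Additional bake --set overrides", yet it is appended verbatim after the two Sentry lines in the `set: |` block and can override any target's arguments, so the description should state the expected format, e.g. `description: "Newline-separated bake --set overrides (target.args.KEY=VALUE), appended after the app-level Sentry settings"`.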
59 changes: 59 additions & 0 deletions .github/workflows/_build-trustlab.yml
@@ -0,0 +1,59 @@
name: Reusable Build | TrustLab

on:
workflow_call:
inputs:
tag:
required: true
type: string
description: "Image tag to build or push"
push:
required: true
type: boolean
description: "Whether to push the built image to the registry"
base_tag:
required: true
type: string
description: "Published base image tag to build from"
set:
required: false
type: string
default: ""
description: "Additional bake --set overrides"
secrets:
DATABASE_URL:
required: false
DOCKER_HUB_USERNAME:
required: false
DOCKER_HUB_ACCESS_TOKEN:
required: false
PAYLOAD_SECRET:
required: false
SENTRY_AUTH_TOKEN:
required: false
SENTRY_ORG:
required: false
SENTRY_PROJECT:
required: false

jobs:
build:
permissions:
actions: read
contents: read
uses: ./.github/workflows/_bake-and-push.yml
with:
target: trustlab
target_os: '["ubuntu-24.04-arm"]'
base_tag: ${{ inputs.base_tag }}
tag: ${{ inputs.tag }}
push: ${{ inputs.push }}
set: ${{ inputs.set }}
secrets:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
PAYLOAD_SECRET: ${{ secrets.PAYLOAD_SECRET }}
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
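Review bot: `DATABASE_URL` and `PAYLOAD_SECRET` are forwarded into an image build via the `secrets:` block at the end of the job, and this section does not show how `_bake-and-push.yml` consumes them; if they reach bake as build `args` they are recorded in the image's layer metadata and readable by anyone who can pull the image. Confirm they are exposed to the build as BuildKit build secrets (mounted only for the build step, not persisted in layers) rather than through `--set trustlab.args.*`, and once confirmed record it next to the block, e.g. `# Forwarded to _bake-and-push.yml as build secrets, not build args; they must not appear in image layers.`. Unlike `_build-techlabblog.yml`, this workflow passes `set: ${{ inputs.set }}` straight through with no app-level Sentry DSN or environment lines, which looks intentional but deserves a one-line comment so the two reusable workflows are not assumed to follow the same contract.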
19 changes: 10 additions & 9 deletions .github/workflows/ci.yml
Expand Up @@ -24,17 +24,16 @@ jobs:
TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
strategy:
matrix:
node-version: [24]
os: [ubuntu-latest]
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
fetch-depth: 2

# https://github.com/pnpm/action-setup#use-cache-to-reduce-installation-time
- name: Install pnpm
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@v6
id: pnpm-install
with:
run_install: false
Expand All @@ -46,7 +45,7 @@ jobs:
echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT

- name: Setup pnpm cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
Expand All @@ -56,9 +55,9 @@ jobs:
# Looks like to use pnpm cache, setup-node must run after pnpm/action-setup
# https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#caching-packages-data
- name: Install Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@v6
with:
node-version: ${{ matrix.node-version }}
node-version-file: "package.json"
cache: "pnpm"

- name: Confirm pnpm version
Expand All @@ -67,16 +66,18 @@ jobs:
- name: Install dependencies
run: pnpm install

# root task
# https://turborepo.dev/docs/guides/tools/oxc#create-root-tasks-1
- name: Format
run: pnpm format:check
run: pnpm exec turbo format:check

- name: Lint
run: pnpm lint:check

# Standard linux runners for public repositories have 4 vCPUs and 16GB of RAM
# see: https://docs.github.com/en/actions/reference/runners/github-hosted-runners#standard-github-hosted-runners-for-public-repositories
- name: Jest
run: pnpm jest:ci
- name: Test
run: pnpm test:ci

# TODO: Re-enable build in a dedicated CI build cleanup PR. The current
# build surface needs app-scoped env isolation for Payload/Next apps.
Expand Down
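Review bot: The bumped third-party actions (`actions/checkout@v6`, `pnpm/action-setup@v6`, `actions/cache@v5`, `actions/setup-node@v6`) are still referenced by mutable major tags, so whatever commit those tags point at in future runs with this job's `TURBO_TOKEN` and the repository token. Since the versions are being touched anyway, pin each `uses:` to a full-length commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, and let Dependabot or Renovate maintain the pins. The context line `echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT` is not part of this change but leaves `$GITHUB_OUTPUT` unquoted, while `_bake-and-push.yml` writes `>> "$GITHUB_OUTPUT"`; quoting it here would keep the two workflows consistent.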