Skip to content

SSO guide: best practice for email 2FA #48780

SSO guide: best practice for email 2FA

SSO guide: best practice for email 2FA #48780

name: Docker publish
on:
push:
branches:
- "main"
- "rc-minor-*"
- "rc-patch-*"
paths-ignore:
- "handbook/**"
- "website/**"
- "mdm-profiles/**"
pull_request:
paths-ignore:
- "handbook/**"
- "website/**"
- "mdm-profiles/**"
workflow_dispatch: # Manual
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
publish:
# Only run it when the push is to the fleetdm/fleet repo. Otherwise the secrets for pushing to
# Docker will not be available.
#
# Also not run if author is dependabot (it doesn't have access to Github secrets).
if: ${{ (github.repository == 'fleetdm/fleet') && (github.actor != 'dependabot[bot]') }}
runs-on: ubuntu-20.04
environment: Docker Hub
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Login to Docker Hub
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version-file: "go.mod"
# Set the Node.js version
- name: Set up Node.js
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version-file: package.json
- name: Install Dependencies
run: make deps
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b
with:
distribution: goreleaser-pro
version: "~> 2"
args: release --snapshot --clean -f .goreleaser-snapshot.yml
env:
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
- name: Tag image with branch name
run: docker tag fleetdm/fleet:$(git rev-parse --short HEAD) fleetdm/fleet:$(git rev-parse --abbrev-ref HEAD)
# Explicitly push the docker images as GoReleaser will not do so in snapshot mode
- name: Publish Docker images
run: docker push fleetdm/fleet --all-tags
- name: Get tag
run: |
echo "TAG=$(git rev-parse --abbrev-ref HEAD) $(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
id: docker
- name: List tags for push
run: |
echo "The following TAGs are to be pushed: ${{ steps.docker.outputs.TAG }}"
- name: Login to quay.io
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
with:
registry: quay.io
username: fleetdm+fleetreleaser
password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}
- name: Tag and push to quay.io
run: |
for TAG in ${{ steps.docker.outputs.TAG }}; do
docker tag fleetdm/fleet:${TAG} quay.io/fleetdm/fleet:${TAG}
docker push quay.io/fleetdm/fleet:${TAG}
done