From 31de8a346a778207cc2761ce05f5b40afb599291 Mon Sep 17 00:00:00 2001
From: "Ben Hearsum (he/him)"
Date: Tue, 29 Oct 2024 13:33:12 -0400
Subject: [PATCH] AUT-270: implement new deployment workflow for autograph (#1037)

In AUT-326 we decided that we would:
* Deploy stage in response to new version tags in the autograph repository
* Avoid rebuilding docker images when pushing a version tag to dockerhub (we will instead pull the docker image we deployed to dev from the ref that we tagged)

This commit implements this.

Slightly tangential, but also of note is https://github.com/mozilla-it/global-platform-admin/pull/2138 adding support for disabling automatic sync in ArgoCD, and doing so for autograph prod. This means that prod will notice new version tags, but not automatically deploy in response to them (human approval will be needed).

You can see example runs of this for the push and release cases in:
* https://github.com/bhearsum/autograph/actions/runs/11557423769/job/32167407424
* https://github.com/bhearsum/autograph/actions/runs/11557348483/job/32167157862
---
 .github/workflows/deploy.yaml | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 2d5567a46..fa1b19b82 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -4,8 +4,9 @@ on: push: branches: - main - tags: - - '[0-9]+.[0-9a-z]+.[0-9a-z]+' + release: + types: + - released jobs: docker: 
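Review bot: The new `release` / `types: [released]` trigger is narrower than the tag glob it replaces and nothing in the hunk says so: `released` fires when a release is published without the pre-release flag, or when a pre-release is promoted to a release, so publishing a pre-release alone will not deploy stage. A one-line comment above `release:` would save the next reader a trip to the docs, e.g. `# 'released' = published non-pre-release, or pre-release promoted to release; pre-releases alone do not deploy`. The old glob also constrained the tag format, whereas any release tag now reaches the workflow; the `type=semver` line in the metadata step appears to be what enforces the format from here on, which is worth saying in the same comment.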
@@ -26,12 +27,16 @@ jobs: id: meta uses: docker/metadata-action@v5 with: + flavor: + # don't automatically tag with `latest`; we do this conditionally in the `tags` section + latest=false images: | ${{ vars.DOCKERHUB_REPO }} ${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.GCP_PROJECT_ID }}/${{ vars.GAR_REPOSITORY}}/autograph tags: | type=semver,pattern={{raw}} - type=raw,value=latest,enable={{is_default_branch}} + type=raw,value=latest,enable=${{ github.event_name == 'push' }} + type=sha,format=long,enable=${{ github.event_name == 'push' }} - name: Generate version.json shell: bash @@ -58,10 +63,31 @@ jobs: password: ${{ secrets.DOCKERHUB_PASSWORD }} - name: Build and push + # On pushes to `main`, we build and push a new image, so we can simply + # use the `docker/build-push-action` action. + if: ${{ github.event_name == 'push' }} uses: docker/build-push-action@v6 with: - push: ${{ github.event_name != 'pull_request' }} + push: ${{ github.event_name == 'push' }} sbom: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} context: . + + - name: Tag and push + # For releases, we specifically do _not_ want to rebuild, just tag the + # existing image and push. There's no officially maintained action for + # this use case, but it's trivial enough to do ourselves. + if: ${{ github.event_name == 'release' }} + env: + # Tags come in the form of a fully qualified image name and tag, eg: + # mozilla/autograph:1.1.8 + # us-west2-docker.pkg.dev/autograph-proj/autograph-repo/autograph:1.1.8 + TAGS: ${{ steps.meta.outputs.tags }} + SRC: ${{ vars.DOCKERHUB_REPO}}:sha-${{ github.sha }} + run: | + docker pull $SRC + for tag in $TAGS; do + docker tag $SRC $tag + docker push $tag + done
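Review bot: The added `type=sha,format=long,enable=...` line is load-bearing for the release path and does not say so: the `Tag and push` step in the next hunk pulls `${{ vars.DOCKERHUB_REPO}}:sha-${{ github.sha }}`, which only resolves if this line keeps the `sha-` prefix and the full-length sha. Suggest a comment directly above it such as `# format=long is required: the release job pulls ${DOCKERHUB_REPO}:sha-<full sha>; keep this in sync with SRC in 'Tag and push'`. It is also worth recording next to `type=semver` that on a `release` event the tag is taken from `github.ref`, and that a release tag the action cannot parse as semver appears to produce no tag at all, leaving the release step with an empty `TAGS` (handled separately in that hunk).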
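Review bot: Retagging with `docker pull` / `docker tag` / `docker push` in the `Tag and push` step's `run` script likely strips the attestations the dev build attached: `sbom: true` (and build-push-action's default provenance) publish an image index whose attestation manifests sit beside the image manifest, and a client-side pull resolves to the single platform image, so the release tags would carry the image but not the SBOM/provenance that dev was deployed with. `docker buildx imagetools create --tag "$tag" "$SRC"` copies the whole index registry-side without pulling, assuming a buildx setup step runs before this one (not visible in the hunk). Independently, an empty `TAGS` (e.g. a release tag the metadata step could not turn into a tag) makes the loop a silent no-op and the step still succeeds; the script should fail explicitly in that case, and `$SRC` should be quoted. The rewritten `run` block below does both; the `if:` and `env:` lines above it are unchanged.
```yaml
      - name: Tag and push
        # … unchanged: if / env …
        run: |
          # Refuse to "succeed" with nothing pushed, e.g. when the release tag yielded no image tags.
          if [ -z "$TAGS" ]; then
            echo "no image tags generated for $GITHUB_REF" >&2
            exit 1
          fi
          for tag in $TAGS; do
            # Registry-side retag: keeps the full index (all platforms plus SBOM/provenance attestations).
            docker buildx imagetools create --tag "$tag" "$SRC"
          done
```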