From cb670e2c9b19729256834e2972a360d124ac749e Mon Sep 17 00:00:00 2001 From: Stefan Gersmann Date: Mon, 27 Apr 2026 18:46:47 +0200 Subject: [PATCH 01/10] chore: bakefile support for docker build In order to build multiple targets again, like we did in PAPI before this was reverted, and for Onyx where we have two containers that are currently being build in duplicated pipelines. --- .github/workflows/build-image.yaml | 101 ++++++++++++++++++++++++++++- .github/workflows/kubernetes.yaml | 8 ++- 2 files changed, 105 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index e7f8734..540fc77 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -14,7 +14,12 @@ on: type: string imageTargets: required: false - description: If provided, sets targets for as many image builds as targets specified + description: If provided, sets targets for as many image builds as targets specified. When bakeFile is provided, these are Docker Buildx Bake targets. + default: "" + type: string + bakeFile: + required: false + description: If provided, builds the imageTargets with Docker Buildx Bake instead of docker/build-push-action. default: "" type: string preScript: @@ -44,7 +49,7 @@ env: jobs: build-ecr-single: - if: inputs.imageTargets == '' + if: inputs.imageTargets == '' && inputs.bakeFile == '' permissions: id-token: write contents: read @@ -128,7 +133,7 @@ jobs: docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }} build-ecr-matrix: - if: inputs.imageTargets != '' + if: inputs.imageTargets != '' && inputs.bakeFile == '' permissions: id-token: write contents: read 
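Review bot: The new `bakeFile` description in the `@@ -14` hunk does not say that `imageTargets` is mandatory on the bake path, yet the `build-ecr-bake` job added in this file's next hunk builds its matrix from `fromJson(inputs.imageTargets)`, so a caller that sets `bakeFile` alone skips `build-ecr-single` through the new `&& inputs.bakeFile == ''` condition and then fails on `fromJson` of an empty string. Suggest `description: If provided, builds the imageTargets with Docker Buildx Bake instead of docker/build-push-action. Requires imageTargets to be a JSON array of bake target names.` and, so the failure mode is explicit rather than a matrix error, `if: inputs.bakeFile != '' && inputs.imageTargets != ''` on the bake job.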
@@ -214,3 +219,93 @@ jobs: - name: Push ${{ matrix.containerfile_targets }} image to ECR run: | docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} + + build-ecr-bake: + if: inputs.bakeFile != '' + permissions: + id-token: write + contents: read + environment: ${{ github.event.deployment.payload.env }} + runs-on: ${{ inputs.runner }} + strategy: + matrix: + bake_targets: ${{ fromJson(inputs.imageTargets) }} + steps: + - name: Checkout current git repository + uses: actions/checkout@v4 + - if: inputs.preScript != '' + name: Run script before the docker image is built + run: | + echo "Run '${{ inputs.preScript }}'" + ${{ inputs.preScript }} + env: + NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} + - if: inputs.artifactPath != '' && inputs.artifactName != '' + name: Download artifact + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.artifactName }} + path: ${{ inputs.artifactPath }} + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v3 + with: + aws-region: eu-central-1 + role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} + - name: Create ${{ matrix.bake_targets }} ECR repository if it doesn't exist + run: | + if ! aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} 2>/dev/null; then + echo "Repository ${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} does not exist, creating it..." + aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} + echo "Setting lifecycle policy..." 
+ else + echo "Repository ${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} already exists, skipping creation" + fi + + echo "Applying lifecycle policies" + LIFECYCLE_POLICY='{"rules":[ + {"rulePriority":1,"description":"Preserve preview images","selection":{"tagStatus":"tagged","tagPatternList":["preview-*"],"countType":"sinceImagePushed","countUnit":"days","countNumber":365},"action":{"type":"expire"}}, + {"rulePriority":2,"description":"Preserve production images","selection":{"tagStatus":"tagged","tagPatternList":["v*"],"countType":"imageCountMoreThan","countNumber":50},"action":{"type":"expire"}}, + {"rulePriority":3,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"sinceImagePushed","countUnit":"days","countNumber":7},"action":{"type":"expire"}} + ]}' + aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} --lifecycle-policy-text "$LIFECYCLE_POLICY" + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + - name: Build ${{ matrix.bake_targets }} image with Docker Bake + env: + APP_NAME: ${{ github.event.deployment.payload.name }} + BAKE_FILE: ${{ inputs.bakeFile }} + BAKE_TARGET: ${{ matrix.bake_targets }} + ENVIRONMENT: ${{ github.event.deployment.payload.env }} + GITHUB_SHA: ${{ github.sha }} + IMAGE_REPOSITORY: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} + NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} + VERSION: ${{ inputs.version }} + run: | + set -euo pipefail + docker buildx bake \ + -f "$BAKE_FILE" \ + --push \ + --set "$BAKE_TARGET.args.APP_NAME=$APP_NAME" \ + --set "$BAKE_TARGET.args.ENVIRONMENT=$ENVIRONMENT" \ + --set "$BAKE_TARGET.args.GITHUB_SHA=$GITHUB_SHA" \ + --set "$BAKE_TARGET.args.NPM_GITHUB_TOKEN=$NPM_GITHUB_TOKEN" \ + --set "$BAKE_TARGET.args.VERSION=$VERSION" \ + --set 
"$BAKE_TARGET.cache-from=type=registry,ref=$IMAGE_REPOSITORY:cache" \ + --set "$BAKE_TARGET.cache-to=mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=$IMAGE_REPOSITORY:cache" \ + --set "$BAKE_TARGET.tags=$IMAGE_REPOSITORY:latest" \ + --set "$BAKE_TARGET.tags=$IMAGE_REPOSITORY:$VERSION" \ + --set "$BAKE_TARGET.tags=$IMAGE_REPOSITORY:$GITHUB_SHA" \ + "$BAKE_TARGET" + - name: Scan for vulnerabilities + if: inputs.enableContainerScan + uses: crazy-max/ghaction-container-scan@v4 + with: + image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }}:latest + severity: ${{ env.IMAGE_SCAN_SEVERITY }} + severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} + annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} + env: + TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 20f6481..42dc3a9 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -34,7 +34,12 @@ on: type: string imageTargets: required: false - description: If provided, sets targets for as many image builds as targets specified + description: If provided, sets targets for as many image builds as targets specified. When bakeFile is provided, these are Docker Buildx Bake targets. + default: "" + type: string + bakeFile: + required: false + description: If provided, builds the imageTargets with Docker Buildx Bake instead of docker/build-push-action. default: "" type: string preScript: @@ -166,6 +171,7 @@ jobs: with: artifactName: ${{ inputs.artifactName }} artifactPath: ${{ inputs.artifactPath }} + bakeFile: ${{ inputs.bakeFile }} imageTargets: ${{ inputs.imageTargets }} preScript: ${{ inputs.preScript }} enableContainerScan: ${{ inputs.enableContainerScan }} From c471b1e2511f3be818b89b0e19f0777121eba27e Mon Sep 17 00:00:00 2001 
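Review bot: The `Scan for vulnerabilities` step in this hunk runs after `docker buildx bake --push` has already published the image, so unlike `build-ecr-single` and `build-ecr-matrix`, where the scan sits between the `load: true` build and the `docker push -a` step, a failing scan no longer keeps the image out of ECR. To preserve the gate, replace `--push` with `--load` and add a push step after the scan mirroring the other jobs (`docker push -a "$IMAGE_REPOSITORY"` with the same `env:`), or make it clear in the step name that the scan is informational on this path. Separately, `--set "$BAKE_TARGET.args.NPM_GITHUB_TOKEN=$NPM_GITHUB_TOKEN"` passes the token as a build arg, which lands in the image config/history of any stage that declares it as `ARG` and in the `mode=max` cache pushed to the registry; this mirrors the `build-args` of the other jobs, so it may be a deliberate carry-over, but bake's `secrets` attribute together with `RUN --mount=type=secret` in the Containerfile would keep it out of the pushed layers.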
From: Stefan Gersmann Date: Mon, 27 Apr 2026 21:40:39 +0200 Subject: [PATCH 02/10] chore: add deployment workflow validation fallbacks --- .github/workflows/build-image.yaml | 112 +++++++++++++++++------------ .github/workflows/kubernetes.yaml | 89 +++++++++++++++++------ 2 files changed, 134 insertions(+), 67 deletions(-) diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 540fc77..25048ef 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -40,6 +40,26 @@ on: version: required: true type: string + appName: + required: false + description: Application name fallback for non-deployment validation runs + default: "" + type: string + env: + required: false + description: Environment fallback for non-deployment validation runs + default: test + type: string + containerContext: + required: false + description: Container context fallback for non-deployment validation runs + default: . + type: string + containerFile: + required: false + description: Container file fallback for non-deployment validation runs + default: Containerfile + type: string env: IMAGE_SCAN_SEVERITY: LOW @@ -53,7 +73,7 @@ jobs: permissions: id-token: write contents: read - environment: ${{ github.event.deployment.payload.env }} + environment: ${{ github.event.deployment.payload.env || inputs.env }} runs-on: ${{ inputs.runner }} steps: - name: Checkout current git repository 
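Review bot: `appName` defaults to `""`, so a run with no deployment event and no explicit `appName` reaches the ECR steps of `build-ecr-single` with `${{ github.event.deployment.payload.name || inputs.appName }}` expanding to nothing, and the `describe-repositories` / `create-repository` calls then fail on a missing argument with an error that does not point at the input. kubernetes.yaml already has a `Check if 'env' input is provided` step for exactly this kind of input; suggest an equivalent early step here: `- name: Check that an application name is available`, `env: { APP_NAME: "${{ github.event.deployment.payload.name || inputs.appName }}" }`, `run: '[ -n "$APP_NAME" ] || { echo "ERROR: appName is empty"; exit 1; }'`. The same applies to the `appName` input added to kubernetes.yaml in this commit's `@@ -102` hunk, which also feeds `package-name` of the clean-up step.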
@@ -80,12 +100,12 @@ jobs: role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} - name: Create ECR repository if it doesn't exist run: | - if ! aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }} 2>/dev/null; then - echo "Repository ${{ github.event.deployment.payload.name }} does not exist, creating it..." - aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }} + if ! aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name || inputs.appName }} 2>/dev/null; then + echo "Repository ${{ github.event.deployment.payload.name || inputs.appName }} does not exist, creating it..." + aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name || inputs.appName }} echo "Setting lifecycle policy..." else - echo "Repository ${{ github.event.deployment.payload.name }} already exists, skipping creation" + echo "Repository ${{ github.event.deployment.payload.name || inputs.appName }} already exists, skipping creation" fi echo "Applying lifecycle policies" @@ -94,7 +114,7 @@ jobs: {"rulePriority":2,"description":"Preserve production images","selection":{"tagStatus":"tagged","tagPatternList":["v*"],"countType":"imageCountMoreThan","countNumber":50},"action":{"type":"expire"}}, {"rulePriority":3,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"sinceImagePushed","countUnit":"days","countNumber":7},"action":{"type":"expire"}} ]}' - aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }} --lifecycle-policy-text "$LIFECYCLE_POLICY" + aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name || inputs.appName }} --lifecycle-policy-text "$LIFECYCLE_POLICY" - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v2 
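Review bot: `inputs.appName` is now spliced unquoted into the `run:` script of the `Create ECR repository` step through `${{ github.event.deployment.payload.name || inputs.appName }}` in four places, so shell metacharacters in a caller-supplied name are executed rather than treated as data; the previous payload-only form had the same shape, but widening the source to workflow inputs is the moment to fix the pattern. Put the value in the step's `env:` (`APP_NAME: ${{ github.event.deployment.payload.name || inputs.appName }}`) and reference `"$APP_NAME"` in the script, which is how the bake build step in this file already handles its values. The same applies to the matrix-job hunks at `@@ -167`/`@@ -181`, the bake-job hunks at `@@ -255`/`@@ -269`, and `DEPLOY_ENV="${{ ... }}"` in kubernetes.yaml's `@@ -129` hunk. This step's `run:` block continues into the next hunk.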
@@ -104,24 +124,24 @@ jobs: build-args: | GITHUB_SHA=${{ github.sha }} VERSION=${{ inputs.version }} - APP_NAME=${{ github.event.deployment.payload.name }} - ENVIRONMENT=${{ github.event.deployment.payload.env }} + APP_NAME=${{ github.event.deployment.payload.name || inputs.appName }} + ENVIRONMENT=${{ github.event.deployment.payload.env || inputs.env }} NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} - cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:cache - cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:cache - context: ${{ github.event.deployment.payload.container.context }} + cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}:cache + cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}:cache + context: ${{ github.event.deployment.payload.container.context || inputs.containerContext }} load: true - file: ${{ github.event.deployment.payload.container.file }} + file: ${{ github.event.deployment.payload.container.file || inputs.containerFile }} platforms: linux/amd64 tags: | - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ inputs.version }} - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ github.sha }} + ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}:latest + ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}:${{ inputs.version }} + ${{ steps.login-ecr.outputs.registry }}/${{ 
github.event.deployment.payload.name || inputs.appName }}:${{ github.sha }} - name: Scan for vulnerabilities if: inputs.enableContainerScan uses: crazy-max/ghaction-container-scan@v4 with: - image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest + image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}:latest dockerfile: Containerfile severity: ${{ env.IMAGE_SCAN_SEVERITY }} severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} @@ -130,14 +150,14 @@ jobs: TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} - name: Push image to ECR run: | - docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }} + docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }} build-ecr-matrix: if: inputs.imageTargets != '' && inputs.bakeFile == '' permissions: id-token: write contents: read - environment: ${{ github.event.deployment.payload.env }} + environment: ${{ github.event.deployment.payload.env || inputs.env }} runs-on: ${{ inputs.runner }} strategy: matrix: 
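Review bot: The scan step in this hunk still hard-codes `dockerfile: Containerfile` while the build's `file:` now falls back to `inputs.containerFile`, so a caller that passes a different container file gets it built but presumably mis-attributed by the scanner's annotations (how crazy-max/ghaction-container-scan uses that input is not visible here). Suggest `dockerfile: ${{ github.event.deployment.payload.container.file || inputs.containerFile }}` here and in the matching scan step of the `@@ -191` matrix hunk. The build step's `with:` block starts above this hunk.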
@@ -167,12 +187,12 @@ jobs: role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} - name: Create ${{ matrix.containerfile_targets }} ECR repository if it doesn't exist run: | - if ! aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} 2>/dev/null; then - echo "Repository ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} does not exist, creating it..." - aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} + if ! aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.containerfile_targets }} 2>/dev/null; then + echo "Repository ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.containerfile_targets }} does not exist, creating it..." + aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.containerfile_targets }} echo "Setting lifecycle policy..." else - echo "Repository ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} already exists, skipping creation" + echo "Repository ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.containerfile_targets }} already exists, skipping creation" fi echo "Applying lifecycle policies" 
@@ -181,7 +201,7 @@ jobs: {"rulePriority":2,"description":"Preserve production images","selection":{"tagStatus":"tagged","tagPatternList":["v*"],"countType":"imageCountMoreThan","countNumber":50},"action":{"type":"expire"}}, {"rulePriority":3,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"sinceImagePushed","countUnit":"days","countNumber":7},"action":{"type":"expire"}} ]}' - aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} --lifecycle-policy-text "$LIFECYCLE_POLICY" + aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.containerfile_targets }} --lifecycle-policy-text "$LIFECYCLE_POLICY" - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v2 
@@ -191,25 +211,25 @@ jobs: build-args: | GITHUB_SHA=${{ github.sha }} VERSION=${{ inputs.version }} - APP_NAME=${{ github.event.deployment.payload.name }} - ENVIRONMENT=${{ github.event.deployment.payload.env }} + APP_NAME=${{ github.event.deployment.payload.name || inputs.appName }} + ENVIRONMENT=${{ github.event.deployment.payload.env || inputs.env }} NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }} - cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:cache - cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:cache - context: ${{ github.event.deployment.payload.container.context }} + cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}:cache + cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}:cache + context: ${{ github.event.deployment.payload.container.context || inputs.containerContext }} load: true - file: ${{ github.event.deployment.payload.container.file }} + file: ${{ github.event.deployment.payload.container.file || inputs.containerFile }} platforms: linux/amd64 tags: | - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ inputs.version }} - ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }} + ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.containerfile_targets }}:latest + ${{ steps.login-ecr.outputs.registry }}/${{ 
github.event.deployment.payload.name || inputs.appName }}-${{ matrix.containerfile_targets }}:${{ inputs.version }} + ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.containerfile_targets }}:${{ github.sha }} target: ${{ matrix.containerfile_targets }} - name: Scan for vulnerabilities if: inputs.enableContainerScan uses: crazy-max/ghaction-container-scan@v4 with: - image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest + image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.containerfile_targets }}:latest dockerfile: Containerfile severity: ${{ env.IMAGE_SCAN_SEVERITY }} severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} @@ -218,14 +238,14 @@ jobs: TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} - name: Push ${{ matrix.containerfile_targets }} image to ECR run: | - docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} + docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.containerfile_targets }} build-ecr-bake: if: inputs.bakeFile != '' permissions: id-token: write contents: read - environment: ${{ github.event.deployment.payload.env }} + environment: ${{ github.event.deployment.payload.env || inputs.env }} runs-on: ${{ inputs.runner }} strategy: matrix: 
@@ -255,12 +275,12 @@ jobs: role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} - name: Create ${{ matrix.bake_targets }} ECR repository if it doesn't exist run: | - if ! aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} 2>/dev/null; then - echo "Repository ${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} does not exist, creating it..." - aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} + if ! aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} 2>/dev/null; then + echo "Repository ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} does not exist, creating it..." + aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} echo "Setting lifecycle policy..." else - echo "Repository ${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} already exists, skipping creation" + echo "Repository ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} already exists, skipping creation" fi echo "Applying lifecycle policies" 
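Review bot: `matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets` means `imageTargets` entries may now be objects, but nothing in the workflow documents the `target`/`imageTarget` keys, and the next hunk's `BAKE_TARGET: ${{ matrix.bake_targets.target || matrix.bake_targets }}` falls back to the whole object when only `imageTarget` is given, which presumably renders as a value bake cannot resolve. Suggest extending the `imageTargets` description (outside this hunk) with `Each entry is either a bake target name or an object with "target" (bake target, required) and optional "imageTarget" (ECR repository suffix, defaults to target).` The same expression is repeated in the `@@ -269` and `@@ -303` hunks; a step-level `env:` variable would keep the copies in sync.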
@@ -269,18 +289,18 @@ jobs: {"rulePriority":2,"description":"Preserve production images","selection":{"tagStatus":"tagged","tagPatternList":["v*"],"countType":"imageCountMoreThan","countNumber":50},"action":{"type":"expire"}}, {"rulePriority":3,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"sinceImagePushed","countUnit":"days","countNumber":7},"action":{"type":"expire"}} ]}' - aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} --lifecycle-policy-text "$LIFECYCLE_POLICY" + aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} --lifecycle-policy-text "$LIFECYCLE_POLICY" - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v2 - - name: Build ${{ matrix.bake_targets }} image with Docker Bake + - name: Build ${{ matrix.bake_targets.target || matrix.bake_targets }} image with Docker Bake env: - APP_NAME: ${{ github.event.deployment.payload.name }} + APP_NAME: ${{ github.event.deployment.payload.name || inputs.appName }} BAKE_FILE: ${{ inputs.bakeFile }} - BAKE_TARGET: ${{ matrix.bake_targets }} - ENVIRONMENT: ${{ github.event.deployment.payload.env }} + BAKE_TARGET: ${{ matrix.bake_targets.target || matrix.bake_targets }} + ENVIRONMENT: ${{ github.event.deployment.payload.env || inputs.env }} GITHUB_SHA: ${{ github.sha }} - IMAGE_REPOSITORY: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }} + IMAGE_REPOSITORY: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} VERSION: ${{ inputs.version }} run: | 
@@ -303,7 +323,7 @@ jobs: if: inputs.enableContainerScan uses: crazy-max/ghaction-container-scan@v4 with: - image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.bake_targets }}:latest + image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }}:latest severity: ${{ env.IMAGE_SCAN_SEVERITY }} severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 42dc3a9..31ba52d 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml 
@@ -102,6 +102,46 @@ on: description: The relative file path to the folder that holds the application Kubernetes values default: values.yaml type: string + appName: + required: false + description: Application name fallback for non-deployment validation runs + default: "" + type: string + env: + required: false + description: Environment fallback for non-deployment validation runs + default: test + type: string + ref: + required: false + description: Git ref fallback for non-deployment validation runs + default: "" + type: string + sha: + required: false + description: Git SHA fallback for non-deployment validation runs + default: "" + type: string + versionKey: + required: false + description: Values key fallback for non-deployment validation runs + default: "" + type: string + pushToEnvTag: + required: false + description: Whether to push the env tag in the GitOps commit step + default: false + type: boolean + containerContext: + required: false + description: Container context fallback for non-deployment validation runs + default: . + type: string + containerFile: + required: false + description: Container file fallback for non-deployment validation runs + default: Containerfile + type: string secrets: npmGithubReadToken: required: true @@ -121,7 +161,7 @@ on: jobs: initialize: - environment: ${{ github.event.deployment.payload.env }} + environment: ${{ github.event.deployment.payload.env || inputs.env }} runs-on: ${{ inputs.runner }} outputs: channel-id: ${{ steps.vars.outputs.channel-id }} 
@@ -129,22 +169,24 @@ jobs: steps: - name: Check if 'env' input is provided run: | - if [ -z "${{ github.event.deployment.payload.env }}" ]; then + DEPLOY_ENV="${{ github.event.deployment.payload.env || inputs.env }}" + if [ -z "$DEPLOY_ENV" ]; then echo "ERROR: 'env' input is missing or empty!" exit 1 fi - name: Load deployment variables id: vars run: | - REF="${{ github.event.deployment.ref }}" - SHA="${{ github.event.deployment.sha }}" - if [[ "${{ github.event.deployment.payload.env }}" == 'prod' ]] + REF="${{ github.event.deployment.ref || inputs.ref }}" + SHA="${{ github.event.deployment.sha || inputs.sha || github.sha }}" + DEPLOY_ENV="${{ github.event.deployment.payload.env || inputs.env }}" + if [[ "$DEPLOY_ENV" == 'prod' ]] then # shellcheck disable=SC2086 echo "version=${REF##*/}" >> $GITHUB_OUTPUT # shellcheck disable=SC2086 echo "channel-id=${{ inputs.slackChannelProd }}" >> $GITHUB_OUTPUT - elif [[ "${{ github.event.deployment.payload.env }}" == 'test' ]] + elif [[ "$DEPLOY_ENV" == 'test' ]] then # shellcheck disable=SC2086 echo "version=${SHA:0:7}" >> $GITHUB_OUTPUT @@ -156,7 +198,8 @@ jobs: # shellcheck disable=SC2086 echo "channel-id=${{ inputs.slackChannelStaging }}" >> $GITHUB_OUTPUT fi - - name: Start ${{ github.event.deployment.payload.name }} deployment + - name: Start ${{ github.event.deployment.payload.name || inputs.appName }} deployment + if: github.event_name == 'deployment' uses: chrnorm/deployment-status@v2 with: deployment-id: ${{ github.event.deployment.id }} @@ -167,7 +210,7 @@ jobs: build: needs: [initialize] - uses: parcelLab/ci/.github/workflows/build-image.yaml@v8 + uses: parcelLab/ci/.github/workflows/build-image.yaml@chore/bake-build-support/sg with: artifactName: ${{ inputs.artifactName }} artifactPath: ${{ inputs.artifactPath }} 
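Review bot: The `Check if 'env' input is provided` step in this hunk can no longer fail, because `inputs.env` defaults to `test`, so `${{ github.event.deployment.payload.env || inputs.env }}` is non-empty unless a caller passes an explicit empty string; either remove the `test` default so the check keeps its meaning, or drop the step. In `Load deployment variables`, a `prod` run with the new `inputs.ref` default `""` and no deployment event sets `version=` to an empty string, which the commit job then writes into values.yaml; add `if [[ "$DEPLOY_ENV" == 'prod' && -z "$REF" ]]; then echo "ERROR: ref is required for prod"; exit 1; fi` before the branch. That step's `run:` block continues beyond this hunk.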
@@ -177,11 +220,15 @@ jobs: enableContainerScan: ${{ inputs.enableContainerScan }} runner: ${{ inputs.runner }} version: ${{ needs.initialize.outputs.version }} + appName: ${{ github.event.deployment.payload.name || inputs.appName }} + env: ${{ github.event.deployment.payload.env || inputs.env }} + containerContext: ${{ github.event.deployment.payload.container.context || inputs.containerContext }} + containerFile: ${{ github.event.deployment.payload.container.file || inputs.containerFile }} secrets: inherit commit: needs: [initialize, build] - environment: ${{ github.event.deployment.payload.env }} + environment: ${{ github.event.deployment.payload.env || inputs.env }} concurrency: commit-${{ inputs.deploymentRepoURL }}-${{ github.sha }} runs-on: ${{ inputs.runner }} steps: @@ -192,10 +239,10 @@ jobs: path: remote token: ${{ secrets.repoAccessToken }} ref: main - - name: Deploy ${{ github.sha }} to ${{ github.event.deployment.environment }} values + - name: Deploy ${{ github.sha }} to ${{ github.event.deployment.environment || inputs.env }} values uses: mikefarah/yq@v4.52.5 with: - cmd: yq '(.${{ github.event.deployment.payload.kubernetes.versionKey }} = "${{ needs.initialize.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/values.yaml + cmd: yq '(.${{ github.event.deployment.payload.kubernetes.versionKey || inputs.versionKey }} = "${{ needs.initialize.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/values.yaml - name: Commit and push new image tag run: | set -euxo pipefail 
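Review bot: With `inputs.versionKey` defaulting to `""`, a non-deployment run turns the yq command in the `@@ -192` hunk into `yq '(. = "<version>")' -i remote/.../values.yaml`, which replaces the entire values file with a scalar, and the `Commit and push new image tag` step below then pushes that to the GitOps repository. Add a guard step before it, `env: { VERSION_KEY: "${{ github.event.deployment.payload.kubernetes.versionKey || inputs.versionKey }}" }` with `run: '[ -n "$VERSION_KEY" ] || { echo "ERROR: versionKey is empty"; exit 1; }'`. If these fallbacks are meant only for validation runs, the `commit` job itself could carry `if: github.event_name == 'deployment'` so a validation call can never modify the deployment repository; the status steps later in this file already use that condition.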
@@ -215,11 +262,11 @@ jobs: env: GIT_USER_EMAIL: dev.bot@parcellab.com GIT_USER_NAME: parcellab-dev-bot - ENV: ${{ github.event.deployment.payload.env }} + ENV: ${{ github.event.deployment.payload.env || inputs.env }} VERSION: ${{ needs.initialize.outputs.version }} - PUSH_TO_ENV_TAG: ${{ github.event.deployment.payload.pushToEnvTag }} - - if: success() - name: Successful ${{ github.event.deployment.payload.name }} deployment + PUSH_TO_ENV_TAG: ${{ github.event.deployment.payload.pushToEnvTag || inputs.pushToEnvTag }} + - if: success() && github.event_name == 'deployment' + name: Successful ${{ github.event.deployment.payload.name || inputs.appName }} deployment uses: chrnorm/deployment-status@v2 with: deployment-id: ${{ github.event.deployment.id }} @@ -227,8 +274,8 @@ jobs: environment: ${{ github.event.deployment.payload.env }} state: "success" token: ${{ github.token }} - - if: failure() - name: Failed ${{ github.event.deployment.payload.name }} deployment + - if: failure() && github.event_name == 'deployment' + name: Failed ${{ github.event.deployment.payload.name || inputs.appName }} deployment uses: chrnorm/deployment-status@v2 with: deployment-id: ${{ github.event.deployment.id }} @@ -236,8 +283,8 @@ jobs: environment: ${{ github.event.deployment.payload.env }} state: "failure" token: ${{ github.token }} - - if: success() && needs.initialize.outputs.channel-id != '' - name: Notify ${{ github.event.deployment.payload.name }} deployment success + - if: success() && github.event_name == 'deployment' && needs.initialize.outputs.channel-id != '' + name: Notify ${{ github.event.deployment.payload.name || inputs.appName }} deployment success continue-on-error: true uses: darioblanco/slack-deployment@main env: 
@@ -264,14 +311,14 @@ jobs: SENTRY_PROJECT: ${{ inputs.sentryProject }} SENTRY_URL: ${{ inputs.sentryUrl }} with: - environment: ${{ inputs.sentryEnvironment != '' && inputs.sentryEnvironment || github.event.deployment.payload.env }} + environment: ${{ inputs.sentryEnvironment != '' && inputs.sentryEnvironment || github.event.deployment.payload.env || inputs.env }} set_commits: skip version: ${{ needs.initialize.outputs.version }} continue-on-error: true - name: Clean up images uses: actions/delete-package-versions@v5 with: - package-name: ${{ github.event.deployment.payload.name }} + package-name: ${{ github.event.deployment.payload.name || inputs.appName }} package-type: container min-versions-to-keep: "500" token: ${{ secrets.repoAccessToken }} From 4bcf4b3185b844b0849206570b90dc06a3abef1b Mon Sep 17 00:00:00 2001 From: Stefan Gersmann Date: Mon, 27 Apr 2026 21:44:52 +0200 Subject: [PATCH 03/10] chore: declare nested build workflow secrets --- .github/workflows/build-image.yaml | 7 +++++++ .github/workflows/kubernetes.yaml | 4 +++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 25048ef..3fbe5b5 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -60,6 +60,13 @@ on: description: Container file fallback for non-deployment validation runs default: Containerfile type: string + secrets: + npmGithubReadToken: + required: true + description: The Github token with permissions to read NPM private packages + AWS_ROLE_TO_ASSUME: + required: true + description: AWS OIDC role for GitHub to assume env: IMAGE_SCAN_SEVERITY: LOW diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index 31ba52d..929152a 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml 
@@ -224,7 +224,9 @@ jobs:
 env: ${{ github.event.deployment.payload.env || inputs.env }}
 containerContext: ${{ github.event.deployment.payload.container.context || inputs.containerContext }}
 containerFile: ${{ github.event.deployment.payload.container.file || inputs.containerFile }}
- secrets: inherit
+ secrets:
+ npmGithubReadToken: ${{ secrets.npmGithubReadToken }}
+ AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 commit:
 needs: [initialize, build]
From 9dcf996aa1defa041ae5b3fc6a4b9a2283d165ec Mon Sep 17 00:00:00 2001
From: Stefan Gersmann
Date: Mon, 27 Apr 2026 21:45:47 +0200
Subject: [PATCH 04/10] chore: pin nested build workflow for validation
---
 .github/workflows/kubernetes.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 929152a..2b247de 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -210,7 +210,7 @@ jobs:
 build:
 needs: [initialize]
- uses: parcelLab/ci/.github/workflows/build-image.yaml@chore/bake-build-support/sg
+ uses: parcelLab/ci/.github/workflows/build-image.yaml@4bcf4b3185b844b0849206570b90dc06a3abef1b
 with:
 artifactName: ${{ inputs.artifactName }}
 artifactPath: ${{ inputs.artifactPath }}
From d26de74a09dc7a73dbacd61e2677987b584167c7 Mon Sep 17 00:00:00 2001
From: Stefan Gersmann
Date: Mon, 27 Apr 2026 21:46:17 +0200
Subject: [PATCH 05/10] chore: allow validation without required reusable secrets
---
 .github/workflows/build-image.yaml | 4 ++--
 .github/workflows/kubernetes.yaml | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 3fbe5b5..32b18fc 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -62,10 +62,10 @@ on:
 type: string
 secrets:
 npmGithubReadToken:
- required: true
+ required: false
 description: The Github token with permissions to read NPM private packages
 AWS_ROLE_TO_ASSUME:
- required: true
+ required: false
 description: AWS OIDC role for GitHub to assume
 env:
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 2b247de..2d365d8 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -144,10 +144,10 @@ on:
 type: string
 secrets:
 npmGithubReadToken:
- required: true
+ required: false
 description: The Github token with permissions to read NPM private packages
 repoAccessToken:
- required: true
+ required: false
 description: The Github token to perform operations cross-repo (not github.token!)
 slackBotToken:
 required: false
@@ -156,7 +156,7 @@ on:
 required: false
 description: Authentication token for Sentry
 AWS_ROLE_TO_ASSUME:
- required: true
+ required: false
 description: AWS OIDC role for GitHub to assume
 jobs:
From 76aa435b547e22c03cf3d33c440bb81ee95a85ee Mon Sep 17 00:00:00 2001
From: Stefan Gersmann
Date: Mon, 27 Apr 2026 21:46:29 +0200
Subject: [PATCH 06/10] chore: pin optional-secret build workflow for validation
---
 .github/workflows/kubernetes.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 2d365d8..ea2210e 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -210,7 +210,7 @@ jobs:
 build:
 needs: [initialize]
- uses: parcelLab/ci/.github/workflows/build-image.yaml@4bcf4b3185b844b0849206570b90dc06a3abef1b
+ uses: parcelLab/ci/.github/workflows/build-image.yaml@d26de74a09dc7a73dbacd61e2677987b584167c7
 with:
 artifactName: ${{ inputs.artifactName }}
 artifactPath: ${{ inputs.artifactPath }}
From ac31230f866628762809412e5de956a7ac5c9515 Mon Sep 17 00:00:00 2001
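Review bot: Flipping `npmGithubReadToken` and `AWS_ROLE_TO_ASSUME` to `required: false` in build-image.yaml removes the only check that a caller actually passes them, so a call that omits them now reaches `aws-actions/configure-aws-credentials` with an empty `role-to-assume` and hands an empty `NPM_GITHUB_TOKEN` to the build, and the failure (or, depending on that action's fallback behaviour, whichever credential source it finds on the runner) surfaces late and far from the cause. The kubernetes.yaml hunks at `@@ -144,10` and `@@ -156,7` on this line have the same issue, including `repoAccessToken`, which the 'Clean up images' step uses with no visible guard. Since the loosening only exists so the pinned workflow validates, a fail-fast step in the jobs that need the values keeps the contract explicit, e.g. `env: { ROLE: "${{ secrets.AWS_ROLE_TO_ASSUME }}" }` with `run: test -n "$ROLE" || { echo "AWS_ROLE_TO_ASSUME secret is required for this job"; exit 1; }`. Each affected `description:` should also say the secret is optional only for validation runs and required whenever the build or cleanup jobs actually execute.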
From: Stefan Gersmann
Date: Mon, 27 Apr 2026 21:54:35 +0200
Subject: [PATCH 07/10] fix: run docker bake targets in one job
---
 .github/workflows/build-image.yaml | 96 +++++++++++++++---------------
 1 file changed, 49 insertions(+), 47 deletions(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 32b18fc..9cb151d 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -254,9 +254,6 @@ jobs:
 contents: read
 environment: ${{ github.event.deployment.payload.env || inputs.env }}
 runs-on: ${{ inputs.runner }}
- strategy:
- matrix:
- bake_targets: ${{ fromJson(inputs.imageTargets) }}
 steps:
 - name: Checkout current git repository
 uses: actions/checkout@v4
@@ -280,59 +277,64 @@ jobs: with: aws-region: eu-central-1 role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} - - name: Create ${{ matrix.bake_targets }} ECR repository if it doesn't exist - run: | - if ! aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} 2>/dev/null; then - echo "Repository ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} does not exist, creating it..." - aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} - echo "Setting lifecycle policy..." - else - echo "Repository ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} already exists, skipping creation" - fi - - echo "Applying lifecycle policies" - LIFECYCLE_POLICY='{"rules":[ - {"rulePriority":1,"description":"Preserve preview images","selection":{"tagStatus":"tagged","tagPatternList":["preview-*"],"countType":"sinceImagePushed","countUnit":"days","countNumber":365},"action":{"type":"expire"}}, - {"rulePriority":2,"description":"Preserve production images","selection":{"tagStatus":"tagged","tagPatternList":["v*"],"countType":"imageCountMoreThan","countNumber":50},"action":{"type":"expire"}}, - {"rulePriority":3,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"sinceImagePushed","countUnit":"days","countNumber":7},"action":{"type":"expire"}} - ]}' - aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} 
--lifecycle-policy-text "$LIFECYCLE_POLICY" - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v2 - - name: Build ${{ matrix.bake_targets.target || matrix.bake_targets }} image with Docker Bake + - name: Build images with Docker Bake env: APP_NAME: ${{ github.event.deployment.payload.name || inputs.appName }} BAKE_FILE: ${{ inputs.bakeFile }} - BAKE_TARGET: ${{ matrix.bake_targets.target || matrix.bake_targets }} ENVIRONMENT: ${{ github.event.deployment.payload.env || inputs.env }} GITHUB_SHA: ${{ github.sha }} - IMAGE_REPOSITORY: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets }} + IMAGE_TARGETS: ${{ inputs.imageTargets }} + REGISTRY: ${{ steps.login-ecr.outputs.registry }} NPM_GITHUB_TOKEN: ${{ secrets.npmGithubReadToken }} VERSION: ${{ inputs.version }} run: | set -euo pipefail - docker buildx bake \ - -f "$BAKE_FILE" \ - --push \ - --set "$BAKE_TARGET.args.APP_NAME=$APP_NAME" \ - --set "$BAKE_TARGET.args.ENVIRONMENT=$ENVIRONMENT" \ - --set "$BAKE_TARGET.args.GITHUB_SHA=$GITHUB_SHA" \ - --set "$BAKE_TARGET.args.NPM_GITHUB_TOKEN=$NPM_GITHUB_TOKEN" \ - --set "$BAKE_TARGET.args.VERSION=$VERSION" \ - --set "$BAKE_TARGET.cache-from=type=registry,ref=$IMAGE_REPOSITORY:cache" \ - --set "$BAKE_TARGET.cache-to=mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=$IMAGE_REPOSITORY:cache" \ - --set "$BAKE_TARGET.tags=$IMAGE_REPOSITORY:latest" \ - --set "$BAKE_TARGET.tags=$IMAGE_REPOSITORY:$VERSION" \ - --set "$BAKE_TARGET.tags=$IMAGE_REPOSITORY:$GITHUB_SHA" \ - "$BAKE_TARGET" - - name: Scan for vulnerabilities - if: inputs.enableContainerScan - uses: crazy-max/ghaction-container-scan@v4 - with: - image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name || inputs.appName }}-${{ matrix.bake_targets.imageTarget || matrix.bake_targets.target || matrix.bake_targets 
}}:latest - severity: ${{ env.IMAGE_SCAN_SEVERITY }} - severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }} - annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }} - env: - TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }} + if [ -z "$IMAGE_TARGETS" ]; then + echo "ERROR: imageTargets is required when bakeFile is provided" + exit 1 + fi + + LIFECYCLE_POLICY='{"rules":[ + {"rulePriority":1,"description":"Preserve preview images","selection":{"tagStatus":"tagged","tagPatternList":["preview-*"],"countType":"sinceImagePushed","countUnit":"days","countNumber":365},"action":{"type":"expire"}}, + {"rulePriority":2,"description":"Preserve production images","selection":{"tagStatus":"tagged","tagPatternList":["v*"],"countType":"imageCountMoreThan","countNumber":50},"action":{"type":"expire"}}, + {"rulePriority":3,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"sinceImagePushed","countUnit":"days","countNumber":7},"action":{"type":"expire"}} + ]}' + + mapfile -t TARGET_CONFIGS < <(jq -c '.[]' <<< "$IMAGE_TARGETS") + BAKE_ARGS=(-f "$BAKE_FILE" --push) + BAKE_TARGETS=() + + for target_config in "${TARGET_CONFIGS[@]}"; do + bake_target=$(jq -r 'if type == "object" then .target else . end' <<< "$target_config") + image_target=$(jq -r 'if type == "object" then (.imageTarget // .target) else . end' <<< "$target_config") + image_repository="$REGISTRY/$APP_NAME-$image_target" + + if ! aws ecr describe-repositories --repository-names "$APP_NAME-$image_target" 2>/dev/null; then + echo "Repository $APP_NAME-$image_target does not exist, creating it..." 
+ aws ecr create-repository --repository-name "$APP_NAME-$image_target" + else + echo "Repository $APP_NAME-$image_target already exists, skipping creation" + fi + + echo "Applying lifecycle policy for $APP_NAME-$image_target" + aws ecr put-lifecycle-policy --repository-name "$APP_NAME-$image_target" --lifecycle-policy-text "$LIFECYCLE_POLICY" + + BAKE_ARGS+=( + --set "$bake_target.args.APP_NAME=$APP_NAME" + --set "$bake_target.args.ENVIRONMENT=$ENVIRONMENT" + --set "$bake_target.args.GITHUB_SHA=$GITHUB_SHA" + --set "$bake_target.args.NPM_GITHUB_TOKEN=$NPM_GITHUB_TOKEN" + --set "$bake_target.args.VERSION=$VERSION" + --set "$bake_target.cache-from=type=registry,ref=$image_repository:cache" + --set "$bake_target.cache-to=mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=$image_repository:cache" + --set "$bake_target.tags=$image_repository:latest" + --set "$bake_target.tags=$image_repository:$VERSION" + --set "$bake_target.tags=$image_repository:$GITHUB_SHA" + ) + BAKE_TARGETS+=("$bake_target") + done + + docker buildx bake "${BAKE_ARGS[@]}" "${BAKE_TARGETS[@]}" From 0d384a0ad33782aba90d2d2ac3ee7d09b612fb20 Mon Sep 17 00:00:00 2001 From: Stefan Gersmann Date: Mon, 27 Apr 2026 21:54:44 +0200 Subject: [PATCH 08/10] chore: pin single-job bake workflow for validation --- .github/workflows/kubernetes.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml index ea2210e..f9da52f 100644 --- a/.github/workflows/kubernetes.yaml +++ b/.github/workflows/kubernetes.yaml @@ -210,7 +210,7 @@ jobs: build: needs: [initialize] - uses: parcelLab/ci/.github/workflows/build-image.yaml@d26de74a09dc7a73dbacd61e2677987b584167c7 + uses: parcelLab/ci/.github/workflows/build-image.yaml@ac31230f866628762809412e5de956a7ac5c9515 with: artifactName: ${{ inputs.artifactName }} artifactPath: ${{ inputs.artifactPath }} From 4b6ef60d89b4c14873364c74da8fa2df04c96def Mon Sep 17 00:00:00 2001 
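Review bot: `--set "$bake_target.args.NPM_GITHUB_TOKEN=$NPM_GITHUB_TOKEN"` passes the npm read token as a build argument, and build args are not a secret channel: BuildKit records the value in the image config history of every layer whose `RUN` consumes it, so anyone able to pull the pushed image can read the token with `docker history`. The matrix version being removed had the same exposure, but the single-job rewrite is the moment to switch to a BuildKit secret — `--set "$bake_target.secrets=id=NPM_GITHUB_TOKEN,env=NPM_GITHUB_TOKEN"` in place of the `args` line, consumed in the Containerfile with `RUN --mount=type=secret,id=NPM_GITHUB_TOKEN` (confirm the exact override value syntax against the buildx version on the runner). Separately, a malformed or non-array `IMAGE_TARGETS` is not caught: a `jq` failure inside the process substitution feeding `mapfile` is invisible to `set -e`, `TARGET_CONFIGS` stays empty, and `docker buildx bake "${BAKE_ARGS[@]}"` then runs with no explicit target and none of the `--set` tags, building and pushing whatever the bake file's default group names. A guard after the existing empty-string check, `jq -e 'type == "array" and length > 0' <<< "$IMAGE_TARGETS" >/dev/null || { echo "ERROR: imageTargets must be a non-empty JSON array"; exit 1; }`, fails fast instead. The `describe-repositories ... 2>/dev/null` test also treats permission or network errors as "repository does not exist", which then surfaces as a confusing `create-repository` failure; a comment on that line stating the assumption, or checking the command's output rather than discarding stderr, would help the next person debugging it.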
From: andibeuge <97287249+andibeuge@users.noreply.github.com>
Date: Tue, 28 Apr 2026 09:48:41 +0200
Subject: [PATCH 09/10] Update .github/workflows/build-image.yaml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/build-image.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 9cb151d..49e0862 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -14,7 +14,7 @@ on:
 type: string
 imageTargets:
 required: false
- description: If provided, sets targets for as many image builds as targets specified. When bakeFile is provided, these are Docker Buildx Bake targets.
+ description: If provided, must be a JSON array string of target names to build (for example, ["app","worker"]). When bakeFile is provided, these values are Docker Buildx Bake targets.
 default: ""
 type: string
 bakeFile:
From 11241275a547688a9d62bffb3591d87695ee0ee4 Mon Sep 17 00:00:00 2001
From: Stefan Gersmann
Date: Tue, 28 Apr 2026 11:13:59 +0200
Subject: [PATCH 10/10] chore: restore build workflow version tag
---
 .github/workflows/kubernetes.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index f9da52f..e3466d9 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -210,7 +210,7 @@ jobs:
 build:
 needs: [initialize]
- uses: parcelLab/ci/.github/workflows/build-image.yaml@ac31230f866628762809412e5de956a7ac5c9515
+ uses: parcelLab/ci/.github/workflows/build-image.yaml@v8
 with:
 artifactName: ${{ inputs.artifactName }}
 artifactPath: ${{ inputs.artifactPath }}
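Review bot: The new `imageTargets` description documents only a JSON array of target-name strings, but the bake job introduced in the `fix: run docker bake targets in one job` patch also accepts objects — `jq -r 'if type == "object" then .target else . end'` picks the bake target and `.imageTarget // .target` the ECR repository suffix — and that form is nowhere described. Suggest extending the description to read `If provided, must be a JSON array string. Each entry is either a target name ("app") or an object {"target":"app","imageTarget":"app-api"} where imageTarget overrides the ECR repository suffix. When bakeFile is provided the target names are Docker Buildx Bake targets.`, keeping the `: ` sequence out of the object example (or quoting the whole scalar) so the plain YAML scalar is not parsed as a mapping. The non-bake matrix job is outside this hunk, so whether the object form is also accepted there should be checked before the description claims it for both paths.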