name: Docker on: workflow_dispatch: {} push: tags: [v*] pull_request: {} schedule: # This job can take a while, and we have usage limits, so just publish develop only twice a day - cron: "0 7/12 * * *" concurrency: ${{ github.workflow }}-${{ github.ref_name }} permissions: {} jobs: buildx: name: Docker Buildx runs-on: ubuntu-24.04 environment: ${{ github.event_name != 'pull_request' && 'dockerhub' || '' }} permissions: id-token: write # needed for signing the images with GitHub OIDC Token packages: write # needed for publishing packages to GHCR env: TEST_TAG: vectorim/element-web:test steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 # needed for docker-package to be able to calculate the version persist-credentials: false - name: Install Cosign uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 if: github.event_name != 'pull_request' - name: Set up QEMU uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 with: install: true - name: Build and load id: test-build uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 with: context: . file: apps/web/Dockerfile load: true - name: Test the image env: IMAGEID: ${{ steps.test-build.outputs.imageid }} timeout-minutes: 2 run: | set -x # Make a fake module to test the image MODULE_PATH="modules/module_name/index.js" mkdir -p $(dirname $MODULE_PATH) echo 'alert("Testing");' > $MODULE_PATH # Spin up a container of the image ELEMENT_WEB_PORT=8181 CONTAINER_ID=$( docker run \ --rm \ -e "ELEMENT_WEB_PORT=$ELEMENT_WEB_PORT" \ -dp "$ELEMENT_WEB_PORT:$ELEMENT_WEB_PORT" \ -v $(pwd)/modules:/modules \ "$IMAGEID" \ ) # Run some smoke tests wget --retry-connrefused --tries=5 -q --wait=3 --spider "http://localhost:$ELEMENT_WEB_PORT/modules/module_name/index.js" MODULE_0=$(curl "http://localhost:$ELEMENT_WEB_PORT/config.json" | jq -r .modules[0]) test "$MODULE_0" = "/${MODULE_PATH}" # Check healthcheck until test "$(docker inspect -f {{.State.Health.Status}} $CONTAINER_ID)" == "healthy"; do sleep 1 done # Clean up docker stop "$CONTAINER_ID" - name: Docker meta id: meta uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6 if: github.event_name != 'pull_request' with: images: | vectorim/element-web ghcr.io/element-hq/element-web oci-push.vpn.infra.element.io/element-web tags: | type=ref,event=branch type=ref,event=tag flavor: | latest=${{ contains(github.ref_name, '-rc.') && 'false' || 'auto' }} - name: Login to Docker Hub uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 if: github.event_name != 'pull_request' with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 if: github.event_name != 'pull_request' with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Connect to Tailscale uses: tailscale/github-action@306e68a486fd2350f2bfc3b19fcd143891a4a2d8 # v4 if: github.event_name != 'pull_request' with: oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} audience: ${{ secrets.TS_AUDIENCE }} tags: tag:github-actions - name: Compute vault jwt role name id: vault-jwt-role if: github.event_name != 'pull_request' run: | echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" - name: Get team registry token id: import-secrets uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3 if: github.event_name != 'pull_request' with: url: https://vault.infra.ci.i.element.dev role: ${{ steps.vault-jwt-role.outputs.role_name }} path: service-management/github-actions jwtGithubAudience: https://vault.infra.ci.i.element.dev method: jwt secrets: | services/web-repositories/secret/data/oci.element.io username | OCI_USERNAME ; services/web-repositories/secret/data/oci.element.io password | OCI_PASSWORD ; - name: Login to oci.element.io Registry uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 if: github.event_name != 'pull_request' with: registry: oci-push.vpn.infra.element.io username: ${{ steps.import-secrets.outputs.OCI_USERNAME }} password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }} - name: Build and push id: build-and-push uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 if: github.event_name != 'pull_request' with: context: . file: apps/web/Dockerfile push: true platforms: linux/amd64,linux/arm64 tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - name: Sign the images with GitHub OIDC Token env: DIGEST: ${{ steps.build-and-push.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} if: github.event_name != 'pull_request' run: | images="" for tag in ${TAGS}; do images+="${tag}@${DIGEST} " done cosign sign --yes ${images} - name: Update repo description uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5 if: github.event_name != 'pull_request' continue-on-error: true with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} repository: vectorim/element-web