From b22b6d814b6c25ea842e1ef9ba6ad4b2e20fe741 Mon Sep 17 00:00:00 2001
From: Felipe Morato
Date: Thu, 6 Jun 2024 14:57:37 +0300
Subject: [PATCH] Publish docker images to ghcr.io
---
 .github/dependabot.yaml | 7 ++++
 .github/workflows/clean-containers.yaml | 33 ++++++++++++++++
 .github/workflows/publish.yaml | 50 +++++++++++++++++++++++++
 README.md | 2 +
 config.json | 11 ++++++
 5 files changed, 103 insertions(+)
 create mode 100644 .github/dependabot.yaml
 create mode 100644 .github/workflows/clean-containers.yaml
 create mode 100644 .github/workflows/publish.yaml
 create mode 100644 config.json
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..29c419f
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ day: "monday"
diff --git a/.github/workflows/clean-containers.yaml b/.github/workflows/clean-containers.yaml
new file mode 100644
index 0000000..451efff
--- /dev/null
+++ b/.github/workflows/clean-containers.yaml
@@ -0,0 +1,33 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: ghcr actions
+
+on:
+ schedule:
+ - cron: "21 21 * * *"
+
+jobs:
+ clean-ghcr:
+ name: Delete old unused container images
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - name: downcase REPO name
+ run: |
+ echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+ - name: Delete 'PR' containers older than a week
+ uses: snok/container-retention-policy@v2.2.1
+ with:
+ image-names: ${{ env.REGISTRY }}/${{ env.REPO }}
+ filter-tags: sha-*,sha256:*
+ skip-tags: latest
+ cut-off: A week ago UTC
+ account-type: org
+ org-name: ${{ github.repository_owner }}
+ keep-at-least: 1
+ token: ${{ secrets.GH_REPO_TOKEN }}
+ timestamp-to-use: updated_at
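Review bot: In .github/dependabot.yaml, `day: "monday"` sits under `interval: "monthly"`, but Dependabot documents `schedule.day` only for the `weekly` interval, so the key is most likely ignored or rejected here. Either drop `day` or switch to `interval: "weekly"`. A weekly check would also shorten the time the tag-pinned actions in the two new workflows can lag behind a security release.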
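Review bot: In .github/workflows/clean-containers.yaml, `image-names: ${{ env.REGISTRY }}/${{ env.REPO }}` reads `env.REGISTRY`, which this workflow never defines (the `env:` block exists only in publish.yaml), so the value renders with an empty registry part and the cleanup probably matches no package. The action's input appears to expect a package name rather than a registry path, so check the value against its documentation. The same step hands `secrets.GH_REPO_TOKEN` to a third-party action pinned by the mutable tag `@v2.2.1`; pin it to a full commit SHA, e.g. `uses: snok/container-retention-policy@<full-commit-sha> # v2.2.1`, and keep that token scoped to package deletion only. The job's `permissions: packages: write` governs `GITHUB_TOKEN`, which this step does not use, so it does not limit what the stored token can do.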
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 0000000..f1ec589
--- /dev/null
+++ b/.github/workflows/publish.yaml
@@ -0,0 +1,50 @@
+name: Build and Publish
+
+on: [push]
+
+env:
+ REGISTRY: ghcr.io
+
+jobs:
+ build-and-push-image:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: downcase REPO name
+ run: |
+ echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.REPO }}
+ tags: |
+ type=raw,value=latest,enable={{is_default_branch}}
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=sha,enable=true,priority=100,prefix=sha-,suffix=,format=short
+
+ - name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: |
+ org.opencontainers.image.source=${{ github.event.repository.clone_url }}
+ org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+ org.opencontainers.image.revision=${{ github.sha }}
diff --git a/README.md b/README.md
index e53d082..dd860dd 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,8 @@ The app contacts `url_oidc` on startup and retrieves the `authorization_endpoint
 uvicorn main:app --reload
 ```
 ### For Deployment
+The docker image copies `config.json` from the current directory, so either edit the values before building the image, or mount a file with correct values into the container.
+
 Build image
 ```
 docker build -t cscfi/tiny-rp .
diff --git a/config.json b/config.json
new file mode 100644
index 0000000..cf152bb
--- /dev/null
+++ b/config.json
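Review bot: In .github/workflows/publish.yaml, the `labels:` input of the "Build and push" step contains `org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')`, but no shell runs on an action input, so the image is labelled with the literal `$(date …)` text instead of a timestamp. The `meta` step already produces source, created and revision labels, so `labels: ${{ steps.meta.outputs.labels }}` would replace the whole block. Separately, `on: [push]` builds and pushes an image with `packages: write` for every branch, while `type=ref,event=pr` can never apply without a `pull_request` trigger. Consider limiting the trigger to the default branch and tags, and pinning the three `uses:` entries to full commit SHAs rather than major-version tags.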
@@ -0,0 +1,11 @@
+{
+ "client_id": "",
+ "client_secret": "",
+ "url_oidc": "https://openid-provider.org/oidc/.well-known/openid-configuration",
+ "url_callback": "http://localhost:8080/callback",
+ "url_redirect": "http://localhost:8080/frontend",
+ "scope": "openid",
+ "resource": "something",
+ "cookie_domain": "",
+ "cors_domains": [""]
+}
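Review bot: `client_secret` sits in a file that, according to the README sentence added in this commit, the Docker build copies into the image, and publish.yaml pushes an image to ghcr.io on every push. Anyone who takes the "edit the values before building" route and commits the result bakes the secret into published image layers. Keep the committed file as an empty template and supply real values only at runtime through a mounted file; the README would be safer if it recommended the mount and warned against building with real values. The placeholders `"cors_domains": [""]` and `"cookie_domain": ""` are passed to code not shown in this diff, so confirm the app rejects an empty entry rather than treating it as permissive.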