API design: Deploy security agents to macOS, Windows, and Linux hosts #36428
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker publish | |
| on: | |
| push: | |
| branches: | |
| - "main" | |
| - "prepare-*" | |
| - "patch-*" | |
| paths-ignore: | |
| - "handbook/**" | |
| - "website/**" | |
| - "mdm-profiles/**" | |
| pull_request: | |
| paths-ignore: | |
| - "handbook/**" | |
| - "website/**" | |
| - "mdm-profiles/**" | |
| workflow_dispatch: # Manual | |
| # This allows a subsequently queued workflow run to interrupt previous runs | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} | |
| cancel-in-progress: true | |
| defaults: | |
| run: | |
| # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference | |
| shell: bash | |
| permissions: | |
| contents: read | |
| jobs: | |
| publish: | |
| # Only run it when the push is to the fleetdm/fleet repo. Otherwise the secrets for pushing to | |
| # Docker will not be available. | |
| # | |
| # Also not run if author is dependabot (it doesn't have access to Github secrets). | |
| if: ${{ (github.repository == 'fleetdm/fleet') && (github.actor != 'dependabot[bot]') }} | |
| runs-on: ubuntu-20.04 | |
| environment: Docker Hub | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} | |
| - name: Set up Go | |
| uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
| with: | |
| go-version: ${{ vars.GO_VERSION }} | |
| # Set the Node.js version | |
| - name: Set up Node.js ${{ vars.NODE_VERSION }} | |
| uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 | |
| with: | |
| node-version: ${{ vars.NODE_VERSION }} | |
| - name: Install Dependencies | |
| run: make deps | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b | |
| with: | |
| distribution: goreleaser-pro | |
| version: latest | |
| args: release --snapshot --rm-dist -f .goreleaser-snapshot.yml | |
| env: | |
| GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
| - name: Tag image with branch name | |
| run: docker tag fleetdm/fleet:$(git rev-parse --short HEAD) fleetdm/fleet:$(git rev-parse --abbrev-ref HEAD) | |
| # Explicitly push the docker images as GoReleaser will not do so in snapshot mode | |
| - name: Publish Docker images | |
| run: docker push fleetdm/fleet --all-tags | |
| - name: Get tag | |
| run: | | |
| echo "TAG=$(git rev-parse --abbrev-ref HEAD) $(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| id: docker | |
| - name: List tags for push | |
| run: | | |
| echo "The following TAGs are to be pushed: ${{ steps.docker.outputs.TAG }}" | |
| - name: Login to quay.io | |
| uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a | |
| with: | |
| registry: quay.io | |
| username: fleetdm+fleetreleaser | |
| password: ${{ secrets.QUAY_REGISTRY_PASSWORD }} | |
| - name: Tag and push to quay.io | |
| run: | | |
| for TAG in ${{ steps.docker.outputs.TAG }}; do | |
| docker tag fleetdm/fleet:${TAG} quay.io/fleetdm/fleet:${TAG} | |
| docker push quay.io/fleetdm/fleet:${TAG} | |
| done |