firezone/.github/workflows/publish.yml

name: Publish Images
run-name: Triggered by ${{ github.actor }}
on:
  release:
    types:
      - published

concurrency:
  group: "publish-production-${{ github.event_name }}-${{ github.workflow }}-${{ github.ref }}"
  cancel-in-progress: false

jobs:
  publish-artifacts:
    if: ${{ startsWith(github.event.release.name, 'gateway') || startsWith(github.event.release.name, 'headless-client') }}
    runs-on: ubuntu-22.04
    permissions:
      # Needed to upload artifacts to a release
      packages: write
      # Needed to login to GCP
      id-token: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: ./.github/actions/gcp-docker-login
        id: login
        with:
          project: firezone-staging
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set variables
        id: set-variables
        run: |
          set -xe

          if [[ "${{ github.event.release.name }}" =~ gateway* ]]; then
            ARTIFACT=gateway
            # mark:next-gateway-version
            VERSION="1.4.4"
          elif [[ "${{ github.event.release.name }}" =~ headless* ]]; then
            ARTIFACT=client
            # mark:next-headless-version
            VERSION="1.4.2"
          else
            echo "Shouldn't have gotten here. Exiting."
            exit 1
          fi

          MAJOR_VERSION="${VERSION%%.*}"
          MAJOR_MINOR_VERSION="${VERSION%.*}"

          echo "artifact=$ARTIFACT" >> "$GITHUB_OUTPUT"
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "major_version=$MAJOR_VERSION" >> "$GITHUB_OUTPUT"
          echo "major_minor_version=$MAJOR_MINOR_VERSION" >> "$GITHUB_OUTPUT"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
        with:
          # We are overriding the default buildkit version being used by Buildx. We need buildkit >= 12.0 and currently BuildX
          # supports v0.11.6 https://github.com/docker/buildx/blob/b8739d74417f86aa8fc9aafb830a8ba656bdef0e/Dockerfile#L9.
          # We should for any updates on buildx and on the setup-buildx-action itself.
          driver-opts: |
            image=moby/buildkit:v0.15.1
      - name: Pull and push
        run: |
          set -xe

          SOURCE_TAG=${{ steps.login.outputs.registry }}/firezone/${{ steps.set-variables.outputs.artifact }}:${{ github.sha }}

          docker buildx imagetools create \
            -t ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:${{ github.sha }} \
            -t ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:${{ steps.set-variables.outputs.version }} \
            -t ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:${{ steps.set-variables.outputs.version }}-${{ github.sha }} \
            -t ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:${{ steps.set-variables.outputs.major_version }} \
            -t ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:${{ steps.set-variables.outputs.major_minor_version }} \
            -t ghcr.io/firezone/${{ steps.set-variables.outputs.artifact }}:latest \
            $SOURCE_TAG
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
        with:
          workload_identity_provider: "projects/397012414171/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions"
          service_account: "github-actions@github-iam-387915.iam.gserviceaccount.com"
          export_environment_variables: true
          create_credentials_file: true
      - name: Copy Google Cloud Storage binaries to "latest" version
        run: |
          set -xe

          ARCHITECTURES=(x86_64 aarch64 armv7)

          for arch in "${ARCHITECTURES[@]}"; do
            # Copy sha256sum.txt
            gcloud storage cp \
              gs://firezone-staging-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/${{ github.sha }}/${arch}.sha256sum.txt \
              gs://firezone-prod-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/latest/${arch}.sha256sum.txt
            gcloud storage cp \
              gs://firezone-staging-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/${{ github.sha }}/${arch}.sha256sum.txt \
              gs://firezone-prod-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/${{ github.sha }}/${arch}.sha256sum.txt
            gcloud storage cp \
              gs://firezone-staging-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/${{ github.sha }}/${arch}.sha256sum.txt \
              gs://firezone-prod-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/${{ steps.set-variables.outputs.version }}/${arch}.sha256sum.txt

            # Copy binaries
            gcloud storage cp \
              gs://firezone-staging-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/${{ github.sha }}/${arch} \
              gs://firezone-prod-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/latest/${arch}
            gcloud storage cp \
              gs://firezone-staging-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/${{ github.sha }}/${arch} \
              gs://firezone-prod-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/${{ github.sha }}/${arch}
            gcloud storage cp \
              gs://firezone-staging-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/${{ github.sha }}/${arch} \
              gs://firezone-prod-artifacts/firezone-${{ steps.set-variables.outputs.artifact }}/${{ steps.set-variables.outputs.version }}/${arch}
          done