wpsecadv/.github/workflows/deploy.yml at main · typisttech/wpsecadv · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
name: Deploy

on:
  workflow_dispatch:
    inputs:
      tag:
        description: 'Container image tag to deploy'
        required: true
        default: 'latest'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}
  cancel-in-progress: true

permissions: {}

jobs:
  fly:
    runs-on: ubuntu-24.04
    environment: production-fly
    steps:
      - run: |
          digest=$(gh attestation verify --format json  --jq "${JQ}" --repo "${REPO}" "${IMAGE}")
          echo "digest=${digest}" >> "${GITHUB_OUTPUT}"
        id: verify
        env:
          IMAGE: oci://ghcr.io/${{ github.repository }}:${{ inputs.tag }}
          REPO: ${{ github.repository }}
          JQ: .[0].verificationResult.statement.subject[0].digest.sha256
          GH_TOKEN: ${{ github.token }}

      - uses: superfly/flyctl-actions/setup-flyctl@ed8efb33836e8b2096c7fd3ba1c8afe303ebbff1 # 1.6
      - run: flyctl deploy --image "${IMAGE}"
        env:
          IMAGE: ghcr.io/${{ github.repository }}@sha256:${{ steps.verify.outputs.digest }}
          FLY_APP: ${{ vars.FLY_APP }}
          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}

  dispatch:
    needs:
      - fly
    permissions:
      actions: write
    runs-on: ubuntu-24.04
    steps:
      - name: Dispatch Test (e2e Production) Workflow
        run: |
          gh workflow run test-e2e-prod.yml \
            --repo "${REPO}" \
            --ref "${REF}"
        env:
          REPO: ${{ github.repository }}
          REF: ${{ github.ref_name }}
          GH_TOKEN: ${{ github.token }}