diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a4bc940..237c2f3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,11 +1,47 @@
 name: ci
 on:
- pull_request:
- push:
- branches:
- - main
+ pull_request: {}
+ push: {}
+
+permissions:
+ contents: write
+ packages: write
 jobs:
+ detect-release:
+ runs-on: ubuntu-latest
+ outputs:
+ is_semver_tag: ${{ steps.detect.outputs.is_semver_tag }}
+ steps:
+ - id: detect
+ shell: bash
+ run: |
+ set -euo pipefail
+ # Only true for tag refs like v1.2.3 (no suffix)
+ if [[ "${GITHUB_REF}" == refs/tags/* ]] && [[ "${GITHUB_REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "is_semver_tag=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "is_semver_tag=false" >> "$GITHUB_OUTPUT"
+ fi
+
 tests:
 uses: ./.github/workflows/reusable-test.yml
+ with:
+ python-version: "3.12"
+ matomo-token-description: "ci-token"
+
+ publish-image:
+ if: needs.detect-release.outputs.is_semver_tag == 'true'
+ needs: [detect-release, tests]
+ uses: ./.github/workflows/publish-image.yml
+ permissions:
+ contents: read
+ packages: write
+
+ tag-stable:
+ if: needs.detect-release.outputs.is_semver_tag == 'true'
+ needs: [detect-release, tests, publish-image]
+ uses: ./.github/workflows/stable-tag.yml
+ permissions:
+ contents: write
diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
index 9351511..a3462f5 100644
--- a/.github/workflows/publish-image.yml
+++ b/.github/workflows/publish-image.yml
@@ -1,20 +1,10 @@
 name: publish-image
 on:
- push:
- tags:
- - "v*.*.*"
-
- workflow_run:
- workflows: ["Stable Tag"] # MUST match stable-tag.yml -> name: Stable Tag
- types: [completed]
+ workflow_call: {}
 jobs:
 build-and-push:
- if: |
- (github.event_name == 'push') ||
- (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
-
 runs-on: ubuntu-latest
 permissions:
 contents: read
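Review bot: The new workflow-level `permissions:` block in ci.yml gives `contents: write` and `packages: write` to every job, including `detect-release` and `tests`, which now run on every push and pull request and do not need either. `publish-image` and `tag-stable` already declare their own job-level permissions in this hunk, so the workflow default can be read-only: `permissions:` followed by `contents: read`. That keeps the token passed into reusable-test.yml (not shown here) from being able to push commits, tags or packages if a test dependency or script misbehaves.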
@@ -24,9 +14,8 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 with:
- # push: checks out the tag ref
- # workflow_run: checks out the exact commit that the Stable Tag workflow ran on
- ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.ref }}
+ fetch-depth: 0
+ ref: ${{ github.ref }} # bei tag-push ist das der Tag-Ref
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
@@ -47,14 +36,9 @@ jobs:
 run: |
 set -euo pipefail
 IMAGE="ghcr.io/${{ github.repository }}"
-
- if [ "${{ github.event_name }}" = "push" ]; then
- RAW_TAG="${{ github.ref_name }}" # e.g. v1.1.7
- TAG="${RAW_TAG#v}" # -> 1.1.7 (only strips leading 'v')
- echo "tags=$IMAGE:$TAG,$IMAGE:latest" >> "$GITHUB_OUTPUT"
- else
- echo "tags=$IMAGE:stable" >> "$GITHUB_OUTPUT"
- fi
+ RAW_TAG="${{ github.ref_name }}" # e.g. v1.1.7
+ TAG="${RAW_TAG#v}" # -> 1.1.7
+ echo "tags=$IMAGE:$TAG,$IMAGE:latest" >> "$GITHUB_OUTPUT"
 - name: Build and push
 uses: docker/build-push-action@v6
diff --git a/.github/workflows/stable-tag.yml b/.github/workflows/stable-tag.yml
index 25627a5..16f5746 100644
--- a/.github/workflows/stable-tag.yml
+++ b/.github/workflows/stable-tag.yml
@@ -1,24 +1,14 @@
 name: Stable Tag
 on:
- push:
- tags:
- - "v*"
+ workflow_call: {}
 permissions:
 contents: write
 jobs:
- test:
- uses: ./.github/workflows/reusable-test.yml
- with:
- python-version: "3.12"
- matomo-token-description: "stable-ci-token"
-
 tag-stable:
 runs-on: ubuntu-latest
- needs: test
- if: startsWith(github.ref, 'refs/tags/v')
 steps:
 - name: Checkout (full history for tags)
@@ -37,6 +27,5 @@ jobs:
 git config user.email "github-actions[bot]@users.noreply.github.com" git fetch --tags --force - git tag -fa stable -m "stable -> ${GITHUB_REF_NAME} (${GITHUB_SHA})" "${GITHUB_SHA}" git push --force origin stable
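Review bot: The inline comment on the new `ref:` line of the Checkout step in publish-image.yml is in German (`# bei tag-push ist das der Tag-Ref`) while the rest of the workflow is commented in English. Something like `# caller's ref; on a tag push this is the tag ref` would match, and would also record that under `workflow_call` the `github` context belongs to the calling workflow, so the ref built here is whatever ref started ci.yml. The step list continues outside this hunk.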
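Review bot: `RAW_TAG="${{ github.ref_name }}"` in the tag-computation step of publish-image.yml is expanded into the script text before bash runs, so the step is only safe as long as every caller has already validated the ref name. ci.yml does gate on a strict semver pattern, but nothing inside this `workflow_call` workflow enforces that for another caller. Reading the runner-provided variable keeps the value as data rather than script: `RAW_TAG="${GITHUB_REF_NAME}"`, which is how the detect step in ci.yml already reads it; the step itself starts outside this hunk. Separately, the `$IMAGE:stable` tag that the removed `workflow_run` branch used to push is no longer produced by any hunk shown here, so it is worth confirming that this is intended.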
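Review bot: With `if: startsWith(github.ref, 'refs/tags/v')` removed from the `tag-stable` job in stable-tag.yml, the job that force-pushes the `stable` tag has no guard of its own and relies entirely on the caller's `if:`. Keeping the one-line check on the called job, `if: startsWith(github.ref, 'refs/tags/v')`, costs nothing and stops a later caller without the semver gate from moving `stable` to a branch commit. The job's steps continue past the end of this hunk.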