chore(gha): add missing version pin #26

Workflow file for this run

.github/workflows/build-and-publish-docker-artifacts.yaml at 95677b9

	name: build-and-publish-docker-artifacts

	###############################################################################
	# WARNING:
	# This workflow uses pull_request_target to allow building images from forks,
	# this means that secrets are exposed and we should never run anything (ie tests)
	# outside a sandbox (ie, docker containers) to prevent potential malicious code
	# leaking the github actions secrets.
	###############################################################################

	on:
	push:
	branches:
	- main
	- 'release/**'
	tags:
	- '[0-9]+.[0-9]+.[0-9]+*'
	pull_request:
	types: [ opened, synchronize ]
	paths:
	- 'Earthfile'
	- '.github/workflows/docker-builds.yaml'
	- 'services/credential-server-ui/**'
	- 'services/credential-server/**'
	workflow_dispatch:
	inputs:
	images:
	description: 'Select which earthly targets to build and push'
	required: true
	default: 'all'
	type: choice
	options:
	- idw-keria
	- idw-witness
	- cred-issuance
	- cred-issuance-ui
	- cip45-sample-dapp
	- keria-passcode-gen
	- all

	env:
	DOCKER_PUSH: true

	jobs:
	set-matrix:
	runs-on: ubuntu-latest
	outputs:
	matrix: ${{ steps.set-matrix.outputs.matrix }}
	steps:
	- name: set-matrix
	id: set-matrix
	run: \|
	echo 'matrix={"platform":["linux/amd64","linux/arm64"]}' \| tee -a "$GITHUB_ENV" \| tee -a "$GITHUB_OUTPUT"
	build-n-publish:
	needs: set-matrix
	permissions:
	contents: read
	packages: write
	runs-on: ubuntu-latest
	strategy:
	matrix: ${{fromJson(needs.set-matrix.outputs.matrix)}}
	steps:
	- name: Checkout
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	fetch-depth: 0

	- name: Setup qemu for arm builds
	uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
	if: matrix.platform == 'linux/arm64'
	with:
	platforms: arm64

	- name: ⛮ cf-gha-baseline
	uses: cardano-foundation/cf-gha-workflows/./actions/cf-gha-baseline@234ee2fbd4073e759aba6f3ca53e912ab8403886 # main at 02/10/2025
	id: cf-gha-baseline
	with:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	PRIVATE_DOCKER_REGISTRY_URL: ${{ secrets.GITLAB_DOCKER_REGISTRY_URL }}
	PRIVATE_DOCKER_REGISTRY_USER: Deploy-Token
	PRIVATE_DOCKER_REGISTRY_PASS: ${{ secrets.GITLAB_PKG_REGISTRY_TOKEN }}
	HUB_DOCKER_COM_USER: ${{ secrets.HUB_DOCKER_COM_USER }}
	HUB_DOCKER_COM_PASS: ${{ secrets.HUB_DOCKER_COM_PASS }}
	DOCKER_REGISTRIES: "${{ secrets.DOCKER_REGISTRIES }}"

	- name: Set docker image targets based on path changes from last commit
	id: metadata
	run: \|
	set -x

	if [ ${{github.event_name}} == "workflow_dispatch" ]
	then
	case "${{ github.event.inputs.images }}" in
	idw-keria)
	DOCKER_IMAGES_TARGETS="idw-keria"
	;;
	idw-witness)
	DOCKER_IMAGES_TARGETS="idw-witness"
	;;
	cred-issuance)
	DOCKER_IMAGES_TARGETS="cred-issuance"
	;;
	cred-issuance-ui)
	DOCKER_IMAGES_TARGETS="cred-issuance-ui"
	;;
	cip45-sample-dapp)
	DOCKER_IMAGES_TARGETS="cip45-sample-dapp"
	;;
	keria-passcode-gen)
	DOCKER_IMAGES_TARGETS="keria-passcode-gen"
	;;
	all)
	DOCKER_IMAGES_TARGETS="idw-keria idw-witness cred-issuance cred-issuance-ui cip45-sample-dapp keria-passcode-gen"
	;;
	*)
	echo "Invalid option, exiting..."
	exit 1
	;;
	esac

	echo "DOCKER_IMAGES_TARGETS=${DOCKER_IMAGES_TARGETS}" \| tee -a "$GITHUB_ENV" \| tee -a "$GITHUB_OUTPUT"
	echo "DOCKER_IMAGES_TARGETS_$(echo ${{ matrix.platform }} \| sed 's\|/\|_\|g')=${DOCKER_IMAGES_TARGETS}" \| tee -a "$GITHUB_ENV" \| tee -a "$GITHUB_OUTPUT"
	fi

	if [ "$TRIGGERING_REF" == "pr" ]
	then
	# At this point cf-gha-baseline has already checked out the PR input and failed the pipeline, but leaving this here for extra safety in case of future changes
	if [[ ! '${{ github.event.pull_request.head.repo.full_name }}' =~ ^[a-zA-Z0-9._/-]+$ ]] \|\| [[ ! '${{ github.event.pull_request.head.ref }}' =~ ^[a-zA-Z0-9._/-]+$ ]];
	then
	echo "[!] Invalid PR branch or repo name (!= ^[a-zA-Z0-9._/-]+\$). Aborting for security reasons."
	exit 1
	fi
	if [ "$IS_PR_FROM_FORK" == "true" ]; then
	echo "External PR detected: fetching branch from $PR_HEAD_REPO"
	git fetch https://github.com/${PR_HEAD_REPO}.git "$PR_HEAD_REF"
	git checkout FETCH_HEAD
	else
	echo "Internal PR: checking out branch $PR_HEAD_REF"
	git checkout ${BRANCH_NAME}
	fi

	# set earthly docker image targets based on changed paths
	set +e
	DOCKER_IMAGES_TARGETS="$( \
	( git log --pretty=format:'%h' -n 1 Earthfile \| grep -q ${PR_GIT_SHORT_COMMIT} ) && \
	( git log --patch -n1 Earthfile \| grep -q "^[+-]ARG.global.KERIA_" ) && \
	echo idw-keria
	)"
	DOCKER_IMAGES_TARGETS="$DOCKER_IMAGES_TARGETS $( \
	( git log --pretty=format:'%h' -n 1 Earthfile \| grep -q ${PR_GIT_SHORT_COMMIT} ) && \
	( git log --patch -n1 Earthfile \| grep -q "^[+-]ARG.global.KERI_DOCKER" ) && \
	echo idw-witness
	)"
	DOCKER_IMAGES_TARGETS="$DOCKER_IMAGES_TARGETS $( \
	( git log --pretty=format:'%h' -n 1 services/credential-server \| grep -q ${PR_GIT_SHORT_COMMIT} ) && \
	echo cred-issuance
	)"
	DOCKER_IMAGES_TARGETS="$DOCKER_IMAGES_TARGETS $( \
	( git log --pretty=format:'%h' -n 1 services/credential-server-ui \| grep -q ${PR_GIT_SHORT_COMMIT} ) && \
	echo cred-issuance-ui
	)"
	DOCKER_IMAGES_TARGETS="$DOCKER_IMAGES_TARGETS $( \
	( git log --pretty=format:'%h' -n 1 services/cip45-sample-dapp \| grep -q ${PR_GIT_SHORT_COMMIT} ) && \
	echo cip45-sample-dapp
	)"
	DOCKER_IMAGES_TARGETS="$DOCKER_IMAGES_TARGETS $( \
	( git log --pretty=format:'%h' -n 1 services/Dockerfile.keria-passcode-gen \| grep -q ${PR_GIT_SHORT_COMMIT} ) && \
	echo keria-passcode-gen
	)"
	set -e
	STRIPPED_DOCKER_IMAGES_TARGETS=$(echo $DOCKER_IMAGES_TARGETS \| tr -s ' ' \| sed -e 's\|^ \|\|' -e 's\| $\|\|')
	if [ ! -z "${STRIPPED_DOCKER_IMAGES_TARGETS}" ]; then
	echo "DOCKER_IMAGES_TARGETS=${STRIPPED_DOCKER_IMAGES_TARGETS}" \| tee -a "$GITHUB_ENV" \| tee -a "$GITHUB_OUTPUT"
	echo "DOCKER_IMAGES_TARGETS_$(echo ${{ matrix.platform }} \| sed 's\|/\|_\|g')=${STRIPPED_DOCKER_IMAGES_TARGETS}" \| tee -a "$GITHUB_ENV" \| tee -a "$GITHUB_OUTPUT"
	fi

	if [ "$IS_PR_FROM_FORK" == "true" ]; then
	git checkout ${GIT_SHORT_COMMIT}
	git config --global user.email "github-actions[bot]@users.noreply.github.com"
	git config --global user.name "github-actions[bot]"
	git checkout ${GIT_SHORT_COMMIT}
	git merge --no-ff --no-commit FETCH_HEAD
	else
	git checkout ${GIT_SHORT_COMMIT}
	fi
	fi

	- name: 🌍 earthly (docker build and push)
	run: \|
	set -x
	# For PR builds, we skip any earthly build if there are no changes on any known target-related file, for branch builds, we just build everything
	if [ "$TRIGGERING_REF" == "pr" ]
	then
	if [ ! -z "${DOCKER_IMAGES_TARGETS}" ]
	then
	earthly --platform=${{ matrix.platform }} \
	+docker-publish \
	--PUSH=true \
	--TARGET_PLATFORM="${{ matrix.platform }}" \
	--DOCKER_REGISTRIES="${DOCKER_REGISTRIES_FILTERED}" \
	--DOCKER_IMAGES_EXTRA_TAGS="${EARTHLY_DOCKER_IMAGES_EXTRA_TAGS}" \
	--DOCKER_IMAGES_LABELS="${DOCKER_METADATA_OUTPUT_LABELS_COMMA_SEPARATED}" \
	--DOCKER_IMAGES_TARGETS="${DOCKER_IMAGES_TARGETS}"
	else
	echo "[+] No changes on any known target-related file, skipping earthly build..."
	fi
	else
	# if the workflow was triggered manually, we force the build
	if [ ${{github.event_name}} == "workflow_dispatch" ]
	then
	FORCE_BUILD="--FORCE_BUILD=true"
	DOCKER_IMAGES_TARGETS_ARG="--DOCKER_IMAGES_TARGETS=${DOCKER_IMAGES_TARGETS}"
	earthly --platform=${{ matrix.platform }} \
	+docker-publish \
	${FORCE_BUILD} \
	"${DOCKER_IMAGES_TARGETS_ARG}" \
	--PUSH=true \
	--TARGET_PLATFORM="${{ matrix.platform }}" \
	--DOCKER_REGISTRIES="${DOCKER_REGISTRIES_FILTERED}" \
	--DOCKER_IMAGES_LABELS="${DOCKER_METADATA_OUTPUT_LABELS_COMMA_SEPARATED}" \
	--DOCKER_IMAGES_EXTRA_TAGS="${EARTHLY_DOCKER_IMAGES_EXTRA_TAGS}"
	else
	earthly --platform=${{ matrix.platform }} \
	+docker-publish \
	${FORCE_BUILD} \
	--PUSH=true \
	--TARGET_PLATFORM="${{ matrix.platform }}" \
	--DOCKER_REGISTRIES="${DOCKER_REGISTRIES_FILTERED}" \
	--DOCKER_IMAGES_LABELS="${DOCKER_METADATA_OUTPUT_LABELS_COMMA_SEPARATED}" \
	--DOCKER_IMAGES_EXTRA_TAGS="${EARTHLY_DOCKER_IMAGES_EXTRA_TAGS}"
	fi
	fi

	- uses: cloudposse/github-action-matrix-outputs-write@ed06cf3a6bf23b8dce36d1cf0d63123885bb8375 # v1.0.0
	id: out
	with:
	matrix-step-name: ${{ github.job }}
	matrix-key: ${{ matrix.platform }}
	outputs: \|-
	DOCKER_IMAGES_TARGETS: ${{ steps.metadata.outputs.DOCKER_IMAGES_TARGETS }}

	merge-multi-platform-manifests:
	needs:
	- set-matrix
	- build-n-publish
	permissions:
	contents: read
	packages: write
	runs-on: ubuntu-latest
	steps:

	- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0

	# Manually doing this instead of using the cloudposse/read action as it seems there is some issue with it
	- name: read-matrix-artifacts
	id: matrix-artifacts
	env:
	MATRIX_STEP_NAME: build-n-publish
	run: \|
	DOCKER_IMAGES_TARGETS=$(find . -name ${MATRIX_STEP_NAME} -maxdepth 2 -type f \| head -n1 \| xargs cat \| jq -r '.[].DOCKER_IMAGES_TARGETS')
	echo DOCKER_IMAGES_TARGETS=${DOCKER_IMAGES_TARGETS} \| tee -a "$GITHUB_ENV" \| tee -a "$GITHUB_OUTPUT"

	- name: Checkout
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	fetch-depth: 0

	- name: ⛮ cf-gha-baseline
	uses: cardano-foundation/cf-gha-workflows/./actions/cf-gha-baseline@234ee2fbd4073e759aba6f3ca53e912ab8403886 # main at 02/10/2025
	id: cf-gha-baseline
	with:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	PRIVATE_DOCKER_REGISTRY_URL: ${{ secrets.GITLAB_DOCKER_REGISTRY_URL }}
	PRIVATE_DOCKER_REGISTRY_USER: Deploy-Token
	PRIVATE_DOCKER_REGISTRY_PASS: ${{ secrets.GITLAB_PKG_REGISTRY_TOKEN }}
	HUB_DOCKER_COM_USER: ${{ secrets.HUB_DOCKER_COM_USER }}
	HUB_DOCKER_COM_PASS: ${{ secrets.HUB_DOCKER_COM_PASS }}
	DOCKER_REGISTRIES: "${{ secrets.DOCKER_REGISTRIES }}"

	- name: Merge multi-platform manifests
	run: \|
	PLATFORMS=$(echo '${{ needs.set-matrix.outputs.matrix }}' \| jq -r '.platform[]' \| xargs echo)
	echo $PLATFORMS
	echo $DOCKER_IMAGES_TARGETS

	if [ "${DOCKER_IMAGES_TARGETS}" != "null" ]
	then
	DOCKER_IMAGES_TARGETS_ARG="--DOCKER_IMAGES_TARGETS=${DOCKER_IMAGES_TARGETS}"
	earthly \
	+docker-manifests-merge \
	--DOCKER_IMAGES_TARGETS="${DOCKER_IMAGES_TARGETS}" \
	--PUSH=true \
	--PLATFORMS="${PLATFORMS}" \
	--DOCKER_IMAGES_TARGETS="${DOCKER_IMAGES_TARGETS}" \
	--DOCKER_REGISTRIES="${DOCKER_REGISTRIES_FILTERED}" \
	--DOCKER_IMAGES_EXTRA_TAGS="${EARTHLY_DOCKER_IMAGES_EXTRA_TAGS}"
	else
	if [ "$TRIGGERING_REF" == "pr" ]
	then
	echo "[+] No changes on any known target-related file, skipping earthly build..."
	exit 0
	fi
	earthly \
	+docker-manifests-merge \
	--PUSH=true \
	--PLATFORMS="${PLATFORMS}" \
	--DOCKER_REGISTRIES="${DOCKER_REGISTRIES_FILTERED}" \
	--DOCKER_IMAGES_EXTRA_TAGS="${EARTHLY_DOCKER_IMAGES_EXTRA_TAGS}"
	fi

	dispatch-build-success-event:
	runs-on: ubuntu-latest
	needs:
	- merge-multi-platform-manifests
	steps:
	- name: Checkout
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

	- name: ⛮ cf-gha-baseline
	uses: cardano-foundation/cf-gha-workflows/./actions/cf-gha-baseline@234ee2fbd4073e759aba6f3ca53e912ab8403886 # main at 02/10/2025
	id: cf-gha-baseline
	with:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Dispatch successful build event to private repo
	uses: cardano-foundation/cf-gha-workflows/./actions/cf-gha-dispatch-event@234ee2fbd4073e759aba6f3ca53e912ab8403886 # main at 02/10/2025
	with:
	EVENT_TYPE: "${{ github.event_name }}-${{ steps.cf-gha-baseline.outputs.TRIGGERING_REF }}-${{ steps.cf-gha-baseline.outputs.BRANCH_NAME }}"
	GITHUB_TOKEN: ${{ secrets.PRIVATE_REPO_PAT }}
	GITHUB_REPO: ${{ secrets.PRIVATE_REPO }}
	TRIGGERING_EVENT: ${{ github.event_name }}
	TRIGGERING_REF: ${{ steps.cf-gha-baseline.outputs.TRIGGERING_REF }}
	TRIGGERING_BRANCH: ${{ steps.cf-gha-baseline.outputs.BRANCH_NAME }}
	TRIGGERING_GHRUNID: ${{ github.run_id }}
	GIT_SHORT_COMMIT: ${{ steps.cf-gha-baseline.outputs.GIT_SHORT_COMMIT }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(gha): add missing version pin #26

Workflow file

chore(gha): add missing version pin #26

Uh oh!

Jobs

Run details

Workflow file for this run