mirror of
				https://github.com/meilisearch/meilisearch.git
				synced 2025-10-22 19:46:26 +00:00 
			
		
		
		
	Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.9.2 to 3.10.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](d58896d6a1...d7543c93d8)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 3.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
		
	
		
			
				
	
	
		
		
	
	
	
	
	
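# Builds the multi-arch Meilisearch image, pushes it to Docker Hub, signs the
# pushed digest with Cosign in keyless mode, and notifies the Cloud repository.
#
# NOTE(review): `sigstore/cosign-installer` is pinned to a full commit SHA, but
# the other actions used below (`actions/checkout`, `docker/*`,
# `peter-evans/repository-dispatch`) are referenced by a movable tag. This job
# handles Docker Hub credentials, a PAT and an OIDC token, so consider pinning
# those actions to commit SHAs as well.
name: Publish images to Docker Hub

on:
  push:
    # Will run for every tag pushed except `latest`
    # When the `latest` git tag is created with this [CI](../latest-git-tag.yml)
    # we don't need to create a Docker `latest` image again.
    # The `latest` Docker image push is already done in this CI when releasing
    # a stable version of Meilisearch.
    tags-ignore:
      - latest
  # Both `schedule` and `workflow_dispatch` build the nightly tag
  schedule:
    - cron: '0 23 * * *' # Every day at 11:00pm
  workflow_dispatch:

jobs:
  docker:
    runs-on: docker
    # Only the OIDC token scope is requested; no other token scope is listed.
    permissions:
      id-token: write # This is needed to use Cosign in keyless mode
    steps:
      - uses: actions/checkout@v5

      # If we are running a cron or manual job ('schedule' or 'workflow_dispatch'
      # event), it means we are publishing the `nightly` tag, so not considered stable.
      # If we have pushed a tag, and the tag has the v<number>.<number>.<number>
      # format, it means we are publishing an official release, so considered stable.
      # In this situation, we need to set `output.stable` to create/update the
      # following tags (additionally to the `vX.Y.Z` Docker tag):
      # - a `vX.Y` (without patch version) Docker tag
      # - a `latest` Docker tag
      # For any other tag pushed, this is not considered stable.
      - name: Define if stable and latest release
        id: check-tag-format
        env:
          # To avoid request limit with the .github/scripts/is-latest-release.sh script
          # NOTE(review): GITHUB_PATH is also the name of a runner-provided
          # variable (the file used to extend PATH). Confirm the script really
          # reads the token under this name; a non-reserved name would be safer.
          GITHUB_PATH: ${{ secrets.MEILI_BOT_GH_PAT }}
          # The tag name and event name reach the script through the
          # environment. Expanding `${{ ... }}` inside `run:` pastes the raw
          # value into the script text before the shell parses it, so the
          # `printf "%q"` below could not protect against a crafted tag name.
          PUSHED_REF_NAME: ${{ github.ref_name }}
          TRIGGER_EVENT: ${{ github.event_name }}
        run: |
          escaped_tag=$(printf "%q" "$PUSHED_REF_NAME")
          echo "latest=false" >> "$GITHUB_OUTPUT"

          if [[ "$TRIGGER_EVENT" != 'push' ]]; then
            echo "stable=false" >> "$GITHUB_OUTPUT"
          elif [[ $escaped_tag =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "stable=true" >> "$GITHUB_OUTPUT"
            echo "latest=$(sh .github/scripts/is-latest-release.sh)" >> "$GITHUB_OUTPUT"
          else
            echo "stable=false" >> "$GITHUB_OUTPUT"
          fi

      # Check only the validity of the tag for stable releases (not for pre-releases or other tags)
      - name: Check release validity
        if: steps.check-tag-format.outputs.stable == 'true'
        run: bash .github/scripts/check-release.sh

      - name: Set build-args for Docker buildx
        id: build-metadata
        env:
          # Passed through the environment for the same reason as the tag name above.
          COMMIT_SHA: ${{ github.sha }}
        run: |
          # Extract commit date
          commit_date=$(git show -s --format=%cd --date=iso-strict "$COMMIT_SHA")

          echo "date=$commit_date" >> "$GITHUB_OUTPUT"

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Pinned to a full commit SHA; the trailing comment records the matching tag.
      - name: Install cosign
        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # tag=v3.10.0

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: getmeili/meilisearch
          # Prevent `latest` to be updated for each new tag pushed.
          # We need latest and `vX.Y` tags to only be pushed for the stable Meilisearch releases.
          flavor: latest=false
          tags: |
            type=ref,event=tag
            type=raw,value=nightly,enable=${{ github.event_name != 'push' }}
            type=semver,pattern=v{{major}}.{{minor}},enable=${{ steps.check-tag-format.outputs.stable == 'true' }}
            type=semver,pattern=v{{major}},enable=${{ steps.check-tag-format.outputs.stable == 'true' }}
            type=raw,value=latest,enable=${{ steps.check-tag-format.outputs.stable == 'true' && steps.check-tag-format.outputs.latest == 'true' }}

      - name: Build and push
        uses: docker/build-push-action@v6
        id: build-and-push
        with:
          push: true
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.meta.outputs.tags }}
          build-args: |
            COMMIT_SHA=${{ github.sha }}
            COMMIT_DATE=${{ steps.build-metadata.outputs.date }}
            GIT_TAG=${{ github.ref_name }}

      # Every tag is signed as `<tag>@<digest>`, so the signature is bound to
      # the digest returned by the push step, not to a tag that can be moved.
      - name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          # ${images} is left unquoted on purpose: each reference must reach
          # cosign as its own argument.
          cosign sign --yes ${images}

      # /!\ Don't touch this without checking with Cloud team
      - name: Send CI information to Cloud team
        # Do not send if nightly build (i.e. 'schedule' or 'workflow_dispatch' event)
        if: github.event_name == 'push'
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.MEILI_BOT_GH_PAT }}
          repository: meilisearch/meilisearch-cloud
          event-type: cloud-docker-build
          # NOTE(review): the tag name is spliced into the JSON text unescaped;
          # a tag containing `"` would change the payload. Left as is because
          # of the warning above; raise it with the Cloud team.
          client-payload: '{ "meilisearch_version": "${{ github.ref_name }}", "stable": "${{ steps.check-tag-format.outputs.stable }}" }'

      # Send notification to Swarmia to notify of a deployment: https://app.swarmia.com
      # - name: 'Setup jq'
      #   uses: dcarbone/install-jq-action
      # - name: Send deployment to Swarmia
      #   if: github.event_name == 'push' && success()
      #   run: |
      #     JSON_STRING=$( jq --null-input --compact-output \
      #     --arg version "${{ github.ref_name }}" \
      #     --arg appName "meilisearch" \
      #     --arg environment "production" \
      #     --arg commitSha "${{ github.sha }}" \
      #     --arg repositoryFullName "${{ github.repository }}" \
      #     '{"version": $version, "appName": $appName, "environment": $environment, "commitSha": $commitSha, "repositoryFullName": $repositoryFullName}' )

      #     curl -H "Authorization: ${{ secrets.SWARMIA_DEPLOYMENTS_AUTHORIZATION }}" \
      #       -H "Content-Type: application/json" \
      #       -d "$JSON_STRING" \
      #       https://hook.swarmia.com/deployments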