ci: migrate workflows from Gitea to GitHub Actions

Archive non-GCP workflows, rename GCP variants to drop -gcp suffix,
replace Gitea-hosted aws-cli-action with aws-actions/configure-aws-credentials@v4.
This commit is contained in:
Amit Rajput 2026-04-06 17:45:07 +05:30
parent cafe89be6a
commit be25d56aab
17 changed files with 663 additions and 306 deletions


@ -0,0 +1,61 @@
name: Build base images (Generally from basin repo)
on:
workflow_call:
inputs:
image_tag:
required: true
type: string
fail_on_scan:
default: true
type: boolean
jobs:
docker-build-and-push:
runs-on: ubuntu-22.04 #ubuntu-latest
steps:
- id: get-id
name: Get a unique tag for this build
run: |
echo "DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT";
- name: Print image name
run: |
echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- uses: actions/checkout@v4
- name: Login to Docker Container Registry
# if: ${{ github.event_name == 'push' }}
uses: docker/login-action@v3
with:
registry: ${{ vars.docker_repo2_registry }}
username: ${{ secrets.docker_repo2_username }}
password: ${{ secrets.docker_repo2_password }}
- name: Build and push the Docker image
run: |
docker build \
--file context/Dockerfile \
--tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
./context;
- name: Container details
run: |
IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- name: Scan Docker Image for vulnerabilities with Grype
uses: anchore/scan-action@v6
with:
image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
cache-db: true #Cache Grype DB in Github Actions
output-format: table
only-fixed: true
severity-cutoff: critical
fail-build: ${{ inputs.fail_on_scan }}
- name: Push the container image
run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }}


@ -0,0 +1,59 @@
name: Build base images from code repos
on:
workflow_call:
inputs:
image_tag:
required: true
type: string
jobs:
docker-base-build-and-push:
runs-on: ubuntu-22.04 #ubuntu-latest
steps:
- id: get-id
name: Get a unique tag for this build
run: |
echo "DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT";
- name: Print image name
run: |
echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- uses: actions/checkout@v4
- name: Login to Docker Container Registry
# if: ${{ github.event_name == 'push' }}
uses: docker/login-action@v3
with:
registry: ${{ vars.docker_repo2_registry }}
username: ${{ secrets.docker_repo2_username }}
password: ${{ secrets.docker_repo2_password }}
- name: Build and push the Docker image
run: |
docker build \
--file fab/d/actions-base.Dockerfile \
--tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
.;
- name: Container details
run: |
IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- name: Push the container image
run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }}
- name: Scan Docker Image for vulnerabilities with Grype
uses: anchore/scan-action@v6
with:
image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
cache-db: true #Cache Grype DB in Github Actions
output-format: table
only-fixed: true
severity-cutoff: critical
fail-build: true


@ -0,0 +1,52 @@
name: Reusable container push workflow
on:
workflow_call:
env:
REPO: ${{ github.repository }}
jobs:
push-container:
runs-on: ubuntu-22.04
steps:
- id: get-id
name: Get a unique tag for this build
run: |
SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }};
BUILD_ID=$BRANCH_NAME-${SHA:0:8};
DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/$REPO:$BUILD_ID;
echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT";
echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT";
- name: Print build id and image name
run: |
echo "BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}";
echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- uses: actions/checkout@v4
- name: Login to docker container registry
uses: docker/login-action@v3
with:
registry: ${{ vars.docker_repo2_registry }}
username: ${{ secrets.docker_repo2_username }}
password: ${{ secrets.docker_repo2_password }}
- name: Build the container image
run: |
docker build \
--build-arg BUILD_STEP=container \
--build-arg PUBLIC_BUILD_VERSION=${{ steps.get-id.outputs.BUILD_ID }} \
--file fab/d/actions-build.Dockerfile \
--tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
.;
- name: Container details
run: |
IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- name: Push the container image
run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }}


@ -19,7 +19,7 @@ jobs:
run: | run: |
SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }}; SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }};
BUILD_ID=$BRANCH_NAME-${SHA:0:8}; BUILD_ID=$BRANCH_NAME-${SHA:0:8};
DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/$REPO:$BUILD_ID; DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/$REPO:$BUILD_ID;
echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"; echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT";
echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"; echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT";
@ -30,24 +30,12 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
# ✅ 1) Auth to GCP (this is where your SA key is used) - name: Login to docker container registry
- name: Auth to GCP uses: docker/login-action@v3
uses: google-github-actions/auth@v2
with: with:
# using your existing secret that contains the SA JSON registry: ${{ vars.docker_repo2_registry }}
credentials_json: ${{ secrets.GCP_SA_KEY }} username: ${{ secrets.docker_repo2_username }}
password: ${{ secrets.docker_repo2_password }}
# ✅ 2) Install gcloud (no creds here)
- name: Set up gcloud
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ vars.GCP_PROJECT_ID }}
export_default_credentials: true
- name: Configure Docker for GAR
run: |
gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev
- name: Build the container image for bundle step - name: Build the container image for bundle step
run: | run: |


@ -1,71 +0,0 @@
name: Build base images (Generally from basin repo)
on:
workflow_call:
inputs:
image_tag:
required: true
type: string
fail_on_scan:
default: true
type: boolean
jobs:
docker-build-and-push:
runs-on: ubuntu-22.04 #ubuntu-latest
steps:
- id: get-id
name: Get a unique tag for this build
run: |
echo "DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT";
- name: Print image name
run: |
echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- uses: actions/checkout@v4
# ✅ 1) Auth to GCP (this is where your SA key is used)
- name: Auth to GCP
uses: google-github-actions/auth@v2
with:
# using your existing secret that contains the SA JSON
credentials_json: ${{ secrets.GCP_SA_KEY }}
# ✅ 2) Install gcloud (no creds here)
- name: Set up gcloud
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ vars.GCP_PROJECT_ID }}
export_default_credentials: true
- name: Configure Docker for GAR
run: |
gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev
- name: Build and push the Docker image
run: |
docker build \
--file context/Dockerfile \
--tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
./context;
- name: Container details
run: |
IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
# - name: Scan Docker Image for vulnerabilities with Grype
# uses: anchore/scan-action@v6
# with:
# image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
# cache-db: true #Cache Grype DB in Github Actions
# output-format: table
# only-fixed: true
# severity-cutoff: critical
# fail-build: ${{ inputs.fail_on_scan }}
- name: Push the container image
run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }}


@ -19,7 +19,7 @@ jobs:
- id: get-id - id: get-id
name: Get a unique tag for this build name: Get a unique tag for this build
run: | run: |
echo "DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT"; echo "DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT";
- name: Print image name - name: Print image name
run: | run: |
@ -27,13 +27,23 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Login to Docker Container Registry # ✅ 1) Auth to GCP (this is where your SA key is used)
# if: ${{ github.event_name == 'push' }} - name: Auth to GCP
uses: docker/login-action@v3 uses: google-github-actions/auth@v2
with: with:
registry: ${{ vars.docker_repo2_registry }} # using your existing secret that contains the SA JSON
username: ${{ secrets.docker_repo2_username }} credentials_json: ${{ secrets.GCP_SA_KEY }}
password: ${{ secrets.docker_repo2_password }}
# ✅ 2) Install gcloud (no creds here)
- name: Set up gcloud
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ vars.GCP_PROJECT_ID }}
export_default_credentials: true
- name: Configure Docker for GAR
run: |
gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev
- name: Build and push the Docker image - name: Build and push the Docker image
run: | run: |
@ -47,15 +57,15 @@ jobs:
IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`; IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}"; echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- name: Scan Docker Image for vulnerabilities with Grype # - name: Scan Docker Image for vulnerabilities with Grype
uses: anchore/scan-action@v6 # uses: anchore/scan-action@v6
with: # with:
image: ${{ steps.get-id.outputs.DOCKER_IMAGE }} # image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
cache-db: true #Cache Grype DB in Github Actions # cache-db: true #Cache Grype DB in Github Actions
output-format: table # output-format: table
only-fixed: true # only-fixed: true
severity-cutoff: critical # severity-cutoff: critical
fail-build: ${{ inputs.fail_on_scan }} # fail-build: ${{ inputs.fail_on_scan }}
- name: Push the container image - name: Push the container image
run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }}
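Review bot: The new side still authenticates with a long-lived service-account JSON key (`credentials_json: ${{ secrets.GCP_SA_KEY }}`), which is exactly the exportable secret GitHub-hosted runners let you drop: with `permissions: id-token: write` on the job, `google-github-actions/auth@v2` accepts `workload_identity_provider:` and `service_account:` for keyless Workload Identity Federation (this needs a WIF pool bound to this repository on the GCP side, which I cannot see from here). `export_default_credentials: true` on `setup-gcloud@v2` looks redundant, since auth@v2 should already export the credentials to the environment, and I believe later setup-gcloud majors no longer honour that input — confirm against the action's documented v2 inputs. Separately, with the Grype step left commented out the `fail_on_scan` input (declared above this hunk, judging by the identical deleted `-gcp` file) is accepted but never read; a comment next to it such as `# currently unused: image scanning is intentionally disabled (see spec Non-Goals)` would stop callers assuming it gates the push.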


@ -1,69 +0,0 @@
name: Build base images from code repos
on:
workflow_call:
inputs:
image_tag:
required: true
type: string
jobs:
docker-base-build-and-push:
runs-on: ubuntu-22.04 #ubuntu-latest
steps:
- id: get-id
name: Get a unique tag for this build
run: |
echo "DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT";
- name: Print image name
run: |
echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- uses: actions/checkout@v4
# ✅ 1) Auth to GCP (this is where your SA key is used)
- name: Auth to GCP
uses: google-github-actions/auth@v2
with:
# using your existing secret that contains the SA JSON
credentials_json: ${{ secrets.GCP_SA_KEY }}
# ✅ 2) Install gcloud (no creds here)
- name: Set up gcloud
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ vars.GCP_PROJECT_ID }}
export_default_credentials: true
- name: Configure Docker for GAR
run: |
gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev
- name: Build and push the Docker image
run: |
docker build \
--file fab/d/actions-base.Dockerfile \
--tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
.;
- name: Container details
run: |
IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- name: Push the container image
run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }}
# - name: Scan Docker Image for vulnerabilities with Grype
# uses: anchore/scan-action@v6
# with:
# image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
# cache-db: true #Cache Grype DB in Github Actions
# output-format: table
# only-fixed: true
# severity-cutoff: critical
# fail-build: true


@ -16,7 +16,7 @@ jobs:
- id: get-id - id: get-id
name: Get a unique tag for this build name: Get a unique tag for this build
run: | run: |
echo "DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT"; echo "DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT";
- name: Print image name - name: Print image name
run: | run: |
@ -24,13 +24,23 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Login to Docker Container Registry # ✅ 1) Auth to GCP (this is where your SA key is used)
# if: ${{ github.event_name == 'push' }} - name: Auth to GCP
uses: docker/login-action@v3 uses: google-github-actions/auth@v2
with: with:
registry: ${{ vars.docker_repo2_registry }} # using your existing secret that contains the SA JSON
username: ${{ secrets.docker_repo2_username }} credentials_json: ${{ secrets.GCP_SA_KEY }}
password: ${{ secrets.docker_repo2_password }}
# ✅ 2) Install gcloud (no creds here)
- name: Set up gcloud
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ vars.GCP_PROJECT_ID }}
export_default_credentials: true
- name: Configure Docker for GAR
run: |
gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev
- name: Build and push the Docker image - name: Build and push the Docker image
run: | run: |
@ -47,13 +57,13 @@ jobs:
- name: Push the container image - name: Push the container image
run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }} run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }}
- name: Scan Docker Image for vulnerabilities with Grype # - name: Scan Docker Image for vulnerabilities with Grype
uses: anchore/scan-action@v6 # uses: anchore/scan-action@v6
with: # with:
image: ${{ steps.get-id.outputs.DOCKER_IMAGE }} # image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
cache-db: true #Cache Grype DB in Github Actions # cache-db: true #Cache Grype DB in Github Actions
output-format: table # output-format: table
only-fixed: true # only-fixed: true
severity-cutoff: critical # severity-cutoff: critical
fail-build: true # fail-build: true
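Review bot: On the new side the (commented-out) Grype scan sits after `docker push`, so if it is ever re-enabled with `fail-build: true` a critical finding fails the job only after the image is already in the registry; the sibling `base-build-image` workflow scans before pushing, and the same order is cheap to adopt here. This is moot while scanning stays disabled, which the change states as a deliberate non-goal, but a comment on the push step would keep the next person from inheriting the ordering: `# NOTE: if the Grype scan below is re-enabled, move it above this push so a failing scan never ships an image`. The auth step also carries a long-lived SA key in `credentials_json`; on GitHub, Workload Identity Federation via `google-github-actions/auth@v2` (`workload_identity_provider:` + `service_account:` with `id-token: write`) removes that secret entirely.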


@ -1,63 +0,0 @@
name: Reusable container push workflow
on:
workflow_call:
env:
REPO: ${{ github.repository }}
jobs:
push-container:
runs-on: ubuntu-22.04
steps:
- id: get-id
name: Get a unique tag for this build
run: |
SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }};
BUILD_ID=$BRANCH_NAME-${SHA:0:8};
DOCKER_IMAGE="${{vars.GCP_DOCKER_REGISTRY}}/$REPO:$BUILD_ID"
echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT";
echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT";
- name: Print build id and image name
run: |
echo "BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}";
echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- uses: actions/checkout@v4
# ✅ 1) Auth to GCP (this is where your SA key is used)
- name: Auth to GCP
uses: google-github-actions/auth@v2
with:
# using your existing secret that contains the SA JSON
credentials_json: ${{ secrets.GCP_SA_KEY }}
# ✅ 2) Install gcloud (no creds here)
- name: Set up gcloud
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ vars.GCP_PROJECT_ID }}
export_default_credentials: true
- name: Configure Docker for GAR
run: |
gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev
- name: Build the container image
run: |
docker build \
--build-arg BUILD_STEP=container \
--build-arg PUBLIC_BUILD_VERSION=${{ steps.get-id.outputs.BUILD_ID }} \
--file fab/d/actions-build.Dockerfile \
--tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
.;
- name: Container details
run: |
IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";
- name: Push the container image
run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }}


@ -16,7 +16,7 @@ jobs:
run: | run: |
SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }}; SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }};
BUILD_ID=$BRANCH_NAME-${SHA:0:8}; BUILD_ID=$BRANCH_NAME-${SHA:0:8};
DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/$REPO:$BUILD_ID; DOCKER_IMAGE="${{vars.GCP_DOCKER_REGISTRY}}/$REPO:$BUILD_ID"
echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"; echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT";
echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"; echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT";
@ -27,12 +27,23 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Login to docker container registry # ✅ 1) Auth to GCP (this is where your SA key is used)
uses: docker/login-action@v3 - name: Auth to GCP
uses: google-github-actions/auth@v2
with: with:
registry: ${{ vars.docker_repo2_registry }} # using your existing secret that contains the SA JSON
username: ${{ secrets.docker_repo2_username }} credentials_json: ${{ secrets.GCP_SA_KEY }}
password: ${{ secrets.docker_repo2_password }}
# ✅ 2) Install gcloud (no creds here)
- name: Set up gcloud
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ vars.GCP_PROJECT_ID }}
export_default_credentials: true
- name: Configure Docker for GAR
run: |
gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev
- name: Build the container image - name: Build the container image
run: | run: |
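Review bot: `BRANCH_NAME=${{ github.base_ref || github.ref_name }}` on the new side expands a ref name directly into the shell script, so a branch whose name contains shell metacharacters (git permits `$`, `;`, backticks and parentheses in ref names) is executed on the runner while the registry credentials are in scope — the expression-injection pattern GitHub documents for `github.ref_name` / `github.head_ref`. How exploitable this is depends on who can create branches in the calling repositories, so treat it as hardening: route the value through `env:` and quote it, i.e. add `env:` / `  BRANCH_NAME: ${{ github.base_ref || github.ref_name }}` on the step and write `SHA="${{ github.sha }}"; BUILD_ID="${BRANCH_NAME}-${SHA:0:8}";` in the script. The same value feeds `DOCKER_IMAGE`, later used unquoted in `docker build --tag` and `docker push`, and a branch name containing `/` (e.g. `feature/x`) produces a tag Docker rejects — behaviour carried over from the archived variant rather than introduced here. The `get-id` step begins above this hunk.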


@ -19,7 +19,7 @@ jobs:
run: | run: |
SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }}; SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }};
BUILD_ID=$BRANCH_NAME-${SHA:0:8}; BUILD_ID=$BRANCH_NAME-${SHA:0:8};
DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/$REPO:$BUILD_ID; DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/$REPO:$BUILD_ID;
echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT"; echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT";
echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"; echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT";
@ -30,12 +30,24 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Login to docker container registry # ✅ 1) Auth to GCP (this is where your SA key is used)
uses: docker/login-action@v3 - name: Auth to GCP
uses: google-github-actions/auth@v2
with: with:
registry: ${{ vars.docker_repo2_registry }} # using your existing secret that contains the SA JSON
username: ${{ secrets.docker_repo2_username }} credentials_json: ${{ secrets.GCP_SA_KEY }}
password: ${{ secrets.docker_repo2_password }}
# ✅ 2) Install gcloud (no creds here)
- name: Set up gcloud
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ vars.GCP_PROJECT_ID }}
export_default_credentials: true
- name: Configure Docker for GAR
run: |
gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev
- name: Build the container image for bundle step - name: Build the container image for bundle step
run: | run: |
@ -59,16 +71,17 @@ jobs:
echo "Running: ls $destination_path" echo "Running: ls $destination_path"
ls $destination_path ls $destination_path
- name: Upload cloud files - name: Configure AWS credentials
uses: https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0 uses: aws-actions/configure-aws-credentials@v4
env:
AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }}
AWS_DEFAULT_REGION: ${{ vars.aws_default_region }}
with: with:
args: > aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
s3 cp \ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ vars.AWS_DEFAULT_REGION }}
- name: Upload cloud files
run: |
aws s3 cp \
--recursive \ --recursive \
--cache-control max-age=31536000 \ --cache-control max-age=31536000 \
--storage-class 'STANDARD_IA' \ --storage-class STANDARD_IA \
cloud/ s3://${{ vars.aws_upload_bucket }}/${{ env.REPO_SHORT_NAME }}/${{ steps.get-id.outputs.BUILD_ID }} cloud/ s3://${{ vars.AWS_UPLOAD_BUCKET }}/${{ env.REPO_SHORT_NAME }}/${{ steps.get-id.outputs.BUILD_ID }}
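Review bot: The replacement still authenticates to AWS with a static key pair (`aws-access-key-id` / `aws-secret-access-key` read from repository secrets), which is the long-lived credential GitHub-hosted runners let you drop: `aws-actions/configure-aws-credentials@v4` supports OIDC, so with `permissions: id-token: write` on the job and `role-to-assume: arn:aws:iam::<account>:role/<upload-role>` plus `aws-region:` in `with:`, no `AWS_SECRET_ACCESS_KEY` needs to exist in secrets at all (this requires an IAM OIDC provider and a role trust policy scoped to this repository, which I cannot verify from here). If the static keys must stay for now, note it on the step — `# TODO: switch to OIDC role-to-assume once the IAM trust policy for this repo exists` — and confirm the IAM user behind them is limited to `s3:PutObject` on `${{ vars.AWS_UPLOAD_BUCKET }}`. The `aws s3 cp` destination interpolates `${{ steps.get-id.outputs.BUILD_ID }}`, which is derived from the branch name in `get-id` above this hunk; if that value is ever sanitised or quoted there, the path here inherits it, so keep the two in sync.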


@ -0,0 +1,13 @@
{"action":"enter","driver":"fab-new","event":"stage-transition","stage":"intake","ts":"2026-04-06T12:01:00Z"}
{"args":"Migrate *-gcp workflows to GitHub Actions, archive non-GCP workflows, rename GCP workflows to drop suffix, replace aws-cli-action with aws-actions/configure-aws-credentials","cmd":"fab-new","event":"command","ts":"2026-04-06T12:01:00Z"}
{"delta":"+4.4","event":"confidence","score":4.4,"trigger":"calc-score","ts":"2026-04-06T12:01:54Z"}
{"delta":"+0.0","event":"confidence","score":4.4,"trigger":"calc-score","ts":"2026-04-06T12:02:15Z"}
{"cmd":"fab-ff","event":"command","ts":"2026-04-06T12:08:20Z"}
{"delta":"+0.3","event":"confidence","score":4.7,"trigger":"calc-score","ts":"2026-04-06T12:09:03Z"}
{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"spec","ts":"2026-04-06T12:09:06Z"}
{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"tasks","ts":"2026-04-06T12:09:37Z"}
{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"apply","ts":"2026-04-06T12:09:37Z"}
{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"review","ts":"2026-04-06T12:11:03Z"}
{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"hydrate","ts":"2026-04-06T12:12:36Z"}
{"event":"review","result":"passed","ts":"2026-04-06T12:12:36Z"}
{"action":"enter","driver":"fab-ff","event":"stage-transition","stage":"ship","ts":"2026-04-06T12:12:40Z"}


@ -0,0 +1,42 @@
id: vhk4
name: 260406-vhk4-migrate-workflows-github-actions
created: 2026-04-06T12:01:00Z
created_by: amitrajput1992
change_type: ci
issues: []
progress:
intake: done
spec: done
tasks: done
apply: done
review: done
hydrate: done
ship: active
review-pr: pending
checklist:
generated: true
path: checklist.md
completed: 15
total: 15
confidence:
certain: 9
confident: 1
tentative: 0
unresolved: 0
score: 4.7
fuzzy: true
dimensions:
signal: 92.0
reversibility: 88.0
competence: 91.5
disambiguation: 88.0
stage_metrics:
intake: {started_at: "2026-04-06T12:01:00Z", driver: fab-new, iterations: 1, completed_at: "2026-04-06T12:09:06Z"}
spec: {started_at: "2026-04-06T12:09:06Z", driver: fab-ff, iterations: 1, completed_at: "2026-04-06T12:09:37Z"}
tasks: {started_at: "2026-04-06T12:09:37Z", driver: fab-ff, iterations: 1, completed_at: "2026-04-06T12:09:37Z"}
apply: {started_at: "2026-04-06T12:09:37Z", driver: fab-ff, iterations: 1, completed_at: "2026-04-06T12:11:03Z"}
review: {started_at: "2026-04-06T12:11:03Z", driver: fab-ff, iterations: 1, completed_at: "2026-04-06T12:12:36Z"}
hydrate: {started_at: "2026-04-06T12:12:36Z", driver: fab-ff, iterations: 1, completed_at: "2026-04-06T12:12:40Z"}
ship: {started_at: "2026-04-06T12:12:40Z", driver: fab-ff, iterations: 1}
prs: []
last_updated: 2026-04-06T12:12:40Z


@ -0,0 +1,34 @@
# Quality Checklist: Migrate Workflows to GitHub Actions
**Change**: 260406-vhk4-migrate-workflows-github-actions
**Generated**: 2026-04-06
**Spec**: `spec.md`
## Functional Completeness
- [x] CHK-001 Archive: 4 non-GCP files exist in `.github/workflows/archive/`
- [x] CHK-002 Archive: 4 non-GCP files no longer exist in `.github/workflows/`
- [x] CHK-003 Rename: 4 GCP files renamed without `-gcp` suffix
- [x] CHK-004 Rename: No `-gcp.yml` files remain in `.github/workflows/`
- [x] CHK-005 S3 fix: `push-s3.yml` uses `aws-actions/configure-aws-credentials@v4`
- [x] CHK-006 S3 fix: `push-s3.yml` uses inline `aws s3 cp` command (no external action)
## Behavioral Correctness
- [x] CHK-007 GCP auth steps identical in all 4 renamed workflows (auth@v2, setup-gcloud@v2, configure-docker)
- [x] CHK-008 All runners are `ubuntu-22.04`
- [x] CHK-009 Grype scanning remains commented out in all workflows
- [x] CHK-010 AWS secret/var names are uppercase: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_DEFAULT_REGION`, `AWS_UPLOAD_BUCKET`
- [x] CHK-011 S3 upload preserves all flags: `--recursive`, `--cache-control max-age=31536000`, `--storage-class STANDARD_IA`
## Scenario Coverage
- [x] CHK-012 Archive directory exists with correct files
- [x] CHK-013 S3 destination path matches pattern: `s3://{bucket}/{repo_short_name}/{build_id}`
## Code Quality
- [x] CHK-014 Pattern consistency: Workflow YAML follows existing naming and structural patterns
- [x] CHK-015 No unnecessary duplication: No Gitea-specific references remain in active workflows
## Notes
- Check items as you review: `- [x]`
- All items must pass before `/fab-continue` (hydrate)
- If an item is not applicable, mark checked and prefix with **N/A**: `- [x] CHK-008 **N/A**: {reason}`


@ -0,0 +1,108 @@
# Intake: Migrate Workflows to GitHub Actions
**Change**: 260406-vhk4-migrate-workflows-github-actions
**Created**: 2026-04-06
**Status**: Draft
## Origin
> Migrate the GitHub workflows ending with *-gcp to be compatible with GitHub Actions. Currently used inside a self-hosted Gitea instance. Once migrated, the repo moves to GitHub directly.
Conversational mode — extensive discussion preceded this intake. User confirmed all key decisions (see Assumptions).
## Why
The build-tools repo currently lives on a self-hosted Gitea instance. The organization is moving it to GitHub. The `*-gcp` workflow variants already use GitHub-compatible actions (`google-github-actions/auth@v2`, `actions/checkout@v4`, etc.) but one workflow (`push-s3-gcp.yml`) references a Gitea-hosted action (`https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0`) that GitHub Actions cannot resolve. The non-GCP workflows use Gitea-specific registry credentials (`docker_repo2_*`) that won't be needed on GitHub.
Without this change, the repo cannot be moved to GitHub — workflows would fail on first run.
## What Changes
### 1. Archive non-GCP workflows
Move these 4 files to `.github/workflows/archive/`:
- `base-build-image.yml`
- `dispatch-container-base.yml`
- `push-container.yml`
- `push-s3.yml`
### 2. Rename GCP workflows (drop `-gcp` suffix)
- `base-build-image-gcp.yml``base-build-image.yml`
- `dispatch-container-base-gcp.yml``dispatch-container-base.yml`
- `push-container-gcp.yml``push-container.yml`
- `push-s3-gcp.yml``push-s3.yml`
### 3. Fix `push-s3.yml` (formerly `push-s3-gcp.yml`)
Replace the Gitea-hosted `aws-cli-action` with the pattern from `dg2n-core`:
```yaml
# Replace this:
- name: Upload cloud files
uses: https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0
env:
AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
...
with:
args: >
s3 cp ...
# With this:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ vars.AWS_DEFAULT_REGION }}
- name: Upload cloud files
run: |
aws s3 cp \
--recursive \
--cache-control max-age=31536000 \
--storage-class STANDARD_IA \
cloud/ s3://${{ vars.AWS_UPLOAD_BUCKET }}/${{ env.REPO_SHORT_NAME }}/${{ steps.get-id.outputs.BUILD_ID }}
```
Also uppercase the AWS secret/var names to match dg2n-core convention: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_DEFAULT_REGION`, `AWS_UPLOAD_BUCKET`.
### 4. No changes to other workflows
These 5 workflows remain untouched — they already use standard GitHub Actions:
- `pr-lint-and-check.yml`
- `push-code-test.yml`
- `push-code-scan.yml`
- `push-npm.yml`
- `push-npm-from-container.yml`
## Affected Memory
- None — no spec-level behavior changes requiring memory updates.
## Impact
- `.github/workflows/` — 4 files archived, 4 files renamed, 1 file content-modified
- All consuming repos that call these reusable workflows will need to update their `uses:` references to drop the `-gcp` suffix
- GCP auth pattern (secrets/vars) stays identical — no infra changes needed
- Grype scanning stays disabled (commented out) in all GCP workflows
## Open Questions
- None — all questions resolved in discussion.
## Assumptions
| # | Grade | Decision | Rationale | Scores |
|---|-------|----------|-----------|--------|
| 1 | Certain | Non-GCP workflows archived, not deleted | Discussed — user explicitly said "put them in an archive folder" | S:95 R:90 A:95 D:90 |
| 2 | Certain | GCP workflows renamed to drop `-gcp` suffix | Discussed — user confirmed "yes lets remove gcp suffix" | S:95 R:85 A:90 D:85 |
| 3 | Certain | Grype scanning stays disabled | Discussed — user said "dont enable grype scanning" | S:95 R:90 A:95 D:95 |
| 4 | Certain | Use `aws-actions/configure-aws-credentials@v4` + inline `aws s3 cp` instead of custom action | Discussed — follows dg2n-core pattern, user pointed to that repo as reference | S:95 R:90 A:90 D:85 |
| 5 | Certain | AWS secret/var names uppercased to match dg2n-core convention | Discussed — user said dg2n-core has correct env vars/secrets config | S:90 R:85 A:90 D:85 |
| 6 | Certain | Use GitHub-hosted `ubuntu-22.04` runners | Discussed — user confirmed standard GitHub runners, was using self-hosted on Gitea | S:95 R:90 A:95 D:90 |
| 7 | Certain | `push-s3-gcp.yml` hybrid (GCP Docker + AWS S3) stays as-is | Discussed — user confirmed "yes" | S:90 R:85 A:90 D:90 |
| 8 | Confident | Other 5 workflows need no changes | Discussed — user confirmed "yes rest remain untouched", though npm workflows have gmetri email which user said is fine to keep | S:85 R:80 A:85 D:80 |
| 9 | Confident | Archive folder is `.github/workflows/archive/` | Reasonable default — user said "archive folder" without specifying exact path | S:80 R:75 A:85 D:80 |
9 assumptions (7 certain, 2 confident, 0 tentative, 0 unresolved).


@ -0,0 +1,131 @@
# Spec: Migrate Workflows to GitHub Actions
**Change**: 260406-vhk4-migrate-workflows-github-actions
**Created**: 2026-04-06
**Affected memory**: None
## Non-Goals
- Enabling Grype vulnerability scanning — intentionally left disabled
- Modifying non-GCP workflows (`pr-lint-and-check.yml`, `push-code-test.yml`, `push-code-scan.yml`, `push-npm.yml`, `push-npm-from-container.yml`)
- Changing the GCP authentication pattern (secrets/vars remain identical)
- Updating consuming repos' `uses:` references (out of scope for this repo)
## Workflows: Archive Non-GCP Variants
### Requirement: Archive legacy workflows
The system SHALL move the 4 non-GCP workflow files to `.github/workflows/archive/` to preserve history without cluttering the active workflows directory.
Files to archive:
- `.github/workflows/base-build-image.yml`
- `.github/workflows/dispatch-container-base.yml`
- `.github/workflows/push-container.yml`
- `.github/workflows/push-s3.yml`
#### Scenario: Archive directory creation and file move
- **GIVEN** the 4 non-GCP workflow files exist in `.github/workflows/`
- **WHEN** the migration is applied
- **THEN** `.github/workflows/archive/` directory SHALL exist
- **AND** all 4 files SHALL be moved to `.github/workflows/archive/` with identical filenames
- **AND** the files SHALL no longer exist in `.github/workflows/`
## Workflows: Rename GCP Variants
### Requirement: Drop `-gcp` suffix from workflow filenames
The system SHALL rename the 4 GCP workflow files to remove the `-gcp` suffix, making them the canonical workflow files.
| Current name | New name |
|---|---|
| `base-build-image-gcp.yml` | `base-build-image.yml` |
| `dispatch-container-base-gcp.yml` | `dispatch-container-base.yml` |
| `push-container-gcp.yml` | `push-container.yml` |
| `push-s3-gcp.yml` | `push-s3.yml` |
#### Scenario: Rename after archive
- **GIVEN** the non-GCP files have been archived (no naming collision)
- **WHEN** the GCP files are renamed
- **THEN** each `-gcp.yml` file SHALL be renamed to the corresponding base name
- **AND** the original `-gcp.yml` files SHALL no longer exist
- **AND** the file contents SHALL be unchanged (rename only, no content modification at this stage)
## Workflows: Fix S3 Upload Action
### Requirement: Replace Gitea-hosted aws-cli-action
The `push-s3.yml` workflow (formerly `push-s3-gcp.yml`) SHALL replace the Gitea-hosted action reference with the `aws-actions/configure-aws-credentials@v4` action plus an inline `aws s3 cp` command, matching the pattern established in the `dg2n-core` repo.
#### Scenario: AWS credentials configuration
- **GIVEN** `push-s3.yml` has been renamed from `push-s3-gcp.yml`
- **WHEN** the S3 upload steps are updated
- **THEN** the `Upload cloud files` step using `https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0` SHALL be replaced with two steps:
1. A `Configure AWS credentials` step using `aws-actions/configure-aws-credentials@v4` with:
- `aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}`
- `aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}`
- `aws-region: ${{ vars.AWS_DEFAULT_REGION }}`
2. An `Upload cloud files` step using `run:` with inline `aws s3 cp` command
#### Scenario: AWS secret/var name casing
- **GIVEN** the current workflow uses lowercase secret names (`secrets.aws_access_key_id`, etc.)
- **WHEN** the S3 steps are replaced
- **THEN** all AWS secret and variable references SHALL use uppercase names:
- `secrets.AWS_ACCESS_KEY_ID` (was `secrets.aws_access_key_id`)
- `secrets.AWS_SECRET_ACCESS_KEY` (was `secrets.aws_secret_access_key`)
- `vars.AWS_DEFAULT_REGION` (was `vars.aws_default_region`)
- `vars.AWS_UPLOAD_BUCKET` (was `vars.aws_upload_bucket`)
#### Scenario: S3 upload command equivalence
- **GIVEN** the old action ran `s3 cp --recursive --cache-control max-age=31536000 --storage-class 'STANDARD_IA' cloud/ s3://{bucket}/{repo}/{build_id}`
- **WHEN** the inline command replaces it
- **THEN** the `aws s3 cp` command SHALL preserve all flags: `--recursive`, `--cache-control max-age=31536000`, `--storage-class STANDARD_IA`
- **AND** the destination path SHALL remain `s3://${{ vars.AWS_UPLOAD_BUCKET }}/${{ env.REPO_SHORT_NAME }}/${{ steps.get-id.outputs.BUILD_ID }}`
## Workflows: Preserve Existing Behavior
### Requirement: No functional changes to GCP auth
All 4 renamed workflows SHALL retain their existing GCP authentication steps unchanged:
- `google-github-actions/auth@v2` with `credentials_json: ${{ secrets.GCP_SA_KEY }}`
- `google-github-actions/setup-gcloud@v2` with `project_id: ${{ vars.GCP_PROJECT_ID }}`
- `gcloud auth configure-docker ${{ vars.GCP_REGION }}-docker.pkg.dev`
#### Scenario: GCP auth preserved after rename
- **GIVEN** any of the 4 renamed workflow files
- **WHEN** the file content is inspected
- **THEN** the GCP auth steps SHALL be identical to the original `-gcp` variant
### Requirement: Runners use GitHub-hosted ubuntu-22.04
All workflows SHALL use `runs-on: ubuntu-22.04` (GitHub-hosted runners). No self-hosted runner references.
#### Scenario: Runner specification
- **GIVEN** any workflow file in `.github/workflows/` (excluding archive)
- **WHEN** the `runs-on` value is inspected
- **THEN** it SHALL be `ubuntu-22.04`
### Requirement: Grype scanning remains disabled
All workflows SHALL keep Grype vulnerability scanning commented out. No uncommented `anchore/scan-action` steps.
#### Scenario: Grype stays commented
- **GIVEN** any workflow that previously had Grype scanning commented out
- **WHEN** the migration is complete
- **THEN** the Grype scanning steps SHALL remain commented out
## Assumptions
| # | Grade | Decision | Rationale | Scores |
|---|-------|----------|-----------|--------|
| 1 | Certain | Non-GCP workflows archived to `.github/workflows/archive/`, not deleted | Confirmed from intake #1 — user explicit | S:95 R:90 A:95 D:90 |
| 2 | Certain | GCP workflows renamed to drop `-gcp` suffix | Confirmed from intake #2 — user explicit | S:95 R:85 A:90 D:85 |
| 3 | Certain | Grype scanning stays disabled (commented out) | Confirmed from intake #3 — user explicit | S:95 R:90 A:95 D:95 |
| 4 | Certain | Use `aws-actions/configure-aws-credentials@v4` + inline `aws s3 cp` | Confirmed from intake #4 — matches dg2n-core reference | S:95 R:90 A:90 D:85 |
| 5 | Certain | AWS secret/var names uppercased to match dg2n-core | Confirmed from intake #5 — user said dg2n-core is correct | S:90 R:85 A:90 D:85 |
| 6 | Certain | GitHub-hosted `ubuntu-22.04` runners | Confirmed from intake #6 — already the value in all workflows | S:95 R:90 A:95 D:90 |
| 7 | Certain | S3 upload hybrid (GCP Docker + AWS S3) stays as-is | Confirmed from intake #7 — user explicit | S:90 R:85 A:90 D:90 |
| 8 | Certain | Other 5 workflows unchanged | Upgraded from intake #8 Confident — user confirmed explicitly | S:90 R:85 A:90 D:85 |
| 9 | Confident | Archive folder path is `.github/workflows/archive/` | Carried from intake #9 — user said "archive folder", path is reasonable convention | S:80 R:85 A:85 D:80 |
| 10 | Certain | Archive must happen before rename to avoid filename collisions | Ordering constraint derived from spec — both old and new files share the same base names | S:95 R:95 A:95 D:95 |
10 assumptions (9 certain, 1 confident, 0 tentative, 0 unresolved).


@ -0,0 +1,28 @@
# Tasks: Migrate Workflows to GitHub Actions
**Change**: 260406-vhk4-migrate-workflows-github-actions
**Spec**: `spec.md`
**Intake**: `intake.md`
## Phase 1: Archive Non-GCP Workflows
- [x] T001 Create `.github/workflows/archive/` directory and move `base-build-image.yml`, `dispatch-container-base.yml`, `push-container.yml`, `push-s3.yml` into it
## Phase 2: Rename GCP Workflows
- [x] T002 [P] Rename `.github/workflows/base-build-image-gcp.yml``.github/workflows/base-build-image.yml`
- [x] T003 [P] Rename `.github/workflows/dispatch-container-base-gcp.yml``.github/workflows/dispatch-container-base.yml`
- [x] T004 [P] Rename `.github/workflows/push-container-gcp.yml``.github/workflows/push-container.yml`
- [x] T005 [P] Rename `.github/workflows/push-s3-gcp.yml``.github/workflows/push-s3.yml`
## Phase 3: Fix S3 Upload Action
- [x] T006 In `.github/workflows/push-s3.yml`, replace the Gitea-hosted `aws-cli-action` step with `aws-actions/configure-aws-credentials@v4` + inline `aws s3 cp`, and uppercase all AWS secret/var names (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_DEFAULT_REGION`, `AWS_UPLOAD_BUCKET`)
---
## Execution Order
- T001 must complete before T002-T005 (archive frees the base filenames)
- T002-T005 are independent and parallel
- T006 depends on T005 (operates on the renamed `push-s3.yml`)