feat(webapp,rbac): REQUIRE_PLUGINS=1 fail-fast for required plugin lo… #3205
| name: 🚀 Publish Trigger.dev Docker | |
| on: | |
| workflow_dispatch: | |
| workflow_call: | |
| inputs: | |
| image_tag: | |
| description: The image tag to publish | |
| required: true | |
| type: string | |
| secrets: | |
| DOCKERHUB_USERNAME: | |
| required: false | |
| DOCKERHUB_TOKEN: | |
| required: false | |
| SENTRY_AUTH_TOKEN: | |
| required: false | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - "v.docker.*" | |
| - "build-*" | |
| paths: | |
| - ".github/actions/**/*.yml" | |
| - ".github/workflows/publish.yml" | |
| - ".github/workflows/typecheck.yml" | |
| - ".github/workflows/unit-tests.yml" | |
| - ".github/workflows/e2e.yml" | |
| - ".github/workflows/publish-webapp.yml" | |
| - ".github/workflows/publish-worker.yml" | |
| - "packages/**" | |
| - "!packages/**/*.md" | |
| - "!packages/**/*.eslintrc" | |
| - "internal-packages/**" | |
| - "apps/**" | |
| - "!apps/**/*.md" | |
| - "!apps/**/*.eslintrc" | |
| - "pnpm-lock.yaml" | |
| - "pnpm-workspace.yaml" | |
| - "turbo.json" | |
| - "docker/Dockerfile" | |
| - "docker/scripts/**" | |
| - "tests/**" | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| env: | |
| AWS_REGION: us-east-1 | |
| jobs: | |
| typecheck: | |
| uses: ./.github/workflows/typecheck.yml | |
| units: | |
| uses: ./.github/workflows/unit-tests.yml | |
| secrets: | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
| DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | |
| publish-webapp: | |
| needs: [typecheck] | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| attestations: write | |
| uses: ./.github/workflows/publish-webapp.yml | |
| secrets: | |
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
| with: | |
| image_tag: ${{ inputs.image_tag }} | |
| # Target registry namespace. Defaults to ghcr.io/<owner> so a fork publishes | |
| # to its own namespace; set the IMAGE_REGISTRY repository variable to override. | |
| image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }} | |
| publish-worker: | |
| needs: [typecheck] | |
| permissions: | |
| contents: read | |
| packages: write | |
| uses: ./.github/workflows/publish-worker.yml | |
| secrets: | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
| DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | |
| with: | |
| image_tag: ${{ inputs.image_tag }} | |
| image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }} | |
| publish-worker-v4: | |
| needs: [typecheck] | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| uses: ./.github/workflows/publish-worker-v4.yml | |
| with: | |
| image_tag: ${{ inputs.image_tag }} | |
| image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }} | |
| # OS-level CVE scan of the image just published above. Report-only (writes to | |
| # the run summary); runs alongside the worker publishes and never blocks them. | |
| scan-webapp: | |
| needs: [publish-webapp] | |
| permissions: | |
| contents: read | |
| packages: read # pull the just-published image from GHCR | |
| uses: ./.github/workflows/trivy-image-webapp.yml | |
| with: | |
| image-ref: ${{ needs.publish-webapp.outputs.image_repo }}:${{ needs.publish-webapp.outputs.version }} |