fix: correct asset image naming in build pipeline

BrendanGalloway · BrendanGalloway · commit 95cab82feb3f · 2025-11-24T20:04:24.000+02:00
diff --git a/.github/workflows/build-images.yaml b/.github/workflows/build-images.yaml
@@ -4,253 +4,193 @@ on:
   workflow_call:
     inputs:
       git_ref:
-        description: 'Git reference to build from'
-        required: true
         type: string
-      image_tag:
-        description: 'Tag to apply to the images'
         required: true
+      image_tag:
         type: string
-      branch_name:
-        description: 'Formatted branch name for image naming'
         required: true
+      branch_name:
         type: string
-      environment:
-        description: 'Target environment (pr, staging, preprod, production)'
         required: true
+      environment:
         type: string
+        required: true
       push_to_prod_registry:
-        description: 'Whether to push to production registry (true for staging/preprod/prod)'
-        required: false
         type: boolean
         default: false
+
     outputs:
-      web_digest:
-        description: 'Digest of the web image'
-        value: ${{ jobs.build-web.outputs.digest }}
-      node_digest:
-        description: 'Digest of the node image'
-        value: ${{ jobs.build-node.outputs.digest }}
-      asset_digest:
-        description: 'Digest of the asset image'
-        value: ${{ jobs.build-asset.outputs.digest }}
-      image_tag:
-        description: 'The tag applied to all images'
-        value: ${{ inputs.image_tag }}
       web_image:
-        description: 'Full web image reference'
-        value: ${{ jobs.build-web.outputs.image }}
+        value: ${{ jobs.calculate.outputs.web_image }}
       node_image:
-        description: 'Full node image reference'
-        value: ${{ jobs.build-node.outputs.image }}
+        value: ${{ jobs.calculate.outputs.node_image }}
       asset_image:
-        description: 'Full asset image reference'
-        value: ${{ jobs.build-asset.outputs.image }}
+        value: ${{ jobs.calculate.outputs.asset_image }}
 
 jobs:
+  calculate:
+    name: "calculate variables for the pipeline"
+    runs-on: ubuntu-latest
+
+  outputs:
+    web_image: ${{ steps.images.output.web_image }}
+    node_image: ${{ steps.images.output.node_image }}
+    asset_image: ${{ steps.images.output.asset_image }}
+    datetime: ${{ steps.datetime.output.dt }}
+  steps:
+      - id: datetime
+        run: echo "dt=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
+      - name: Compute asset repo
+        id: images
+        run: |
+          if [ "${{ inputs.push_to_prod_registry }}" = "true" ]; then
+            project=${{ secrets.PROD_PROJECT }}
+          else
+            project=${{ secrets.DEV_PROJECT }}
+          fi
+
+          web="us-east1-docker.pkg.dev/$project/containers/sefaria-web"
+          node="us-east1-docker.pkg.dev/$project/containers/sefaria-node"
+          asset="us-east1-docker.pkg.dev/$project/containers/sefaria-asset"
+          if [ -n "${{ inputs.branch_name }}" ]; then
+            web="$web-${{ inputs.branch_name }}"
+            node="$node-${{ inputs.branch_name }}"
+            asset="$asset-${{ inputs.branch_name }}"
+          fi
+          echo "web_image=$web" >> $GITHUB_OUTPUT
+          echo "node_image=$node" >> $GITHUB_OUTPUT
+          echo "asset_image=$asset" >> $GITHUB_OUTPUT
+
+  ###########################################################################
+  # BUILD: web + node
+  ###########################################################################
   build-generic:
-    name: "Build ${{ matrix.app }} Image"
+    name: "Build ${{ matrix.app }} image"
     runs-on: ubuntu-latest
+
     permissions:
       contents: 'read'
       id-token: 'write'
+
+    needs: [calculate]
     strategy:
       matrix:
-        app: [ web, node ]
-    outputs:
-      web_digest: ${{ steps.output-web.outputs.digest }}
-      web_image: ${{ steps.output-web.outputs.image }}
-      node_digest: ${{ steps.output-node.outputs.digest }}
-      node_image: ${{ steps.output-node.outputs.image }}
+        - app: web
+          image: ${{ needs.calculate.outputs.web_image }}
+        - app: node
+          image: ${{ needs.calculate.outputs.node_image }}
+
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
+      - uses: actions/checkout@v4
+        with: 
           ref: ${{ inputs.git_ref }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+
+      ###########################################################################
+      # AUTH
+      ###########################################################################
       - id: auth
-        name: Authenticate to Google Cloud
         uses: google-github-actions/auth@v2
         with:
-          token_format: 'access_token'
-          workload_identity_provider: ${{ inputs.push_to_prod_registry && format('projects/{0}/locations/global/workloadIdentityPools/github/providers/github', secrets.PROD_GKE_PROJECT_ID) || format('projects/{0}/locations/global/workloadIdentityPools/github/providers/github', secrets.DEV_GKE_PROJECT_ID) }}
-          service_account: ${{ inputs.push_to_prod_registry && secrets.PROD_GKE_SA || secrets.DEV_GKE_SA }}
-      - name: Login to GAR
-        uses: docker/login-action@v3
+          token_format: access_token
+          workload_identity_provider: >-
+            ${{ inputs.push_to_prod_registry
+                && format('projects/{0}/locations/global/workloadIdentityPools/github/providers/github', secrets.PROD_GKE_PROJECT_ID)
+                || format('projects/{0}/locations/global/workloadIdentityPools/github/providers/github', secrets.DEV_GKE_PROJECT_ID) }}
+          service_account: >-
+            ${{ inputs.push_to_prod_registry && secrets.PROD_GKE_SA || secrets.DEV_GKE_SA }}
+
+      - uses: docker/login-action@v3
         with:
           registry: us-east1-docker.pkg.dev
           username: oauth2accesstoken
-          password: '${{ steps.auth.outputs.access_token }}'
-      - name: Get current date
-        id: date
-        run: echo "date=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
-      - name: Set registry path
-        id: registry
-        run: |
-          if [ "${{ inputs.push_to_prod_registry }}" = "true" ]; then
-            echo "project=${{ secrets.PROD_PROJECT }}" >> $GITHUB_OUTPUT
-          else
-            echo "project=${{ secrets.DEV_PROJECT }}" >> $GITHUB_OUTPUT
-          fi
-      - name: Determine Image URI
-        id: image_uri
-        run: |
-          if [ "${{ inputs.branch_name }}" = "" ]; then
-            echo "image_uri=us-east1-docker.pkg.dev/${{ steps.registry.outputs.project }}/containers/sefaria-${{ matrix.app }}" >> $GITHUB_OUTPUT
-          else
-            echo "image_uri=us-east1-docker.pkg.dev/${{ steps.registry.outputs.project }}/containers/sefaria-${{ matrix.app }}-${{ inputs.branch_name }}" >> $GITHUB_OUTPUT
-          fi
-      - name: Generate image metadata
-        id: meta
+          password: ${{ steps.auth.outputs.access_token }}
+
+      ###########################################################################
+      # METADATA (tags)
+      ###########################################################################
+      - id: meta
         uses: docker/metadata-action@v3
         with:
-          images: |
-            ${{ steps.image_uri.outputs.image_uri }}
+          images: ${{ matrix.image }}
           tags: |
+            type=raw,value=${{ inputs.image_tag }}-${{ needs.calculate.output.datetime }}
             type=raw,value=${{ inputs.image_tag }}
-            type=raw,value=${{ inputs.image_tag }}-${{ steps.date.outputs.date }}
             type=raw,value=latest
-          flavor: |
-            latest=false
-      - name: Build and push
-        id: build
+          flavor: latest=false
+
+      ###########################################################################
+      # BUILD AND PUSH
+      ###########################################################################
+      - id: build
         uses: docker/build-push-action@v6
         with:
           context: .
-          push: true
-          build-args: |
-            TYPE=build
           file: ./build/${{ matrix.app }}/Dockerfile
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      # Output digest for web
-      - name: Output web digest
-        id: output-web
-        if: matrix.app == 'web'
-        run: |
-          echo "digest=${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT
-          echo "image=${{steps.image_uri.outputs.image_uri }}" >> $GITHUB_OUTPUT
-      # Output digest for node
-      - name: Output node digest
-        id: output-node
-        if: matrix.app == 'node'
-        run: |
-          echo "digest=${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT
-          echo "image=${{steps.image_uri.outputs.image_uri }}" >> $GITHUB_OUTPUT
 
-  # Consolidate outputs from matrix job
-  build-web:
-    name: "Web Image Output"
-    runs-on: ubuntu-latest
-    needs: build-generic
-    outputs:
-      digest: ${{ needs.build-generic.outputs.web_digest }}
-      image: ${{ needs.build-generic.outputs.web_image }}
-    steps:
-      - run: echo "Web image built"
 
-  build-node:
-    name: "Node Image Output"
+  ###########################################################################
+  # BUILD ASSET IMAGE (depends on full digest of web)
+  ###########################################################################
+  build_asset:
+    needs: [calculate, build-generic]
     runs-on: ubuntu-latest
-    needs: build-generic
-    outputs:
-      digest: ${{ needs.build-generic.outputs.node_digest }}
-      image: ${{ needs.build-generic.outputs.node_image }}
-    steps:
-      - run: echo "Node image built"
 
-  # Build derived image (asset) that depends on web
-  build-asset:
-    name: "Build Asset Image"
-    runs-on: ubuntu-latest
-    needs: build-generic
     permissions:
       contents: 'read'
       id-token: 'write'
-    outputs:
-      digest: ${{ steps.build.outputs.digest }}
-      image: ${{ steps.output.outputs.image }}
+
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
+      - uses: actions/checkout@v4
+        with: 
           ref: ${{ inputs.git_ref }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+
       - id: auth
-        name: Authenticate to Google Cloud
         uses: google-github-actions/auth@v2
         with:
-          token_format: 'access_token'
-          workload_identity_provider: ${{ inputs.push_to_prod_registry && format('projects/{0}/locations/global/workloadIdentityPools/github/providers/github', secrets.PROD_GKE_PROJECT_ID) || format('projects/{0}/locations/global/workloadIdentityPools/github/providers/github', secrets.DEV_GKE_PROJECT_ID) }}
-          service_account: ${{ inputs.push_to_prod_registry && secrets.PROD_GKE_SA || secrets.DEV_GKE_SA }}
-      - name: Login to GAR
-        uses: docker/login-action@v3
+          token_format: access_token
+          workload_identity_provider: >-
+            ${{ inputs.push_to_prod_registry
+                && format('projects/{0}/locations/global/workloadIdentityPools/github/providers/github', secrets.PROD_GKE_PROJECT_ID)
+                || format('projects/{0}/locations/global/workloadIdentityPools/github/providers/github', secrets.DEV_GKE_PROJECT_ID) }}
+          service_account: >-
+            ${{ inputs.push_to_prod_registry && secrets.PROD_GKE_SA || secrets.DEV_GKE_SA }}
+
+      - uses: docker/login-action@v3
         with:
           registry: us-east1-docker.pkg.dev
           username: oauth2accesstoken
-          password: '${{ steps.auth.outputs.access_token }}'
-      - name: Get current date
-        id: date
-        run: echo "date=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
-      - name: Set registry path
-        id: registry
-        run: |
-          if [ "${{ inputs.push_to_prod_registry }}" = "true" ]; then
-            echo "project=${{ secrets.PROD_PROJECT }}" >> $GITHUB_OUTPUT
-          else
-            echo "project=${{ secrets.DEV_PROJECT }}" >> $GITHUB_OUTPUT
-          fi
-      - name: Generate image metadata
-        id: meta
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - id: meta
         uses: docker/metadata-action@v3
         with:
-          images: |
-            us-east1-docker.pkg.dev/${{ steps.registry.outputs.project }}/containers/sefaria-asset-${{ inputs.branch_name }}
+          images: ${{ needs.calculate.outputs.asset_image }}
           tags: |
+            type=raw,value=${{ inputs.image_tag }}-${{ needs.calculate.outputs.datetime }}
             type=raw,value=${{ inputs.image_tag }}
-            type=raw,value=${{ inputs.image_tag }}-${{ steps.date.outputs.date }}
             type=raw,value=latest
-          flavor: |
-            latest=false
-      - name: Build and push
-        id: build
+          flavor: latest=false
+
+      ###########################################################################
+      # BUILD ASSET (uses full web digest reference)
+      ###########################################################################
+      - id: build
         uses: docker/build-push-action@v6
         with:
           context: .
+          file: ./build/asset/Dockerfile
           push: true
           build-args: |
-            SRC_IMG=us-east1-docker.pkg.dev/${{ steps.registry.outputs.project }}/containers/sefaria-web-${{ inputs.branch_name }}:${{ inputs.image_tag }}
-          file: ./build/asset/Dockerfile
+            SRC_IMG=${{ needs.calculate.outputs.web_image }}:${{ inputs.image_tag }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - name: Output asset info
-        id: output
-        run: |
-          echo "image=us-east1-docker.pkg.dev/${{ steps.registry.outputs.project }}/containers/sefaria-asset-${{ inputs.branch_name }}:${{ inputs.image_tag }}" >> $GITHUB_OUTPUT
 
-  # Summary job
-  summary:
-    name: Build Summary
-    runs-on: ubuntu-latest
-    needs: [build-web, build-node, build-asset]
-    if: always()
-    steps:
-      - name: Output build summary
-        run: |
-          echo "### Docker Images Built and Pushed :whale:" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "**Environment:** ${{ inputs.environment }}" >> $GITHUB_STEP_SUMMARY
-          echo "**Branch Name:** ${{ inputs.branch_name }}" >> $GITHUB_STEP_SUMMARY
-          echo "**Tag:** ${{ inputs.image_tag }}" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Image | Status | Digest |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|--------|--------|" >> $GITHUB_STEP_SUMMARY
-          echo "| sefaria-web | ${{ needs.build-web.result }} | \`${{ needs.build-web.outputs.digest }}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| sefaria-node | ${{ needs.build-node.result }} | \`${{ needs.build-node.outputs.digest }}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| sefaria-asset | ${{ needs.build-asset.result }} | \`${{ needs.build-asset.outputs.digest }}\` |" >> $GITHUB_STEP_SUMMARY
