fxa/.github/workflows/docker.yml

name: Docker

on:
  push:
    tags:
      - '*'
  workflow_call:
    inputs:
      git_tag:
        type: string
        required: true
  workflow_dispatch:
    inputs:
      git_tag:
        type: string
        required: true

jobs:
  tag:
    name: Determine tag to build
    runs-on: ubuntu-latest
    permissions: {}
    outputs:
      TAG: ${{ steps.determine.outputs.tag }}
    steps:
      - id: determine
        run: |
          # workflow_dispatch
          if [[ "${{ inputs.git_tag }}" != "" ]]; then
            echo "tag=${{ inputs.git_tag }}" >> $GITHUB_OUTPUT
          # push
          elif [[ "${{ github.ref }}" != "" ]]; then
            echo "tag=$(cut -d \/ -f3 <(echo '${{ github.ref }}'))" >> $GITHUB_OUTPUT
          else
            echo "Cannot determine tag"
            exit 1
          fi          

  docker:
    name: Docker build and push to GAR
    runs-on: ubuntu-latest
    environment: build
    permissions:
      contents: read
      id-token: write
    env:
      GAR_LOCATION: us
      GAR_REPOSITORY: fxa-prod
      GCP_PROJECT_ID: moz-fx-fxa-prod
      IMAGE: fxa-mono
      RUN_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
      GIT_TAG: ${{ needs.tag.outputs.TAG }}
    needs:
      - tag
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ env.GIT_TAG }}

      - uses: actions/setup-node@v4
        with:
          cache: yarn

      - run: ./_scripts/l10n/clone.sh

      - run: ./.circleci/base-install.sh

      - run: ./_scripts/create-version-json.sh

      - uses: docker/setup-buildx-action@v3

      - id: gcp-auth
        uses: google-github-actions/auth@v2
        with:
          token_format: 'access_token'
          service_account: artifact-writer@${{ env.GCP_PROJECT_ID}}.iam.gserviceaccount.com
          workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}

      - uses: docker/login-action@v3
        with:
          registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.gcp-auth.outputs.access_token }}

      - id: build-and-push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: _dev/docker/mono/Dockerfile
          tags: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.GAR_REPOSITORY}}/${{ env.IMAGE}}:${{ env.GIT_TAG }}
          push: true
          cache-from: type=gha
          cache-to: type=gha,mode=max