Tag docker images with git hashes and tags (#107)

The build step that previously existed now adds the short commit SHA as a docker tag, in addition to latest. There is an additional trigger that fires on tags that will pull the docker image with the commit SHA corresponding to the tag, and then push it with the git tag as a docker tag.
transparency-dev · Feb 22, 2024 · dad04e2 · dad04e2
1 parent 2badd90
commit dad04e2
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 7 deletions.
diff --git a/deployment/modules/cloudbuild/main.tf b/deployment/modules/cloudbuild/main.tf
@@ -26,7 +26,7 @@ resource "google_artifact_registry_repository" "distributor_docker" {
 
 locals {
   artifact_repo  = "${var.region}-docker.pkg.dev/${var.project_id}/${google_artifact_registry_repository.distributor_docker.name}"
-  docker_address = "${local.artifact_repo}/distributor:latest"
+  docker_image   = "${local.artifact_repo}/distributor"
 }
 
 resource "google_cloudbuild_trigger" "distributor_docker" {
@@ -47,7 +47,8 @@ resource "google_cloudbuild_trigger" "distributor_docker" {
       name = "gcr.io/cloud-builders/docker"
       args = [
         "build",
-        "-t", "${local.docker_address}",
+        "-t", "${local.docker_image}:$SHORT_SHA",
+        "-t", "${local.docker_image}:latest",
         "-f", "./cmd/Dockerfile",
         "."
       ]
@@ -56,7 +57,8 @@ resource "google_cloudbuild_trigger" "distributor_docker" {
       name = "gcr.io/cloud-builders/docker"
       args = [
         "push",
-        local.docker_address
+        "--all-tags",
+        local.docker_image
       ]
     }
     # Deploy container image to Cloud Run
@@ -68,7 +70,7 @@ resource "google_cloudbuild_trigger" "distributor_docker" {
         "deploy",
         var.cloud_run_service,
         "--image",
-        local.docker_address,
+        "${local.docker_image}:$SHORT_SHA",
         "--region",
         var.region
       ]
@@ -79,6 +81,54 @@ resource "google_cloudbuild_trigger" "distributor_docker" {
   }
 }
 
+# When a new tag is pushed to GitHub, add that tag to the docker
+# image that was already pushed to the repo for the corresponding
+# commit hash.
+# This requires that the above step has already completed, but that
+# seems like a fair assumption given that we'd have deployed it in ci
+# before tagging it.
+resource "google_cloudbuild_trigger" "distributor_docker_tag" {
+  name            = "tag-distributor-docker-${var.env}"
+  service_account = google_service_account.cloudbuild_service_account.id
+  location        = var.region
+
+  github {
+    owner = "transparency-dev"
+    name  = "distributor"
+    push {
+      tag = ".*"
+    }
+  }
+
+  build {
+    step {
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "pull",
+        "${local.docker_image}:$SHORT_SHA",
+      ]
+    }
+    step {
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "tag",
+        "${local.docker_image}:$SHORT_SHA",
+        "${local.docker_image}:$TAG_NAME",
+      ]
+    }
+    step {
+      name = "gcr.io/cloud-builders/docker"
+      args = [
+        "push",
+        "${local.docker_image}:$TAG_NAME",
+      ]
+    }
+    options {
+      logging = "CLOUD_LOGGING_ONLY"
+    }
+  }
+}
+
 resource "google_service_account" "cloudbuild_service_account" {
   account_id   = "cloudbuild-${var.env}-sa"
   display_name = "Service Account for CloudBuild (${var.env})"

diff --git a/deployment/modules/cloudbuild/outputs.tf b/deployment/modules/cloudbuild/outputs.tf
@@ -29,7 +29,7 @@ output "cloudbuild_trigger_id" {
   value       = google_cloudbuild_trigger.distributor_docker.id
 }
 
-output "docker_image_latest" {
-  description = "The address of the latest docker image that will be built"
-  value       = local.docker_address
+output "docker_image" {
+  description = "The address of the docker image that will be built"
+  value       = local.docker_image
 }