Feature/79895 Split build and release in two separate Github Actions jobs

.github/workflows/ci-cd-java.yml

@@ -1,17 +1,10 @@
 name: ci-cd-java.yml
 
-permissions:
-  contents: read
-  packages: read
+permissions: {}
 
 on:
   workflow_call:
     inputs:
-      # it is required for backwards compatibility with CI/CD pipelines that have not been yet fully migrated to shared workflows
-      uploadJarArtifact:
-        required: false
-        type: boolean
-        default: false
       performRelease:
         required: false
         type: boolean
@@ -32,15 +25,19 @@ env:
   IMAGE_NAME_MIXED_CASE: "${{ github.repository }}"
 
 jobs:
-  build-check-test-push:
-    name: Build, check, test, push
+  ci:
+    name: Build, check, test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           clean: 'true'
           fetch-depth: 2
+          persist-credentials: false
 
       # Required since custom scripts from /scripts are being used
       - name: Resolve shared workflow ref
@@ -66,6 +63,7 @@ jobs:
           repository: HSLdevcom/transitdata-shared-workflows
           ref: ${{ steps.resolve_shared_workflow_ref.outputs.shared_workflow_ref }}
           path: .shared-workflows
+          persist-credentials: false
 
       - name: Check if release build
         id: release_check
@@ -170,38 +168,44 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Upload .jar artifact
-        if: ${{ inputs.uploadJarArtifact }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+  release:
+    name: Build & push Docker image
+    needs: ci
+    if: >-
+      github.ref == 'refs/heads/main' ||
+      github.ref == 'refs/heads/develop' ||
+      github.ref == 'refs/heads/aks-dev' ||
+      startsWith(github.ref, 'refs/tags/') ||
+      inputs.performRelease == true
+    runs-on: ubuntu-latest
+    environment: docker-hub-release
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
-          name: 'app.jar'
-          path: '/app/app.jar'
+          clean: 'true'
+          persist-credentials: false
 
       - name: Set Docker Image Name
+        env:
+          IMAGE_NAME_INPUT: ${{ inputs.imageName }}
         run: |
           OWNER="${GITHUB_REPOSITORY%%/*}"
 
-          if [[ -n "${{ inputs.imageName }}" ]]; then
-            IMAGE_NAME="${OWNER,,}/${{ inputs.imageName }}"
+          if [[ -n "${IMAGE_NAME_INPUT}" ]]; then
+            IMAGE_NAME="${OWNER,,}/${IMAGE_NAME_INPUT}"
           else
             IMAGE_NAME="${GITHUB_REPOSITORY,,}"
           fi
 
           echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"
 
-      - name: Build Docker Image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
-        with:
-          context: ${{ inputs.workingDirectory }}
-          push: 'false'
-          tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}'
-          secrets: |
-            github_token=${{ secrets.GITHUB_TOKEN }}
-          build-args:
-            GITHUB_ACTOR=${{ github.actor }}
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Extract Docker metadata
-        if: ${{ steps.release_check.outputs.perform_release == 'true' }}
         id: meta
         uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
@@ -214,26 +218,19 @@ jobs:
             org.opencontainers.image.title=${{ env.IMAGE_NAME }}
             org.opencontainers.image.vendor=hsldevcom
 
-      - name: Setup Docker Buildx
-        if: ${{ steps.release_check.outputs.perform_release == 'true' }}
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
       - name: Login to Docker Hub
-        if: ${{ steps.release_check.outputs.perform_release == 'true' }}
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }}
 
       - name: Build & Push Docker image
-        if: ${{ steps.release_check.outputs.perform_release == 'true' }}
         uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: ${{ inputs.workingDirectory }}
-          push: ${{ steps.release_check.outputs.perform_release }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           secrets: |
             github_token=${{ secrets.GITHUB_TOKEN }}
-          build-args: |
-            GITHUB_ACTOR=${{ github.actor }}
+            github_actor=${{ github.actor }}

.github/workflows/ci-cd-kotlin.yml

@@ -1,22 +1,10 @@
 name: ci-cd-kotlin.yml
 
-permissions:
-  contents: read
-  packages: read
+permissions: {}
 
 on:
   workflow_call:
     inputs:
-      uploadJarArtifact:
-        required: false
-        type: boolean
-        default: false
-      jarArtifactName:
-        required: false
-        type: string
-      jarArtifactPath:
-        required: false
-        type: string
       performRelease:
         required: false
         type: boolean
@@ -34,15 +22,19 @@ env:
   IMAGE_NAME_MIXED_CASE: "${{ github.repository }}"
 
 jobs:
-  build-check-test-push:
-    name: Build, check, test, push
+  ci:
+    name: Build, check, test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           clean: 'true'
           fetch-depth: 2
+          persist-credentials: false
 
       # Required since custom scripts from /scripts are being used
       - name: Resolve shared workflow ref
@@ -67,6 +59,7 @@ jobs:
           repository: HSLdevcom/transitdata-shared-workflows
           ref: ${{ env.SHARED_WORKFLOW_REF }}
           path: .shared-workflows
+          persist-credentials: false
 
       - name: Check if release build
         id: release_check
@@ -106,24 +99,24 @@ jobs:
         if: ${{ inputs.runTestsInsideDocker }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_ACTOR_ARG: ${{ github.actor }}
+          GITHUB_ACTOR: ${{ github.actor }}
           DOCKER_BUILDKIT: "1"
         run: |
           cat > /tmp/Dockerfile.test << DOCKERFILE
           # syntax=docker/dockerfile:1
           # check=error=true
           FROM ${TEST_BASE_IMAGE}
           WORKDIR /usr/app
-          ARG GITHUB_ACTOR=github-actions
           COPY . .
           RUN --mount=type=secret,id=github_token \
+              --mount=type=secret,id=github_actor \
               export GITHUB_TOKEN="\$(cat /run/secrets/github_token)" && \
-              export GITHUB_ACTOR="\$GITHUB_ACTOR" && \
+              export GITHUB_ACTOR="\$(cat /run/secrets/github_actor)" && \
               ./gradlew test --stacktrace --no-daemon
           DOCKERFILE
           docker build \
             --secret id=github_token,env=GITHUB_TOKEN \
-            --build-arg "GITHUB_ACTOR=${GITHUB_ACTOR_ARG}" \
+            --secret id=github_actor,env=GITHUB_ACTOR \
             -f /tmp/Dockerfile.test \
             .
 
@@ -156,35 +149,40 @@ jobs:
           fail_ci_if_error: true
           report_type: test_results
 
-      - name: Upload .jar artifact
-        if: ${{ inputs.uploadJarArtifact }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: ${{ inputs.jarArtifactName }}
-          path: ${{ inputs.jarArtifactPath }}
-
       - name: Build artifact
         run: ./gradlew build -x test
         env:
           GITHUB_ACTOR: ${{ github.actor }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  release:
+    name: Build & push Docker image
+    needs: ci
+    if: >-
+      github.ref == 'refs/heads/main' ||
+      github.ref == 'refs/heads/develop' ||
+      github.ref == 'refs/heads/aks-dev' ||
+      startsWith(github.ref, 'refs/tags/') ||
+      inputs.performRelease == true
+    runs-on: ubuntu-latest
+    environment: docker-hub-release
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          clean: 'true'
+          persist-credentials: false
+
       - name: Lowercase Docker Image Name
         run: |
           echo "IMAGE_NAME=${IMAGE_NAME_MIXED_CASE,,}" >> "${GITHUB_ENV}"
-      - name: Build Docker Image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
-        with:
-          context: .
-          push: 'false'
-          tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}'
 
       - name: Setup Docker Buildx
-        if: steps.release_check.outputs.perform_release == 'true'
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Extract Docker metadata
-        if: steps.release_check.outputs.perform_release == 'true'
         id: meta
         uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
@@ -198,17 +196,15 @@ jobs:
             org.opencontainers.image.vendor=hsldevcom
 
       - name: Login to Docker Hub
-        if: steps.release_check.outputs.perform_release == 'true'
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }}
 
       - name: Build & Push Docker image
-        if: steps.release_check.outputs.perform_release == 'true'
         uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: .
-          push: ${{ steps.release_check.outputs.perform_release }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}