mozilla · Vinnl · Dec 18, 2025
diff --git a/.github/workflows/docker_build_deploy.yml b/.github/workflows/docker_build_deploy.yml
@@ -1,66 +1,95 @@
-name: Build Docker image and publish
+name: Build Docker image and publish to GAR
 
 permissions: {}
 
 on:
   push:
-    branches: [ main ]
+    branches:
+      - main
+    tags:
+      - "*"
+
 jobs:
-  push_to_registry:
-    name: Push Docker image to Docker Hub
+  build_and_push_to_gar:
+    # Define permissions at the job level
+    permissions:
+      contents: "read" # Needed for checkout
+      id-token: "write" # Needed for GCP auth
+      packages: "none" # Explicitly disable package permissions
+    name: Build and Push Docker image to GAR
     runs-on: ubuntu-latest
+    environment: build
+    env:
+      GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }} # Base name for GAR image
+      GAR_REGISTRY: us-docker.pkg.dev
     steps:
       - name: Check out the repo
         uses: actions/checkout@v6
         with:
           persist-credentials: false
 
-      - name: Log in to Docker Hub
+      - name: Authenticate to Google Cloud
+        id: gcp-auth
+        uses: google-github-actions/auth@v3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }}
+
+      - name: Login to Artifact Registry
+        id: gar-login
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          registry: ${{ env.GAR_REGISTRY }}
+          username: oauth2accesstoken
+          password: ${{ steps.gcp-auth.outputs.access_token }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: mozilla/blurts-server
+          # Only generate the image name for GAR
+          images: ${{ env.GAR_IMAGE_BASE }}
           tags: |
-            type=semver,pattern={{raw}}
-            type=raw,value={{sha}},event=tag
+            # Generate tag based on short commit SHA
+            type=sha,format=short,prefix=
 
       - name: Create version.json
         run: |
+          # Use full sha here for version.json content
           echo "{\"commit\":\"$GITHUB_SHA\",\"version\":\"$GITHUB_REF_NAME\",\"source\":\"https://github.com/$GITHUB_REPOSITORY\",\"build\":\"$GITHUB_RUN_ID\"}" > version.json
 
-      - name: Check Docker Version
-        run: docker --version
-      - name: Install Latest Docker
-        run: |
-          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
-          sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu  $(lsb_release -cs)  stable"
-          sudo apt-get update
-          sudo apt-get install docker-ce
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
 
-      - name: Build Docker image
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Docker image to GAR
+        id: build-and-push
         env:
-          UPLOAD_SENTRY_SOURCEMAPS: true
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_RELEASE: ${{ github.ref_name }}
-          NEXT_PUBLIC_SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-        run: |
-          docker build --tag blurts-server \
-            --build-arg SENTRY_RELEASE="$SENTRY_RELEASE" \
-            --build-arg NEXT_PUBLIC_SENTRY_DSN="$NEXT_PUBLIC_SENTRY_DSN" \
-            --secret id=SENTRY_AUTH_TOKEN \
-            .
+          TAGS: ${{ steps.meta.outputs.tags }}
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          # Push is true to push to GAR after build
+          push: true
+          # Tags generated by the metadata action (only GAR tag)
+          tags: ${{ env.TAGS }}
+          # Pass build arguments
+          build-args: |
+            SENTRY_RELEASE=${{ github.sha }}
+            NEXT_PUBLIC_SENTRY_DSN=${{ secrets.SENTRY_DSN }}
+          # Pass secrets securely to the build
+          secrets: |
+            SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
+          # Enable build cache for faster builds (optional but recommended)
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      - name: Deploy to Dockerhub
+      - name: Print Image URI
         env:
-          DOCKERHUB_REPO: ${{ env.DOCKERHUB_REPO }}
           TAGS: ${{ steps.meta.outputs.tags }}
         run: |
-          # deploy main
-          docker tag blurts-server $TAGS
-          docker push $TAGS
+          echo "Pushed GAR image: $TAGS"
diff --git a/.github/workflows/docker_build_deploy_v2.yml b/.github/workflows/docker_build_deploy_v2.yml
diff --git a/.github/workflows/release_retag.yaml b/.github/workflows/release_retag.yaml
@@ -1,45 +1,83 @@
-name: Retag and Push Docker Image on Release
+name: Retag and Push GAR Image on Release
 
 permissions: {}
 
-# GH release should always create a tag automatically
 on:
   push:
     tags:
       - '*'
 
 jobs:
-  retag-and-push:
+  retag-and-push-gar:
+    permissions:
+      contents: "read" # Needed for checkout
+      id-token: "write" # Needed for GCP auth
+      packages: "none" # Explicitly disable package permissions
+    name: Retag and Push GAR image
     runs-on: ubuntu-latest
-
+    environment: build
+    env:
+      GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }}
     steps:
     - name: Check out the repo
       uses: actions/checkout@v6
       with:
-        persist-credentials: false
+        persist-credentials: false # Not strictly needed for retagging, but good practice
+
+    - name: Authenticate to Google Cloud
+      id: gcp-auth
+      uses: google-github-actions/auth@v3
+      with:
+        token_format: access_token
+        workload_identity_provider: ${{ vars.GCPV2_GITHUB_WORKLOAD_IDENTITY_PROVIDER }}
+        service_account: ${{ vars.GCP_GAR_SERVICE_ACCOUNT }}
 
-    - name: Log in to Docker Hub
+    - name: Login to Artifact Registry
+      id: gar-login
       uses: docker/login-action@v3
       with:
-        username: ${{ secrets.DOCKER_USERNAME }}
-        password: ${{ secrets.DOCKER_PASSWORD }}
+        registry: us-docker.pkg.dev
+        username: oauth2accesstoken
+        password: ${{ steps.gcp-auth.outputs.access_token }}
 
     - name: Extract metadata (tags, labels) for Docker
       id: meta
       uses: docker/metadata-action@v5
       with:
-        images: mozilla/blurts-server
-        tags: type=sha,format=short,prefix=
+        # Use the GAR image base
+        images: ${{ env.GAR_IMAGE_BASE }}
+        tags: |
+          # Only generate the tag based on short commit SHA
+          type=sha,format=short,prefix=
+
+    - name: Determine Release-tagged image name
+      id: release_tag_info
+      run: echo "name=${{ env.GAR_IMAGE_BASE }}:${{ github.ref_name }}" >> $GITHUB_OUTPUT
 
-    - name: Pull Docker image with commit tag
+    - name: Pull Docker image with commit tag from GAR
       env:
         TAGS: ${{ steps.meta.outputs.tags }}
-      run: docker pull $TAGS
+      run: |
+        echo "Pulling $TAGS"
+        docker pull $TAGS
 
     - name: Tag Docker image with release tag
       env:
         TAGS: ${{ steps.meta.outputs.tags }}
-      run: docker tag $TAGS mozilla/blurts-server:${{ github.ref_name }}
+        NAME: ${{ steps.release_tag_info.outputs.name }}
+      run: |
+        echo "Tagging $TAGS as $NAME"
+        docker tag $TAGS $NAME
 
-    - name: Push Docker image with release tag
-      run: docker push mozilla/blurts-server:${{ github.ref_name }}
+    - name: Push Docker image with release tag to GAR
+      env:
+        NAME: ${{ steps.release_tag_info.outputs.name }}
+      run: |
+        echo "Pushing $NAME"
+        docker push $NAME
+
+    - name: Print Image URI
+      env:
+        NAME: ${{ steps.release_tag_info.outputs.name }}
+      run: |
+        echo "Retagged and pushed GAR image: $NAME"