From 2dbd902c3cdffcc03dca87feb49dedd544ed8917 Mon Sep 17 00:00:00 2001 From: fkwp Date: Fri, 6 Feb 2026 11:42:43 +0100 Subject: [PATCH 1/7] Push docker images to oci.element.io --- .../workflows/build-and-publish-docker.yaml | 44 +++++++++++++++++-- 1 file changed, 41 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-and-publish-docker.yaml b/.github/workflows/build-and-publish-docker.yaml index 4ad1a551b..72976682c 100644 --- a/.github/workflows/build-and-publish-docker.yaml +++ b/.github/workflows/build-and-publish-docker.yaml 
@@ -33,19 +33,57 @@ jobs: name: build-output-full path: dist - - name: Log in to container registry + - name: Login to GitHub container registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Connect to Tailscale + uses: tailscale/github-action@53acf823325fe9ca47f4cdaa951f90b4b0de5bb9 # v4 + if: github.event_name != 'pull_request' + with: + oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} + audience: ${{ secrets.TS_AUDIENCE }} + tags: tag:github-actions + + - name: Compute vault jwt role name + id: vault-jwt-role + if: github.event_name != 'pull_request' + run: | + echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" + + - name: Get team registry token + id: import-secrets + uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3 + if: github.event_name != 'pull_request' + with: + url: https://vault.infra.ci.i.element.dev + role: ${{ steps.vault-jwt-role.outputs.role_name }} + path: service-management/github-actions + jwtGithubAudience: https://vault.infra.ci.i.element.dev + method: jwt + secrets: | + services/-repositories/secret/data/oci.element.io username | OCI_USERNAME ; + services/-repositories/secret/data/oci.element.io password | OCI_PASSWORD ; + + - name: Login to oci.element.io Registry + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 + if: github.event_name != 'pull_request' + with: + registry: oci-push.vpn.infra.element.io + username: ${{ steps.import-secrets.outputs.OCI_USERNAME }} + password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }} + - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: ${{ inputs.docker_tags}} + images: | + ${{ 
env.REGISTRY }}/${{ env.IMAGE_NAME }} + oci-push.vpn.infra.element.io/element-web + tags: ${{ inputs.docker_tags }} labels: | org.opencontainers.image.licenses=AGPL-3.0-only OR LicenseRef-Element-Commercial From c6f829e861bbc90d00a4b3486ee05472d994fc85 Mon Sep 17 00:00:00 2001 From: fkwp Date: Fri, 6 Feb 2026 13:38:52 +0100 Subject: [PATCH 2/7] prettier --- .../workflows/build-and-publish-docker.yaml | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build-and-publish-docker.yaml b/.github/workflows/build-and-publish-docker.yaml index 72976682c..4b7fdf1c7 100644 --- a/.github/workflows/build-and-publish-docker.yaml +++ b/.github/workflows/build-and-publish-docker.yaml 
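Review bot: The second `images:` entry `oci-push.vpn.infra.element.io/element-web` is added for every event, while the Tailscale, Vault and oci-push login steps above it are all skipped with `if: github.event_name != 'pull_request'`; if the push step later in the job (outside this hunk) also runs on pull_request events, the push to the not-logged-in oci-push registry will fail. metadata-action accepts per-image flags, so the entry can follow the same gate: `name=oci-push.vpn.infra.element.io/element-web,enable=${{ github.event_name != 'pull_request' }}`. The host `oci-push.vpn.infra.element.io` is now spelled out in both the login step and the images list while the step name says `oci.element.io`; an `env:` entry next to `REGISTRY` (defined outside the hunk) such as `OCI_REGISTRY: oci-push.vpn.infra.element.io` would keep the login target and the image name in sync.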
@@ -44,37 +44,37 @@ jobs: uses: tailscale/github-action@53acf823325fe9ca47f4cdaa951f90b4b0de5bb9 # v4 if: github.event_name != 'pull_request' with: - oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} - audience: ${{ secrets.TS_AUDIENCE }} - tags: tag:github-actions + oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} + audience: ${{ secrets.TS_AUDIENCE }} + tags: tag:github-actions - name: Compute vault jwt role name id: vault-jwt-role if: github.event_name != 'pull_request' run: | - echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" + echo "role_name=github_service_management_$( echo "${{ github.repository }}" | sed -r 's|[/-]|_|g')" | tee -a "$GITHUB_OUTPUT" - name: Get team registry token id: import-secrets uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3 if: github.event_name != 'pull_request' with: - url: https://vault.infra.ci.i.element.dev - role: ${{ steps.vault-jwt-role.outputs.role_name }} - path: service-management/github-actions - jwtGithubAudience: https://vault.infra.ci.i.element.dev - method: jwt - secrets: | - services/-repositories/secret/data/oci.element.io username | OCI_USERNAME ; - services/-repositories/secret/data/oci.element.io password | OCI_PASSWORD ; + url: https://vault.infra.ci.i.element.dev + role: ${{ steps.vault-jwt-role.outputs.role_name }} + path: service-management/github-actions + jwtGithubAudience: https://vault.infra.ci.i.element.dev + method: jwt + secrets: | + services/-repositories/secret/data/oci.element.io username | OCI_USERNAME ; + services/-repositories/secret/data/oci.element.io password | OCI_PASSWORD ; - name: Login to oci.element.io Registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 if: github.event_name != 'pull_request' with: - registry: oci-push.vpn.infra.element.io - username: ${{ steps.import-secrets.outputs.OCI_USERNAME }} - password: ${{ steps.import-secrets.outputs.OCI_PASSWORD 
}} + registry: oci-push.vpn.infra.element.io + username: ${{ steps.import-secrets.outputs.OCI_USERNAME }} + password: ${{ steps.import-secrets.outputs.OCI_PASSWORD }} - name: Extract metadata (tags, labels) for Docker id: meta From 94583130b5762e375b14993a95ac25503c3b510c Mon Sep 17 00:00:00 2001 From: fkwp Date: Mon, 2 Mar 2026 15:50:39 +0100 Subject: [PATCH 3/7] add id-token permission as its required by tailscale login --- .github/workflows/build-and-publish-docker.yaml | 3 ++- .github/workflows/build.yaml | 1 + .github/workflows/pr-deploy.yaml | 1 + .github/workflows/publish.yaml | 1 + 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-publish-docker.yaml b/.github/workflows/build-and-publish-docker.yaml index 68f7131cb..631750193 100644 --- a/.github/workflows/build-and-publish-docker.yaml +++ b/.github/workflows/build-and-publish-docker.yaml @@ -20,7 +20,8 @@ jobs: runs-on: ubuntu-latest permissions: contents: write # required to upload release asset - packages: write + packages: write # needed for publishing packages to GHCR + id-token: write # needed for login into tailscale with GitHub OIDC Token steps: - name: Check it out uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9b86215e8..4f9e80f2b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -49,6 +49,7 @@ jobs: permissions: contents: write packages: write + id-token: write uses: ./.github/workflows/build-and-publish-docker.yaml with: artifact_run_id: ${{ github.run_id }} diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml index fe934162f..62b37acae 100644 --- a/.github/workflows/pr-deploy.yaml +++ b/.github/workflows/pr-deploy.yaml 
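Review bot: The new comment on `id-token: write` in build-and-publish-docker.yaml names only the Tailscale login, but the `hashicorp/vault-action` step with `method: jwt` added in the first patch also exchanges the GitHub OIDC token, so a reader removing Tailscale later might drop the permission the Vault login still needs; suggest `id-token: write # needed for the GitHub OIDC token used by the Tailscale and Vault (method: jwt) logins`. The same bare `id-token: write` line is added to the calling jobs in build.yaml, pr-deploy.yaml and publish.yaml without any comment; repeating the reason there tells the reader why a caller has to grant an OIDC-capable token to the reusable workflow.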
@@ -60,6 +60,7 @@ jobs: permissions: contents: write packages: write + id-token: write uses: ./.github/workflows/build-and-publish-docker.yaml with: artifact_run_id: ${{ github.event.workflow_run.id || github.run_id }} diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 7f2c58fe2..ade91019d 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -55,6 +55,7 @@ jobs: permissions: contents: write packages: write + id-token: write uses: ./.github/workflows/build-and-publish-docker.yaml with: artifact_run_id: ${{ github.event.workflow_run.id || github.run_id }} From 3d12c082f12b1137e16c28cc7056b3eff96cae12 Mon Sep 17 00:00:00 2001 From: fkwp Date: Tue, 10 Mar 2026 15:10:46 +0100 Subject: [PATCH 4/7] pass secrets to reusable workflows --- .github/workflows/build.yaml | 1 + .github/workflows/pr-deploy.yaml | 1 + .github/workflows/publish.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 4f9e80f2b..32ce25c98 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -51,6 +51,7 @@ jobs: packages: write id-token: write uses: ./.github/workflows/build-and-publish-docker.yaml + secrets: inherit with: artifact_run_id: ${{ github.run_id }} docker_tags: | diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml index 62b37acae..138ab2b5f 100644 --- a/.github/workflows/pr-deploy.yaml +++ b/.github/workflows/pr-deploy.yaml @@ -62,6 +62,7 @@ jobs: packages: write id-token: write uses: ./.github/workflows/build-and-publish-docker.yaml + secrets: inherit with: artifact_run_id: ${{ github.event.workflow_run.id || github.run_id }} docker_tags: | diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index ade91019d..ceedf7813 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml 
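Review bot: `secrets: inherit` in build.yaml, pr-deploy.yaml and publish.yaml hands every repository and organisation secret to the reusable workflow, although the steps added in the first patch read only `TS_OAUTH_CLIENT_ID` and `TS_AUDIENCE`; pass those two explicitly instead, `secrets:` / `  TS_OAUTH_CLIENT_ID: ${{ secrets.TS_OAUTH_CLIENT_ID }}` / `  TS_AUDIENCE: ${{ secrets.TS_AUDIENCE }}`, and declare them under `on.workflow_call.secrets` in build-and-publish-docker.yaml (outside this hunk). For pr-deploy.yaml this matters more: its `artifact_run_id: ${{ github.event.workflow_run.id || github.run_id }}` suggests it is triggered by `workflow_run`, in which case the reusable workflow's `github.event_name != 'pull_request'` gate does not skip the Tailscale, Vault and oci-push login steps, and images built from a pull request's artifact would be pushed to the internal registry with the team credentials. If that is not intended, gate those steps on an explicit boolean input set by each caller rather than on the event name.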
@@ -57,6 +57,7 @@ jobs: packages: write id-token: write uses: ./.github/workflows/build-and-publish-docker.yaml + secrets: inherit with: artifact_run_id: ${{ github.event.workflow_run.id || github.run_id }} docker_tags: | From 164e620603cbaf778883e5b2f834668499e1dc0c Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 11 Mar 2026 15:05:17 +0100 Subject: [PATCH 5/7] change secret path team -> voip --- .github/workflows/build-and-publish-docker.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-publish-docker.yaml b/.github/workflows/build-and-publish-docker.yaml index 6e8f01f54..edd7b6ae5 100644 --- a/.github/workflows/build-and-publish-docker.yaml +++ b/.github/workflows/build-and-publish-docker.yaml @@ -66,8 +66,8 @@ jobs: jwtGithubAudience: https://vault.infra.ci.i.element.dev method: jwt secrets: | - services/-repositories/secret/data/oci.element.io username | OCI_USERNAME ; - services/-repositories/secret/data/oci.element.io password | OCI_PASSWORD ; + services/-repositories/secret/data/oci.element.io username | OCI_USERNAME ; + services/-repositories/secret/data/oci.element.io password | OCI_PASSWORD ; - name: Login to oci.element.io Registry uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 From 0b0dd09225e8bce04e9f4067afc6e6a348e7a324 Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 11 Mar 2026 15:14:37 +0100 Subject: [PATCH 6/7] Update .github/workflows/build-and-publish-docker.yaml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Gaƫl Goinvic <97093369+gaelgatelement@users.noreply.github.com> --- .github/workflows/build-and-publish-docker.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-publish-docker.yaml b/.github/workflows/build-and-publish-docker.yaml index f5e37a52e..a3a5cba77 100644 --- a/.github/workflows/build-and-publish-docker.yaml 
+++ b/.github/workflows/build-and-publish-docker.yaml @@ -68,8 +68,8 @@ jobs: jwtGithubAudience: https://vault.infra.ci.i.element.dev method: jwt secrets: | - services/-repositories/secret/data/oci.element.io username | OCI_USERNAME ; - services/-repositories/secret/data/oci.element.io password | OCI_PASSWORD ; + services/voip-repositories/secret/data/oci.element.io username | OCI_USERNAME ; + services/voip-repositories/secret/data/oci.element.io password | OCI_PASSWORD ; - name: Login to oci.element.io Registry uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 From 323892a7ce919297262c675f8571d614cd598e33 Mon Sep 17 00:00:00 2001 From: fkwp Date: Wed, 11 Mar 2026 15:30:28 +0100 Subject: [PATCH 7/7] typo --- .github/workflows/build-and-publish-docker.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-publish-docker.yaml b/.github/workflows/build-and-publish-docker.yaml index a3a5cba77..6447c094c 100644 --- a/.github/workflows/build-and-publish-docker.yaml +++ b/.github/workflows/build-and-publish-docker.yaml @@ -85,7 +85,7 @@ jobs: with: images: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - oci-push.vpn.infra.element.io/element-web + oci-push.vpn.infra.element.io/element-call tags: ${{ inputs.docker_tags }} labels: | org.opencontainers.image.licenses=AGPL-3.0-only OR LicenseRef-Element-Commercial
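Review bot: The Vault step that now reads `OCI_USERNAME` and `OCI_PASSWORD` from the corrected `services/voip-repositories/...` path keeps vault-action's default of also exporting every fetched secret as an environment variable, so the registry password is visible to all later steps of the job rather than only to the login step that reads `steps.import-secrets.outputs.OCI_PASSWORD`; add `exportEnv: false` to this step's `with:` block (which starts above the hunk) so the values reach only the step outputs. The outputs remain masked in the log, so the oci-push login step does not need to change.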