name: CI

on:
  push:
    branches: [develop]
  pull_request:
    branches: [develop]

jobs:
  build:
    permissions: 
      packages: write
      contents: write
    environment: develop
    strategy:
      matrix:
        node-version: [18.x, 20.x]

    name: Build with ${{ matrix.node-version }}
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'yarn'
          
      - run: yarn
      
      - run: yarn build

      - name: Copy google accounts credentials
        env:
          GOOGLE_SVC_ACC_CREDS_IT: ${{ secrets.GOOGLE_SVC_ACC_CREDS_IT }}
        run: echo "$GOOGLE_SVC_ACC_CREDS_IT" > account-creds.json
      
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Log in to GitHub container registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Lowercase the repo name
        run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
       
      - name: Build and push container image to registry
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}
          file: ./Dockerfile

The above assumes that the Dockerfile is in the root of the checked out source code. Note the context key which is required otherwise the step with fail with Dockerfile not found.

The permissions key is required if the Github has organization settings with restrictive permissions. The above allows the workflow to checkout the code and later push the docker image to the ghcr.io container registry.

yarn commands are just examples for building the next.js app.

Copy the credentials is an example of secrets. The GOOGLE_SVC_ACC_CREDS_IT is defined in repo Settings > Secrets and variables > Actions > Environment secrets (https://github.com/myorg/myrepo/settings/secrets/actions) Doing it like this, you need to have the environment directive in your jobs to access the variables (top level env key here) containing secrets otherwise the variables will be empty.

If the secrets containe curly braces for example if its a json object the GA workflow will replace any curly brace (for example one used in curl command to post data) with '***'. You will need to encode the json secret to base64 as above.

• Github actions 2024-02

• https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#storing-base64-binary-blobs-as-secrets
• https://github.com/orgs/community/discussions/54300
• https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment
• https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets