fix(ci): Move updating docker tag into own job to avoid setting it twice per run: when the builder image is built and when the app image is built (#269)

* fix(ci): Move updating docker tag into own job to avoid setting it twice per
run: when the builder image is built and when the app image is built

* Use create-github-app-token and action-github-commit to commit action on master

* Rename docker tag step

* Shuffle around steps

* Only get a token for master runs

Author: andreiborza

.github/workflows/build.yml

@@ -21,58 +21,70 @@ env:
   SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
 
 jobs:
-  docker-build:
-    name: Build & publish Docker images
+  prepare-docker:
+    name: Prepare docker tag
     runs-on: ubuntu-latest
     permissions:
       contents: write
-      packages: write
-    strategy:
-      matrix:
-        target:
-          - name: builder
-            image: action-release-builder-image
-          - name: app
-            image: action-release-image
+    outputs:
+      docker_tag: ${{ steps.docker_tag.outputs.docker_tag }}
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
 
-      - name: Set git user to getsentry-bot
-        if: github.ref == 'refs/heads/master'
-        run: |
-          echo "GIT_COMMITTER_NAME=getsentry-bot" >> $GITHUB_ENV;
-          echo "GIT_AUTHOR_NAME=getsentry-bot" >> $GITHUB_ENV;
-          echo "[email protected]" >> $GITHUB_ENV;
-
-      - name: Evaluate docker tag
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_SENTRY_BOT_PAT }}
+      - name: Get docker tag
+        id: docker_tag
         run: |
           if [[ "${{ github.ref }}" == "refs/heads/master" ]]; then
-            echo "DOCKER_TAG=master" >> $GITHUB_ENV
+            echo "docker_tag=master" >> $GITHUB_OUTPUT
             yarn set-docker-tag master
-
-            if ! git diff --quiet action.yml; then
-              git add action.yml
-              SKIP=lint,format,set-docker-tag-from-branch git commit -m "chore: Set docker tag for master [skip-ci]"
-              git push
-            fi
           else
             TAG=$(yq '... | select(has("uses") and .uses | test("docker://ghcr.io/getsentry/action-release-image:.*")) | .uses' action.yml | awk -F':' '{print $3}')
-            echo "DOCKER_TAG=$TAG" >> $GITHUB_ENV
+            echo "docker_tag=$TAG" >> $GITHUB_OUTPUT
 
             if [[ "${{ github.event_name }}" == "pull_request" ]]; then
               if [[ "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-                echo "Error: DOCKER_TAG $TAG matching format MAJOR.MINOR.PATCH is not allowed inside pull requests."
+                echo "Error: docker_tag $TAG matching format MAJOR.MINOR.PATCH is not allowed inside pull requests."
                 echo "Please rename the docker tag in action.yml and try again."
                 exit 1
               fi
             fi
           fi
 
+      - name: Get auth token
+        id: token
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        if: github.ref == 'refs/heads/master'
+        with:
+          app_id: ${{ vars.SENTRY_INTERNAL_APP_ID }}
+          private_key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }}
+
+      - name: Commit changes
+        uses: getsentry/[email protected]
+        if: github.ref == 'refs/heads/master'
+        with:
+          github-token: ${{ steps.token.outputs.token }}
+          message: "chore: Set docker tag for master [skip-ci]"
+
+  docker-build:
+    name: Build & publish Docker images
+    needs: prepare-docker
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    strategy:
+      matrix:
+        target:
+          - name: builder
+            image: action-release-builder-image
+          - name: app
+            image: action-release-image
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
@@ -98,7 +110,7 @@ jobs:
         with:
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.target.image }}:${{ env.DOCKER_TAG }}
+          tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.target.image }}:${{ needs.prepare-docker.outputs.docker_tag }}
           cache-from: ghcr.io/${{ github.repository_owner }}/${{ matrix.target.image }}:master
           target: ${{ matrix.target.name }}
           build-args: BUILDKIT_INLINE_CACHE=1

action.yml

@@ -84,7 +84,7 @@ runs:
         INPUT_WORKING_DIRECTORY: ${{ inputs.working_directory }}
         INPUT_DISABLE_TELEMETRY: ${{ inputs.disable_telemetry }}
         INPUT_DISABLE_SAFE_DIRECTORY: ${{ inputs.disable_safe_directory }}
-      uses: docker://ghcr.io/getsentry/action-release-image:master
+      uses: docker://ghcr.io/getsentry/action-release-image:ab-set-docker-tag-once
 
     # For actions running on macos or windows runners, we use a composite
     # action approach which allows us to install the arch specific sentry-cli