From daa408e2910ee82d7942fa64a026ba84237bbb7a Mon Sep 17 00:00:00 2001
From: Yamila Moreno <yamila.moreno@kaleidos.net>
Date: Mon, 8 Sep 2025 16:51:05 +0200
Subject: [PATCH] :paperclip: Update CI

---
 .github/workflows/build-bundle.yml  |  16 ++---
 .github/workflows/build-develop.yml |  11 ++-
 .github/workflows/build-docker.yml  | 101 ++++++++++++++++++++++++++++
 .github/workflows/build-staging.yml |  11 ++-
 .github/workflows/build-tag.yml     |  11 ++-
 docker/images/Dockerfile.backend    |   4 +-
 docker/images/Dockerfile.exporter   |   3 +-
 docker/images/Dockerfile.frontend   |   3 +-
 manage.sh                           |  15 ++++-
 9 files changed, 151 insertions(+), 24 deletions(-)
 create mode 100644 .github/workflows/build-docker.yml

diff --git a/.github/workflows/build-bundle.yml b/.github/workflows/build-bundle.yml
index ab7f007f4e..4e4f815aab 100644
--- a/.github/workflows/build-bundle.yml
+++ b/.github/workflows/build-bundle.yml
@@ -1,11 +1,11 @@
-name: Build and Upload Penpot Bundle
+name: BUNDLE - Build Bundle and Updload to S3
 
 on:
   # Create bundle from manual action
   workflow_dispatch:
     inputs:
       gh_ref:
-        description: 'Name of the branch'
+        description: 'Name of the branch or ref'
         type: string
         required: true
         default: 'develop'
@@ -22,7 +22,7 @@ on:
   workflow_call:
     inputs:
       gh_ref:
-        description: 'Name of the branch'
+        description: 'Name of the branch or ref'
         type: string
         required: true
         default: 'develop'
@@ -56,10 +56,9 @@ jobs:
       - name: Extract some useful variables
         id: vars
         run: |
-          echo "commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
           echo "gh_ref=${{ inputs.gh_ref || github.ref_name }}" >> $GITHUB_OUTPUT
 
-      - name: Run manage.sh build-bundle from host
+      - name: Build bundle
         env:
           BUILD_WASM: ${{ inputs.build_wasm }}
           BUILD_STORYBOOK: ${{ inputs.build_storybook }}
@@ -76,13 +75,6 @@ jobs:
           zip -r zips/penpot.zip penpot
 
       - name: Upload Penpot bundle to S3
-        if: github.ref_type == 'branch'
-        run: |
-          aws s3 cp zips/penpot.zip s3://${{ secrets.S3_BUCKET }}/penpot-${{ steps.vars.outputs.gh_ref }}-latest.zip
-          aws s3 cp zips/penpot.zip s3://${{ secrets.S3_BUCKET }}/penpot-${{ steps.vars.outputs.commit_hash }}.zip
-
-      - name: Upload Penpot bundle to S3
-        if: github.ref_type == 'tag'
         run: |
           aws s3 cp zips/penpot.zip s3://${{ secrets.S3_BUCKET }}/penpot-${{ steps.vars.outputs.gh_ref }}.zip
 
diff --git a/.github/workflows/build-develop.yml b/.github/workflows/build-develop.yml
index 098db1290f..92dc6713a1 100644
--- a/.github/workflows/build-develop.yml
+++ b/.github/workflows/build-develop.yml
@@ -1,14 +1,21 @@
-name: DEVELOP - Build and Upload Penpot Bundle
+name: DEVELOP - Build Bundle and Docker Image
 
 on:
   schedule:
     - cron: '16 5-20 * * 1-5'
 
 jobs:
-  build-develop-bundle:
+  build-bundle:
     uses: ./.github/workflows/build-bundle.yml
     secrets: inherit
     with:
       gh_ref: "develop"
       build_wasm: "yes"
       build_storybook: "yes"
+
+  # build-docker:
+  #   needs: build-bundle
+  #   uses: ./.github/workflows/build-docker.yml
+  #   secrets: inherit
+  #   with:
+  #     gh_ref: "develop"
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
new file mode 100644
index 0000000000..6ca48575b3
--- /dev/null
+++ b/.github/workflows/build-docker.yml
@@ -0,0 +1,101 @@
+name: DOCKER - Build and Push Penpot Images
+
+on:
+  workflow_dispatch:
+    inputs:
+      gh_ref:
+        description: 'Name of the branch or ref'
+        type: string
+        required: true
+        default: 'develop'
+  workflow_call:
+    inputs:
+      gh_ref:
+        description: 'Name of the branch or ref'
+        type: string
+        required: true
+        default: 'develop'
+
+jobs:
+  build-and-push:
+    name: Build and Push Penpot Docker Images
+    runs-on: ubuntu-24.04-arm
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.gh_ref }}
+
+      - name: Extract some useful variables
+        id: vars
+        run: |
+          echo "gh_ref=${{ inputs.gh_ref || github.ref_name }}" >> $GITHUB_OUTPUT
+
+      - name: Download Penpot Bundles
+        env:
+          FILE_NAME: penpot-${{ steps.vars.outputs.gh_ref }}.zip
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
+        run: |
+          pushd docker/images
+          aws s3 cp s3://${{ secrets.S3_BUCKET }}/$FILE_NAME .
+          unzip $FILE_NAME > /dev/null
+          mv penpot/backend bundle-backend
+          mv penpot/frontend bundle-frontend
+          mv penpot/exporter bundle-exporter
+          popd
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.DOCKER_REGISTRY }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push Backend Docker image
+        uses: docker/build-push-action@v6
+        env:
+          DOCKER_IMAGE: 'penpotapp/backend'
+          BUNDLE_PATH: './bundle-backend'
+        with:
+          context: ./docker/images/
+          file: ./docker/images/Dockerfile.backend
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:${{ steps.vars.outputs.gh_ref }}
+          cache-from: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache
+          cache-to: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache,mode=max
+
+      - name: Build and push Frontend Docker image
+        uses: docker/build-push-action@v6
+        env:
+          DOCKER_IMAGE: 'penpotapp/frontend'
+          BUNDLE_PATH: './bundle-frontend'
+        with:
+          context: ./docker/images/
+          file: ./docker/images/Dockerfile.frontend
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:${{ steps.vars.outputs.gh_ref }}
+          cache-from: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache
+          cache-to: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache,mode=max
+
+      - name: Build and push Exporter Docker image
+        uses: docker/build-push-action@v6
+        env:
+          DOCKER_IMAGE: 'penpotapp/exporter'
+          BUNDLE_PATH: './bundle-exporter'
+        with:
+          context: ./docker/images/
+          file: ./docker/images/Dockerfile.exporter
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:${{ steps.vars.outputs.gh_ref }}
+          cache-from: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache
+          cache-to: type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE }}:buildcache,mode=max
diff --git a/.github/workflows/build-staging.yml b/.github/workflows/build-staging.yml
index 5c81e8ca60..d6b5f9ee02 100644
--- a/.github/workflows/build-staging.yml
+++ b/.github/workflows/build-staging.yml
@@ -1,14 +1,21 @@
-name: STAGING - Build and Upload Penpot Bundle
+name: STAGING - Build Bundle and Docker Image
 
 on:
   schedule:
     - cron: '36 5-20 * * 1-5'
 
 jobs:
-  build-staging-bundle:
+  build-bundle:
     uses: ./.github/workflows/build-bundle.yml
     secrets: inherit
     with:
       gh_ref: "staging"
       build_wasm: "yes"
       build_storybook: "yes"
+
+  # build-docker:
+  #   needs: build-bundle
+  #   uses: ./.github/workflows/build-docker.yml
+  #   secrets: inherit
+  #   with:
+  #     gh_ref: "staging"
diff --git a/.github/workflows/build-tag.yml b/.github/workflows/build-tag.yml
index f64819160b..efd75f9712 100644
--- a/.github/workflows/build-tag.yml
+++ b/.github/workflows/build-tag.yml
@@ -1,4 +1,4 @@
-name: TAG - Build and Upload Penpot Bundle
+name: TAG - Build Bundle and Docker Image
 
 on:
   push:
@@ -6,10 +6,17 @@ on:
       - '*'
 
 jobs:
-  build-tag-bundle:
+  build-bundle:
     uses: ./.github/workflows/build-bundle.yml
     secrets: inherit
     with:
       gh_ref: ${{ github.ref_name }}
       build_wasm: "no"
       build_storybook: "yes"
+
+  # build-docker:
+  #   needs: build-bundle
+  #   uses: ./.github/workflows/build-docker.yml
+  #   secrets: inherit
+  #   with:
+  #     gh_ref: ${{ github.ref_name }}
diff --git a/docker/images/Dockerfile.backend b/docker/images/Dockerfile.backend
index 3535cffd0c..9200e67101 100644
--- a/docker/images/Dockerfile.backend
+++ b/docker/images/Dockerfile.backend
@@ -126,7 +126,9 @@ RUN set -ex; \
 COPY --from=build /opt/jre /opt/jre
 COPY --from=build /opt/node /opt/node
 COPY --from=penpotapp/imagemagick:7.1.2-0 /opt/imagick /opt/imagick
-COPY --chown=penpot:penpot ./bundle-backend/ /opt/penpot/backend/
+
+ARG BUNDLE_PATH="./bundle-backend/"
+ADD --chown=penpot:penpot $BUNDLE_PATH /opt/penpot/backend/
 
 USER penpot:penpot
 WORKDIR /opt/penpot/backend
diff --git a/docker/images/Dockerfile.exporter b/docker/images/Dockerfile.exporter
index 43167cf2db..b745353cfb 100644
--- a/docker/images/Dockerfile.exporter
+++ b/docker/images/Dockerfile.exporter
@@ -89,7 +89,8 @@ RUN set -eux; \
     mkdir -p /opt/penpot; \
     chown -R penpot:penpot /opt/penpot;
 
-ADD --chown=penpot:penpot ./bundle-exporter/ /opt/penpot/exporter
+ARG BUNDLE_PATH="./bundle-exporter/"
+ADD --chown=penpot:penpot $BUNDLE_PATH /opt/penpot/exporter/
 
 WORKDIR /opt/penpot/exporter
 USER penpot:penpot
diff --git a/docker/images/Dockerfile.frontend b/docker/images/Dockerfile.frontend
index 0b3b93a127..e5276fba4e 100644
--- a/docker/images/Dockerfile.frontend
+++ b/docker/images/Dockerfile.frontend
@@ -8,7 +8,8 @@ RUN set -ex; \
     mkdir -p /opt/data/assets; \
     chown -R penpot:penpot /opt/data;
 
-ADD ./bundle-frontend/ /var/www/app/
+ARG BUNDLE_PATH="./bundle-frontend/"
+ADD $BUNDLE_PATH /var/www/app/
 ADD ./files/config.js /var/www/app/js/config.js
 ADD ./files/nginx.conf /etc/nginx/nginx.conf.template
 ADD ./files/nginx-proxies.conf /etc/nginx/nginx-proxies.conf
diff --git a/manage.sh b/manage.sh
index 32b348ffe7..0be89ae234 100755
--- a/manage.sh
+++ b/manage.sh
@@ -265,21 +265,30 @@ function build-docs-bundle {
 function build-frontend-docker-image {
     rsync -avr --delete ./bundles/frontend/ ./docker/images/bundle-frontend/;
     pushd ./docker/images;
-    docker build -t penpotapp/frontend:$CURRENT_BRANCH -t penpotapp/frontend:latest -f Dockerfile.frontend .;
+    docker build \
+        -t penpotapp/frontend:$CURRENT_BRANCH -t penpotapp/frontend:latest \
+        --build-arg BUNDLE_PATH="./bundle-frontend/" \
+        -f Dockerfile.frontend .;
     popd;
 }
 
 function build-backend-docker-image {
     rsync -avr --delete ./bundles/backend/ ./docker/images/bundle-backend/;
     pushd ./docker/images;
-    docker build -t penpotapp/backend:$CURRENT_BRANCH -t penpotapp/backend:latest -f Dockerfile.backend .;
+    docker build \
+        -t penpotapp/backend:$CURRENT_BRANCH -t penpotapp/backend:latest \
+        --build-arg BUNDLE_PATH="./bundle-backend/" \
+        -f Dockerfile.backend .;
     popd;
 }
 
 function build-exporter-docker-image {
     rsync -avr --delete ./bundles/exporter/ ./docker/images/bundle-exporter/;
     pushd ./docker/images;
-    docker build -t penpotapp/exporter:$CURRENT_BRANCH -t penpotapp/exporter:latest -f Dockerfile.exporter .;
+    docker build \
+        -t penpotapp/exporter:$CURRENT_BRANCH -t penpotapp/exporter:latest \
+        --build-arg BUNDLE_PATH="./bundle-exporter/" \
+        -f Dockerfile.exporter .;
     popd;
 }