From 28e805980609f39ab3032e0252a6c50c3e63d7cd Mon Sep 17 00:00:00 2001 From: Daniel Schmidt Date: Fri, 17 Oct 2025 03:38:37 -0700 Subject: [PATCH] Updates build/release workflows --- .github/workflows/build.yml | 190 ++++++++++++++++++++++++++-------- .github/workflows/release.yml | 90 +++++++--------- docker-compose.ci.yml | 6 ++ 3 files changed, 190 insertions(+), 96 deletions(-) create mode 100644 docker-compose.ci.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4bcb1d3..2c56b16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,69 +1,167 @@ -name: Build -on: [ push, pull_request, workflow_dispatch ] +name: Build / Test / Push + +on: + push: + branches: + - '**' + workflow_dispatch: + env: - REGISTRY: ghcr.io + BUILD_SUFFIX: -build-${{ github.run_id }}_${{ github.run_attempt }} + DOCKER_METADATA_SET_OUTPUT_ENV: 'true' jobs: - # TODO: DRY w/release.yml - setup: - runs-on: ubuntu-latest - + build: + runs-on: ${{ matrix.runner }} + outputs: + image-arm64: ${{ steps.gen-output.outputs.image-arm64 }} + image-x64: ${{ steps.gen-output.outputs.image-x64 }} + strategy: + fail-fast: false + matrix: + runner: + - ubuntu-24.04 + - ubuntu-24.04-arm steps: - # See https://github.com/docker/build-push-action/blob/v2.10.0/TROUBLESHOOTING.md#repository-name-must-be-lowercase - - name: Sanitize image name - uses: actions/github-script@v6 - id: image-name + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - id: build-meta + name: Docker meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }} + tags: type=sha,suffix=${{ env.BUILD_SUFFIX }} + + # Build cache is shared among all builds of the same architecture + - id: cache-meta + name: Docker meta + uses: docker/metadata-action@v5 with: - result-encoding: string - script: return '${{ env.REGISTRY }}/${{ github.repository }}'.toLowerCase() + images: ghcr.io/${{ github.repository }} + tags: type=raw,value=buildcache-${{ runner.arch }} - - name: Get short SHA + - id: get-registry + name: Get the sanitized registry name run: | - echo SHORT_SHA="${GITHUB_SHA:0:7}" >> $GITHUB_ENV + echo "registry=$(echo '${{ steps.build-meta.outputs.tags }}' | cut -f1 -d:)" | tee -a "$GITHUB_OUTPUT" + + - id: build + name: Build/push the arch-specific image + uses: docker/build-push-action@v6 + with: + cache-from: type=registry,ref=${{ steps.cache-meta.outputs.tags }} + cache-to: type=registry,ref=${{ steps.cache-meta.outputs.tags }},mode=max + labels: ${{ steps.build-meta.outputs.labels }} + provenance: mode=max + sbom: true + tags: ${{ steps.get-registry.outputs.registry }} + outputs: type=image,push-by-digest=true,push=true - - name: Get build start time + - id: gen-output + name: Write arch-specific image digest to outputs run: | - echo BUILD_TIMESTAMP="$(date --utc --iso-8601=seconds)" >> $GITHUB_ENV + echo "image-${RUNNER_ARCH,,}=${{ steps.get-registry.outputs.registry }}@${{ steps.build.outputs.digest }}" | tee -a "$GITHUB_OUTPUT" + merge: + runs-on: ubuntu-24.04 + needs: build + env: + DOCKER_APP_IMAGE_ARM64: ${{ needs.build.outputs.image-arm64 }} + DOCKER_APP_IMAGE_X64: ${{ needs.build.outputs.image-x64 }} outputs: - base_image_name: ${{ steps.image-name.outputs.result }} - build_image: ${{ steps.image-name.outputs.result }}:${{ env.SHORT_SHA }} + image: ${{ steps.meta.outputs.tags }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - id: meta + name: Generate tag for the app image + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }} + tags: type=sha,suffix=${{ env.BUILD_SUFFIX }} + + - name: Push the multi-platform app image + run: | + docker buildx imagetools create \ + --tag "$DOCKER_METADATA_OUTPUT_TAGS" \ + "$DOCKER_APP_IMAGE_ARM64" "$DOCKER_APP_IMAGE_X64" test: - if: github.event_name != 'release' - needs: [ setup ] - runs-on: ubuntu-latest - permissions: - packages: write + runs-on: ubuntu-24.04 + needs: merge env: - BUILD_IMAGE: ${{ needs.setup.outputs.build_image }} + COMPOSE_FILE: docker-compose.yml:docker-compose.ci.yml + DOCKER_APP_IMAGE: ${{ needs.merge.outputs.image }} steps: - - name: Checkout repository - uses: actions/checkout@v3 + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Compose + uses: docker/setup-compose-action@v1 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Run tests - run: ./test/run_tests.sh + - name: Run the test script + run: | + docker compose pull --quiet + ./test/run_tests.sh - - name: Log in to the Container registry - uses: docker/login-action@v2 + push: + runs-on: ubuntu-24.04 + needs: + - merge + - test + env: + DOCKER_APP_IMAGE: ${{ needs.merge.outputs.image }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 with: - registry: ${{ env.REGISTRY }} + registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push Docker image - uses: docker/build-push-action@v3 + - name: Produce permanent image tags + uses: docker/metadata-action@v5 with: - context: . - push: true - tags: ${{ env.BUILD_IMAGE }} - build-args: | - BUILD_TIMESTAMP=${{ env.BUILD_TIMESTAMP }} - BUILD_URL=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - DOCKER_TAG=${{ env.BUILD_IMAGE }} - GIT_BRANCH=${{ github.ref_name }} - GIT_COMMIT=${{ github.sha }} - GIT_URL=${{ github.repositoryUrl }} + images: ghcr.io/${{ github.repository }} + tags: | + type=sha + type=ref,event=branch + type=raw,value=latest,enable={{is_default_branch}} - outputs: - build_image: ${{ env.BUILD_IMAGE }} + - name: Retag and push the image + run: | + docker pull --quiet "$DOCKER_APP_IMAGE" + echo "$DOCKER_METADATA_OUTPUT_TAGS" | tr ' ' '\n' | xargs -n1 docker tag "$DOCKER_APP_IMAGE" + docker push --all-tags "$(echo "$DOCKER_APP_IMAGE" | cut -f1 -d:)" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0798436..5d90890 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,69 +1,59 @@ -name: Release +name: Push Release Tags on: - release: - types: - - published + push: + tags: + - '**' workflow_dispatch: - workflow_run: - workflows: ["Build"] - types: ["completed"] - branches: - - main env: - REGISTRY: ghcr.io + DOCKER_METADATA_SET_OUTPUT_ENV: 'true' jobs: - setup: + retag: runs-on: ubuntu-latest steps: - - name: Sanitize image name - uses: actions/github-script@v6 - id: image-name + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 with: - result-encoding: string - script: return '${{ env.REGISTRY }}/${{ github.repository }}'.toLowerCase() + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Get short SHA - run: | - echo SHORT_SHA="${GITHUB_SHA:0:7}" >> $GITHUB_ENV + - name: Determine the sha-based image tag to retag + id: get-base-image + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }} + tags: type=sha - outputs: - base_image_name: ${{ steps.image-name.outputs.result }} - build_image: ${{ steps.image-name.outputs.result }}:${{ env.SHORT_SHA }} + - name: Verify that the image was previously built + env: + BASE_IMAGE: ${{ steps.get-base-image.outputs.tags }} + run: | + docker pull "$BASE_IMAGE" - push: - if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }} - runs-on: ubuntu-latest - needs: setup - permissions: - packages: write - env: - BASE_IMAGE_NAME: ${{ needs.setup.outputs.base_image_name }} - BUILD_IMAGE: ${{ needs.setup.outputs.build_image }} - steps: - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v4 + - name: Produce release tags + id: tag-meta + uses: docker/metadata-action@v5 with: - images: ${{ env.BASE_IMAGE_NAME }} + images: ghcr.io/${{ github.repository }} + flavor: latest=false tags: | - type=raw,value=latest,enable={{is_default_branch}} + type=ref,event=tag type=semver,pattern={{major}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{version}} - - name: Log in to the Container registry - uses: docker/login-action@v2 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Tag and push image - uses: akhilerm/tag-push-action@v2.1.0 - with: - src: ${{ env.BUILD_IMAGE }} - dst: | - ${{ steps.meta.outputs.tags }} + - name: Retag the pulled image + env: + BASE_IMAGE: ${{ steps.get-base-image.outputs.tags }} + run: | + echo "$DOCKER_METADATA_OUTPUT_TAGS" | tr ' ' '\n' | xargs -n1 docker tag "$BASE_IMAGE" + docker push --all-tags "$(echo "$BASE_IMAGE" | cut -f1 -d:)" diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml new file mode 100644 index 0000000..6dd3304 --- /dev/null +++ b/docker-compose.ci.yml @@ -0,0 +1,6 @@ +--- + +services: + app: + build: !reset + image: ${DOCKER_APP_IMAGE}