GHA updates.

vladd-bit · vladd-bit · commit b52cefd85767 · 2025-09-08T13:47:23.000+01:00
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -15,185 +15,261 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build:
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          # Hub (amd64 + arm64)
-          - id: hub
-            repo: cogstacksystems/jupyter-hub
-            dockerfile: Dockerfile_hub
-            context: .
-            runner: ubuntu-22.04
-            platform: linux/amd64
-            gpu_build: "false"
-          - id: hub
-            repo: cogstacksystems/jupyter-hub
-            dockerfile: Dockerfile_hub
-            context: .
-            runner: ubuntu-22.04-arm
-            platform: linux/arm64
-            gpu_build: "false"
-
-          # Singleuser CPU (amd64 + arm64)
-          - id: singleuser-cpu
-            repo: cogstacksystems/jupyter-singleuser
-            dockerfile: Dockerfile_singleuser
-            context: .
-            runner: ubuntu-22.04
-            platform: linux/amd64
-            gpu_build: "false"
-          - id: singleuser-cpu
-            repo: cogstacksystems/jupyter-singleuser
-            dockerfile: Dockerfile_singleuser
-            context: .
-            runner: ubuntu-22.04-arm
-            platform: linux/arm64
-            gpu_build: "false"
-
-          # Singleuser GPU (amd64 only)
-          - id: singleuser-gpu
-            repo: cogstacksystems/jupyter-singleuser-gpu
-            dockerfile: Dockerfile_singleuser
-            context: .
-            runner: ubuntu-22.04
-            platform: linux/amd64
-            gpu_build: "true"
-
+  # ---------- AMD64 ----------
+  build-amd64:
+    runs-on: ubuntu-22.04
+    if: ${{ github.event_name != 'pull_request' }}
+    outputs:
+      hub_digest: ${{ steps.hub.outputs.digest }}
+      su_digest:  ${{ steps.su.outputs.digest }}
     steps:
       - uses: actions/checkout@v5
+        with: { submodules: recursive, fetch-depth: 0 }
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta (hub)
+        id: meta_hub
+        uses: docker/metadata-action@v5
         with:
-          submodules: recursive
-          fetch-depth: 0
+          images: cogstacksystems/jupyter-hub
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
+            type=ref,event=branch,enable=${{ github.event_name != 'pull_request' }}
+            type=sha,format=short
 
+      - name: Docker meta (singleuser)
+        id: meta_su
+        uses: docker/metadata-action@v5
+        with:
+          images: cogstacksystems/jupyter-singleuser
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
+            type=ref,event=branch,enable=${{ github.event_name != 'pull_request' }}
+            type=sha,format=short
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Build & push hub (amd64)
+        id: hub
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile_hub
+          platforms: linux/amd64
+          build-args: |
+            CPU_ARCHITECTURE=amd64
+            GPU_BUILD=false
+          tags: ${{ steps.meta_hub.outputs.tags }}
+          labels: ${{ steps.meta_hub.outputs.labels }}
+          cache-from: type=gha,scope=hub-amd64
+          cache-to: type=gha,mode=max,scope=hub-amd64
+          provenance: false
+          push: true
+
+      - name: Build & push singleuser (amd64)
+        id: su
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile_singleuser
+          platforms: linux/amd64
+          build-args: |
+            CPU_ARCHITECTURE=amd64
+            GPU_BUILD=false
+          tags: ${{ steps.meta_su.outputs.tags }}
+          labels: ${{ steps.meta_su.outputs.labels }}
+          cache-from: type=gha,scope=singleuser-amd64
+          cache-to: type=gha,mode=max,scope=singleuser-amd64
+          provenance: false
+          push: true
+
+
+  # ---------- ARM64 ----------
+  build-arm64:
+    runs-on: ubuntu-22.04-arm
+    if: ${{ github.event_name != 'pull_request' }}
+    outputs:
+      hub_digest: ${{ steps.hub.outputs.digest }}
+      su_digest:  ${{ steps.su.outputs.digest }}
+    steps:
+      - uses: actions/checkout@v5
       - uses: docker/setup-buildx-action@v3
 
-      # SAME TAGS FOR BOTH ARCH BUILDS
-      - name: Docker meta
-        id: meta
+      - name: Docker meta (hub)
+        id: meta_hub
+        uses: docker/metadata-action@v5
+        with:
+          images: cogstacksystems/jupyter-hub
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
+            type=ref,event=branch,enable=${{ github.event_name != 'pull_request' }}
+            type=sha,format=short
+
+      - name: Docker meta (singleuser)
+        id: meta_su
         uses: docker/metadata-action@v5
         with:
-          images: ${{ matrix.repo }}
+          images: cogstacksystems/jupyter-singleuser
           tags: |
-            # strip "v" from vX.Y.Z
             type=semver,pattern={{version}},prefix=v
             type=semver,pattern={{major}}.{{minor}},prefix=v
-            # latest on main AND on tags
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
-            # branches (non-PR)
             type=ref,event=branch,enable=${{ github.event_name != 'pull_request' }}
-            # short sha
             type=sha,format=short
 
       - uses: docker/login-action@v3
-        if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }}
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
-      - name: Build & push (native arch)
-        id: build
+      - name: Build & push hub (arm64)
+        id: hub
         uses: docker/build-push-action@v6
         with:
-          context: ${{ matrix.context }}
-          file: ${{ matrix.dockerfile }}
-          platforms: ${{ matrix.platform }}           # linux/amd64 or linux/arm64
+          context: .
+          file: Dockerfile_hub
+          platforms: linux/arm64
           build-args: |
-            CPU_ARCHITECTURE=${{ startsWith(matrix.platform, 'linux/arm64') && 'arm64' || 'amd64' }}
-            GPU_BUILD=${{ matrix.gpu_build }}
-          tags: ${{ steps.meta.outputs.tags }}        # <-- identical tag list for both arches
-          labels: |
-            ${{ steps.meta.outputs.labels }}
-            org.opencontainers.image.title=${{ matrix.id }}
-          cache-from: type=gha,scope=${{ matrix.id }}-${{ matrix.platform }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.id }}-${{ matrix.platform }}
+            CPU_ARCHITECTURE=arm64
+            GPU_BUILD=false
+          tags: ${{ steps.meta_hub.outputs.tags }}
+          labels: ${{ steps.meta_hub.outputs.labels }}
+          cache-from: type=gha,scope=hub-arm64
+          cache-to: type=gha,mode=max,scope=hub-arm64
           provenance: false
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
+
+      - name: Build & push singleuser (arm64)
+        id: su
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile_singleuser
+          platforms: linux/arm64
+          build-args: |
+            CPU_ARCHITECTURE=arm64
+            GPU_BUILD=false
+          tags: ${{ steps.meta_su.outputs.tags }}
+          labels: ${{ steps.meta_su.outputs.labels }}
+          cache-from: type=gha,scope=singleuser-arm64
+          cache-to: type=gha,mode=max,scope=singleuser-arm64
+          provenance: false
+          push: true
 
-      # Record tag -> digest for this image + arch
-      - name: Save digests for this arch
-        if: ${{ github.event_name != 'pull_request' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          arch="${{ matrix.platform == 'linux/arm64' && 'arm64' || 'amd64' }}"
-          : > "digests-${{ matrix.id }}-${arch}.txt"
-          while IFS= read -r ref; do
-            [[ -z "$ref" ]] && continue
-            echo "$ref ${{ steps.build.outputs.digest }}" >> "digests-${{ matrix.id }}-${arch}.txt"
-          done < <(printf "%s" "${{ steps.meta.outputs.tags }}")
 
-      - name: Upload digest artifact
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/upload-artifact@v4
+  # ---------- GPU (unchanged, amd64-only) ----------
+  build-gpu:
+    runs-on: ubuntu-22.04
+    if: ${{ github.event_name != 'pull_request' }}
+    steps:
+      - uses: actions/checkout@v5
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta (singleuser-gpu)
+        id: meta_gpu
+        uses: docker/metadata-action@v5
         with:
-          name: digests-${{ matrix.id }}-${{ matrix.platform == 'linux/arm64' && 'arm64' || 'amd64' }}
-          path: digests-${{ matrix.id }}-${{ matrix.platform == 'linux/arm64' && 'arm64' || 'amd64' }}.txt
+          images: cogstacksystems/jupyter-singleuser-gpu
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
+            type=ref,event=branch,enable=${{ github.event_name != 'pull_request' }}
+            type=sha,format=short
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Build & push singleuser GPU (amd64)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile_singleuser
+          platforms: linux/amd64
+          build-args: |
+            CPU_ARCHITECTURE=amd64
+            GPU_BUILD=true
+          tags: ${{ steps.meta_gpu.outputs.tags }}
+          labels: ${{ steps.meta_gpu.outputs.labels }}
+          cache-from: type=gha,scope=singleuser-gpu-amd64
+          cache-to: type=gha,mode=max,scope=singleuser-gpu-amd64
+          provenance: false
+          push: true
 
   manifest:
     runs-on: ubuntu-22.04
-    needs: build
     if: ${{ github.event_name != 'pull_request' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - id: hub
-            repo: cogstacksystems/jupyter-hub
-          - id: singleuser-cpu
-            repo: cogstacksystems/jupyter-singleuser
-
+    needs: [build-amd64, build-arm64]
     steps:
       - uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
-      # same tag list again
-      - name: Docker meta
-        id: meta
+      # Recompute tags (must match both builds)
+      - name: Docker meta (hub)
+        id: meta_hub
         uses: docker/metadata-action@v5
         with:
-          images: ${{ matrix.repo }}
+          images: cogstacksystems/jupyter-hub
           tags: |
             type=semver,pattern={{version}},prefix=v
             type=semver,pattern={{major}}.{{minor}},prefix=v
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
             type=ref,event=branch,enable=${{ github.event_name != 'pull_request' }}
             type=sha,format=short
 
-      # pull in the two digest lists for this image id
-      - name: Download digest artifacts (amd64)
-        uses: actions/download-artifact@v4
-        with:
-          name: digests-${{ matrix.id }}-amd64
-          path: .
-      - name: Download digest artifacts (arm64)
-        uses: actions/download-artifact@v4
+      - name: Docker meta (singleuser)
+        id: meta_su
+        uses: docker/metadata-action@v5
         with:
-          name: digests-${{ matrix.id }}-arm64
-          path: .
+          images: cogstacksystems/jupyter-singleuser
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
+            type=ref,event=branch,enable=${{ github.event_name != 'pull_request' }}
+            type=sha,format=short
+
+      - name: Create hub multi-arch manifests
+        shell: bash
+        env:
+          AMD64: ${{ needs.build-amd64.outputs.hub_digest }}
+          ARM64: ${{ needs.build-arm64.outputs.hub_digest }}
+        run: |
+          set -euo pipefail
+          while IFS= read -r ref; do
+            [[ -z "$ref" ]] && continue
+            img="${ref%%:*}"; tag="${ref#*:}"
+            docker buildx imagetools create \
+              --tag "$img:$tag" \
+              "$img@${AMD64}" \
+              "$img@${ARM64}"
+          done < <(printf "%s" "${{ steps.meta_hub.outputs.tags }}")
 
-      - name: Create multi-arch manifests
+      - name: Create singleuser multi-arch manifests
         shell: bash
+        env:
+          AMD64: ${{ needs.build-amd64.outputs.su_digest }}
+          ARM64: ${{ needs.build-arm64.outputs.su_digest }}
         run: |
           set -euo pipefail
           while IFS= read -r ref; do
             [[ -z "$ref" ]] && continue
-            image="${ref%%:*}"
-            tag="${ref#*:}"
-            amd64_d=$(awk -v r="$ref" '$1==r{print $2}' digests-${{ matrix.id }}-amd64.txt)
-            arm64_d=$(awk -v r="$ref" '$1==r{print $2}' digests-${{ matrix.id }}-arm64.txt)
-            [[ -z "$amd64_d" || -z "$arm64_d" ]] && { echo "skip $ref (missing digest)"; continue; }
-            echo "⛵ $image:$tag"
+            img="${ref%%:*}"; tag="${ref#*:}"
             docker buildx imagetools create \
-              --tag "$image:$tag" \
-              "$image@${amd64_d}" \
-              "$image@${arm64_d}"
-          done < <(printf "%s" "${{ steps.meta.outputs.tags }}")
+              --tag "$img:$tag" \
+              "$img@${AMD64}" \
+              "$img@${ARM64}"
+          done < <(printf "%s" "${{ steps.meta_su.outputs.tags }}")
