Skip to content

Commit 1199cf1

Browse files
authored
Merge pull request #26 from target/docker
Add Docker workflow for building and merging images
2 parents 983a559 + 24cfe81 commit 1199cf1

1 file changed

Lines changed: 281 additions & 0 deletions

File tree

.github/workflows/docker.yaml

Lines changed: 281 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,281 @@
1+
name: Docker
2+
# based on https://github.com/Homebrew/brew/blob/fab1894af8c5377430a5978a08ae7b0eced61cad/.github/workflows/docker.yml
3+
4+
on:
5+
pull_request:
6+
push:
7+
branches:
8+
- main
9+
merge_group:
10+
release:
11+
types:
12+
- published
13+
14+
permissions:
15+
contents: read
16+
17+
defaults:
18+
run:
19+
shell: bash -xeuo pipefail {0}
20+
21+
env:
22+
# Add more Ubuntu versions, drop when security EOL (https://endoflife.date/ubuntu) or they don't work
23+
VERSIONS: '["24.04"]'
24+
# Set what Ubuntu version constitutes ghcr.io/target/diff-poetry-lock:${app_version}
25+
PRIMARY_VERSION: "24.04"
26+
27+
jobs:
28+
generate-tags:
29+
if: github.repository_owner == 'target'
30+
runs-on: ubuntu-latest
31+
outputs:
32+
matrix: ${{ steps.attributes.outputs.matrix }}
33+
tags: ${{ steps.attributes.outputs.tags }}
34+
labels: ${{ steps.attributes.outputs.labels }}
35+
push: ${{ steps.attributes.outputs.push }}
36+
merge: ${{ steps.attributes.outputs.merge }}
37+
steps:
38+
- name: Checkout
39+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
40+
with:
41+
fetch-depth: 0
42+
persist-credentials: false
43+
44+
- name: Fetch origin/HEAD from Git
45+
run: git fetch origin HEAD
46+
47+
- name: Determine build attributes
48+
id: attributes
49+
run: |
50+
date="$(date --rfc-3339=seconds --utc)"
51+
app_version="$(git describe --tags --dirty --abbrev=7)"
52+
53+
DELIMITER="END_LABELS_$(uuidgen)"
54+
cat <<EOS | tee -a "${GITHUB_OUTPUT}"
55+
labels<<${DELIMITER}
56+
org.opencontainers.image.created=${date}
57+
org.opencontainers.image.url=https://github.com/target/diff-poetry-lock
58+
org.opencontainers.image.documentation=https://github.com/target/diff-poetry-lock
59+
org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY}
60+
org.opencontainers.image.version=${app_version}
61+
org.opencontainers.image.revision=${GITHUB_SHA}
62+
org.opencontainers.image.vendor=${GITHUB_REPOSITORY_OWNER}
63+
org.opencontainers.image.licenses=MIT
64+
${DELIMITER}
65+
EOS
66+
67+
typeset -A tag_hash
68+
typeset -A push_hash
69+
matrix=()
70+
merge=false
71+
while IFS=$'\n' read -r version; do
72+
tags=()
73+
if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
74+
tags+=(
75+
"ghcr.io/target/diff-poetry-lock/ubuntu${version}:${app_version}"
76+
"ghcr.io/target/diff-poetry-lock/ubuntu${version}:latest"
77+
)
78+
if [[ "${version}" == "${PRIMARY_VERSION}" ]]; then
79+
tags+=(
80+
"ghcr.io/target/diff-poetry-lock:${app_version}"
81+
"ghcr.io/target/diff-poetry-lock:latest"
82+
)
83+
fi
84+
elif [[ "${GITHUB_EVENT_NAME}" == "push" &&
85+
("${GITHUB_REF}" == "refs/heads/main") &&
86+
"${version}" == "${PRIMARY_VERSION}" ]]; then
87+
tags+=(
88+
"ghcr.io/target/diff-poetry-lock:main"
89+
"ghcr.io/target/diff-poetry-lock/ubuntu${version}:main"
90+
)
91+
fi
92+
93+
if [[ "${#tags[@]}" -ne 0 ]]; then
94+
tags_as_json_array="$(
95+
jq --null-input --compact-output '$ARGS.positional' --args "${tags[@]}"
96+
)"
97+
tag_hash["${version}"]="${tags_as_json_array}"
98+
push_hash["${version}"]=true
99+
merge=true
100+
matrix+=("${version}")
101+
else
102+
push_hash["${version}"]=false
103+
fi
104+
done <<<"$(jq --raw-output '.[]' <<<"${VERSIONS}")"
105+
106+
# Transform the `matrix` variable into a JSON array.
107+
echo "matrix=$(jq --null-input --compact-output '$ARGS.positional' --args "${matrix[@]}")" >>"${GITHUB_OUTPUT}"
108+
echo "merge=${merge}" >>"${GITHUB_OUTPUT}"
109+
110+
{
111+
DELIMITER="END_TAGS_$(uuidgen)"
112+
has_previous=
113+
echo "tags<<${DELIMITER}"
114+
printf '{'
115+
for version in "${!tag_hash[@]}"; do
116+
[[ -n "${has_previous:-}" ]] && printf ','
117+
printf '"%s": %s' "${version}" "${tag_hash[$version]}"
118+
has_previous=1
119+
done
120+
echo '}'
121+
echo "${DELIMITER}"
122+
} | tee -a "${GITHUB_OUTPUT}"
123+
124+
{
125+
DELIMITER="END_PUSH_$(uuidgen)"
126+
has_previous=
127+
echo "push<<${DELIMITER}"
128+
printf '{'
129+
for version in "${!push_hash[@]}"; do
130+
[[ -n "${has_previous:-}" ]] && printf ','
131+
printf '"%s": %s' "${version}" "${push_hash[$version]}"
132+
has_previous=1
133+
done
134+
echo '}'
135+
echo "${DELIMITER}"
136+
} | tee -a "${GITHUB_OUTPUT}"
137+
138+
build:
139+
needs: generate-tags
140+
if: github.repository_owner == 'target'
141+
name: docker (${{ matrix.arch }} Ubuntu ${{ matrix.version }})
142+
runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
143+
strategy:
144+
fail-fast: false
145+
matrix:
146+
version: ["24.04"]
147+
arch: ["x86_64", "arm64"]
148+
149+
steps:
150+
- name: Checkout
151+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
152+
with:
153+
fetch-depth: 0
154+
persist-credentials: false
155+
156+
- name: Fetch origin/HEAD from Git
157+
run: git fetch origin HEAD
158+
159+
- name: Set up Docker Buildx
160+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
161+
with:
162+
cache-binary: false
163+
164+
- name: Retrieve build attributes
165+
id: attributes
166+
env:
167+
VERSION: ${{ matrix.version }}
168+
PUSH: ${{ needs.generate-tags.outputs.push }}
169+
run: |
170+
filter="$(printf '.["%s"]' "${VERSION}")"
171+
echo "push=$(jq --raw-output "${filter}" <<<"${PUSH}")" >>"${GITHUB_OUTPUT}"
172+
173+
- name: Log in to GitHub Packages (github-actions[bot])
174+
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
175+
with:
176+
registry: ghcr.io
177+
username: github-actions[bot]
178+
password: ${{ secrets.GITHUB_TOKEN }}
179+
180+
- name: Build Docker image
181+
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
182+
with:
183+
context: .
184+
load: true
185+
tags: diff-poetry-lock
186+
cache-from: type=registry,ref=ghcr.io/target/diff-poetry-lock/ubuntu${{ matrix.version }}:cache
187+
build-args: version=${{ matrix.version }}
188+
labels: ${{ needs.generate-tags.outputs.labels }}
189+
190+
- name: Log in to GitHub Packages with service account
191+
if: fromJSON(steps.attributes.outputs.push)
192+
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
193+
with:
194+
registry: ghcr.io
195+
username: ${{ github.actor }}
196+
password: ${{ secrets.GITHUB_TOKEN }}
197+
198+
- name: Deploy the Docker image by digest
199+
id: digest
200+
if: fromJSON(steps.attributes.outputs.push)
201+
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
202+
with:
203+
context: .
204+
cache-from: type=registry,ref=ghcr.io/target/diff-poetry-lock/ubuntu${{ matrix.version }}:cache
205+
cache-to: type=registry,ref=ghcr.io/target/diff-poetry-lock/ubuntu${{ matrix.version }}:cache,mode=max
206+
build-args: version=${{ matrix.version }}
207+
labels: ${{ needs.generate-tags.outputs.labels }}
208+
outputs: type=image,name=ghcr.io/target/diff-poetry-lock/ubuntu${{ matrix.version }},name-canonical=true,push=true,push-by-digest=true
209+
210+
- name: Export the Docker image digest
211+
if: fromJSON(steps.attributes.outputs.push)
212+
run: |
213+
mkdir -p "${RUNNER_TEMP}"/digests
214+
echo "${DIGEST#sha256:}" >"${RUNNER_TEMP}/digests/${VERSION}-${ARCH}"
215+
env:
216+
DIGEST: ${{ steps.digest.outputs.digest }}
217+
VERSION: ${{ matrix.version }}
218+
ARCH: ${{ matrix.arch }}
219+
220+
- name: Upload the Docker image digest
221+
if: fromJSON(steps.attributes.outputs.push)
222+
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
223+
with:
224+
name: digest-${{ matrix.version }}-${{ matrix.arch }}
225+
path: ${{ runner.temp }}/digests/*
226+
227+
merge:
228+
needs: [generate-tags, build]
229+
if: github.repository_owner == 'target' && fromJSON(needs.generate-tags.outputs.merge)
230+
runs-on: ubuntu-latest
231+
strategy:
232+
fail-fast: false
233+
matrix:
234+
version: ${{ fromJSON(needs.generate-tags.outputs.matrix) }}
235+
steps:
236+
- name: Set up Docker Buildx
237+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
238+
with:
239+
cache-binary: false
240+
241+
- name: Download Docker image digests
242+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
243+
with:
244+
path: ${{ runner.temp }}/digests
245+
pattern: digest-${{ matrix.version }}-*
246+
merge-multiple: true
247+
248+
- name: Log in to GitHub Packages with Service Account
249+
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
250+
with:
251+
registry: ghcr.io
252+
username: ${{ github.actor }}
253+
password: ${{ secrets.GITHUB_TOKEN }}
254+
255+
- name: Merge and push Docker image
256+
env:
257+
TAGS: ${{ needs.generate-tags.outputs.tags }}
258+
VERSION: ${{ matrix.version }}
259+
run: |
260+
filter="$(printf '.["%s"].[]' "${VERSION}")"
261+
tag_args=()
262+
while IFS=$'\n' read -r tag; do
263+
[[ -n "${tag}" ]] || continue
264+
tag_args+=("--tag=${tag}")
265+
done <<<"$(jq --raw-output "${filter}" <<<"${TAGS}")"
266+
267+
image_args=("ghcr.io/target/diff-poetry-lock/ubuntu${VERSION}@sha256:$(<"${RUNNER_TEMP}/digests/${VERSION}-x86_64")")
268+
image_args+=("ghcr.io/target/diff-poetry-lock/ubuntu${VERSION}@sha256:$(<"${RUNNER_TEMP}/digests/${VERSION}-arm64")")
269+
270+
attempts=0
271+
until docker buildx imagetools create "${tag_args[@]}" "${image_args[@]}"; do
272+
attempts=$((attempts + 1))
273+
if [[ $attempts -ge 3 ]]; then
274+
echo "[$(date -u)] ERROR: Failed after 3 attempts." >&2
275+
exit 1
276+
fi
277+
delay=$((2 ** attempts))
278+
if [[ $delay -gt 15 ]]; then delay=15; fi
279+
echo "Push failed (attempt $attempts). Retrying in ${delay} seconds..."
280+
sleep ${delay}
281+
done

0 commit comments

Comments
 (0)