|
| 1 | +name: Docker |
| 2 | +# based on https://github.com/Homebrew/brew/blob/fab1894af8c5377430a5978a08ae7b0eced61cad/.github/workflows/docker.yml |
| 3 | + |
| 4 | +on: |
| 5 | + pull_request: |
| 6 | + push: |
| 7 | + branches: |
| 8 | + - main |
| 9 | + merge_group: |
| 10 | + release: |
| 11 | + types: |
| 12 | + - published |
| 13 | + |
| 14 | +permissions: |
| 15 | + contents: read |
| 16 | + |
| 17 | +defaults: |
| 18 | + run: |
| 19 | + shell: bash -xeuo pipefail {0} |
| 20 | + |
| 21 | +env: |
| 22 | + # Add more Ubuntu versions, drop when security EOL (https://endoflife.date/ubuntu) or they don't work |
| 23 | + VERSIONS: '["24.04"]' |
| 24 | + # Set what Ubuntu version constitutes ghcr.io/target/diff-poetry-lock:${app_version} |
| 25 | + PRIMARY_VERSION: "24.04" |
| 26 | + |
| 27 | +jobs: |
| 28 | + generate-tags: |
| 29 | + if: github.repository_owner == 'target' |
| 30 | + runs-on: ubuntu-latest |
| 31 | + outputs: |
| 32 | + matrix: ${{ steps.attributes.outputs.matrix }} |
| 33 | + tags: ${{ steps.attributes.outputs.tags }} |
| 34 | + labels: ${{ steps.attributes.outputs.labels }} |
| 35 | + push: ${{ steps.attributes.outputs.push }} |
| 36 | + merge: ${{ steps.attributes.outputs.merge }} |
| 37 | + steps: |
| 38 | + - name: Checkout |
| 39 | + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 40 | + with: |
| 41 | + fetch-depth: 0 |
| 42 | + persist-credentials: false |
| 43 | + |
| 44 | + - name: Fetch origin/HEAD from Git |
| 45 | + run: git fetch origin HEAD |
| 46 | + |
| 47 | + - name: Determine build attributes |
| 48 | + id: attributes |
| 49 | + run: | |
| 50 | + date="$(date --rfc-3339=seconds --utc)" |
| 51 | + app_version="$(git describe --tags --dirty --abbrev=7)" |
| 52 | +
|
| 53 | + DELIMITER="END_LABELS_$(uuidgen)" |
| 54 | + cat <<EOS | tee -a "${GITHUB_OUTPUT}" |
| 55 | + labels<<${DELIMITER} |
| 56 | + org.opencontainers.image.created=${date} |
| 57 | + org.opencontainers.image.url=https://github.com/target/diff-poetry-lock |
| 58 | + org.opencontainers.image.documentation=https://github.com/target/diff-poetry-lock |
| 59 | + org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY} |
| 60 | + org.opencontainers.image.version=${app_version} |
| 61 | + org.opencontainers.image.revision=${GITHUB_SHA} |
| 62 | + org.opencontainers.image.vendor=${GITHUB_REPOSITORY_OWNER} |
| 63 | + org.opencontainers.image.licenses=MIT |
| 64 | + ${DELIMITER} |
| 65 | + EOS |
| 66 | +
|
| 67 | + typeset -A tag_hash |
| 68 | + typeset -A push_hash |
| 69 | + matrix=() |
| 70 | + merge=false |
| 71 | + while IFS=$'\n' read -r version; do |
| 72 | + tags=() |
| 73 | + if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then |
| 74 | + tags+=( |
| 75 | + "ghcr.io/target/diff-poetry-lock/ubuntu${version}:${app_version}" |
| 76 | + "ghcr.io/target/diff-poetry-lock/ubuntu${version}:latest" |
| 77 | + ) |
| 78 | + if [[ "${version}" == "${PRIMARY_VERSION}" ]]; then |
| 79 | + tags+=( |
| 80 | + "ghcr.io/target/diff-poetry-lock:${app_version}" |
| 81 | + "ghcr.io/target/diff-poetry-lock:latest" |
| 82 | + ) |
| 83 | + fi |
| 84 | + elif [[ "${GITHUB_EVENT_NAME}" == "push" && |
| 85 | + ("${GITHUB_REF}" == "refs/heads/main") && |
| 86 | + "${version}" == "${PRIMARY_VERSION}" ]]; then |
| 87 | + tags+=( |
| 88 | + "ghcr.io/target/diff-poetry-lock:main" |
| 89 | + "ghcr.io/target/diff-poetry-lock/ubuntu${version}:main" |
| 90 | + ) |
| 91 | + fi |
| 92 | +
|
| 93 | + if [[ "${#tags[@]}" -ne 0 ]]; then |
| 94 | + tags_as_json_array="$( |
| 95 | + jq --null-input --compact-output '$ARGS.positional' --args "${tags[@]}" |
| 96 | + )" |
| 97 | + tag_hash["${version}"]="${tags_as_json_array}" |
| 98 | + push_hash["${version}"]=true |
| 99 | + merge=true |
| 100 | + matrix+=("${version}") |
| 101 | + else |
| 102 | + push_hash["${version}"]=false |
| 103 | + fi |
| 104 | + done <<<"$(jq --raw-output '.[]' <<<"${VERSIONS}")" |
| 105 | +
|
| 106 | + # Transform the `matrix` variable into a JSON array. |
| 107 | + echo "matrix=$(jq --null-input --compact-output '$ARGS.positional' --args "${matrix[@]}")" >>"${GITHUB_OUTPUT}" |
| 108 | + echo "merge=${merge}" >>"${GITHUB_OUTPUT}" |
| 109 | +
|
| 110 | + { |
| 111 | + DELIMITER="END_TAGS_$(uuidgen)" |
| 112 | + has_previous= |
| 113 | + echo "tags<<${DELIMITER}" |
| 114 | + printf '{' |
| 115 | + for version in "${!tag_hash[@]}"; do |
| 116 | + [[ -n "${has_previous:-}" ]] && printf ',' |
| 117 | + printf '"%s": %s' "${version}" "${tag_hash[$version]}" |
| 118 | + has_previous=1 |
| 119 | + done |
| 120 | + echo '}' |
| 121 | + echo "${DELIMITER}" |
| 122 | + } | tee -a "${GITHUB_OUTPUT}" |
| 123 | +
|
| 124 | + { |
| 125 | + DELIMITER="END_PUSH_$(uuidgen)" |
| 126 | + has_previous= |
| 127 | + echo "push<<${DELIMITER}" |
| 128 | + printf '{' |
| 129 | + for version in "${!push_hash[@]}"; do |
| 130 | + [[ -n "${has_previous:-}" ]] && printf ',' |
| 131 | + printf '"%s": %s' "${version}" "${push_hash[$version]}" |
| 132 | + has_previous=1 |
| 133 | + done |
| 134 | + echo '}' |
| 135 | + echo "${DELIMITER}" |
| 136 | + } | tee -a "${GITHUB_OUTPUT}" |
| 137 | +
|
| 138 | + build: |
| 139 | + needs: generate-tags |
| 140 | + if: github.repository_owner == 'target' |
| 141 | + name: docker (${{ matrix.arch }} Ubuntu ${{ matrix.version }}) |
| 142 | + runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }} |
| 143 | + strategy: |
| 144 | + fail-fast: false |
| 145 | + matrix: |
| 146 | + version: ["24.04"] |
| 147 | + arch: ["x86_64", "arm64"] |
| 148 | + |
| 149 | + steps: |
| 150 | + - name: Checkout |
| 151 | + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 152 | + with: |
| 153 | + fetch-depth: 0 |
| 154 | + persist-credentials: false |
| 155 | + |
| 156 | + - name: Fetch origin/HEAD from Git |
| 157 | + run: git fetch origin HEAD |
| 158 | + |
| 159 | + - name: Set up Docker Buildx |
| 160 | + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 |
| 161 | + with: |
| 162 | + cache-binary: false |
| 163 | + |
| 164 | + - name: Retrieve build attributes |
| 165 | + id: attributes |
| 166 | + env: |
| 167 | + VERSION: ${{ matrix.version }} |
| 168 | + PUSH: ${{ needs.generate-tags.outputs.push }} |
| 169 | + run: | |
| 170 | + filter="$(printf '.["%s"]' "${VERSION}")" |
| 171 | + echo "push=$(jq --raw-output "${filter}" <<<"${PUSH}")" >>"${GITHUB_OUTPUT}" |
| 172 | +
|
| 173 | + - name: Log in to GitHub Packages (github-actions[bot]) |
| 174 | + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 |
| 175 | + with: |
| 176 | + registry: ghcr.io |
| 177 | + username: github-actions[bot] |
| 178 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 179 | + |
| 180 | + - name: Build Docker image |
| 181 | + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 |
| 182 | + with: |
| 183 | + context: . |
| 184 | + load: true |
| 185 | + tags: diff-poetry-lock |
| 186 | + cache-from: type=registry,ref=ghcr.io/target/diff-poetry-lock/ubuntu${{ matrix.version }}:cache |
| 187 | + build-args: version=${{ matrix.version }} |
| 188 | + labels: ${{ needs.generate-tags.outputs.labels }} |
| 189 | + |
| 190 | + - name: Log in to GitHub Packages with service account |
| 191 | + if: fromJSON(steps.attributes.outputs.push) |
| 192 | + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 |
| 193 | + with: |
| 194 | + registry: ghcr.io |
| 195 | + username: ${{ github.actor }} |
| 196 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 197 | + |
| 198 | + - name: Deploy the Docker image by digest |
| 199 | + id: digest |
| 200 | + if: fromJSON(steps.attributes.outputs.push) |
| 201 | + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 |
| 202 | + with: |
| 203 | + context: . |
| 204 | + cache-from: type=registry,ref=ghcr.io/target/diff-poetry-lock/ubuntu${{ matrix.version }}:cache |
| 205 | + cache-to: type=registry,ref=ghcr.io/target/diff-poetry-lock/ubuntu${{ matrix.version }}:cache,mode=max |
| 206 | + build-args: version=${{ matrix.version }} |
| 207 | + labels: ${{ needs.generate-tags.outputs.labels }} |
| 208 | + outputs: type=image,name=ghcr.io/target/diff-poetry-lock/ubuntu${{ matrix.version }},name-canonical=true,push=true,push-by-digest=true |
| 209 | + |
| 210 | + - name: Export the Docker image digest |
| 211 | + if: fromJSON(steps.attributes.outputs.push) |
| 212 | + run: | |
| 213 | + mkdir -p "${RUNNER_TEMP}"/digests |
| 214 | + echo "${DIGEST#sha256:}" >"${RUNNER_TEMP}/digests/${VERSION}-${ARCH}" |
| 215 | + env: |
| 216 | + DIGEST: ${{ steps.digest.outputs.digest }} |
| 217 | + VERSION: ${{ matrix.version }} |
| 218 | + ARCH: ${{ matrix.arch }} |
| 219 | + |
| 220 | + - name: Upload the Docker image digest |
| 221 | + if: fromJSON(steps.attributes.outputs.push) |
| 222 | + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 |
| 223 | + with: |
| 224 | + name: digest-${{ matrix.version }}-${{ matrix.arch }} |
| 225 | + path: ${{ runner.temp }}/digests/* |
| 226 | + |
| 227 | + merge: |
| 228 | + needs: [generate-tags, build] |
| 229 | + if: github.repository_owner == 'target' && fromJSON(needs.generate-tags.outputs.merge) |
| 230 | + runs-on: ubuntu-latest |
| 231 | + strategy: |
| 232 | + fail-fast: false |
| 233 | + matrix: |
| 234 | + version: ${{ fromJSON(needs.generate-tags.outputs.matrix) }} |
| 235 | + steps: |
| 236 | + - name: Set up Docker Buildx |
| 237 | + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 |
| 238 | + with: |
| 239 | + cache-binary: false |
| 240 | + |
| 241 | + - name: Download Docker image digests |
| 242 | + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 |
| 243 | + with: |
| 244 | + path: ${{ runner.temp }}/digests |
| 245 | + pattern: digest-${{ matrix.version }}-* |
| 246 | + merge-multiple: true |
| 247 | + |
| 248 | + - name: Log in to GitHub Packages with Service Account |
| 249 | + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 |
| 250 | + with: |
| 251 | + registry: ghcr.io |
| 252 | + username: ${{ github.actor }} |
| 253 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 254 | + |
| 255 | + - name: Merge and push Docker image |
| 256 | + env: |
| 257 | + TAGS: ${{ needs.generate-tags.outputs.tags }} |
| 258 | + VERSION: ${{ matrix.version }} |
| 259 | + run: | |
| 260 | + filter="$(printf '.["%s"].[]' "${VERSION}")" |
| 261 | + tag_args=() |
| 262 | + while IFS=$'\n' read -r tag; do |
| 263 | + [[ -n "${tag}" ]] || continue |
| 264 | + tag_args+=("--tag=${tag}") |
| 265 | + done <<<"$(jq --raw-output "${filter}" <<<"${TAGS}")" |
| 266 | +
|
| 267 | + image_args=("ghcr.io/target/diff-poetry-lock/ubuntu${VERSION}@sha256:$(<"${RUNNER_TEMP}/digests/${VERSION}-x86_64")") |
| 268 | + image_args+=("ghcr.io/target/diff-poetry-lock/ubuntu${VERSION}@sha256:$(<"${RUNNER_TEMP}/digests/${VERSION}-arm64")") |
| 269 | +
|
| 270 | + attempts=0 |
| 271 | + until docker buildx imagetools create "${tag_args[@]}" "${image_args[@]}"; do |
| 272 | + attempts=$((attempts + 1)) |
| 273 | + if [[ $attempts -ge 3 ]]; then |
| 274 | + echo "[$(date -u)] ERROR: Failed after 3 attempts." >&2 |
| 275 | + exit 1 |
| 276 | + fi |
| 277 | + delay=$((2 ** attempts)) |
| 278 | + if [[ $delay -gt 15 ]]; then delay=15; fi |
| 279 | + echo "Push failed (attempt $attempts). Retrying in ${delay} seconds..." |
| 280 | + sleep ${delay} |
| 281 | + done |
0 commit comments