diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml index f5054254..9bd2b721 100644 --- a/.github/workflows/publish-image.yml +++ b/.github/workflows/publish-image.yml @@ -15,58 +15,22 @@ on: - '*' # Allows you to run this workflow manually from the Actions tab workflow_dispatch: - +env: + DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} + GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }} + GHCR_ENABLED: "${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) && 'true' || 'false' }}" jobs: - build-and-push-image: + define-variables: runs-on: ubuntu-latest - # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. - permissions: - contents: read - packages: write - attestations: write - id-token: write - env: - DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} - GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }} - GHCR_ENABLED: "${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) && 'true' || 'false' }}" - strategy: - matrix: - target: - - base - - haswell + + outputs: + images: ${{ steps.var.outputs.images }} + images_list: ${{ steps.var.outputs.images_list }} + build_matrix: ${{ steps.var.outputs.build_matrix }} + merge_matrix: ${{ steps.var.outputs.merge_matrix }} + steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - persist-credentials: false - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Login to Docker Hub - if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }} - uses: docker/login-action@v3 - with: - registry: docker.io - username: ${{ vars.DOCKER_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to GitLab Container Registry - if: ${{ (vars.GITLAB_USERNAME != '') && (env.GITLAB_TOKEN != '') }} - uses: docker/login-action@v3 - with: - registry: registry.gitlab.com - username: ${{ vars.GITLAB_USERNAME }} - password: ${{ secrets.GITLAB_TOKEN }} - - name: Setting variables uses: actions/github-script@v7 id: var @@ -93,40 +57,84 @@ jobs: images.push(glhrImage) } core.setOutput('images', images.join("\n")) + core.setOutput('images_list', images.join(",")) + const platforms = ['linux/amd64', 'linux/arm64'] + // specific CPU build variations + const includes = [ + { + platform: 'linux/amd64', + target_cpu: 'haswell', + tag_suffix: '-haswell' + } + ] + // Image builds + core.setOutput('build_matrix', JSON.stringify({ + platform: platforms, + target_cpu: ['base'], + include: includes + })) + // image publishes + core.setOutput('merge_matrix', JSON.stringify({ + tag_suffix: ['', ...includes.map((i) => i.tag_suffix).filter((i) => typeof i == 'string')] + })) + build-image: + runs-on: ubuntu-latest + + needs: define-variables + # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. + permissions: + contents: read + packages: write + attestations: write + id-token: write + strategy: + matrix: ${{ fromJSON(needs.define-variables.outputs.build_matrix) }} + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + # For publishing multi-platform manifests + - name: Prepare + run: | + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Docker Hub + if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }} + uses: docker/login-action@v3 + with: + registry: docker.io + username: ${{ vars.DOCKER_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitLab Container Registry + if: ${{ (vars.GITLAB_USERNAME != '') && (env.GITLAB_TOKEN != '') }} + uses: docker/login-action@v3 + with: + registry: registry.gitlab.com + username: ${{ vars.GITLAB_USERNAME }} + password: ${{ secrets.GITLAB_TOKEN }} # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. - name: Extract metadata (tags, labels) for Docker - id: meta-base - if: ${{ matrix.target == 'base' }} - uses: docker/metadata-action@v5 - with: - flavor: | - suffix=-tiny - tags: | - type=semver,pattern=v{{version}} - type=semver,pattern=v{{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }} - type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} - type=ref,event=branch - type=ref,event=pr - images: ${{steps.var.outputs.images}} - # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509 - env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - - name: Extract metadata (tags, labels) for Docker (optimised) id: meta - if: ${{ matrix.target != 'base' }} uses: docker/metadata-action@v5 with: - flavor: | - suffix=-tiny-${{ matrix.target }} - tags: | - type=semver,pattern=v{{version}} - type=semver,pattern=v{{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }} - type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} - type=ref,event=branch - type=ref,event=pr - images: ${{steps.var.outputs.images}} + images: ${{needs.define-variables.outputs.images}} # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509 env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index @@ -136,7 +144,7 @@ jobs: # We use - uses: Swatinem/rust-cache@v2 with: - prefix-key: v0-rust-${{matrix.target}} + prefix-key: v0-rust-${{matrix.platform}}-${{matrix.target_cpu}} id: rust-cache - name: Inject cache into Docker @@ -153,17 +161,111 @@ jobs: # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. # It will not push images generated from a pull request - - name: Build and push Docker image - id: push + - name: Build and push Docker image by digest + id: build uses: docker/build-push-action@v6 with: context: . file: "Containerfile" - build-args: ${{ matrix.target != 'base' && format('TARGET_CPU={0}', matrix.target) || '' }} + build-args: ${{ matrix.target_cpu != 'base' && format('TARGET_CPU={0}', matrix.target_cpu) || '' }} + platforms: ${{ matrix.platform }} push: ${{ github.event_name != 'pull_request' }} - tags: ${{ matrix.target == 'base' && steps.meta-base.outputs.tags || steps.meta.outputs.tags }} - labels: ${{ matrix.target == 'base' && steps.meta-base.outputs.labels || steps.meta.outputs.labels }} - annotations: ${{ matrix.target == 'base' && steps.meta-base.outputs.annotations || steps.meta.outputs.annotations }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} cache-from: type=gha cache-to: type=gha,mode=max sbom: true + outputs: type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true + + # For publishing multi-platform manifests + - name: Export digest + run: | + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: ${{matrix.tag_suffix || ''}}digests-${{ env.PLATFORM_PAIR }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + merge: + runs-on: ubuntu-latest + needs: [define-variables, build-image] + strategy: + matrix: ${{ fromJSON(needs.define-variables.outputs.merge_matrix) }} + steps: + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: ${{matrix.tag_suffix || ''}}digests-* + merge-multiple: true + # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Login to Docker Hub + if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }} + uses: docker/login-action@v3 + with: + registry: docker.io + username: ${{ vars.DOCKER_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to GitLab Container Registry + if: ${{ (vars.GITLAB_USERNAME != '') && (env.GITLAB_TOKEN != '') }} + uses: docker/login-action@v3 + with: + registry: registry.gitlab.com + username: ${{ vars.GITLAB_USERNAME }} + password: ${{ secrets.GITLAB_TOKEN }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + flavor: | + suffix=-tiny${{ matrix.tag_suffix }} + tags: | + type=semver,pattern=v{{version}} + type=semver,pattern=v{{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }} + type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} + type=ref,event=branch + type=ref,event=pr + images: ${{needs.define-variables.outputs.images}} + # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509 + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: index,manifest + + - name: Create manifest list and push + working-directory: /tmp/digests + env: + IMAGES: ${{needs.define-variables.outputs.images}} + run: | + IMAGES_LIST=($IMAGES) + for REPO in "${IMAGES_LIST[@]}"; do + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf -- "--annotation \"%s\" " "${DOCKER_METADATA_OUTPUT_ANNOTATIONS[@]}") \ + $(printf "$REPO@sha256:%s " *) + done + + - name: Inspect image + env: + IMAGES: ${{needs.define-variables.outputs.images}} + run: | + IMAGES_LIST=($IMAGES) + for REPO in "${IMAGES_LIST[@]}"; do + docker buildx imagetools inspect $REPO:${{ steps.meta.outputs.version }} + done \ No newline at end of file