mirror of
https://forgejo.ellis.link/continuwuation/continuwuity.git
synced 2025-09-10 14:32:50 +02:00
15f8ad8201
When BUILDKIT_ENDPOINT is set, the build happens on a remote BuildKit instance, making several runner setup steps unnecessary: - Rust toolchain installation (not needed for remote builds) - QEMU setup (cross-platform emulation handled by BuildKit) - All caching steps (Rust registry, cargo target, apt cache/lib) - Cache injection step (BuildKit manages its own cache) - Timelord timestamp caching (not needed with persistent build cache) Also added output to git SHA and timestamp steps to show their values. This should significantly reduce build time when using persistent BuildKit by eliminating ~7 setup steps per matrix job.
332 lines
14 KiB
YAML
332 lines
14 KiB
YAML
name: Release Docker Image
|
|
concurrency:
|
|
group: "release-image-${{ github.ref }}"
|
|
|
|
on:
|
|
pull_request:
|
|
paths-ignore:
|
|
- "*.md"
|
|
- "**/*.md"
|
|
- ".gitlab-ci.yml"
|
|
- ".gitignore"
|
|
- "renovate.json"
|
|
- "pkg/**"
|
|
- "docs/**"
|
|
push:
|
|
branches:
|
|
- main
|
|
paths-ignore:
|
|
- "*.md"
|
|
- "**/*.md"
|
|
- ".gitlab-ci.yml"
|
|
- ".gitignore"
|
|
- "renovate.json"
|
|
- "pkg/**"
|
|
- "docs/**"
|
|
# Allows you to run this workflow manually from the Actions tab
|
|
workflow_dispatch:
|
|
|
|
env:
|
|
BUILTIN_REGISTRY: forgejo.ellis.link
|
|
BUILTIN_REGISTRY_ENABLED: "${{ ((vars.BUILTIN_REGISTRY_USER && secrets.BUILTIN_REGISTRY_PASSWORD) || (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)) && 'true' || 'false' }}"
|
|
|
|
jobs:
|
|
define-variables:
|
|
runs-on: ubuntu-latest
|
|
|
|
outputs:
|
|
images: ${{ steps.var.outputs.images }}
|
|
images_list: ${{ steps.var.outputs.images_list }}
|
|
build_matrix: ${{ steps.var.outputs.build_matrix }}
|
|
|
|
steps:
|
|
- name: Setting variables
|
|
uses: https://github.com/actions/github-script@v7
|
|
id: var
|
|
with:
|
|
script: |
|
|
const githubRepo = '${{ github.repository }}'.toLowerCase()
|
|
const repoId = githubRepo.split('/')[1]
|
|
|
|
core.setOutput('github_repository', githubRepo)
|
|
const builtinImage = '${{ env.BUILTIN_REGISTRY }}/' + githubRepo
|
|
let images = []
|
|
if (process.env.BUILTIN_REGISTRY_ENABLED === "true") {
|
|
images.push(builtinImage)
|
|
} else {
|
|
// Fallback to official registry for forks/PRs without credentials
|
|
images.push('forgejo.ellis.link/continuwuation/continuwuity')
|
|
}
|
|
core.setOutput('images', images.join("\n"))
|
|
core.setOutput('images_list', images.join(","))
|
|
const platforms = ['linux/amd64', 'linux/arm64']
|
|
core.setOutput('build_matrix', JSON.stringify({
|
|
platform: platforms,
|
|
target_cpu: ['base'],
|
|
include: platforms.map(platform => { return {
|
|
platform,
|
|
slug: platform.replace('/', '-')
|
|
}})
|
|
}))
|
|
|
|
build-image:
|
|
runs-on: dind
|
|
needs: define-variables
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
attestations: write
|
|
id-token: write
|
|
strategy:
|
|
matrix:
|
|
{
|
|
"target_cpu": ["base"],
|
|
"profile": ["release"],
|
|
"include":
|
|
[
|
|
{ "platform": "linux/amd64", "slug": "linux-amd64" },
|
|
{ "platform": "linux/arm64", "slug": "linux-arm64" },
|
|
],
|
|
"platform": ["linux/amd64", "linux/arm64"],
|
|
}
|
|
|
|
steps:
|
|
- name: Echo strategy
|
|
run: echo '${{ toJSON(fromJSON(needs.define-variables.outputs.build_matrix)) }}'
|
|
- name: Echo matrix
|
|
run: echo '${{ toJSON(matrix) }}'
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
persist-credentials: false
|
|
- name: Install rust
|
|
if: ${{ env.BUILDKIT_ENDPOINT == '' }}
|
|
id: rust-toolchain
|
|
uses: ./.forgejo/actions/rust-toolchain
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
# Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
|
|
driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
|
|
endpoint: ${{ env.BUILDKIT_ENDPOINT || '' }}
|
|
- name: Set up QEMU
|
|
if: ${{ env.BUILDKIT_ENDPOINT == '' }}
|
|
uses: docker/setup-qemu-action@v3
|
|
# Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
|
|
- name: Login to builtin registry
|
|
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.BUILTIN_REGISTRY }}
|
|
username: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
|
|
password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
|
|
|
|
# This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
|
|
- name: Extract metadata (labels, annotations) for Docker
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{needs.define-variables.outputs.images}}
|
|
# default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
|
|
env:
|
|
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
|
|
|
|
# This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
|
|
# It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
|
|
# It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
|
|
# It will not push images generated from a pull request
|
|
- name: Get short git commit SHA
|
|
id: sha
|
|
run: |
|
|
calculatedSha=$(git rev-parse --short ${{ github.sha }})
|
|
echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
|
|
- name: Get Git commit timestamps
|
|
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
|
|
|
|
- uses: ./.forgejo/actions/timelord
|
|
if: ${{ env.BUILDKIT_ENDPOINT == '' }}
|
|
with:
|
|
key: timelord-v0
|
|
path: .
|
|
|
|
- name: Cache Rust registry
|
|
if: ${{ env.BUILDKIT_ENDPOINT == '' }}
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: |
|
|
.cargo/git
|
|
.cargo/git/checkouts
|
|
.cargo/registry
|
|
.cargo/registry/src
|
|
key: rust-registry-image-${{hashFiles('**/Cargo.lock') }}
|
|
- name: Cache cargo target
|
|
if: ${{ env.BUILDKIT_ENDPOINT == '' }}
|
|
id: cache-cargo-target
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: |
|
|
cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
|
|
key: cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}-${{hashFiles('**/Cargo.lock') }}-${{steps.rust-toolchain.outputs.rustc_version}}
|
|
- name: Cache apt cache
|
|
if: ${{ env.BUILDKIT_ENDPOINT == '' }}
|
|
id: cache-apt
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: |
|
|
var-cache-apt-${{ matrix.slug }}
|
|
key: var-cache-apt-${{ matrix.slug }}
|
|
- name: Cache apt lib
|
|
if: ${{ env.BUILDKIT_ENDPOINT == '' }}
|
|
id: cache-apt-lib
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: |
|
|
var-lib-apt-${{ matrix.slug }}
|
|
key: var-lib-apt-${{ matrix.slug }}
|
|
- name: inject cache into docker
|
|
if: ${{ env.BUILDKIT_ENDPOINT == '' }}
|
|
uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.3.0
|
|
with:
|
|
cache-map: |
|
|
{
|
|
".cargo/registry": "/usr/local/cargo/registry",
|
|
".cargo/git/db": "/usr/local/cargo/git/db",
|
|
"cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}": {
|
|
"target": "/app/target",
|
|
"id": "cargo-target-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}"
|
|
},
|
|
"var-cache-apt-${{ matrix.slug }}": "/var/cache/apt",
|
|
"var-lib-apt-${{ matrix.slug }}": "/var/lib/apt"
|
|
}
|
|
skip-extraction: ${{ steps.cache.outputs.cache-hit }}
|
|
|
|
- name: Build and push Docker image by digest
|
|
id: build
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: "docker/Dockerfile"
|
|
build-args: |
|
|
GIT_COMMIT_HASH=${{ github.sha }}
|
|
GIT_COMMIT_HASH_SHORT=${{ env.COMMIT_SHORT_SHA }}
|
|
GIT_REMOTE_URL=${{github.event.repository.html_url }}
|
|
GIT_REMOTE_COMMIT_URL=${{github.event.head_commit.url }}
|
|
platforms: ${{ matrix.platform }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
annotations: ${{ steps.meta.outputs.annotations }}
|
|
cache-from: type=gha
|
|
# cache-to: type=gha,mode=max
|
|
sbom: true
|
|
outputs: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' && format('type=image,"name={0}",push-by-digest=true,name-canonical=true,push=true', needs.define-variables.outputs.images_list) || 'type=docker' }}
|
|
env:
|
|
SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
|
|
|
|
# For publishing multi-platform manifests
|
|
- name: Export digest
|
|
run: |
|
|
mkdir -p /tmp/digests
|
|
digest="${{ steps.build.outputs.digest }}"
|
|
touch "/tmp/digests/${digest#sha256:}"
|
|
|
|
- name: Extract binary from container (image)
|
|
id: extract-binary-image
|
|
run: |
|
|
mkdir -p /tmp/binaries
|
|
digest="${{ steps.build.outputs.digest }}"
|
|
echo "container_id=$(docker create --platform ${{ matrix.platform }} ${{ needs.define-variables.outputs.images_list }}@$digest)" >> $GITHUB_OUTPUT
|
|
- name: Extract binary from container (copy)
|
|
run: docker cp ${{ steps.extract-binary-image.outputs.container_id }}:/sbin/conduwuit /tmp/binaries/conduwuit-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
|
|
- name: Extract binary from container (cleanup)
|
|
run: docker rm ${{ steps.extract-binary-image.outputs.container_id }}
|
|
|
|
- name: Upload binary artifact
|
|
uses: forgejo/upload-artifact@v4
|
|
with:
|
|
name: conduwuit-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
|
|
path: /tmp/binaries/conduwuit-${{ matrix.target_cpu }}-${{ matrix.slug }}-${{ matrix.profile }}
|
|
if-no-files-found: error
|
|
|
|
- name: Upload digest
|
|
uses: forgejo/upload-artifact@v4
|
|
with:
|
|
name: digests-${{ matrix.slug }}
|
|
path: /tmp/digests/*
|
|
if-no-files-found: error
|
|
retention-days: 5
|
|
|
|
merge:
|
|
runs-on: dind
|
|
needs: [define-variables, build-image]
|
|
steps:
|
|
- name: Download digests
|
|
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
|
|
uses: forgejo/download-artifact@v4
|
|
with:
|
|
path: /tmp/digests
|
|
pattern: digests-*
|
|
merge-multiple: true
|
|
# Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
|
|
- name: Login to builtin registry
|
|
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.BUILTIN_REGISTRY }}
|
|
username: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
|
|
password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Set up Docker Buildx
|
|
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
# Use persistent BuildKit if BUILDKIT_ENDPOINT is set (e.g. tcp://buildkit:8125)
|
|
driver: ${{ env.BUILDKIT_ENDPOINT != '' && 'remote' || 'docker-container' }}
|
|
endpoint: ${{ env.BUILDKIT_ENDPOINT || '' }}
|
|
|
|
- name: Extract metadata (tags) for Docker
|
|
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
tags: |
|
|
type=semver,pattern={{version}},prefix=v
|
|
type=semver,pattern={{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }},prefix=v
|
|
type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }},prefix=v
|
|
type=ref,event=branch,prefix=${{ format('refs/heads/{0}', github.event.repository.default_branch) != github.ref && 'branch-' || '' }}
|
|
type=ref,event=pr
|
|
type=sha,format=long
|
|
type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
|
|
images: ${{needs.define-variables.outputs.images}}
|
|
# default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
|
|
env:
|
|
DOCKER_METADATA_ANNOTATIONS_LEVELS: index
|
|
|
|
- name: Create manifest list and push
|
|
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
|
|
working-directory: /tmp/digests
|
|
env:
|
|
IMAGES: ${{needs.define-variables.outputs.images}}
|
|
shell: bash
|
|
run: |
|
|
IFS=$'\n'
|
|
IMAGES_LIST=($IMAGES)
|
|
ANNOTATIONS_LIST=($DOCKER_METADATA_OUTPUT_ANNOTATIONS)
|
|
TAGS_LIST=($DOCKER_METADATA_OUTPUT_TAGS)
|
|
for REPO in "${IMAGES_LIST[@]}"; do
|
|
docker buildx imagetools create \
|
|
$(for tag in "${TAGS_LIST[@]}"; do echo "--tag"; echo "$tag"; done) \
|
|
$(for annotation in "${ANNOTATIONS_LIST[@]}"; do echo "--annotation"; echo "$annotation"; done) \
|
|
$(for reference in *; do printf "$REPO@sha256:%s\n" $reference; done)
|
|
done
|
|
|
|
- name: Inspect image
|
|
if: ${{ env.BUILTIN_REGISTRY_ENABLED == 'true' }}
|
|
env:
|
|
IMAGES: ${{needs.define-variables.outputs.images}}
|
|
shell: bash
|
|
run: |
|
|
IMAGES_LIST=($IMAGES)
|
|
for REPO in "${IMAGES_LIST[@]}"; do
|
|
docker buildx imagetools inspect $REPO:${{ steps.meta.outputs.version }}
|
|
done
|