-
Notifications
You must be signed in to change notification settings - Fork 495
130 lines (119 loc) · 6.56 KB
/
container_base_push.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
---
name: Container Images Releasing
on:
push:
tags:
- 'v[6-9].**'
branches:
- 'develop'
# "Path filters are not evaluated for pushes of tags" https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
paths:
- 'modules/container-base/**'
- '!modules/container-base/src/backports/**'
- '!modules/container-base/README.md'
- 'modules/dataverse-parent/pom.xml'
- '.github/workflows/container_base_push.yml'
# These TODOs are left for #10618
# TODO: we are missing a workflow_call option here, so we can trigger this flow from pr comments and maven tests (keep the secrets availability in mind!)
# TODO: we are missing a pull_request option here (filter for stuff that would trigger the maven runs!) so we can trigger preview builds for them when coming from the main repo (keep the secrets availability in mind!)
env:
PLATFORMS: linux/amd64,linux/arm64
DEVELOPMENT_BRANCH: develop
jobs:
build:
name: Base Image
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
# Only run in upstream repo - avoid unnecessary runs in forks
if: ${{ github.repository_owner == 'IQSS' }}
outputs:
base-image-ref: ${{ steps.finalize.outputs.base-image-ref }}
steps:
- name: Checkout and Setup Maven
uses: IQSS/dataverse/.github/actions/setup-maven@develop
with:
pom-paths: modules/container-base/pom.xml
# Note: Accessing, pushing tags etc. to DockerHub will only succeed in upstream and
# on events in context of upstream because secrets. PRs run in context of forks by default!
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
# In case this is a push to develop, we care about buildtime.
# Configure a remote ARM64 build host in addition to the local AMD64 in two steps.
- name: Setup SSH agent
if: ${{ github.event_name != 'schedule' }}
uses: webfactory/[email protected]
with:
ssh-private-key: ${{ secrets.BUILDER_ARM64_SSH_PRIVATE_KEY }}
- name: Provide the known hosts key and the builder config
if: ${{ github.event_name != 'schedule' }}
run: |
echo "${{ secrets.BUILDER_ARM64_SSH_HOST_KEY }}" > ~/.ssh/known_hosts
mkdir -p modules/container-base/target/buildx-state/buildx/instances
cat > modules/container-base/target/buildx-state/buildx/instances/maven << EOF
{ "Name": "maven",
"Driver": "docker-container",
"Dynamic": false,
"Nodes": [{"Name": "maven0",
"Endpoint": "unix:///var/run/docker.sock",
"Platforms": [{"os": "linux", "architecture": "amd64"}],
"DriverOpts": null,
"Flags": ["--allow-insecure-entitlement=network.host"],
"Files": null},
{"Name": "maven1",
"Endpoint": "ssh://${{ secrets.BUILDER_ARM64_SSH_CONNECTION }}",
"Platforms": [{"os": "linux", "architecture": "arm64"}],
"DriverOpts": null,
"Flags": ["--allow-insecure-entitlement=network.host"],
"Files": null}]}
EOF
# Determine the base image name we are going to use from here on
- name: Determine base image name
run: |
if [[ "${{ github.ref_name }}" = "${{ env.DEVELOPMENT_BRANCH }}" ]]; then
echo "BASE_IMAGE=$( mvn initialize help:evaluate -Pct -f modules/container-base -Dexpression=base.image -q -DforceStdout )" | tee -a "${GITHUB_ENV}"
echo "BASE_IMAGE_UPCOMING=$( mvn initialize help:evaluate -Pct -f modules/container-base -Dexpression=base.image -Dbase.image.tag.suffix="" -q -DforceStdout )" | tee -a "${GITHUB_ENV}"
else
echo "BASE_IMAGE=$( mvn initialize help:evaluate -Pct -f modules/container-base -Dexpression=base.image -Dbase.image.tag.suffix="" -q -DforceStdout )" | tee -a "${GITHUB_ENV}"
fi
- name: Calculate revision number for immutable tag (on release branches only)
if: ${{ github.ref_name != env.DEVELOPMENT_BRANCH }}
id: revision-tag
uses: ./.github/actions/get-image-revision
with:
image-ref: ${{ env.BASE_IMAGE }}
tag-options-prefix: "-Dbase.image.tag.suffix='' -Ddocker.tags.revision="
- name: Configure update of "latest" tag for development branch
id: develop-tag
if: ${{ github.ref_name == env.DEVELOPMENT_BRANCH }}
run: |
echo "tag-options=-Ddocker.tags.develop=unstable -Ddocker.tags.upcoming=${BASE_IMAGE_UPCOMING#*:}" | tee -a "${GITHUB_OUTPUT}"
- name: Deploy multi-arch base container image to Docker Hub
id: build
run: |
mvn -f modules/container-base -Pct deploy -Ddocker.noCache -Ddocker.platforms=${{ env.PLATFORMS }} \
-Ddocker.imagePropertyConfiguration=override ${{ steps.develop-tag.outputs.tag-options }} ${{ steps.revision-tag.outputs.tag-options }}
- name: Determine appropriate base image ref for app image
id: finalize
run: |
if [[ "${{ github.ref_name }}" = "${{ env.DEVELOPMENT_BRANCH }}" ]]; then
echo "base-image-ref=${BASE_IMAGE_UPCOMING}" | tee -a "$GITHUB_OUTPUT"
else
echo "base-image-ref=gdcc/base:${{ steps.revision-tag.outputs.revision-tag }}" | tee -a "$GITHUB_OUTPUT"
fi
push-app-img:
name: "Rebase & Publish App Image"
permissions:
contents: read
packages: write
pull-requests: write
secrets: inherit
needs:
- build
uses: ./.github/workflows/container_app_push.yml
with:
base-image-ref: ${{ needs.build.outputs.base-image-ref }}