Updated the wolfi-base-image build (#55) #384
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| env: | |
| DOCKER_REPOSITORY: quay.io/unstructured-io | |
| DOCKER_BUILD_REPOSITORY: quay.io/unstructured-io/build-base-images | |
| DOCKER_IMAGE: base-images | |
| jobs: | |
| set-short-sha: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| short_sha: ${{ steps.set_short_sha.outputs.short_sha }} | |
| steps: | |
| - name: Set Short SHA | |
| id: set_short_sha | |
| run: echo "short_sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT | |
| build-images: | |
| strategy: | |
| matrix: | |
| architecture: ["arm64", "amd64"] | |
| image: ["wolfi-base", "wolfi-py3.12-slim", "rocky9.2-slim", "rocky9.2-cpu", "rocky9.2-gpu"] | |
| runs-on: ubuntu-latest-m | |
| needs: [set-short-sha] | |
| env: | |
| SHORT_SHA: ${{ needs.set-short-sha.outputs.short_sha }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Login to Quay.io | |
| # build-base-images pushes images to quay.io when on the main branch | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_IO_ROBOT_USERNAME }} | |
| password: ${{ secrets.QUAY_IO_ROBOT_TOKEN }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v3 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ secrets.AWS_DEFAULT_REGION }} | |
| - name: Download APKs for chainguard/wolfi-base | |
| env: | |
| ARCH: ${{ matrix.architecture }} | |
| if: matrix.image == 'wolfi-base' | |
| run: make docker-dl-wolfi-packages | |
| - name: Build base images | |
| run: make build-base-images | |
| env: | |
| DOCKER_PLATFORM: linux/${{ matrix.architecture }} | |
| DOCKERFILE: ${{ matrix.image }} | |
| CI: "true" | |
| - name: Print images | |
| run: docker images | |
| - name: Scan image for vulnerabilities | |
| uses: anchore/scan-action@v3 | |
| with: | |
| image: "${{ env.DOCKER_BUILD_REPOSITORY }}:${{ matrix.image }}-${{ matrix.architecture }}-${{ env.SHORT_SHA }}" | |
| severity-cutoff: high | |
| fail-build: ${{ ( matrix.image == 'wolfi-base' || matrix.image == 'wolfi-py3.12-slim' ) }} | |
| output-format: table | |
| publish-images: | |
| strategy: | |
| matrix: | |
| image: ["wolfi-base", "wolfi-py3.12-slim", "rocky9.2-slim", "rocky9.2-cpu", "rocky9.2-gpu"] | |
| env: | |
| SHORT_SHA: ${{ needs.set-short-sha.outputs.short_sha }} | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' | |
| needs: [set-short-sha, build-images] | |
| steps: | |
| - uses: docker/setup-buildx-action@v1 | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Login to Quay.io | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_IO_ROBOT_USERNAME }} | |
| password: ${{ secrets.QUAY_IO_ROBOT_TOKEN }} | |
| - name: Pull AMD image | |
| run: | | |
| docker pull --platform linux/amd64 $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64-${{ env.SHORT_SHA }} | |
| docker tag $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64-${{ env.SHORT_SHA }} $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64 | |
| docker push $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64 | |
| - name: Pull ARM image | |
| run: | | |
| docker pull --platform linux/arm64 $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64-${{ env.SHORT_SHA }} | |
| docker tag $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64-${{ env.SHORT_SHA }} $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64 | |
| docker push $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64 | |
| - name: Push multiarch manifest with short SHA | |
| env: | |
| IMAGE_TAG: ${{ matrix.image }}-${{ env.SHORT_SHA }} | |
| run: | | |
| docker manifest create $DOCKER_REPOSITORY/$DOCKER_IMAGE:${IMAGE_TAG} $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64 $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64 | |
| docker manifest push $DOCKER_REPOSITORY/$DOCKER_IMAGE:${IMAGE_TAG} | |
| - name: Update latest multiarch manifest | |
| env: | |
| IMAGE_TAG: ${{ matrix.image }}-latest | |
| run: | | |
| docker manifest create $DOCKER_REPOSITORY/$DOCKER_IMAGE:${IMAGE_TAG} $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64 $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64 | |
| docker manifest push $DOCKER_REPOSITORY/$DOCKER_IMAGE:${IMAGE_TAG} | |
| shellcheck: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: ShellCheck | |
| uses: ludeeus/action-shellcheck@master | |
| shfmt: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: setup shfmt | |
| uses: mfinelli/setup-shfmt@v3 | |
| - name: Run shfmt | |
| run: shfmt -i 2 -d . |