Re-usable docker-run action

using a shared image across job boundaries. This is a follow-up to ADDSRV-720. docker-build uploads a compressed image artifact. docker-run downloads and extracts the image artifact. Then runs whatever commands you specify on the image.
mozilla · Mar 1, 2024 · 780197d · 780197d
1 parent b5e7153
commit 780197d
Show file tree

Hide file tree

Showing 3 changed files with 101 additions and 31 deletions.
diff --git a/.github/actions/build-docker/action.yml b/.github/actions/build-docker/action.yml
@@ -1,9 +1,9 @@
 name: 'Docker Build'
 description: 'Builds `addons-server` docker image'
 inputs:
-  load:
+  upload:
     required: false
-    description: "Build and load image to local docker daemon. (cannot be used together with push)"
+    description: "Upload the image to github for use in other jobs in your workflow"
     default: "false"
   no_cache:
     required: false
@@ -19,7 +19,7 @@ inputs:
     default: "false"
   push:
     required: false
-    description: "Build and push image to registry (cannot be used together with load)"
+    description: "Build and push image to registry"
     default: "false"
   python_version:
     required: false
@@ -38,14 +38,28 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - name: Validate inputs
+    ###############################################################################################
+    # These steps are synchronized between run-docker and build-docker. They produce the same values
+    # If run on a single workflow and allow a single docker build to be run across N jobs.
+    # If you modify these values, you must modify the corresponding values in both
+    - name: Define Artifact Path
+      id: artifact
       shell: bash
       run: |
-        if [[ ${{ inputs.load == 'true' }} == ${{ inputs.push == 'true' }} ]]; then
-          echo "Cannot use load and push together. Must choose only one of them."
-          exit 1
-        fi
+        # These need to be kept in sync with the build-docker action
+        DIR=/tmp
+        FILE=artifact.tar
+        NAME="$(git rev-parse --short HEAD)"
 
+        echo "dir=$DIR" >> "$GITHUB_OUTPUT"
+        echo "file=$FILE" >> "$GITHUB_OUTPUT"
+        echo "path=$DIR/$FILE" >> "$GITHUB_OUTPUT"
+        echo "name=$NAME" >> "$GITHUB_OUTPUT"
+    ###############################################################################################
+
+    - name: Validate inputs
+      shell: bash
+      run: |
         if [[ "${{ inputs.push  }}" == "true" && "${{ github.ref }}" == "refs/heads/master" ]]; then
           echo "Cannot push to registry from master branch unless we migrate our master build job to GHA."
           exit 1
@@ -68,11 +82,6 @@ runs:
         username: ${{ inputs.username }}
         password: ${{ inputs.password }}
 
-    - name: Set commit sha
-      id: sha
-      shell: bash
-      run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-
     # Determine the tags for the image
     - name: Docker meta
       id: meta
@@ -83,8 +92,8 @@ runs:
         tags: |
           type=schedule
           type=ref,event=tag
-          type=ref,event=branch,suffix=-${{ steps.sha.outputs.sha_short }}
-          type=ref,event=pr,suffix=-${{ steps.sha.outputs.sha_short }}
+          type=ref,event=branch,suffix=-${{ steps.artifact.outputs.name }}
+          type=ref,event=pr,suffix=-${{ steps.artifact.outputs.name }}
           # set latest tag for default branch
           # Disabled for now as we do not use this action for
           # The production build
@@ -97,10 +106,17 @@ runs:
         platforms: linux/amd64
         pull: ${{ inputs.pull }}
         push: ${{ inputs.push }}
-        load: ${{ inputs.load }}
         no-cache: ${{ inputs.no_cache }}
+        outputs: type=docker,dest=${{ steps.artifact.outputs.path }},compression=gzip
         tags: ${{ steps.meta.outputs.tags }}
         cache-from: type=gha
         cache-to: type=gha,mode=max
         build-args: |
             PYTHON_VERSION=${{ inputs.python_version }}
+
+    - name: Upload artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ steps.artifact.outputs.name }}
+        path: ${{ steps.artifact.outputs.path }}
+        compression-level: 0
diff --git a/.github/actions/run-docker/action.yml b/.github/actions/run-docker/action.yml
@@ -0,0 +1,52 @@
+name: 'Docker Run Action'
+description: 'Run a command in a new container'
+inputs:
+  image:
+    description: "The Docker image to run"
+    required: true
+  options:
+    description: 'Options'
+    required: false
+  run:
+    description: 'Run command in container'
+    required: true
+runs:
+  using: 'composite'
+  steps:
+    ###############################################################################################
+    # These steps are synchronized between run-docker and build-docker. They produce the same values
+    # If run on a single workflow and allow a single docker build to be run across N jobs.
+    # If you modify these values, you must modify the corresponding values in both
+    - name: Define Artifact Path
+      id: artifact
+      shell: bash
+      run: |
+        # These need to be kept in sync with the build-docker action
+        DIR=/tmp
+        FILE=artifact.tar
+        NAME="$(git rev-parse --short HEAD)"
+
+        echo "dir=$DIR" >> "$GITHUB_OUTPUT"
+        echo "file=$FILE" >> "$GITHUB_OUTPUT"
+        echo "path=$DIR/$FILE" >> "$GITHUB_OUTPUT"
+        echo "name=$NAME" >> "$GITHUB_OUTPUT"
+    ###############################################################################################
+
+    - name: Download artifact
+      id: download
+      uses: actions/download-artifact@v4
+      with:
+        name: ${{ steps.artifact.outputs.name }}
+        path: ${{ steps.artifact.outputs.dir }}
+
+    - name: Load Docker image
+      shell: bash
+      run: |
+        docker load --input ${{ steps.artifact.outputs.path }}
+
+    - name: Run Docker Container
+      shell: bash
+      run: |
+        echo "${{ inputs.run }}" > exec.sh
+        chmod +x exec.sh
+        cat exec.sh | docker run -i --rm ${{ inputs.image }} bash
diff --git a/.github/workflows/verify-docker-image.yml b/.github/workflows/verify-docker-image.yml
@@ -6,27 +6,29 @@ on:
       - master
 
 jobs:
-  verify_docker_image:
+  build:
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4
 
-      - name: Build container
-        id: build_container
+      - name: Build image
+        id: build
         uses: ./.github/actions/build-docker
         with:
-          load: true
-
-      - name: List images
-        shell: bash
-        run: |
-          docker images
-          echo "target: ${{ steps.build_container.outputs.tags }}"
+          upload: true
+    outputs:
+      tags: ${{ steps.build.outputs.tags }}
 
+  verify:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - uses: actions/checkout@v4
       - name: Smoke test
-        shell: bash
-        run: |
-          docker run ${{ steps.build_container.outputs.tags }} sh -c \
-            "echo 'from olympia.lib.settings_base import *' > settings_local.py && \
-            DJANGO_SETTINGS_MODULE='settings_local' python3 ./manage.py check"
+        uses: ./.github/actions/run-docker
+        with:
+          image: ${{ needs.build.outputs.tags }}
+          run: |
+            echo 'from olympia.lib.settings_base import *' > settings_local.py
+            DJANGO_SETTINGS_MODULE="settings_local" python3 ./manage.py check