localhost-to-dockerhub: Use skopeo to "push" images

The old scripts depended on having the built images locally tagged. The new multi-arch images are pushed directly to the local registry. One might think it'd be possible to pull from localhost, tag locally, then push to Docker Hub - but that has problems [1]. The new scripts utilize registry API tooling (skopeo) to interface with the registries directly without unnecessary pull/push. A containerized version is used since the version pre-installed on the GitHub Actions Ubuntu runners does not support --multi-arch [2]. Notably, the tag-latest script is replaced by a conditional block in the new script which copies the tag from localhost to latest on Docker Hub. [1]: https://stackoverflow.com/a/68576882 [2]: https://github.com/containers/skopeo/releases/tag/v1.6.0
nextstrain · Sep 29, 2022 · 2354f10 · 2354f10
1 parent 31ef757
commit 2354f10
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 59 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,8 +33,8 @@ jobs:
         password: ${{ secrets.DOCKER_PASSWORD }}
 
     - if: github.event_name != 'pull_request' && startsWith(env.TAG, 'branch-')
-      name: Push $TAG (non-default branch)
-      run: ./devel/push $TAG
+      name: Copy $TAG images to Docker Hub (non-default branch)
+      run: ./devel/localhost-to-dockerhub $TAG
 
     - uses: actions/setup-python@v4
       with:
@@ -46,10 +46,9 @@ jobs:
         nextstrain build --image localhost:5000/nextstrain/base:$TAG zika-tutorial -F
 
     - if: startsWith(env.TAG, 'build-')
-      name: Push $TAG + latest (default branch)
+      name: Copy $TAG + latest images to Docker Hub (default branch)
       run: |
-        ./devel/tag-latest $TAG
-        ./devel/push latest $TAG
+        ./devel/localhost-to-dockerhub $TAG latest
 
     - if: always()
       run: ./devel/stop-localhost-registry
diff --git a/README.md b/README.md
@@ -74,12 +74,9 @@ during development iterations.
 
 To push images you've built locally to Docker Hub, you can run:
 
-    ./devel/push latest
+    ./devel/localhost-to-dockerhub latest
 
-This will publish your local `nextstrain/base:latest` image.  This is also what
-happens if you run `./devel/push` with no tags specified.  If you have images
-with other tags, you may provide those tags in addition to or instead of
-`latest`.
+This will copy the `nextstrain/base:latest` and `nextstrain/base-builder:latest` images from the local Docker registry to Docker Hub. If you have images with another tag, you may provide that tag instead of `latest`.
 
 ### Best practices
 

diff --git a/devel/localhost-to-dockerhub b/devel/localhost-to-dockerhub
@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+# Push the nextstrain/base and nextstrain/base-builder images from the local registry to Docker Hub.
+#
+# This pushes just the provided tag. If "latest" is provided as a second argument,
+# the provided tag will also be pushed as "latest"
+#
+# Errors if any of the tagged images have already been pushed.
+#
+set -euo pipefail
+
+if [[ $# -lt 1 ]]; then
+    echo "Please provide a tag." >&2
+    exit 1
+fi
+
+tag=$1
+
+BASE_IMAGE="nextstrain/base"
+BASE_BUILDER_IMAGE="nextstrain/base-builder"
+
+if [[ $(docker image inspect --format "{{.RepoDigests}}" $BASE_IMAGE:$tag) != '[]' || $(docker image inspect --format "{{.RepoDigests}}" $BASE_BUILDER_IMAGE:$tag) != '[]' ]]; then
+    echo "At least one of $BASE_IMAGE:$tag and $BASE_BUILDER_IMAGE:$tag has already been pushed. This can happen if the newly built image is not available in the local registry." >&2
+    exit 1
+fi
+
+
+# Use Skopeo via a Docker container to copy a tagged image.
+# https://github.com/containers/skopeo/blob/07da29fd371dd88615a0b86e91c6824237484172/install.md#container-images
+copy-image() {
+    local source="$1"
+    local dest="$2"
+
+    docker run --rm \
+        -v $HOME/.docker/config.json:/docker-auth.json:ro \
+        --network="host" \
+        quay.io/skopeo/stable \
+        copy \
+        --multi-arch=all \
+        --src-tls-verify=false \
+        --dest-authfile /docker-auth.json \
+        $source $dest
+}
+
+# copy local $tag to remote $tag
+copy-image \
+    docker://localhost:5000/$BASE_IMAGE:$tag \
+    docker://docker.io/$BASE_IMAGE:$tag
+copy-image \
+    docker://localhost:5000/$BASE_BUILDER_IMAGE:$tag \
+    docker://docker.io/$BASE_BUILDER_IMAGE:$tag
+
+if [[ "$tag" != latest && "${2:-}" == latest ]]; then
+    # copy local $tag to remote latest
+    copy-image \
+        docker://localhost:5000/$BASE_IMAGE:$tag \
+        docker://docker.io/$BASE_IMAGE:latest
+    copy-image \
+        docker://localhost:5000/$BASE_BUILDER_IMAGE:$tag \
+        docker://docker.io/$BASE_BUILDER_IMAGE:latest
+fi
diff --git a/devel/push b/devel/push
diff --git a/devel/tag-latest b/devel/tag-latest