Use skopeo to "push" tag from local registry to Docker Hub

The old scripts depended on having the built images locally tagged. The new multi-arch images are pushed directly to the local registry. One might think it'd be possible to pull from localhost, tag locally, then push to Docker Hub - but that has problems [1]. The new scripts utilize registry API tooling (skopeo) to interface with the registries directly without unnecessary pull/push. Notably, the tag-latest script is replaced by a conditional block in the new script which copies the tag from localhost to latest on Docker Hub. [1]: https://stackoverflow.com/a/68576882
nextstrain · Sep 13, 2022 · d70f43a · d70f43a
1 parent 0653573
commit d70f43a
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 53 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -49,8 +49,8 @@ jobs:
         password: ${{ secrets.DOCKER_PASSWORD }}
 
     - if: github.event_name != 'pull_request' && startsWith(env.TAG, 'branch-')
-      name: Push $TAG (non-default branch)
-      run: ./devel/push $TAG
+      name: Push from local registry to docker hub (non-default branch)
+      run: ./devel/localhost-to-dockerhub $TAG
 
     - uses: actions/setup-python@v4
       with:
@@ -64,5 +64,4 @@ jobs:
     - if: startsWith(env.TAG, 'build-')
       name: Push $TAG + latest (default branch)
       run: |
-        ./devel/tag-latest $TAG
-        ./devel/push latest $TAG
+        ./devel/localhost-to-dockerhub $TAG latest
diff --git a/devel/localhost-to-dockerhub b/devel/localhost-to-dockerhub
@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Push the nextstrain/base and nextstrain/base-builder images from the local registry to Docker Hub.
+#
+# This pushes just the provided tag. If "latest" is provided as a second argument,
+# the provided tag will also be pushed as "latest"
+#
+# Errors if any of the tagged images have already been pushed.
+#
+set -euo pipefail
+
+if [[ $# -lt 1 ]]; then
+    echo "Please provide a tag." >&2
+    exit 1
+fi
+
+tag=$1
+
+BASE_IMAGE="nextstrain/base"
+BASE_BUILDER_IMAGE="nextstrain/base-builder"
+
+if [[ $(docker image inspect --format "{{.RepoDigests}}" $BASE_IMAGE:$tag) != '[]' || $(docker image inspect --format "{{.RepoDigests}}" $BASE_BUILDER_IMAGE:$tag) != '[]' ]]; then
+    echo "At least one of $BASE_IMAGE:$tag and $BASE_BUILDER_IMAGE:$tag has already been pushed. This can happen if the newly built image is not available in the local registry." >&2
+    exit 1
+fi
+
+# copy local $tag to remote $tag
+skopeo copy --multi-arch=all --src-tls-verify=false docker://localhost:5000/$BASE_IMAGE:$tag docker://docker.io/$BASE_IMAGE:$tag
+skopeo copy --multi-arch=all --src-tls-verify=false docker://localhost:5000/$BASE_BUILDER_IMAGE:$tag docker://docker.io/$BASE_BUILDER_IMAGE:$tag
+
+if [ $# -eq 2 ] && [$2 == "latest" ]; then
+    # copy local $tag to remote latest
+    skopeo copy --multi-arch=all --src-tls-verify=false docker://localhost:5000/$BASE_IMAGE:$tag docker://docker.io/$BASE_IMAGE:latest
+    skopeo copy --multi-arch=all --src-tls-verify=false docker://localhost:5000/$BASE_BUILDER_IMAGE:$tag docker://docker.io/$BASE_BUILDER_IMAGE:latest
+fi
diff --git a/devel/push b/devel/push
diff --git a/devel/tag-latest b/devel/tag-latest