From 7d4c78ecc04054fc28a742a125cbbf5a4cf7c10f Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 13:57:15 +0100 Subject: [PATCH 01/21] adds official labels to Gobra container --- .github/workflows/test.yml | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7441179aa..ec0544384 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -33,7 +33,7 @@ jobs: SILICON_SILVER_REF=$(git -C viperserver/silicon/silver rev-parse HEAD) && \ CARBON_SILVER_REF=$(git -C viperserver/carbon/silver rev-parse HEAD) && \ if [ "$SILICON_SILVER_REF" != "$CARBON_SILVER_REF" ]; then echo "Silicon and Carbon reference different Silver commits ($SILICON_SILVER_REF and $CARBON_SILVER_REF)" && exit 1 ; fi - - name: Create image tag + - name: Create image tag and labels run: | IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME 
@@ -46,6 +46,15 @@ jobs: # Use Docker `latest` tag convention [ "$VERSION" == "master" ] && VERSION=latest echo "IMAGE_TAG=$IMAGE_ID:$VERSION" >> $GITHUB_ENV + # image labels are new-line separated key value pairs (according to https://specs.opencontainers.org/image-spec/annotations/) + CREATED_LABEL="org.opencontainers.image.created=$(date --rfc-3339=seconds)" + AUTHORS_LABEL="org.opencontainers.image.authors=Viper Project (https://viper.ethz.ch)" + URL_LABEL="org.opencontainers.image.url=https://github.com/viperproject/gobra/pkgs/container/gobra" + SOURCE_LABEL="org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}" + REVISION_LABEL="org.opencontainers.image.revision=${{ github.sha }}" + LICENSE_LABEL="org.opencontainers.image.licenses=MPL-2.0" + DESCRIPTION_LABEL="org.opencontainers.image.description=Gobra image for revision ${{ github.sha }} built by workflow run ${{ github.run_id }}" + echo "IMAGE_LABELS=CREATED_LABEL\nAUTHORS_LABEL\nURL_LABEL\nSOURCE_LABEL\nREVISION_LABEL\nLICENSE_LABEL\nDESCRIPTION_LABEL" >> $GITHUB_ENV # used to enable Docker caching (see https://github.com/docker/build-push-action) - name: Set up Docker Buildx @@ -60,7 +69,7 @@ jobs: target: build # only build up to and including stage 'build' file: workflow-container/Dockerfile tags: ${{ env.IMAGE_TAG }} - labels: "runnumber=${{ github.run_id }}" + labels: ${{ env.IMAGE_LABELS }} push: false # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} @@ -173,7 +182,7 @@ jobs: load: true # make the built image available in docker (locally) file: workflow-container/Dockerfile tags: ${{ env.IMAGE_TAG }} - labels: "runnumber=${{ github.run_id }}" + labels: ${{ env.IMAGE_LABELS }} push: false # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} 
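Review bot: The final `echo "IMAGE_LABELS=CREATED_LABEL\n…" >> $GITHUB_ENV` in the "Create image tag and labels" step does not produce a newline-separated label list: the variable names are written without `$`, and under the default bash shell `echo` keeps `\n` as two literal characters, so `IMAGE_LABELS` ends up as a single line of text. A multi-line value has to be written to the environment file in the delimiter form, as in the block below. The follow-up hunk that adds the `$` sigils keeps the same single-line `echo`, so it inherits the `\n` problem. The step's `run` block starts above this hunk.

```yaml
# … unchanged: IMAGE_TAG export and the seven *_LABEL assignments …
{
  echo "IMAGE_LABELS<<IMAGE_LABELS_EOF"
  echo "$CREATED_LABEL"
  echo "$AUTHORS_LABEL"
  echo "$URL_LABEL"
  echo "$SOURCE_LABEL"
  echo "$REVISION_LABEL"
  echo "$LICENSE_LABEL"
  echo "$DESCRIPTION_LABEL"
  echo "IMAGE_LABELS_EOF"
} >> "$GITHUB_ENV"
```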
@@ -202,7 +211,7 @@ jobs: echo "SHOULD_DEPLOY=$SHOULD_DEPLOY" >> $GITHUB_ENV - name: Login to Github Packages - if: env.SHOULD_DEPLOY == 'true' + # if: env.SHOULD_DEPLOY == 'true' uses: docker/login-action@v3 with: registry: ghcr.io @@ -210,13 +219,13 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Push entire image - if: env.SHOULD_DEPLOY == 'true' + # if: env.SHOULD_DEPLOY == 'true' uses: docker/build-push-action@v5 with: context: . file: workflow-container/Dockerfile tags: ${{ env.IMAGE_TAG }} - labels: "runnumber=${{ github.run_id }}" + labels: ${{ env.IMAGE_LABELS }} push: true # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} From 76a6c138320eaa6b1a174a75a5e7a9225b1e5e4e Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 13:59:20 +0100 Subject: [PATCH 02/21] temporarily disables tests --- .github/workflows/test.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ec0544384..38204bc73 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -82,7 +82,12 @@ jobs: docker run \ --mount type=volume,dst=/build/gobra/sync,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=$PWD/sync \ ${{ env.IMAGE_TAG }} \ - /bin/sh -c "$(cat .github/test-and-measure-ram.sh)" + /bin/sh -c "echo 'Test'" + + # docker run \ + # --mount type=volume,dst=/build/gobra/sync,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=$PWD/sync \ + # ${{ env.IMAGE_TAG }} \ + # /bin/sh -c "$(cat .github/test-and-measure-ram.sh)" - name: Get max RAM usage by Java and Z3 if: ${{ always() }} From 78ef782e2083432e6c7fc8a4bea4f3f33a4b5f7c Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 14:00:50 +0100 Subject: [PATCH 03/21] fixes container labels --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
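Review bot: Commenting out `if: env.SHOULD_DEPLOY == 'true'` on "Login to Github Packages", and again on "Push entire image" in the next hunk, makes every run of this workflow, on any branch or pull request, log in to ghcr.io with `secrets.GITHUB_TOKEN` and execute the `push: true` build. The commit subject only mentions labels, so the removed gate is easy to miss in review, and the `SHOULD_DEPLOY` value computed just above is no longer consulted by anything visible here. I would keep `if: env.SHOULD_DEPLOY == 'true'` on both steps and, if the labels need to be tried out on a registry, extend the condition in "Decide whether image should be deployed or not" to the test branch instead. Both steps continue past their hunks.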
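Review bot: Replacing the test command with `/bin/sh -c "echo 'Test'"` makes "Execute all tests" succeed unconditionally, and at this point in the series the deploy condition is commented out, so an image that was never tested can reach the `push: true` step. The following "Get max RAM usage by Java and Z3" step presumably expects output from `.github/test-and-measure-ram.sh` in `$PWD/sync`, which the placeholder does not write. If the tests have to be skipped while iterating, a marker such as `# TODO: restore test-and-measure-ram.sh before merge` next to the placeholder, together with an active deploy gate, would limit the exposure. The step's `run` block begins above the hunk.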
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 38204bc73..33612df48 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -54,7 +54,7 @@ jobs: REVISION_LABEL="org.opencontainers.image.revision=${{ github.sha }}" LICENSE_LABEL="org.opencontainers.image.licenses=MPL-2.0" DESCRIPTION_LABEL="org.opencontainers.image.description=Gobra image for revision ${{ github.sha }} built by workflow run ${{ github.run_id }}" - echo "IMAGE_LABELS=CREATED_LABEL\nAUTHORS_LABEL\nURL_LABEL\nSOURCE_LABEL\nREVISION_LABEL\nLICENSE_LABEL\nDESCRIPTION_LABEL" >> $GITHUB_ENV + echo "IMAGE_LABELS=$CREATED_LABEL\n$AUTHORS_LABEL\n$URL_LABEL\n$SOURCE_LABEL\n$REVISION_LABEL\n$LICENSE_LABEL\n$DESCRIPTION_LABEL" >> $GITHUB_ENV # used to enable Docker caching (see https://github.com/docker/build-push-action) - name: Set up Docker Buildx From d0c96a8bc2e3c76e2b88bf09a3d5be3603989925 Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 14:18:05 +0100 Subject: [PATCH 04/21] alternative approach to setting container labels --- .github/workflows/test.yml | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 33612df48..255d55ef2 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -16,6 +16,14 @@ jobs: runs-on: ubuntu-latest env: IMAGE_NAME: gobra + IMAGE_LABELS: | + org.opencontainers.image.created=$(date --rfc-3339=seconds) + org.opencontainers.image.authors=Viper Project (https://viper.ethz.ch) + org.opencontainers.image.url=https://github.com/viperproject/gobra/pkgs/container/gobra + org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.licenses=MPL-2.0 + org.opencontainers.image.description=Gobra image for revision ${{ github.sha }} built by workflow run ${{ github.run_id }} CONCLUSION_SUCCESS: "success" CONCLUSION_FAILURE: "failure" # Output levels according to severity. 
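Review bot: The `org.opencontainers.image.created=$(date --rfc-3339=seconds)` line in the new job-level `IMAGE_LABELS` value is never executed by a shell, because `env` values are plain strings after expression expansion, so the label would carry the literal text `$(date --rfc-3339=seconds)`. The timestamp has to be computed in a `run` step and exported, for example `echo "CREATED_LABEL=org.opencontainers.image.created=$(date --rfc-3339=seconds)" >> "$GITHUB_ENV"`, and appended where `labels:` is set. A comment above the block, `# static labels only; values that need shell evaluation are added in a step`, would keep the distinction visible. The `env` map continues past the hunk.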
@@ -47,14 +55,14 @@ jobs: [ "$VERSION" == "master" ] && VERSION=latest echo "IMAGE_TAG=$IMAGE_ID:$VERSION" >> $GITHUB_ENV # image labels are new-line separated key value pairs (according to https://specs.opencontainers.org/image-spec/annotations/) - CREATED_LABEL="org.opencontainers.image.created=$(date --rfc-3339=seconds)" - AUTHORS_LABEL="org.opencontainers.image.authors=Viper Project (https://viper.ethz.ch)" - URL_LABEL="org.opencontainers.image.url=https://github.com/viperproject/gobra/pkgs/container/gobra" - SOURCE_LABEL="org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}" - REVISION_LABEL="org.opencontainers.image.revision=${{ github.sha }}" - LICENSE_LABEL="org.opencontainers.image.licenses=MPL-2.0" - DESCRIPTION_LABEL="org.opencontainers.image.description=Gobra image for revision ${{ github.sha }} built by workflow run ${{ github.run_id }}" - echo "IMAGE_LABELS=$CREATED_LABEL\n$AUTHORS_LABEL\n$URL_LABEL\n$SOURCE_LABEL\n$REVISION_LABEL\n$LICENSE_LABEL\n$DESCRIPTION_LABEL" >> $GITHUB_ENV + # CREATED_LABEL="org.opencontainers.image.created=$(date --rfc-3339=seconds)" + # AUTHORS_LABEL="org.opencontainers.image.authors=Viper Project (https://viper.ethz.ch)" + # URL_LABEL="org.opencontainers.image.url=https://github.com/viperproject/gobra/pkgs/container/gobra" + # SOURCE_LABEL="org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}" + # REVISION_LABEL="org.opencontainers.image.revision=${{ github.sha }}" + # LICENSE_LABEL="org.opencontainers.image.licenses=MPL-2.0" + # DESCRIPTION_LABEL="org.opencontainers.image.description=Gobra image for revision ${{ github.sha }} built by workflow run ${{ github.run_id }}" + # echo "IMAGE_LABELS=$CREATED_LABEL\n$AUTHORS_LABEL\n$URL_LABEL\n$SOURCE_LABEL\n$REVISION_LABEL\n$LICENSE_LABEL\n$DESCRIPTION_LABEL" >> $GITHUB_ENV # used to enable Docker caching (see https://github.com/docker/build-push-action) - name: Set up Docker Buildx 
From 28551ce838c5f5f642122ef517e1ef96082242d7 Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 14:24:28 +0100 Subject: [PATCH 05/21] properly evaluates image creation time --- .github/workflows/test.yml | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 255d55ef2..5ebcc448c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -17,13 +17,12 @@ jobs: env: IMAGE_NAME: gobra IMAGE_LABELS: | - org.opencontainers.image.created=$(date --rfc-3339=seconds) - org.opencontainers.image.authors=Viper Project (https://viper.ethz.ch) - org.opencontainers.image.url=https://github.com/viperproject/gobra/pkgs/container/gobra - org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} - org.opencontainers.image.revision=${{ github.sha }} - org.opencontainers.image.licenses=MPL-2.0 - org.opencontainers.image.description=Gobra image for revision ${{ github.sha }} built by workflow run ${{ github.run_id }} + org.opencontainers.image.authors="Viper Project (https://viper.ethz.ch)" + org.opencontainers.image.url="https://github.com/viperproject/gobra/pkgs/container/gobra" + org.opencontainers.image.source="${{ github.server_url }}/${{ github.repository }}" + org.opencontainers.image.revision="${{ github.sha }}" + org.opencontainers.image.licenses="MPL-2.0" + org.opencontainers.image.description="Gobra image for revision ${{ github.sha }} built by workflow run ${{ github.run_id }}" CONCLUSION_SUCCESS: "success" CONCLUSION_FAILURE: "failure" # Output levels according to severity. 
@@ -55,7 +54,7 @@ jobs: [ "$VERSION" == "master" ] && VERSION=latest echo "IMAGE_TAG=$IMAGE_ID:$VERSION" >> $GITHUB_ENV # image labels are new-line separated key value pairs (according to https://specs.opencontainers.org/image-spec/annotations/) - # CREATED_LABEL="org.opencontainers.image.created=$(date --rfc-3339=seconds)" + CREATED_LABEL="org.opencontainers.image.created=$(date --rfc-3339=seconds)" # AUTHORS_LABEL="org.opencontainers.image.authors=Viper Project (https://viper.ethz.ch)" # URL_LABEL="org.opencontainers.image.url=https://github.com/viperproject/gobra/pkgs/container/gobra" # SOURCE_LABEL="org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}" @@ -63,6 +62,7 @@ jobs: # LICENSE_LABEL="org.opencontainers.image.licenses=MPL-2.0" # DESCRIPTION_LABEL="org.opencontainers.image.description=Gobra image for revision ${{ github.sha }} built by workflow run ${{ github.run_id }}" # echo "IMAGE_LABELS=$CREATED_LABEL\n$AUTHORS_LABEL\n$URL_LABEL\n$SOURCE_LABEL\n$REVISION_LABEL\n$LICENSE_LABEL\n$DESCRIPTION_LABEL" >> $GITHUB_ENV + echo "CREATED_LABEL=$CREATED_LABEL" >> $GITHUB_ENV # used to enable Docker caching (see https://github.com/docker/build-push-action) - name: Set up Docker Buildx @@ -77,7 +77,9 @@ jobs: target: build # only build up to and including stage 'build' file: workflow-container/Dockerfile tags: ${{ env.IMAGE_TAG }} - labels: ${{ env.IMAGE_LABELS }} + labels: | + ${{ env.IMAGE_LABELS }} + ${{ env.CREATED_LABEL }} push: false # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} @@ -195,7 +197,9 @@ jobs: load: true # make the built image available in docker (locally) file: workflow-container/Dockerfile tags: ${{ env.IMAGE_TAG }} - labels: ${{ env.IMAGE_LABELS }} + labels: | + ${{ env.IMAGE_LABELS }} + ${{ env.CREATED_LABEL }} push: false # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} 
@@ -238,7 +242,9 @@ jobs: context: . file: workflow-container/Dockerfile tags: ${{ env.IMAGE_TAG }} - labels: ${{ env.IMAGE_LABELS }} + labels: | + ${{ env.IMAGE_LABELS }} + ${{ env.CREATED_LABEL }} push: true # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} From af67c564c2c8c8828e56b4d96069b4d70a6ac1d6 Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 14:32:48 +0100 Subject: [PATCH 06/21] slightly improves image creation label --- .github/workflows/test.yml | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5ebcc448c..36209adc1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -16,6 +16,7 @@ jobs: runs-on: ubuntu-latest env: IMAGE_NAME: gobra + # image labels are new-line separated key value pairs (according to https://specs.opencontainers.org/image-spec/annotations/): IMAGE_LABELS: | org.opencontainers.image.authors="Viper Project (https://viper.ethz.ch)" org.opencontainers.image.url="https://github.com/viperproject/gobra/pkgs/container/gobra" @@ -40,7 +41,7 @@ jobs: SILICON_SILVER_REF=$(git -C viperserver/silicon/silver rev-parse HEAD) && \ CARBON_SILVER_REF=$(git -C viperserver/carbon/silver rev-parse HEAD) && \ if [ "$SILICON_SILVER_REF" != "$CARBON_SILVER_REF" ]; then echo "Silicon and Carbon reference different Silver commits ($SILICON_SILVER_REF and $CARBON_SILVER_REF)" && exit 1 ; fi - - name: Create image tag and labels + - name: Create image tag run: | IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME 
@@ -53,21 +54,16 @@ jobs: # Use Docker `latest` tag convention [ "$VERSION" == "master" ] && VERSION=latest echo "IMAGE_TAG=$IMAGE_ID:$VERSION" >> $GITHUB_ENV - # image labels are new-line separated key value pairs (according to https://specs.opencontainers.org/image-spec/annotations/) - CREATED_LABEL="org.opencontainers.image.created=$(date --rfc-3339=seconds)" - # AUTHORS_LABEL="org.opencontainers.image.authors=Viper Project (https://viper.ethz.ch)" - # URL_LABEL="org.opencontainers.image.url=https://github.com/viperproject/gobra/pkgs/container/gobra" - # SOURCE_LABEL="org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}" - # REVISION_LABEL="org.opencontainers.image.revision=${{ github.sha }}" - # LICENSE_LABEL="org.opencontainers.image.licenses=MPL-2.0" - # DESCRIPTION_LABEL="org.opencontainers.image.description=Gobra image for revision ${{ github.sha }} built by workflow run ${{ github.run_id }}" - # echo "IMAGE_LABELS=$CREATED_LABEL\n$AUTHORS_LABEL\n$URL_LABEL\n$SOURCE_LABEL\n$REVISION_LABEL\n$LICENSE_LABEL\n$DESCRIPTION_LABEL" >> $GITHUB_ENV - echo "CREATED_LABEL=$CREATED_LABEL" >> $GITHUB_ENV # used to enable Docker caching (see https://github.com/docker/build-push-action) - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Create image creation label + run: | + CREATED_LABEL="org.opencontainers.image.created=\"$(date --rfc-3339=seconds)\"" + echo "CREATED_LABEL=$CREATED_LABEL" >> $GITHUB_ENV + - name: Build image up to including stage 'build' # note that the action's name is misleading: this step does NOT push uses: docker/build-push-action@v5 From a5595a9a72b99bf0883fb6e8bac608e3aca47267 Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 14:42:55 +0100 Subject: [PATCH 07/21] prints image metadata during CI --- .github/workflows/test.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 36209adc1..8278c7085 100644 
--- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -65,6 +65,7 @@ jobs: echo "CREATED_LABEL=$CREATED_LABEL" >> $GITHUB_ENV - name: Build image up to including stage 'build' + id: image-build # note that the action's name is misleading: this step does NOT push uses: docker/build-push-action@v5 with: @@ -81,6 +82,9 @@ jobs: cache-from: type=gha, scope=${{ github.workflow }} cache-to: type=gha, scope=${{ github.workflow }} + - name: Print metadata + run: echo ${{ steps.image-build.outputs.metadata }} + - name: Execute all tests run: | # create a directory to sync with the docker container and to store the created pidstats From 97675ac2bb794d0e5d84b25f79235ec2a05a0c9a Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 14:59:17 +0100 Subject: [PATCH 08/21] switches to using metadata action --- .github/workflows/test.yml | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8278c7085..6354dcb8d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -53,6 +53,7 @@ jobs: [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v\.?//') # Use Docker `latest` tag convention [ "$VERSION" == "master" ] && VERSION=latest + echo "IMAGE_ID=$IMAGE_ID" >> $GITHUB_ENV echo "IMAGE_TAG=$IMAGE_ID:$VERSION" >> $GITHUB_ENV # used to enable Docker caching (see https://github.com/docker/build-push-action) @@ -64,6 +65,15 @@ jobs: CREATED_LABEL="org.opencontainers.image.created=\"$(date --rfc-3339=seconds)\"" echo "CREATED_LABEL=$CREATED_LABEL" >> $GITHUB_ENV + - name: Create image metadata + id: image-metadata + uses: docker/metadata-action@v5 + with: + images: ${{ env.IMAGE_ID }} + labels: | + ${{ env.IMAGE_LABELS }} + ${{ env.CREATED_LABEL }} + - name: Build image up to including stage 'build' id: image-build # note that the action's name is misleading: this step does NOT push 
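Review bot: In the added "Print metadata" step, `echo ${{ steps.image-build.outputs.metadata }}` pastes the step output into the script text before the shell parses it and leaves it unquoted, so the JSON metadata is mangled by word splitting and quote removal, and any shell metacharacter in the value would be interpreted as script. Passing the value through the environment avoids both: add `env:` with `METADATA: ${{ steps.image-build.outputs.metadata }}` to the step and use `run: echo "$METADATA"`. The same direct interpolation appears later in this series, in the re-enabled "Print metadata" step and in "Get first tag", where `steps.image-metadata.outputs.tags` is derived from branch and tag names; there `TAGS: ${{ steps.image-metadata.outputs.tags }}` with `head -n 1 <<< "$TAGS"` would do the same job.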
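Review bot: The new "Create image metadata" step references `docker/metadata-action@v5` by a movable tag, and its `tags` and `labels` outputs feed every later build step, including the one that pushes with `secrets.GITHUB_TOKEN`. Pinning to the full commit SHA keeps a retagged release from changing what gets published: `uses: docker/metadata-action@<full-commit-sha>  # v5`. The other `docker/*` actions visible as context in this file are referenced the same way. A short comment on the step, such as `# generates the tags and labels consumed by the three build steps below`, would also explain why `IMAGE_ID` is now exported.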
@@ -73,10 +83,8 @@ jobs: load: true # make the built image available in docker (locally) target: build # only build up to and including stage 'build' file: workflow-container/Dockerfile - tags: ${{ env.IMAGE_TAG }} - labels: | - ${{ env.IMAGE_LABELS }} - ${{ env.CREATED_LABEL }} + tags: ${{ steps.image-metadata.outputs.tags }} + labels: ${{ steps.image-metadata.outputs.labels }} push: false # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} @@ -196,10 +204,8 @@ jobs: context: . load: true # make the built image available in docker (locally) file: workflow-container/Dockerfile - tags: ${{ env.IMAGE_TAG }} - labels: | - ${{ env.IMAGE_LABELS }} - ${{ env.CREATED_LABEL }} + tags: ${{ steps.image-metadata.outputs.tags }} + labels: ${{ steps.image-metadata.outputs.labels }} push: false # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} @@ -241,10 +247,8 @@ jobs: with: context: . file: workflow-container/Dockerfile - tags: ${{ env.IMAGE_TAG }} - labels: | - ${{ env.IMAGE_LABELS }} - ${{ env.CREATED_LABEL }} + tags: ${{ steps.image-metadata.outputs.tags }} + labels: ${{ steps.image-metadata.outputs.labels }} push: true # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} From 8be5644e61715ba03f9a7ac4673ee94374e0e1ee Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 15:45:23 +0100 Subject: [PATCH 09/21] remove printing of metadata --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6354dcb8d..d766f806a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -90,8 +90,8 @@ jobs: cache-from: type=gha, scope=${{ github.workflow }} cache-to: type=gha, scope=${{ github.workflow }} - - name: Print metadata - run: echo ${{ steps.image-build.outputs.metadata }} + # - name: Print metadata + # run: echo ${{ steps.image-build.outputs.metadata }} - name: Execute all tests run: | 
From d8021fc21897af38d42c39d7d6cae1a381bf1dbc Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 17:03:12 +0100 Subject: [PATCH 10/21] disables provenance attestation --- .github/workflows/test.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d766f806a..5e7349397 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -86,6 +86,7 @@ jobs: tags: ${{ steps.image-metadata.outputs.tags }} labels: ${{ steps.image-metadata.outputs.labels }} push: false + provenance: false # without this, GH displays 2 architecture (unknown/unknown) and omits labels # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} cache-to: type=gha, scope=${{ github.workflow }} @@ -207,6 +208,7 @@ jobs: tags: ${{ steps.image-metadata.outputs.tags }} labels: ${{ steps.image-metadata.outputs.labels }} push: false + provenance: false # without this, GH displays 2 architecture (unknown/unknown) and omits labels # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} cache-to: type=gha, scope=${{ github.workflow }} @@ -250,6 +252,7 @@ jobs: tags: ${{ steps.image-metadata.outputs.tags }} labels: ${{ steps.image-metadata.outputs.labels }} push: true + provenance: false # without this, GH displays 2 architecture (unknown/unknown) and omits labels # use GitHub cache: cache-from: type=gha, scope=${{ github.workflow }} cache-to: type=gha, scope=${{ github.workflow }} From 71562ca464c1780c21573dc521f8c2390c53d107 Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 21:56:50 +0100 Subject: [PATCH 11/21] removes quites for image labels --- .github/workflows/test.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5e7349397..2b5297835 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
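Review bot: `provenance: false` is added to all three build steps, including "Push entire image" in the third hunk, so the published image no longer carries a build provenance attestation. The inline comment explains the registry display issue but not that cost; something like `# disables the provenance attestation (otherwise GH lists an extra unknown/unknown architecture and omits labels); consumers can no longer check build origin from the image` would make the trade-off visible. For the two `push: false` builds the setting is presumably harmless, since nothing leaves the runner. The `with:` blocks start above each hunk.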
@@ -18,12 +18,12 @@ jobs: IMAGE_NAME: gobra # image labels are new-line separated key value pairs (according to https://specs.opencontainers.org/image-spec/annotations/): IMAGE_LABELS: | - org.opencontainers.image.authors="Viper Project (https://viper.ethz.ch)" - org.opencontainers.image.url="https://github.com/viperproject/gobra/pkgs/container/gobra" - org.opencontainers.image.source="${{ github.server_url }}/${{ github.repository }}" - org.opencontainers.image.revision="${{ github.sha }}" - org.opencontainers.image.licenses="MPL-2.0" - org.opencontainers.image.description="Gobra image for revision ${{ github.sha }} built by workflow run ${{ github.run_id }}" + org.opencontainers.image.authors=Viper Project + org.opencontainers.image.url=https://github.com/viperproject/gobra/pkgs/container/gobra + org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.licenses=MPL-2.0 + org.opencontainers.image.description=Gobra image for revision ${{ github.sha }} built by workflow run ${{ github.run_id }} CONCLUSION_SUCCESS: "success" CONCLUSION_FAILURE: "failure" # Output levels according to severity. @@ -62,7 +62,7 @@ jobs: - name: Create image creation label run: | - CREATED_LABEL="org.opencontainers.image.created=\"$(date --rfc-3339=seconds)\"" + CREATED_LABEL="org.opencontainers.image.created=$(date --rfc-3339=seconds)" echo "CREATED_LABEL=$CREATED_LABEL" >> $GITHUB_ENV - name: Create image metadata From 983c49401f592eaf7a5eafa5d63f079182663d00 Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 22:12:08 +0100 Subject: [PATCH 12/21] simplifies workflow --- .github/workflows/test.yml | 28 +++++++++++----------------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2b5297835..0b72690e6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -16,6 +16,7 @@ jobs: runs-on: ubuntu-latest env: IMAGE_NAME: gobra + IMAGE_ID: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} # image labels are new-line separated key value pairs (according to https://specs.opencontainers.org/image-spec/annotations/): IMAGE_LABELS: | org.opencontainers.image.authors=Viper Project @@ -41,20 +42,6 @@ jobs: SILICON_SILVER_REF=$(git -C viperserver/silicon/silver rev-parse HEAD) && \ CARBON_SILVER_REF=$(git -C viperserver/carbon/silver rev-parse HEAD) && \ if [ "$SILICON_SILVER_REF" != "$CARBON_SILVER_REF" ]; then echo "Silicon and Carbon reference different Silver commits ($SILICON_SILVER_REF and $CARBON_SILVER_REF)" && exit 1 ; fi - - name: Create image tag - run: | - IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME - - # Change all uppercase to lowercase - IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]') - # Strip git ref prefix from version - VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') - # Strip "v" prefix from tag name - [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v\.?//') - # Use Docker `latest` tag convention - [ "$VERSION" == "master" ] && VERSION=latest - echo "IMAGE_ID=$IMAGE_ID" >> $GITHUB_ENV - echo "IMAGE_TAG=$IMAGE_ID:$VERSION" >> $GITHUB_ENV # used to enable Docker caching (see https://github.com/docker/build-push-action) - name: Set up Docker Buildx @@ -73,6 +60,13 @@ jobs: labels: | ${{ env.IMAGE_LABELS }} ${{ env.CREATED_LABEL }} + tags: + type=schedule + type=ref,event=branch + type=ref,event=tag + type=ref,event=pr + # these are the default options so far. We additionally add the commit hash: + type=sha - name: Build image up to including stage 'build' id: image-build 
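Review bot: `IMAGE_ID: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}` in the first hunk reads the `env` context from inside the job-level `env` map, where, as far as I know, that context is not available, so the workflow would be rejected or the name would expand to nothing rather than to `gobra`. Writing the name literally avoids this: `IMAGE_ID: ghcr.io/${{ github.repository_owner }}/gobra`. The second hunk also deletes the step that lower-cased the image name, so `IMAGE_ID` now keeps whatever case `github.repository_owner` has; the metadata action may normalise it for its own outputs, but any step that uses `env.IMAGE_ID` directly would not get that. The `env` map continues past the hunk.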
@@ -100,12 +94,12 @@ jobs: mkdir -p $PWD/sync docker run \ --mount type=volume,dst=/build/gobra/sync,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=$PWD/sync \ - ${{ env.IMAGE_TAG }} \ + ${{ steps.image-metadata.outputs.tags[0] }} \ /bin/sh -c "echo 'Test'" # docker run \ # --mount type=volume,dst=/build/gobra/sync,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=$PWD/sync \ - # ${{ env.IMAGE_TAG }} \ + # ${{ steps.image-metadata.outputs.tags[0] }} \ # /bin/sh -c "$(cat .github/test-and-measure-ram.sh)" - name: Get max RAM usage by Java and Z3 @@ -216,7 +210,7 @@ jobs: - name: Test final container by verifying a file run: | docker run \ - ${{ env.IMAGE_TAG }} \ + ${{ steps.image-metadata.outputs.tags[0] }} \ -i tutorial-examples/basicAnnotations.gobra - name: Decide whether image should be deployed or not From fe7e84d9eb738f485d595d3bf395849ea0ce0400 Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 22:13:39 +0100 Subject: [PATCH 13/21] fixes syntax error in workflow --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0b72690e6..7151368be 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -60,13 +60,13 @@ jobs: labels: | ${{ env.IMAGE_LABELS }} ${{ env.CREATED_LABEL }} - tags: + tags: | type=schedule type=ref,event=branch type=ref,event=tag type=ref,event=pr - # these are the default options so far. We additionally add the commit hash: type=sha + # the first 4 tags correspond to the default options. We additionally add the commit hash - name: Build image up to including stage 'build' id: image-build From fa9d6e6b83fa4d217320e62aa1cd0727c9ab9848 Mon Sep 17 00:00:00 2001 
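Review bot: `${{ steps.image-metadata.outputs.tags[0] }}` indexes a step output, which is a plain newline-separated string, so the expression will most likely expand to an empty string in "Execute all tests" and in "Test final container by verifying a file" in the next hunk. With the image argument missing, `docker run` shifts its arguments and treats the next word (`/bin/sh`, or the path after `-i`) as the image reference, which is not the image built in this job. If the action's JSON output is used instead, the first tag can be selected safely, e.g. `${{ fromJSON(steps.image-metadata.outputs.json).tags[0] }}`, ideally passed through an `env:` entry and quoted as `"$IMAGE_TAG"` in the script. Both `run` blocks start above their hunks.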
From: Linard Arquint Date: Fri, 9 Feb 2024 22:15:19 +0100 Subject: [PATCH 14/21] attempts to fix dependencies within environment variables --- .github/workflows/test.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7151368be..741c47cc5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,12 +10,14 @@ on: push: # run this workflow on every push pull_request: # run this workflow on every pull_request +env: + IMAGE_NAME: gobra + jobs: # there is a single job to avoid copying the built docker image from one job to the other build-test-deploy-container: runs-on: ubuntu-latest env: - IMAGE_NAME: gobra IMAGE_ID: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} # image labels are new-line separated key value pairs (according to https://specs.opencontainers.org/image-spec/annotations/): IMAGE_LABELS: | From 37e98777dad159c7abd2a8400cc4277bd3a8c09a Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 22:18:16 +0100 Subject: [PATCH 15/21] fixes syntax error in workflow file --- .github/workflows/test.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 741c47cc5..4b19454d3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,15 +10,12 @@ on: push: # run this workflow on every push pull_request: # run this workflow on every pull_request -env: - IMAGE_NAME: gobra - jobs: # there is a single job to avoid copying the built docker image from one job to the other build-test-deploy-container: runs-on: ubuntu-latest env: - IMAGE_ID: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }} + IMAGE_ID: ghcr.io/${{ github.repository_owner }}/gobra # image labels are new-line separated key value pairs (according to https://specs.opencontainers.org/image-spec/annotations/): IMAGE_LABELS: | org.opencontainers.image.authors=Viper Project 
From 77cd1ca898ed05ad3277a88871936d9ff9f967fa Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 22:23:13 +0100 Subject: [PATCH 16/21] adds debug output --- .github/workflows/test.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4b19454d3..3f4b28b03 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -84,8 +84,11 @@ jobs: cache-from: type=gha, scope=${{ github.workflow }} cache-to: type=gha, scope=${{ github.workflow }} - # - name: Print metadata - # run: echo ${{ steps.image-build.outputs.metadata }} + - name: Print metadata + run: | + echo "${{ steps.image-metadata.outputs.tags }}" + echo "${{ steps.image-metadata.outputs.tags[0] }}" + echo "${{ steps.image-metadata.outputs.tags[1] }}" - name: Execute all tests run: | From a1dcfab5864cdd481a2abcfb5ff58e3acdfc2221 Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 22:30:28 +0100 Subject: [PATCH 17/21] fixes extraction of first image label --- .github/workflows/test.yml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3f4b28b03..dabaaef4c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -67,6 +67,9 @@ jobs: type=sha # the first 4 tags correspond to the default options. We additionally add the commit hash + - name: Get first tag + run: echo "IMAGE_TAG=$(echo "${{ steps.image-metadata.outputs.tags }}" | head -1)" >> $GITHUB_ENV + - name: Build image up to including stage 'build' id: image-build # note that the action's name is misleading: this step does NOT push 
@@ -84,24 +87,18 @@ jobs: cache-from: type=gha, scope=${{ github.workflow }} cache-to: type=gha, scope=${{ github.workflow }} - - name: Print metadata - run: | - echo "${{ steps.image-metadata.outputs.tags }}" - echo "${{ steps.image-metadata.outputs.tags[0] }}" - echo "${{ steps.image-metadata.outputs.tags[1] }}" - - name: Execute all tests run: | # create a directory to sync with the docker container and to store the created pidstats mkdir -p $PWD/sync docker run \ --mount type=volume,dst=/build/gobra/sync,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=$PWD/sync \ - ${{ steps.image-metadata.outputs.tags[0] }} \ + ${{ env.IMAGE_TAG }} \ /bin/sh -c "echo 'Test'" # docker run \ # --mount type=volume,dst=/build/gobra/sync,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=$PWD/sync \ - # ${{ steps.image-metadata.outputs.tags[0] }} \ + # ${{ env.IMAGE_TAG }} \ # /bin/sh -c "$(cat .github/test-and-measure-ram.sh)" - name: Get max RAM usage by Java and Z3 @@ -212,7 +209,7 @@ jobs: - name: Test final container by verifying a file run: | docker run \ - ${{ steps.image-metadata.outputs.tags[0] }} \ + ${{ env.IMAGE_TAG }} \ -i tutorial-examples/basicAnnotations.gobra - name: Decide whether image should be deployed or not From 2dd0d3dc57e1aa48f6881b939097d8f8ad9a90fa Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 22:36:05 +0100 Subject: [PATCH 18/21] Reverts "temporarily disables tests" This reverts commit 76a6c138320eaa6b1a174a75a5e7a9225b1e5e4e. --- .github/workflows/test.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index dabaaef4c..67bdbca4b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -94,12 +94,7 @@ jobs: docker run \ --mount type=volume,dst=/build/gobra/sync,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=$PWD/sync \ ${{ env.IMAGE_TAG }} \ - /bin/sh -c "echo 'Test'" - - # docker run \ - # --mount type=volume,dst=/build/gobra/sync,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=$PWD/sync \ - # ${{ env.IMAGE_TAG }} \ - # /bin/sh -c "$(cat .github/test-and-measure-ram.sh)" + /bin/sh -c "$(cat .github/test-and-measure-ram.sh)" - name: Get max RAM usage by Java and Z3 if: ${{ always() }} From 1372041042a14a681ff8ff285d3d9bc19dba3554 Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 22:37:19 +0100 Subject: [PATCH 19/21] reverts to publishing the built image only on certain branches --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 67bdbca4b..3b5b442fe 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -224,7 +224,7 @@ jobs: echo "SHOULD_DEPLOY=$SHOULD_DEPLOY" >> $GITHUB_ENV - name: Login to Github Packages - # if: env.SHOULD_DEPLOY == 'true' + if: env.SHOULD_DEPLOY == 'true' uses: docker/login-action@v3 with: registry: ghcr.io @@ -232,7 +232,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Push entire image - # if: env.SHOULD_DEPLOY == 'true' + if: env.SHOULD_DEPLOY == 'true' uses: docker/build-push-action@v5 with: context: . From 5d8361aa3e5a87e7c0edb7fd3e2c6f9d1ed4d36b Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 22:53:28 +0100 Subject: [PATCH 20/21] adds 'latest' for images created on the default branch --- .github/workflows/test.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3b5b442fe..6cbf5ec09 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -60,12 +60,15 @@ jobs: ${{ env.IMAGE_LABELS }} ${{ env.CREATED_LABEL }} tags: | + # the first 4 tags correspond to the default options type=schedule type=ref,event=branch type=ref,event=tag type=ref,event=pr + # use (short) commit hash as tag: type=sha - # the first 4 tags correspond to the default options. We additionally add the commit hash + # set latest tag for default branch: + type=raw,value=latest,enable={{is_default_branch}} - name: Get first tag run: echo "IMAGE_TAG=$(echo "${{ steps.image-metadata.outputs.tags }}" | head -1)" >> $GITHUB_ENV From e46c19ee410f122c6484aef69b7189c6f8f21090 Mon Sep 17 00:00:00 2001 From: Linard Arquint Date: Fri, 9 Feb 2024 22:59:52 +0100 Subject: [PATCH 21/21] sets priorities for image tags --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6cbf5ec09..dc3743fb0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -67,8 +67,8 @@ jobs: type=ref,event=pr # use (short) commit hash as tag: type=sha - # set latest tag for default branch: - type=raw,value=latest,enable={{is_default_branch}} + # use latest tag for default branch and with highest priority (1000 is the highest default priority for the other types): + type=raw,value=latest,priority=1100,enable={{is_default_branch}} - name: Get first tag run: echo "IMAGE_TAG=$(echo "${{ steps.image-metadata.outputs.tags }}" | head -1)" >> $GITHUB_ENV
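Review bot: With `priority=1100` the `latest` entry sorts first on the default branch, so the `Get first tag` step in the context lines of this hunk now sets `IMAGE_TAG` to the mutable `:latest` reference, which the `docker run` test steps then use. If the freshly built image is not in the local Docker store under that tag (whether each build step loads it is outside this hunk), `docker run` would pull the previously published `latest`, and the tests would pass against a different image than the one about to be pushed. Testing by the commit-specific tag avoids this, for example `grep -m1 ':sha-'` in place of `head -1`, or by referencing the build step's `imageid` output. A short comment on `Get first tag` stating which tag it is expected to select would also make the dependency on tag priority visible.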