
Commit dc4716c

nriss and claude authored
feat: Docker image optimization + container_mode + security

* feat: add Docker image mode and JAR caching to reduce CI minutes
  - New inputs use_docker_image (default true) and docker_image
  - SUSHI, IG Publisher, PlantUML and validator_cli now run inside ghcr.io/ansforge/fhir-ig-builder when use_docker_image=true
  - Cache publisher.jar and validator_cli.jar via actions/cache keyed on resolved version tag
  - Legacy path preserved via use_docker_image=false (backward compat)
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* add Dockerfile and build workflow for ghcr.io/ansforge/fhir-ig-builder
  Colocating the Dockerfile in IG-workflows so the GITHUB_TOKEN (scoped to ansforge) can push directly to ghcr.io/ansforge/. Weekly cron rebuild picks up new SUSHI versions automatically.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* set use_docker_image default to false for safe rollout
  Avoids breaking existing workflows during initial deployment. Opt-in by setting use_docker_image: true.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* use fhir-package-installer to pre-load FHIR packages in Docker image
  Replace manual curl/tar approach with the fhir-package-installer library which handles correct ~/.fhir/packages/<id>#<version>/ storage, latest version resolution, and rate limiting automatically.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* perf: cache ~/.fhir/packages + mount the directory into the Docker containers
  - Adds actions/cache@v4 for ~/.fhir/packages (both modes) to avoid re-downloading FHIR packages on every run
  - Mounts the runner's ~/.fhir/packages into the SUSHI and Publisher containers to eliminate the overlay filesystem overhead (+34s observed on cercle-de-soins)
  - Cache key based on sushi-config.yaml with fallback fhir-packages-
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat: add container_mode for runs-on with container: image:
  New input container_mode (default: false). When true:
  - Skips setup-java, setup-node, setup-ruby, gem install jekyll/graphviz
  - Skips docker pull and the docker run wrappers (SUSHI/Publisher run directly)
  - Keeps actions/cache for ~/.fhir/packages and publisher.jar
  - Compatible with the deploy gh-pages, plantuml, validator_cli and release steps
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: force HOME=/root in container_mode to find the image's FHIR packages
  GHA may set HOME to a value other than /root in a container: job, so ~/.fhir/packages does not point to /root/.fhir/packages, where fhir-package-installer installed the packages during the image build.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(container_mode): correct cache path and HOME for SUSHI
  actions/cache is a JavaScript action that runs on the HOST, where HOME=/home/runner. Setting HOME=/root via GITHUB_ENV (removed) was causing it to cache to /root/.fhir/packages on the host instead of /home/runner/.fhir/packages — breaking the volume mount bridge.
  Fix:
  - Dedicated cache step for container_mode uses explicit absolute path /home/runner/.fhir/packages, matching the volume mount source.
  - SUSHI in container_mode sets HOME=/root inline (process-scoped only) so it reads from /root/.fhir/packages inside the container, which is the volume mount target.
  - Java (Publisher) naturally uses user.home=/root as the container runs as root — no explicit fix needed.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(container_mode): force HOME=/root for Publisher to fix internal Sushi
  The IG Publisher spawns a Sushi subprocess that inherits HOME=/github/home (GHA's default container HOME), causing packages to be re-downloaded to /github/home/.fhir/packages on every run instead of using the bind-mounted /root/.fhir/packages. Setting HOME=/root before the java command ensures the Publisher's internal Sushi subprocess also uses /root/.fhir/packages (the volume-mount target).
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(container_mode): use /root/.fhir/packages as cache path
  actions/cache runs INSIDE the container via docker exec in a container job, not on the host runner. /home/runner/.fhir/packages does not exist inside the container, causing the save to silently fail. Use the absolute path /root/.fhir/packages which is where SUSHI and the Publisher actually write packages (with HOME=/root set inline).
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(docker): add hl7.fhir.uv.extensions.r4 to pre-loaded FHIR packages

* feat(docker): add hl7.fhir.xver-extensions to pre-loaded FHIR packages

* feat(docker): add ans.fr.nos 1.3.0 and 1.5.0 to pre-loaded FHIR packages

* feat(docker): add hl7.fhir.pubpack to pre-loaded FHIR packages

* ci: add workflow_dispatch to docker build for manual triggers

* Optimisations: publisher bundled in the image, PlantUML cache, bug fixes
  - Dockerfile: pre-downloads publisher.jar at build time (latest version)
  - action.yml: in container_mode, detects /root/publisher.jar and skips the API call + download
  - action.yml: caches the PlantUML JARs (plantuml.jar and plantuml-mapping.jar)
  - action.yml: fix plantuml-mapping output dir bug (./plantuml → ./plantuml_mapping)
  - action.yml: fix testscript-generator bug (ig_directory./igs → ig_directory=./igs)
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Remove the use_docker_image mode (obsolete)
  Replaced by container_mode, which is faster and simpler. Removed: the use_docker_image and docker_image inputs, all docker run wrapper steps, and the Setup Java JDK for release step. All conditions simplified accordingly.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Clarify the container_mode FHIR packages cache comment
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Dockerfile: always install the latest SUSHI version
  Removed the SUSHI_VERSION ARG and the associated build-arg in build-docker.yml. The weekly rebuild guarantees a recent version.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: fix script injection vulnerabilities (inputs via env vars)
  All ${{ inputs.* }} and ${{ steps.*.outputs.* }} expressions used in run: blocks are now passed through environment variables (env:) to avoid shell code injection.
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 520a2c7 commit dc4716c

4 files changed

Lines changed: 304 additions & 188 deletions


.github/workflows/build-docker.yml

Lines changed: 1 addition & 10 deletions
@@ -7,6 +7,7 @@ on:
77
- Dockerfile
88
- fhir-packages.txt
99
- .github/workflows/build-docker.yml
10+
workflow_dispatch:
1011
schedule:
1112
# Rebuild hebdomadaire lundi 06:00 UTC pour capter les nouvelles versions SUSHI
1213
- cron: '0 6 * * 1'
@@ -21,14 +22,6 @@ jobs:
2122
steps:
2223
- uses: actions/checkout@v4
2324

24-
- name: Resolve SUSHI version
25-
id: sushi-version
26-
shell: bash
27-
run: |
28-
VERSION=$(npm view fsh-sushi version)
29-
echo "version=$VERSION" >> $GITHUB_OUTPUT
30-
echo "SUSHI version: $VERSION"
31-
3225
- name: Log in to GitHub Container Registry
3326
uses: docker/login-action@v3
3427
with:
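Review bot: Dropping the `Resolve SUSHI version` step removes the only place this build recorded which SUSHI release went into the image (the `echo "SUSHI version: $VERSION"` log line goes with it), so a regression after a weekly rebuild cannot be traced back to a specific SUSHI version from the workflow log. Suggest replacing it with a post-install check such as `sushi --version` in the Dockerfile or a step that prints it from the built image, so the version still appears in the build log even though it is no longer pinned.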
@@ -44,10 +37,8 @@ jobs:
4437
with:
4538
context: .
4639
push: true
47-
build-args: SUSHI_VERSION=${{ steps.sushi-version.outputs.version }}
4840
tags: |
4941
ghcr.io/ansforge/fhir-ig-builder:latest
50-
ghcr.io/ansforge/fhir-ig-builder:sushi-${{ steps.sushi-version.outputs.version }}
5142
cache-from: type=gha
5243
cache-to: type=gha,mode=max
5344
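Review bot: With the `sushi-${{ steps.sushi-version.outputs.version }}` tag removed, `ghcr.io/ansforge/fhir-ig-builder:latest` is the image's only tag, and it is mutable: every weekly rebuild silently replaces what container_mode jobs run, and there is no older tag to roll back to if a new SUSHI or Publisher breaks IG builds. Suggest keeping an immutable second tag next to `:latest`, for example `ghcr.io/ansforge/fhir-ig-builder:${{ github.sha }}` or a date-based tag; it shares the same layers, so it costs nothing, and consumers that need stability can pin to it or to the digest.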

Dockerfile

Lines changed: 8 additions & 3 deletions
@@ -1,6 +1,5 @@
11
FROM ubuntu:24.04
22

3-
ARG SUSHI_VERSION=3.20.0
43
ARG NODE_MAJOR=20
54
ENV DEBIAN_FRONTEND=noninteractive \
65
LANG=en_US.UTF-8 \
@@ -31,8 +30,8 @@ RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_MAJOR}.x | bash - \
3130
&& apt-get install -y nodejs \
3231
&& rm -rf /var/lib/apt/lists/*
3332

34-
# SUSHI (version épinglée via ARG — passer --build-arg SUSHI_VERSION=x.y.z pour mettre à jour)
35-
RUN npm install -g fsh-sushi@${SUSHI_VERSION}
33+
# SUSHI (dernière version stable)
34+
RUN npm install -g fsh-sushi
3635

3736
# Jekyll
3837
RUN gem install jekyll --no-document
@@ -56,4 +55,10 @@ COPY scripts/install-fhir-packages.mjs .
5655
COPY fhir-packages.txt .
5756
RUN node install-fhir-packages.mjs fhir-packages.txt
5857

58+
# Pré-télécharger le IG Publisher JAR (version latest au moment du build de l'image)
59+
RUN PUBLISHER_VERSION=$(curl -s https://api.github.com/repos/HL7/fhir-ig-publisher/releases/latest | jq -r '.tag_name') \
60+
&& wget -q "https://github.com/HL7/fhir-ig-publisher/releases/download/${PUBLISHER_VERSION}/publisher.jar" \
61+
-O /root/publisher.jar \
62+
&& echo "IG Publisher ${PUBLISHER_VERSION} pre-installed at /root/publisher.jar"
63+
5964
WORKDIR /workspace
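Review bot: The `curl -s https://api.github.com/repos/HL7/fhir-ig-publisher/releases/latest` call has no `-f`, so when the unauthenticated API rate limit is hit (plausible on shared GHA runner IPs) the error JSON is still piped to `jq` and `PUBLISHER_VERSION` becomes the literal string `null`; the build then fails in `wget` with a 404 rather than at the real cause. Suggest `curl -fsSL` plus a guard such as `[ -n "$PUBLISHER_VERSION" ] && [ "$PUBLISHER_VERSION" != null ]` before the download. The jar is also fetched with no integrity record; since the action now uses `/root/publisher.jar` when present and skips the download (per the commit message), adding `sha256sum /root/publisher.jar` and writing the version string next to the jar in the same `RUN` gives a verifiable record of exactly which Publisher each image ships.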
