commodore/.github/workflows/container-image.yml at 20928cde683ba57a50cc0520df4e460d4c97df1b · projectsyn/commodore · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
name: Build & Push Container Image
on:
  push:
    branches:
    - master
    tags:
    - v*
  pull_request: {}

permissions:
  contents: read

# NOTE(sg): Configure the workflow to cancel old runs for the same Git ref
# when a new run is started.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  GHCR_IMAGE: ghcr.io/${{ github.repository }}
  DOCKER_IMAGE: docker.io/${{ github.repository }}

jobs:
  get-version:
    name: Render version for Python package and container image
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.image-tag.outputs.tag }}
      gitversion: ${{ steps.get-version-info.outputs.gitversion }}
      pyversion: ${{ steps.get-version-info.outputs.pyversion }}
    steps:
    - uses: actions/checkout@v6
      with:
        fetch-depth: 0 # NOTE(aa): Required in order to have tag information available
    - name: Get version information
      id: get-version-info
      run: |
        GITVERSION="$(git describe --tags --always --match=v* --dirty=+dirty || (echo "command failed $?"; exit 1))"
        PYVERSION="$(git describe --tags --always --match=v* | cut -d- -f1,2 || (echo "command failed $?"; exit 1))"
        echo "git version: $GITVERSION, pyversion: $PYVERSION"
        echo "gitversion=${GITVERSION}" >> ${GITHUB_OUTPUT}
        echo "pyversion=${PYVERSION}" >> ${GITHUB_OUTPUT}
    - name: Set image tag latest
      if: github.ref == 'refs/heads/master'
      run: echo "TAG=latest" >> ${GITHUB_ENV}
    - name: Set image tag for PRs to branch name
      if: github.event_name == 'pull_request'
      run: echo "TAG=${GITHUB_HEAD_REF//\//-}" >> ${GITHUB_ENV}
    - name: Set image tag from Git tag
      if: startsWith(github.ref, 'refs/tags/v')
      run: echo "TAG=$(echo ${GITHUB_REF#refs/tags/})" >> ${GITHUB_ENV}
    - name: Set image tag as output
      id: image-tag
      run: |
        echo "tag=${{ env.TAG }}" >> ${GITHUB_OUTPUT}

  build:
    name: Build container image
    needs:
      - get-version
    strategy:
      fail-fast: false # NOTE(sg): allow matrix jobs to complete even if one of them fails
      matrix:
        platform:
          - name: linux/amd64
            runner: ubuntu-24.04
          - name: linux/arm64
            runner: ubuntu-24.04-arm
    permissions:
      # The permissions are set to allow the job to write to the GitHub Container Registry (GHCR) and read from the repository.
      attestations: write
      actions: read
      checks: write
      contents: write
      deployments: none
      id-token: write
      issues: read
      discussions: read
      packages: write
      pages: none
      pull-requests: read
      repository-projects: read
      security-events: read
      statuses: read
    runs-on: ${{ matrix.platform.runner }}
    steps:
    - name: Prepare environment for current platform
      run: |
        platform=${{ matrix.platform.name }}
        echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
    - name: checkout
      uses: actions/checkout@v6
    - name: Login to ghcr.io
      uses: docker/login-action@v4
      with:
        registry: ghcr.io
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Generate Docker image metadata
      id: meta
      uses: docker/metadata-action@v6
      with:
        images: |
          ${{ env.GHCR_IMAGE }}
        tags: |
          type=raw,value=${{ needs.get-version.outputs.tag }},enable=true
    - name: Set up Docker context for Buildx
      run: |
        docker context create builders
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v4
      with:
        endpoint: builders
        platforms: ${{ matrix.platform.name }}
    - name: Build and push by digest
      id: build
      uses: docker/build-push-action@v7
      env:
        DOCKER_BUILDKIT: 1
      with:
        context: .
        platforms: ${{ matrix.platform.name }}
        labels: ${{ steps.meta.outputs.labels }}
        annotations: ${{ steps.meta.outputs.annotations }}
        outputs: type=image,name=${{ env.GHCR_IMAGE }},push-by-digest=true,name-canonical=true,push=true,oci-mediatypes=true
        cache-from: |
          type=gha,scope=${{ github.repository }}-${{ github.ref_name }}-${{ matrix.platform.name }}
          type=gha,scope=${{ github.repository }}-master-${{ matrix.platform.name }}
        cache-to: type=gha,mode=max,scope=${{ github.repository }}-${{ github.ref_name }}-${{ matrix.platform.name }}
        build-args: |
          GITVERSION=${{ needs.get-version.outputs.gitversion }}
          PYVERSION=${{ needs.get-version.outputs.pyversion }}
    - name: Export digest
      run: |
        mkdir -p /tmp/digests
        digest="${{ steps.build.outputs.digest }}"
        touch "/tmp/digests/${digest#sha256:}"
    - name: Upload digest
      uses: actions/upload-artifact@v7
      with:
        name: digests-${{ env.PLATFORM_PAIR }}
        path: /tmp/digests/*
        if-no-files-found: error
        retention-days: 1

  merge:
    name: Merge Docker manifests
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      actions: read
      checks: read
      contents: read
      deployments: none
      id-token: write
      issues: read
      discussions: read
      packages: write
      pages: none
      pull-requests: read
      repository-projects: read
      security-events: read
      statuses: read
    needs:
      - get-version
      - build
    steps:
    - name: Download digests
      uses: actions/download-artifact@v8
      with:
        path: /tmp/digests
        pattern: digests-*
        merge-multiple: true
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v4
      with:
        driver-opts: |
          network=host
    - name: Login to docker.io
      if: github.event_name != 'pull_request'
      uses: docker/login-action@v4
      with:
        registry: docker.io
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_PASSWORD }}
    - name: Login to ghcr.io
      uses: docker/login-action@v4
      with:
        registry: ghcr.io
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Generate Docker metadata
      id: meta
      uses: docker/metadata-action@v6
      with:
        images: |
          ${{ env.GHCR_IMAGE }}
          ${{ github.event_name != 'pull_request' && env.DOCKER_IMAGE || '' }}
        annotations: |
          type=org.opencontainers.image.description,value=${{ github.event.repository.description || 'No description provided' }}
        tags: |
          type=raw,value=${{ needs.get-version.outputs.tag }},enable=true
    - name: Get timestamp in RFC3339
      id: timestamp
      run: |
        echo "timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_OUTPUT
    - name: Create manifest list and push
      # NOTE(sg): This will push the manifest list to both ghcr.io and
      # docker.io when the docker.io image is enabled in the "Generate Docker
      # metadata" step.
      working-directory: /tmp/digests
      run: |
        docker buildx imagetools create \
          $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
          --annotation='index:org.opencontainers.image.description=${{ github.event.repository.description }}' \
          --annotation='index:org.opencontainers.image.created=${{ steps.timestamp.outputs.timestamp }}' \
          --annotation='index:org.opencontainers.image.url=${{ github.event.repository.url }}' \
          --annotation='index:org.opencontainers.image.source=${{ github.event.repository.url }}' \
          $(printf '${{ env.GHCR_IMAGE }}@sha256:%s ' *)
    - name: Inspect ghcr.io image
      run: |
        docker buildx imagetools inspect '${{ env.GHCR_IMAGE }}:${{ steps.meta.outputs.version }}'
    - name: Inspect docker.io image
      if: github.event_name != 'pull_request'
      run: |
        docker buildx imagetools inspect '${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }}'

    - name: Run image
      if: github.event_name == 'pull_request'
      run: |
        docker run ghcr.io/projectsyn/commodore:${{ needs.get-version.outputs.tag }} version

    - name: Delete untagged container images
      # We always delete all untagged container images after building an
      # image. This way, there should never be stale untagged images laying
      # around in the registry. In combination with the workflow that
      # deletes PR tags after the PR is closed we should be able to keep the
      # container image registry size in check.
      uses: dataaxiom/ghcr-cleanup-action@v1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        package: ${{ github.event.repository.name }}
        validate: true

  release:
    name: Create GitHub release
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      contents: write
    needs:
    - merge
    steps:
    - uses: actions/checkout@v6
      with:
        fetch-depth: 0 # NOTE(aa): Required in order to have tag information available
    - name: Build changelog from PRs with labels
      id: build_changelog
      uses: mikepenz/release-changelog-builder-action@v6
      with:
        configuration: ".github/changelog-configuration.json"
        # PreReleases still get a changelog, but the next full release gets a diff since the last full release,
        # combining possible changelogs of all previous PreReleases in between.
        # PreReleases show a partial changelog since last PreRelease.
        ignorePreReleases: "${{ !contains(github.ref, '-rc') }}"
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Read release message from tag commit
      id: tag_message
      run: |
        git fetch origin +refs/tags/*:refs/tags/*
        # Extract tag message
        TAG_MSG=$(git tag -n --format='%(contents:body)' ${GITHUB_REF##refs/tags/} | tr -d '\r')
        # Join multiple lines belonging to the same paragraph for GitHub
        # markdown.
        # Paragraph breaks should be '\n\n'. List items should be '\n*'. We
        # replace single line breaks which don't preceed a '*' with a space
        # with sed. Note `sed -z` operates on the whole input instead of
        # line-wise. Note that this currently still breaks markdown code
        # blocks.
        TAG_MSG=$(echo "$TAG_MSG" | sed -z 's/\([^\n]\)\n\([^\n\*]\)/\1 \2/g')
        # Set action output `messsage` as JSON-encoded string to preserve
        # newlines. We decode with `fromJSON()` below.
        TAG_MSG=$(jq -n --arg msg "${TAG_MSG}" '$msg')
        echo "message=${TAG_MSG}" >> $GITHUB_OUTPUT
      env:
        GITHUB_REF: ${{ github.ref }}
    - name: Create Release
      uses: ncipollo/release-action@v1
      with:
        body: "# Summary\n\n${{fromJSON(steps.tag_message.outputs.message)}}\n\n# Changes\n\n${{steps.build_changelog.outputs.changelog}}"
        prerelease: "${{ contains(github.ref, '-rc') }}"
        # Ensure target branch for release is "master"
        commit: master
        token: ${{ secrets.GITHUB_TOKEN }}