feat(stages)!: staged builds for full images revised #706

Closed
wants to merge 112 commits into from
112 commits
e161451
Delete output folder
EveningStarlight Nov 28, 2024
2278644
Remove assert output folder workflow
EveningStarlight Nov 28, 2024
81b32b0
disable normal CI
EveningStarlight Nov 28, 2024
a79f9e9
add new workflows
EveningStarlight Nov 28, 2024
3a23f8e
add base-cpu Dockerfile
EveningStarlight Nov 28, 2024
1bbc444
fix uses file extension
EveningStarlight Nov 28, 2024
0e1be50
fix indent
EveningStarlight Nov 28, 2024
4dd1be8
fix hadolint
EveningStarlight Nov 28, 2024
75adf60
fix variable name
EveningStarlight Nov 28, 2024
efe8613
fix: add hadolint version
EveningStarlight Nov 28, 2024
8f68456
feat: add actions/checkout
EveningStarlight Nov 28, 2024
2cac3f3
fix: hadolint --no-fail
EveningStarlight Nov 28, 2024
532b817
Remove: dockerbits in makefile
EveningStarlight Nov 28, 2024
71b2e7d
feat: add build to CI
EveningStarlight Nov 28, 2024
81d5290
fix: indent
EveningStarlight Nov 28, 2024
fe46592
fix: variable name
EveningStarlight Nov 28, 2024
17873f0
test: secret access
EveningStarlight Nov 29, 2024
a2a5985
add steps
EveningStarlight Nov 29, 2024
fe03878
fix: add runs on
EveningStarlight Nov 29, 2024
1ecb9ac
fix: pass registry secrets
EveningStarlight Nov 29, 2024
b404970
fix: add inputs to calling action
EveningStarlight Nov 29, 2024
fa21e63
fix: pass as secrets
EveningStarlight Nov 29, 2024
869f483
fix: receive as secrets again
EveningStarlight Nov 29, 2024
2374167
fix: add secret definitions to docker-build-test-upload
EveningStarlight Nov 29, 2024
e766af6
fix: login input names
EveningStarlight Nov 29, 2024
a83f676
feat: add more steps
EveningStarlight Nov 29, 2024
ce43503
fix: trivy won't fail build
EveningStarlight Nov 29, 2024
d69a8fc
fix: matrix -> inputs
EveningStarlight Nov 29, 2024
5069fb4
add registry
EveningStarlight Nov 29, 2024
e07666c
fix: can't test on images that aren't fully built
EveningStarlight Nov 29, 2024
b805b61
fix: remove trivy scan on unfinished images
EveningStarlight Nov 29, 2024
fbb3a9a
fix: registry-name as input
EveningStarlight Dec 2, 2024
2f792c0
feat: add second stage
EveningStarlight Dec 2, 2024
cef0214
fix: add default env
EveningStarlight Dec 2, 2024
800fb6f
fix: remove defaults
EveningStarlight Dec 2, 2024
397cca3
fix: add quotes
EveningStarlight Dec 2, 2024
756ebb1
test: echo env
EveningStarlight Dec 2, 2024
18548dd
fix: stuff
EveningStarlight Dec 2, 2024
78b7b66
fix: env as build step
EveningStarlight Dec 2, 2024
9fc3167
fix quote variables
EveningStarlight Dec 2, 2024
73ef82a
fix: back to env
EveningStarlight Dec 2, 2024
9963005
fix: back to job again, this time with outputs and not output..
EveningStarlight Dec 2, 2024
941a46b
fix: use quotes
EveningStarlight Dec 2, 2024
bbba285
feat: variables are overrated anyways
EveningStarlight Dec 2, 2024
d6ec938
feat: readd variables, and call the right one..
EveningStarlight Dec 2, 2024
eaa2283
fix: rename folder
EveningStarlight Dec 2, 2024
7015c62
fix: pull the parent-image
EveningStarlight Dec 2, 2024
30285bc
fix: add LOCAL_REPO
EveningStarlight Dec 2, 2024
d840a18
Revert "fix: add LOCAL_REPO"
EveningStarlight Dec 3, 2024
bd2b57b
test everything
EveningStarlight Dec 3, 2024
42a90ac
fix: remove default: default
EveningStarlight Dec 3, 2024
66f806f
feat: add pull output
EveningStarlight Dec 3, 2024
cb9cdae
fix: reference step output
EveningStarlight Dec 3, 2024
bd6d55c
fix: terminate quote
EveningStarlight Dec 3, 2024
a5deccd
fix: add id to pull step
EveningStarlight Dec 3, 2024
a29f245
feat: test skip existing
EveningStarlight Dec 3, 2024
e35bc86
feat: more stuff
EveningStarlight Dec 3, 2024
3b28479
fix: fix ubuntu
EveningStarlight Dec 4, 2024
2382382
fix: split docker-steps into separate jobs
EveningStarlight Dec 4, 2024
aaa25b0
fix: secrets
EveningStarlight Dec 4, 2024
3560fe5
fix: restructure
EveningStarlight Dec 4, 2024
413d50c
fix: with
EveningStarlight Dec 4, 2024
3fe2d1e
fix: remove output type
EveningStarlight Dec 4, 2024
4287d08
fix: ref branch is called staged-builds
EveningStarlight Dec 4, 2024
df0c677
fix: add directory
EveningStarlight Dec 4, 2024
027f7de
fix: add || true
EveningStarlight Dec 4, 2024
4bbc259
fix: GITHUB_OUTPUT reference
EveningStarlight Dec 4, 2024
fd3118f
fix: add checkout
EveningStarlight Dec 4, 2024
37cc789
fix: add dependency chain
EveningStarlight Dec 4, 2024
98fcc0f
fix: secrets
EveningStarlight Dec 4, 2024
564d97c
fix: improper secret name
EveningStarlight Dec 4, 2024
014fbbd
feat: add check for parent being different
EveningStarlight Dec 4, 2024
7fce2d1
fix: add some brackets
EveningStarlight Dec 4, 2024
e8c5c67
fix: inputs tag
EveningStarlight Dec 4, 2024
6606bd2
test: debug base-cpu output
EveningStarlight Dec 4, 2024
3662799
test: add additional echoes
EveningStarlight Dec 4, 2024
ef6ea7e
fix: print toJson
EveningStarlight Dec 4, 2024
bc0a5ca
test: add debug
EveningStarlight Dec 4, 2024
371cb41
fix: output job name
EveningStarlight Dec 4, 2024
8c03cda
fix: boolean passed as string
EveningStarlight Dec 4, 2024
7e1bc27
fix: booleans are actually all strings
EveningStarlight Dec 4, 2024
88cb014
fix: string was already a string...
EveningStarlight Dec 4, 2024
7c244aa
fix: add brackets
EveningStarlight Dec 4, 2024
26e3ad1
test: fix to booleans
EveningStarlight Dec 4, 2024
276f203
fix: choose 1 style
EveningStarlight Dec 4, 2024
ca5769c
test: diff existing
EveningStarlight Dec 4, 2024
f1d99be
feat: add IMAGE arg to docker build
EveningStarlight Dec 4, 2024
84ea9c7
fix: add logs
EveningStarlight Dec 4, 2024
3deea5a
fix: add default value to arg
EveningStarlight Dec 4, 2024
bf61c63
fix: sed the as line
EveningStarlight Dec 4, 2024
2d6795d
remove: unused action
EveningStarlight Dec 5, 2024
3023a17
remove: unused base image from makefile
EveningStarlight Dec 5, 2024
66cceb7
add all 14 images
EveningStarlight Dec 9, 2024
83efb3d
fix directory to additional steps
EveningStarlight Dec 9, 2024
4ce52bc
fix: remove github.job, isn't working as intended
EveningStarlight Dec 9, 2024
f1f6d52
add jupyterlab dependencies
EveningStarlight Dec 9, 2024
c5ab2c9
fix: dependencies
EveningStarlight Dec 10, 2024
68c5178
test prod
EveningStarlight Dec 10, 2024
0b3e36b
fix: comment wasn't commenting
EveningStarlight Dec 11, 2024
7b354e7
fix: split r install
EveningStarlight Dec 11, 2024
7436d18
feat: new stage order
EveningStarlight Dec 11, 2024
a9fc768
fix: missed a file
EveningStarlight Dec 11, 2024
006b559
fix: job name
EveningStarlight Dec 11, 2024
3d3c02b
fix: missing files
EveningStarlight Dec 11, 2024
828d59a
fix: parent image
EveningStarlight Dec 11, 2024
9b24962
fix: sas dependency
EveningStarlight Dec 12, 2024
a2de0a9
fix: check-diff says no diff when directory previously didn't exist
EveningStarlight Dec 12, 2024
22e5250
feat: add testing to final images
EveningStarlight Dec 12, 2024
d1f3203
fix: test
EveningStarlight Dec 12, 2024
c8e3a87
fix: tests running before finished builds
EveningStarlight Dec 13, 2024
4156ed8
fix: upload to local
EveningStarlight Dec 13, 2024
ab941b2
fix: input -> inputs
EveningStarlight Dec 16, 2024
22 changes: 0 additions & 22 deletions .github/workflows/build_push.yaml
Expand Up @@ -29,31 +29,10 @@ on:
push:
branches:
- 'master'
pull_request:
types:
- 'opened'
- 'synchronize'
- 'reopened'
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

jobs:
# Any checks that run pre-build
pre-build-checks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master

- name: Assert committed ./output folder matches `make generate-dockerfiles` output
run: |
sudo apt-get install --yes make
make clean
make generate-dockerfiles
if ! git diff --quiet output/; then
echo 'output folder and docker-bits/resources out of sync!'
exit 1
fi

build-push:
env:
REGISTRY_NAME: k8scc01covidacr
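Review bot: Deleting the pre-build-checks job removes the only gate that verified the committed ./output folder matched `make generate-dockerfiles`; if the new staged workflows build directly from images/<directory>/Dockerfile, state that in the PR description so reviewers know output/ is no longer the source of truth. The removal of the `SLACK_WEBHOOK_URL` env entry is also unexplained; confirm no remaining step in build_push.yaml still references it.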
Expand Down Expand Up @@ -81,7 +60,6 @@ jobs:
- jupyterlab-pytorch
# - jupyterlab-tensorflow removed from build. https://jirab.statcan.ca/browse/BTIS-421
- remote-desktop
needs: pre-build-checks
runs-on: ubuntu-latest
services:
registry:
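Review bot: Dropping `needs: pre-build-checks` is consistent with removing that job above, but build-push now starts with no gating step at all; if a lint or Dockerfile-consistency check is still expected to run first, it needs a new `needs:` entry here.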
48 changes: 48 additions & 0 deletions .github/workflows/check-diff.yaml
@@ -0,0 +1,48 @@
name: Check for changes in subdirectory

on:
workflow_call:
inputs:
image:
description: Image name
required: true
type: string
outputs:
is-diff:
description: Is there a difference between the master branch and the current branch
value: ${{ jobs.check-diff.outputs.is-diff }}

jobs:
check-diff:
runs-on: ubuntu-latest
outputs:
is-diff: ${{ steps.check-changes.outputs.is-diff }}

steps:
- uses: actions/checkout@v4

- name: Fetch master branch
run: |
git fetch origin staged-builds:staged-builds # TODO staged-builds:staged-builds to master:master

- name: Check for changes
id: check-changes
run: | # Check for changes excluding README.md
# Check if the subdirectory exists in the base branch
if ! git ls-tree -d origin/staged-builds -- "images/${{ inputs.image }}" >/dev/null 2>&1; then
echo "Subdirectory does not exist in the base branch"
echo "is-diff=true" >> $GITHUB_OUTPUT
else
CHANGES=$(git diff --name-only origin/staged-builds HEAD -- "images/${{ inputs.image }}" | grep -v "README.md" || true)
NEW_FILES=$(git diff --name-only --diff-filter=A origin/staged-builds HEAD -- "images/${{ inputs.image }}" | grep -v "README.md" || true)

CHANGES="${CHANGES}"$'\n'"${NEW_FILES}"

if [ -n "$CHANGES" ]; then
echo "Changes detected (excluding README.md)"
echo "is-diff=true" >> $GITHUB_OUTPUT
else
echo "No changes detected"
echo "is-diff=false" >> $GITHUB_OUTPUT
fi
fi
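Review bot: The base branch is hardcoded as `staged-builds` in the fetch and in all three `origin/staged-builds` references, with only a TODO saying it should become `master`; resolve that before merge, ideally by taking the branch from a single input or env value so the four references cannot drift. Two smaller points: `${{ inputs.image }}` is expanded directly into the shell script, so prefer passing it through `env:` and quoting `"$IMAGE"` inside the script, which keeps the run block free of template expansion; and `NEW_FILES` (`--diff-filter=A`) is already a subset of `CHANGES`, so the second `git diff` and the concatenation line can be dropped.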
103 changes: 103 additions & 0 deletions .github/workflows/docker-build-upload.yaml
@@ -0,0 +1,103 @@
name: Download a parent image, build a new one, tag it, then upload the image

env:
HADOLINT_VERSION: "2.12.0"

on:
workflow_call:
inputs:
parent-image:
description: Parent image name
required: true
type: string
directory:
description: The directory of the image files
required: true
type: string
image:
description: Image name
required: true
type: string
base-image:
description: The base image to build from if not located on our own repo
required: false
type: string
registry-name:
description: url of the registry <registy-name>.azurecr.io
required: true
type: string
secrets:
REGISTRY_USERNAME:
description: The username for the container registry
required: true
REGISTRY_PASSWORD:
description: The password for the container registry
required: true

jobs:
build-upload:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000

steps:
- uses: actions/checkout@v4

- name: Run Hadolint
run: |
sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${{ env.HADOLINT_VERSION }}/hadolint-Linux-x86_64 --output hadolint
sudo chmod +x hadolint
./hadolint images/${{ inputs.directory }}/Dockerfile --no-fail

- name: Echo disk usage before clean up
run: ./.github/scripts/echo_usage.sh

- name: Free up all available disk space before building
run: ./.github/scripts/cleanup_runner.sh

- name: Echo disk usage before build start
run: ./.github/scripts/echo_usage.sh

# Connect to Azure Container registry (ACR)
- uses: azure/docker-login@v1
with:
login-server: ${{ inputs.registry-name }}.azurecr.io
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}

- name: Pull parent image
id: pull-parent
if: inputs.parent-image != ''
run: make pull/${{ inputs.parent-image }} REPO=${{ inputs.registry-name }}.azurecr.io

- name: Set BASE_IMAGE variable
run: |
if [ "${{ inputs.base-image }}" == "" ]; then
echo "BASE_IMAGE=${{ steps.pull-parent.outputs.image_name }}" >> $GITHUB_ENV
else
echo "BASE_IMAGE=${{ inputs.base-image }}" >> $GITHUB_ENV
fi

- name: Set FROM and as in Docerfile
run: |
sed -i '1i FROM ${{ env.BASE_IMAGE}} as ${{ inputs.image }}' ./images/${{ inputs.directory }}/Dockerfile

# make build emits full_image_name, image_tag, and image_repo outputs
- name: Build image
id: build-image
run: make build/${{ inputs.image }} REPO=${{ inputs.registry-name }}.azurecr.io DIRECTORY=${{ inputs.directory }}

- name: Echo disk usage after build completion
run: ./.github/scripts/echo_usage.sh

- name: Add standard tag names (short sha, sha, and branch) and any other post-build activity
run: make post-build/${{ inputs.image }} REPO=${{ inputs.registry-name }}.azurecr.io

- name: Push image to registry (default pushes all tags)
run: make push/${{ inputs.image }} REPO=${{ inputs.registry-name }}.azurecr.io

# Free up space from build process (containerscan action will run out of space if we don't)
- run: ./.github/scripts/cleanup_runner.sh
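Review bot: The hadolint binary is downloaded with `sudo curl -L ... --output hadolint` and executed with no checksum verification, so a tampered release asset would run on the runner; add a pinned sha256 check next to `HADOLINT_VERSION` (for example `echo "<sha256-placeholder>  hadolint" | sha256sum -c`) and drop the unnecessary `sudo` on the download and chmod. Note also that `--no-fail` makes the lint step purely informational, that the `registry:2` service on port 5000 is started but never used in this workflow, and that the `Set BASE_IMAGE variable` step produces an empty `BASE_IMAGE` when `inputs.base-image` is empty and `pull-parent` was skipped (`inputs.parent-image == ''`); fail fast in that case instead of letting `sed` write `FROM  as ...` into the Dockerfile.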
110 changes: 110 additions & 0 deletions .github/workflows/docker-pull-test.yaml
@@ -0,0 +1,110 @@
name: Tests the image built or copied from the previous step

env:
HADOLINT_VERSION: "2.12.0"

on:
workflow_call:
inputs:
image:
description: Image name
required: true
type: string
registry-name:
description: url of the registry <registy-name>.azurecr.io
required: true
type: string
secrets:
REGISTRY_USERNAME:
description: The username for the container registry
required: true
REGISTRY_PASSWORD:
description: The password for the container registry
required: true

jobs:
pull-test:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
env:
TRIVY_VERSION: "v0.57.0"
TRIVY_DATABASES: '"ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"'
TRIVY_JAVA_DATABASES: '"ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db"'
TRIVY_MAX_RETRIES: 5
TRIVY_RETRY_DELAY: 20
LOCAL_REPO: localhost:5000

steps:
- uses: actions/checkout@v4

- name: Free up all available disk space before building
run: ./.github/scripts/cleanup_runner.sh

# Connect to Azure Container registry (ACR)
- uses: azure/docker-login@v1
with:
login-server: ${{ inputs.registry-name }}.azurecr.io
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}

- name: Pull existing image
id: pull-existing
run: make pull/${{ inputs.image }} REPO=${{ inputs.registry-name }}.azurecr.io

- name: Add standard tag names (short sha, sha, and branch) and any other post-build activity
run: make post-build/${{ matrix.notebook }} REPO=${{ env.LOCAL_REPO }}

- name: Push image to local registry (default pushes all tags)
run: make push/${{ inputs.image }} REPO=${{ env.LOCAL_REPO }}

- name: Set Up Python for Test Suite
uses: actions/setup-python@v4
with:
python-version: "3.10"

- name: Set up venv for Test Suite
run: |
python -m pip install --upgrade pip
make install-python-dev-venv

- name: Test image
run: make test/${{ inputs.image }} REPO=${{ inputs.registry-name }}.azurecr.io

# Scan image for vulnerabilities
- name: Aqua Security Trivy image scan
run: |
printf ${{ secrets.CVE_ALLOWLIST }} > .trivyignore
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${{ env.TRIVY_VERSION }}

set +e

for ((i=0; i<${{ env.TRIVY_MAX_RETRIES }}; i++)); do
echo "Attempt $((i + 1)) of ${{ env.TRIVY_MAX_RETRIES }}..."

trivy image \
--db-repository ${{ env.TRIVY_DATABASES }} \
--java-db-repository ${{ env.TRIVY_JAVA_DATABASES }} \
${{ inputs.registry-name }}.azurecr.io/${{ inputs.image }}:$GITHUB_REF_NAME \
--exit-code 10 --timeout=20m --scanners vuln --severity CRITICAL
EXIT_CODE=$?

if [[ $EXIT_CODE -eq 0 ]]; then
echo "Trivy scan completed successfully."
exit 0
elif [[ $EXIT_CODE -eq 10 ]]; then
echo "Trivy scan completed successfully. Some vulnerabilities were found."
exit 10
elif [[ $i -lt $(( ${{ env.TRIVY_MAX_RETRIES }} - 1)) ]]; then
echo "Encountered unexpected error. Retrying in ${{ env.TRIVY_RETRY_DELAY }} seconds..."
sleep ${{ env.TRIVY_RETRY_DELAY }}
else
echo "Unexpected error persists after ${{ env.TRIVY_MAX_RETRIES }} attempts. Exiting."
exit 1
fi

# Free up space from build process (containerscan action will run out of space if we don't)
- run: ./.github/scripts/cleanup_runner.sh
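Review bot: The `Add standard tag names` step uses `${{ matrix.notebook }}`, but this job has no matrix, so the expression expands to empty and the target becomes `make post-build/`; it should be `${{ inputs.image }}` like the surrounding steps. `secrets.CVE_ALLOWLIST` is also not declared in the `workflow_call` secrets block, so it will be empty unless the caller uses `secrets: inherit`, and `printf ${{ secrets.CVE_ALLOWLIST }}` is unquoted and treated as a format string; declare the secret and write it with `printf '%s' "$CVE_ALLOWLIST"` from an `env:` mapping. Finally, the retry loop runs `exit 10` when vulnerabilities are found, which fails the step just as `exit 1` does (compare the commit "fix: trivy won't fail build"), and the Trivy installer is fetched from `main` via `curl | sh` while the binary itself is pinned to `v0.57.0`; pin the installer to a tagged ref or verify its checksum.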
59 changes: 59 additions & 0 deletions .github/workflows/docker-pull-upload.yaml
@@ -0,0 +1,59 @@
name: Download a copy of the image of of main, retag it, and upload

env:
HADOLINT_VERSION: "2.12.0"

on:
workflow_call:
inputs:
image:
description: Image name
required: true
type: string
registry-name:
description: url of the registry <registy-name>.azurecr.io
required: true
type: string
secrets:
REGISTRY_USERNAME:
description: The username for the container registry
required: true
REGISTRY_PASSWORD:
description: The password for the container registry
required: true

jobs:
pull-upload:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000

steps:
- uses: actions/checkout@v4

- name: Free up all available disk space before building
run: ./.github/scripts/cleanup_runner.sh

# Connect to Azure Container registry (ACR)
- uses: azure/docker-login@v1
with:
login-server: ${{ inputs.registry-name }}.azurecr.io
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}

- name: Pull existing image
id: pull-existing
run: make pull/${{ inputs.image }} REPO=${{ inputs.registry-name }}.azurecr.io TAG=staged-builds
# TODO replace TAG with master

- name: Retag existing image
run: make post-build/${{ inputs.image }} REPO=${{ inputs.registry-name }}.azurecr.io SOURCE_FULL_IMAGE_NAME=${{ steps.pull-existing.outputs.image_name }}

- name: Push image to registry (default pushes all tags)
run: make push/${{ inputs.image }} REPO=${{ inputs.registry-name }}.azurecr.io

# Free up space from build process (containerscan action will run out of space if we don't)
- run: ./.github/scripts/cleanup_runner.sh
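Review bot: The pull step hardcodes `TAG=staged-builds` with a TODO to switch to `master`; that must be resolved before merge, and since check-diff.yaml hardcodes the same branch, a single shared input would keep the two in step. The `HADOLINT_VERSION` env and the `registry:2` service are declared but never used in this workflow and can be removed. The retag step depends on `make pull` exporting `image_name` to GITHUB_OUTPUT (`steps.pull-existing.outputs.image_name`); that contract is not visible in this diff, so document it on the Makefile target.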