Convert rotate jwe key script into a celery task (PP-1480) (#2253) #1992
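# Builds the circulation manager Docker images on every push, tests them, and
# publishes them to the GitHub Container Registry (ghcr.io).
#
# Job order: `build` (base image if its Dockerfile changed, then the common
# image into the GHA build cache) -> `integration-test`, `unit-test`,
# `migration-test` (in parallel) -> `push` (only when all tests pass).
#
# NOTE(review): every `uses:` below references a mutable version tag. The
# `build` and `push` jobs hold `packages: write`, so pinning the third-party
# actions (dorny/paths-filter, docker/*) to a full commit SHA would keep a
# retagged release from changing what runs with that token.
name: Docker Build
on: [push]

# One run per ref and event type; a newer push cancels the run in progress.
concurrency:
  group: build-${{ github.ref_name }}-${{ github.event_name }}
  cancel-in-progress: true

jobs:
  build:
    name: Docker build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed to push the base image to ghcr.io when it was rebuilt.
      packages: write
    outputs:
      baseimage-changed: ${{ steps.changes.outputs.baseimage }}
      baseimage: ${{ steps.baseimage.outputs.tag }}

    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the job token in the checked-out repo's git config.
          persist-credentials: false

      # See comment here: https://github.com/actions/runner-images/issues/1187#issuecomment-686735760
      - name: Disable network offload
        run: sudo ethtool -K eth0 tx off rx off

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # If the base image build was changed, we build it first, so we can test
      # using these changes throughout the rest of the build. If the base image
      # build wasn't changed, we don't use it and just rely on scheduled build.
      - name: Check if base image was changed by this branch
        uses: dorny/paths-filter@v3
        id: changes
        with:
          filters: |
            baseimage:
              - 'docker/Dockerfile.baseimage'

      # We use docker/metadata-action to generate tags, instead of using string
      # interpolation, because it properly handles making sure special
      # characters are escaped, and the repo owner string is lowercase.
      - name: Generate tags for base image
        id: baseimage-meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/circ-baseimage
          tags: |
            type=ref,event=branch
            type=sha
            type=raw,value=latest,enable=${{ github.ref_name == 'main' }}

      # We are using docker/metadata-action here for the same reason as above.
      - name: Generate tag for latest
        id: baseimage-latest
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/circ-baseimage
          tags: |
            type=raw,value=latest

      # Registry credentials are only needed when the base image is pushed.
      - name: Login to GitHub Container Registry
        if: steps.changes.outputs.baseimage == 'true'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Build the base image, only if needed.
      - name: Build base image
        if: steps.changes.outputs.baseimage == 'true'
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./docker/Dockerfile.baseimage
          target: baseimage
          cache-from: |
            type=registry,ref=${{ fromJSON(steps.baseimage-latest.outputs.json).tags[0] }}
            type=registry,ref=${{ fromJSON(steps.baseimage-meta.outputs.json).tags[0] }}
          cache-to: |
            type=inline
          platforms: linux/amd64, linux/arm64
          tags: ${{ steps.baseimage-meta.outputs.tags }}
          labels: ${{ steps.baseimage-meta.outputs.labels }}
          push: true

      # If the base image was changed, we need to use the tag we just pushed
      # to build the common image. Otherwise, if the base image wasn't changed,
      # we use the latest tag. If the local repo has a built base image, we use
      # that, otherwise we just fall back to the main projects tag.
      - name: Set correct base-image for common image build
        id: baseimage
        # Expression values reach the script through the environment instead
        # of being pasted into the script text, so the shell never parses
        # them as code.
        env:
          BASEIMAGE_CHANGED: ${{ steps.changes.outputs.baseimage }}
          BRANCH_TAG: ${{ fromJSON(steps.baseimage-meta.outputs.json).tags[0] }}
          LATEST_TAG: ${{ fromJSON(steps.baseimage-latest.outputs.json).tags[0] }}
        run: |
          # Run steps use `bash -e` by default, so a bare failing command would
          # abort the step before the fallback below could be chosen. Capture
          # the exit status in an `||` list, which `-e` does not act on.
          tag_exists=0
          docker buildx imagetools inspect "$LATEST_TAG" > /dev/null || tag_exists=$?
          if [[ "$BASEIMAGE_CHANGED" == "true" ]]; then
            tag="$BRANCH_TAG"
          elif [[ $tag_exists -eq 0 ]]; then
            tag="$LATEST_TAG"
          else
            tag="ghcr.io/thepalaceproject/circ-baseimage:latest"
          fi
          echo "Base image tag: $tag"
          echo "tag=$tag" >> "$GITHUB_OUTPUT"

      # Not pushed: the result is only written to the GHA build cache, scoped
      # to this run, for the test and push jobs to reuse.
      - name: Build common image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./docker/Dockerfile
          target: common
          cache-to: |
            type=gha,scope=buildkit-${{ github.run_id }},mode=min
          platforms: linux/amd64, linux/arm64
          build-args: |
            BASE_IMAGE=${{ steps.baseimage.outputs.tag }}

  integration-test:
    name: Test circ-${{ matrix.image }} (${{ matrix.platform }})
    runs-on: ubuntu-latest
    needs: [build]
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        platform: ["linux/amd64", "linux/arm64"]
        image: ["scripts", "webapp"]

    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # See comment here: https://github.com/actions/runner-images/issues/1187#issuecomment-686735760
      - name: Disable network offload
        run: sudo ethtool -K eth0 tx off rx off

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build & Start container
        run: docker compose up -d --build ${{ matrix.image }}
        env:
          BUILD_PLATFORM: ${{ matrix.platform }}
          BUILD_CACHE_FROM: type=gha,scope=buildkit-${{ github.run_id }}
          BUILD_BASE_IMAGE: ${{ needs.build.outputs.baseimage }}

      - name: Run tests
        run: ./docker/ci/test_${{ matrix.image }}.sh ${{ matrix.image }}

      - name: Output logs
        if: failure()
        run: docker logs circulation-${{ matrix.image }}-1

      - name: Stop container
        if: always()
        run: docker compose down

  unit-test:
    name: Unit tests
    runs-on: ubuntu-latest
    needs: [build]
    permissions:
      contents: read

    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # See comment here: https://github.com/actions/runner-images/issues/1187#issuecomment-686735760
      - name: Disable network offload
        run: sudo ethtool -K eth0 tx off rx off

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # The folded scalar joins these lines into a single command line.
      - name: Run unit tests
        run: >
          docker compose run --build webapp
          bash -c "
          source env/bin/activate &&
          poetry install --without ci --no-root --sync &&
          pytest --no-cov tests
          "
        env:
          BUILD_CACHE_FROM: type=gha,scope=buildkit-${{ github.run_id }}
          BUILD_BASE_IMAGE: ${{ needs.build.outputs.baseimage }}

      - name: Stop container
        if: always()
        run: docker compose down

  migration-test:
    name: Migration test
    runs-on: ubuntu-latest
    needs: [build]
    permissions:
      contents: read

    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
          # Full history rather than a shallow clone.
          fetch-depth: 0

      # See comment here: https://github.com/actions/runner-images/issues/1187#issuecomment-686735760
      - name: Disable network offload
        run: sudo ethtool -K eth0 tx off rx off

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Test migrations
        run: ./docker/ci/test_migrations.sh
        env:
          BUILD_CACHE_FROM: type=gha,scope=buildkit-${{ github.run_id }}
          BUILD_BASE_IMAGE: ${{ needs.build.outputs.baseimage }}

  # Publishes one image per matrix entry, and only after every test job passed.
  push:
    name: Push circ-${{ matrix.image }}
    runs-on: ubuntu-latest
    needs: [build, integration-test, unit-test, migration-test]
    permissions:
      contents: read
      # Needed to push the images to ghcr.io.
      packages: write
    strategy:
      fail-fast: false
      matrix:
        image: ["scripts", "webapp", "exec"]

    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
          # Full history, so dunamai can derive the version from git below.
          fetch-depth: 0

      # See comment here: https://github.com/actions/runner-images/issues/1187#issuecomment-686735760
      - name: Disable network offload
        run: sudo ethtool -K eth0 tx off rx off

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.10"

      - name: Install Poetry
        uses: ./.github/actions/poetry

      - name: Setup Dunamai
        run: poetry install --only ci --no-root
        env:
          POETRY_VIRTUALENVS_CREATE: "false"

      # NOTE(review): the branch name is written into a Python string literal
      # without escaping, and this file ships in the published image. A quote
      # character in a ref name would break or alter _version.py; consider
      # emitting these values through a serializer instead of `echo`.
      - name: Create version file
        run: |
          echo "__version__ = '$(dunamai from git --style semver)'" >> src/palace/manager/_version.py
          echo "__commit__ = '$(dunamai from git --format {commit} --full-commit)'" >> src/palace/manager/_version.py
          echo "__branch__ = '$(dunamai from git --format {branch})'" >> src/palace/manager/_version.py

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Generate tags for image
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/circ-${{ matrix.image }}
          tags: |
            type=semver,pattern={{major}}.{{minor}},priority=10
            type=semver,pattern={{version}},priority=20
            type=ref,event=branch,priority=30
            type=sha,priority=40

      - name: Push image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./docker/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: ${{ matrix.image }}
          cache-from: type=gha,scope=buildkit-${{ github.run_id }}
          platforms: linux/amd64, linux/arm64
          build-args: |
            BASE_IMAGE=${{ needs.build.outputs.baseimage }}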