build docker image for releases (#9)
steezeburger authored Jul 9, 2024
1 parent 2813f96 commit dbf03f9
Showing 2 changed files with 53 additions and 107 deletions.
151 changes: 48 additions & 103 deletions .github/workflows/docker.yml
@@ -1,122 +1,67 @@
# Build Hermes Docker image, push to Docker Hub and GHCR.io.
# Build Hermes Docker image, push to GHCR.io.

name: Docker

on:
workflow_dispatch:
push:
tags:
- v[0-9]+.*
- "v[0-9]+.[0-9]+.[0-9]+"
- "v[0-9]+.[0-9]+.[0-9]+-alpha.[0-9]+"
- "v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+"
- "v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+"

env:
REGISTRY_IMAGE: informalsystems/hermes
REGISTRY: ghcr.io
FULL_REF: ${{ inputs.tag && format('refs/tags/{0}', inputs.tag) || github.ref }}

jobs:
docker-build:
build-and-push:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
platform:
- id: linux/amd64
name: amd64
- id: linux/arm64
name: arm64
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
# Checking out the repo
- uses: actions/checkout@v4
with:
images: ${{ env.REGISTRY_IMAGE }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3

ref: ${{ inputs.tag }}
- uses: depot/setup-action@v1
- name: Login to Docker Hub
uses: docker/login-action@v3
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == 'astriaorg/hermes'
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

- name: Build and push by digest
id: build
uses: docker/build-push-action@v5
with:
context: .
file: ./ci/release/hermes.Dockerfile
platforms: ${{ matrix.platform.id }}
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Export digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@v4
with:
name: digests-${{ matrix.platform.name }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1

docker-merge:
runs-on: ubuntu-latest
needs:
- docker-build
steps:
- name: Download digests
uses: actions/download-artifact@v4
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Log in to GHCR
uses: docker/login-action@v2
with:
pattern: digests-*
merge-multiple: true
path: /tmp/digests

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}

- name: Login to Docker Hub
uses: docker/login-action@v3
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Generate correct tabs and labels
- name: Docker metadata
id: metadata
uses: docker/metadata-action@v4
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

- name: Create manifest list and push
working-directory: /tmp/digests
run: |
docker buildx imagetools create --tag ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
images: ghcr.io/astriaorg/hermes
tags: |
type=ref,event=pr
type=match,pattern=refs/tags/v(.*),group=1,enable=${{ startsWith(env.FULL_REF, 'refs/tags/') }},value=${{ env.FULL_REF }}
type=sha
# set latest tag for `main` branch
type=raw,value=latest,enable=${{ env.FULL_REF == format('refs/heads/{0}', 'main') }}
- name: Build and push
uses: depot/build-push-action@v1
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Push image to GHCR
run: |
docker buildx imagetools create \
--tag ghcr.io/${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \
${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
# this gets rid of the unknown/unknown image that is created without this setting
# https://github.com/docker/build-push-action/issues/820#issuecomment-1455687416
provenance: false
context: .
file: ci/release/hermes.Dockerfile
platforms: "linux/amd64,linux/arm64"
push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == 'astriaorg/hermes' }}
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
project: qz2p12cbtf
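Review bot: Every action in `build-and-push` is referenced by a mutable tag (`depot/setup-action@v1`, `depot/build-push-action@v1`, and the `docker/*` and `actions/checkout` steps) while the job holds `id-token: write` and `packages: write`, so a moved tag on any of them runs with the ability to request OIDC tokens and push release images. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: depot/build-push-action@<full-commit-sha>  # v1`. Separately, `inputs.tag` is read by `FULL_REF` and by the checkout `ref:`, but the `workflow_dispatch:` trigger as shown declares no `inputs`, so a manual run appears to always fall back to `github.ref`; declaring a `tag` input under `workflow_dispatch` (or dropping the references) would make that explicit. `provenance: false` also means the pushed images carry no build provenance attestation, which deserves a note next to the existing comment so it is revisited. The page has lost its +/- markers, so which lines are on the new side is inferred from the commit title and the header comment.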
9 changes: 5 additions & 4 deletions ci/release/hermes.Dockerfile
Expand Up @@ -13,13 +13,14 @@ COPY . .
RUN cargo build --release

FROM ubuntu:latest
LABEL maintainer="[email protected]"
ARG UID=1000
ARG GID=1000
LABEL maintainer="[email protected]"
ARG UID=1001
ARG GID=1001

RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates
RUN update-ca-certificates
RUN groupadd -g ${GID} hermes && useradd -l -m hermes -s /bin/bash -u ${UID} -g ${GID}
RUN groupadd -g ${GID} hermes
RUN useradd -l -m hermes -s /bin/bash -u ${UID} -g ${GID}

WORKDIR /home/hermes
USER hermes:hermes
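Review bot: The runtime stage still builds on `FROM ubuntu:latest`, so the contents of the release image, including which UIDs and GIDs already exist in it, change whenever that tag moves; the default `UID`/`GID` in this hunk appears to go from 1000 to 1001, which looks like a workaround for exactly that, though the commit does not say so. Pin the base to a specific release and digest, e.g. `FROM ubuntu:<release>@sha256:<digest>`, and record the reason above the ARGs with a comment such as `# 1001: avoids an ID already present in the base image (confirm)`. Deployments that mount volumes owned by 1000 will need to pass `--build-arg UID=... --build-arg GID=...` or re-own their data, which is worth a line in the release notes. The build stage starts above this hunk and is not visible here.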