container_images.yaml
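---
# Builds the project's container images and pushes them to Google Artifact
# Registry. Runs on every pull request and on pushes to main, and can also be
# invoked from another workflow (workflow_call) or by hand (workflow_dispatch)
# with one extra, caller-supplied image tag.
#
# Authentication to GCP uses Workload Identity Federation (OIDC) via the
# id-token permission below; no long-lived service-account key is stored in
# this repository.
on:
  pull_request:
  push:
    branches:
      - main
  workflow_call:
    inputs:
      image-tag:
        description: 'Extra tag to apply to the built images (Docker tag syntax)'
        type: string
  workflow_dispatch:
    inputs:
      image-tag:
        description: 'Extra tag to apply to the built images (Docker tag syntax)'
        type: string
name: 'Container images'
jobs:
  determine-image-tags:
    name: 'Determine image tags'
    # This job only runs a shell script and never touches the GitHub API,
    # so it needs no GITHUB_TOKEN scopes at all.
    permissions: {}
    outputs:
      # JSON array of tag strings, consumed through fromJSON() by the build
      # matrix in the next job.
      tags: ${{ steps.determine-image-tags.outputs.tags }}
      # Candidate concurrency-group name; currently unused (see build-and-push).
      concurrency: ${{ steps.determine-image-tags.outputs.concurrency }}
    runs-on: ubuntu-latest
    steps:
      - id: determine-image-tags
        # Event data is handed to the script through environment variables
        # rather than interpolated into the script text, so a hostile value
        # cannot inject shell syntax.
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_NUMBER: ${{ github.event.number }}
          CUSTOM_TAG: ${{ inputs.image-tag }}
        run: |
          concurrency="docker-build"
          tags=()
          if [[ "$EVENT_NAME" == "pull_request" ]]; then
            tags+=("pr-$PR_NUMBER")
            concurrency="$concurrency-pr-$PR_NUMBER"
          fi
          if [[ "$EVENT_NAME" == "push" ]]; then
            tags+=("latest")
            concurrency="$concurrency-latest"
          fi
          if [[ "$CUSTOM_TAG" != "" ]]; then
            # The caller-supplied tag ends up inside a hand-built JSON array
            # and inside an image reference, so restrict it to Docker tag
            # syntax ([A-Za-z0-9_][A-Za-z0-9_.-]{0,127}). This also rules out
            # quotes, commas and newlines that would otherwise corrupt the
            # JSON or the $GITHUB_OUTPUT file. The value is deliberately not
            # echoed back, so it cannot smuggle workflow commands into the log.
            if [[ ! "$CUSTOM_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
              echo "::error::The image-tag input is not a valid Docker tag"
              exit 1
            fi
            tags+=("$CUSTOM_TAG")
            concurrency="$concurrency-$CUSTOM_TAG"
          fi
          # NOTE(review): on pull_request events GITHUB_SHA is the synthetic
          # merge commit, not the PR head commit — confirm that is the
          # intended identifier for the short-SHA tag.
          concurrency="$concurrency-$GITHUB_SHA"
          tags+=("${GITHUB_SHA:0:6}")
          # Render the tag list as a JSON array body: "a","b","c"
          tags_out=""
          for tag in "${tags[@]}"; do
            if [ -z "$tags_out" ]; then
              tags_out="\"$tag\""
            else
              tags_out="$tags_out,\"$tag\""
            fi
          done
          echo "TAGS: $tags_out"
          echo "CONCURRENCY: $concurrency"
          echo "tags=[$tags_out]" >> "$GITHUB_OUTPUT"
          echo "concurrency=\"$concurrency\"" >> "$GITHUB_OUTPUT"
  build-and-push:
    name: 'Build and push'
    runs-on: ubuntu-latest
    needs: ['determine-image-tags']
    # It would be ideal to run container build jobs sequentially, but the
    # current behavior of Github Workflow "concurrency" prevents this from
    # being viable because it cancels any pending jobs instead of queuing
    # them. An outstanding feature request to fix this can be found here:
    # https://github.com/orgs/community/discussions/5435
    #
    # Ultimately this is a build speed optimization for us, so not a deal
    # breaker to comment out for now.
    #
    # concurrency:
    #   group: ${{ needs.determine-image-tags.outputs.concurrency }}
    #   cancel-in-progress: false
    #
    # Least privilege: read the repository contents and mint an OIDC token
    # for GCP. Nothing in this job writes back to GitHub.
    permissions:
      contents: 'read'
      id-token: 'write'
    strategy:
      matrix:
        image:
          - name: 'orb'
            file: 'images/orb/Dockerfile'
          - name: 'orb-ns'
            file: 'images/orb-ns/Dockerfile'
        # One build per (image, tag) pair; the tag list comes from the
        # previous job as a JSON array.
        tag: ${{ fromJSON(needs.determine-image-tags.outputs.tags) }}
    steps:
      # Supply-chain note: most actions below are pinned to mutable major
      # version tags (@v1..@v4). Pinning each to a full commit SHA, with the
      # version kept in a trailing comment, would stop a compromised or
      # force-pushed tag from changing what runs with id-token:write.
      - uses: actions/checkout@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      # Exchanges the job's GitHub OIDC token for a short-lived GCP access
      # token through the workload identity pool/provider below. The project
      # number and ID are read from secrets but are not themselves sensitive.
      # NOTE(review): pull_request runs from forks get neither secrets nor a
      # writable id-token, so this step is expected to fail for them and no
      # image is pushed — confirm that matches the intended policy.
      - id: 'authenticate'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v1'
        with:
          token_format: 'access_token'
          workload_identity_provider: 'projects/${{ secrets.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/build-pipeline/providers/build-pipeline-provider'
          service_account: 'build-pipeline@${{ secrets.GCP_PROJECT_ID }}.iam.gserviceaccount.com'
      - name: 'Set up Google Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@v1'
        with:
          version: '>= 413.0.0'
      - name: 'Set up Google Cloud Docker auth helper'
        run: gcloud auth configure-docker us-central1-docker.pkg.dev
      # The access token from the authenticate step is used directly as the
      # registry password; it expires on its own, so nothing persists.
      - name: 'Log Docker in to Google Artifact Registry'
        uses: 'docker/[email protected]'
        with:
          registry: 'us-central1-docker.pkg.dev'
          username: 'oauth2accesstoken'
          password: '${{ steps.authenticate.outputs.access_token }}'
      # Layer cache lives in the GitHub Actions cache; mode=max also caches
      # intermediate stages of multi-stage builds.
      - name: Build and push container images
        uses: docker/build-push-action@v4
        with:
          file: ${{ matrix.image.file }}
          context: .
          cache-from: type=gha
          cache-to: type=gha,mode=max
          push: true
          tags: 'us-central1-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/subconscious/${{ matrix.image.name }}:${{matrix.tag}}'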