push-tagged-dbimage.yml
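# Manually dispatched workflow (workflow_dispatch is the only trigger).
name: Push tagged db image
defaults:
  run:
    shell: bash
on:
  workflow_dispatch:
    inputs:
      # Free-form text supplied by whoever dispatches the run. It is used
      # later as an image tag and inside registry API URLs, so treat it as
      # untrusted data wherever it is consumed.
      tag:
        description: 'Base tag for pushed dbimage (v1.25.0 for example)'
        required: true
        default: ""
      # When true, the build job opens an interactive tmate session.
      debug_enabled:
        description: 'Enable debug mode'
        type: boolean
        required: false
        default: false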
# Workflow-level environment, visible to every step of every job.
env:
  REGISTRY: docker.io
  DOCKER_ORG: "${{ vars.DOCKER_ORG }}"
  # The dispatch input is exported as a variable so that scripts can read it
  # as shell data (${TAG}) instead of having the expression pasted into the
  # script text.
  TAG: "${{ github.event.inputs.tag }}"
  # Variants that get a combined amd64+arm64 manifest (space separated).
  MULTI_ARCH_IMAGES: >-
    mariadb_10.1 mariadb_10.2 mariadb_10.3 mariadb_10.4 mariadb_10.5
    mariadb_10.6 mariadb_10.7 mariadb_10.8 mariadb_10.11 mariadb_11.4
    mariadb_11.8 mysql_5.7 mysql_8.0 mysql_8.4

# GITHUB_TOKEN is limited to reading repository contents.
permissions:
  contents: read
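# Two jobs:
#   build-db-arch    - builds and pushes one image per (arch, dbtype) pair.
#   create-manifests - joins the per-arch tags into multi-arch manifests and
#                      deletes the intermediate per-arch tags.
#
# NOTE(review): every `uses:` below tracks a mutable major-version tag. These
# jobs hold a 1Password service-account token and a Docker Hub credential, so
# pinning each action to a full commit SHA (owner/action@<full-commit-sha>,
# placeholder) keeps a retagged release from running with those secrets.
jobs:
  build-db-arch:
    name: build ${{ matrix.arch }} ${{ matrix.dbtype }}
    strategy:
      fail-fast: false
      matrix:
        arch: [amd64, arm64]
        dbtype:
          - mariadb_5.5
          - mariadb_10.0
          - mariadb_10.1
          - mariadb_10.2
          - mariadb_10.3
          - mariadb_10.4
          - mariadb_10.5
          - mariadb_10.6
          - mariadb_10.7
          - mariadb_10.8
          - mariadb_10.11
          - mariadb_11.4
          - mariadb_11.8
          - mysql_5.5
          - mysql_5.6
          - mysql_5.7
          - mysql_8.0
          - mysql_8.4
        # update 'meta' step below if you change this:
        exclude:
          - arch: arm64
            dbtype: mariadb_5.5
          - arch: arm64
            dbtype: mariadb_10.0
          - arch: arm64
            dbtype: mysql_5.5
          - arch: arm64
            dbtype: mysql_5.6
    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
    steps:
      # TAG is operator-supplied text that later lands in registry API URL
      # paths (including DELETE requests) and in image references. Reject
      # anything outside Docker's tag grammar before a credential is loaded.
      # The length cap leaves room for the "-amd64"/"-arm64" suffix.
      # create-manifests depends on this job, so it is covered as well.
      - name: Validate tag input
        run: |
          if [[ ! "${TAG}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,121}$ ]]; then
            echo "Invalid tag '${TAG}': expected a Docker tag such as v1.25.0" >&2
            exit 1
          fi
      # matrix.* values are fixed by this file, so expanding them inline in
      # scripts does not carry operator input.
      - name: Determine if multi-arch build
        id: meta
        run: |
          case "${{ matrix.dbtype }}" in
            mariadb_5.5|mariadb_10.0|mysql_5.5|mysql_5.6) echo "multi_arch=false" >> "$GITHUB_OUTPUT" ;;
            *) echo "multi_arch=true" >> "$GITHUB_OUTPUT" ;;
          esac
      # export-env makes DOCKERHUB_TOKEN an environment variable for all
      # later steps of this job.
      - name: Load 1password secret(s)
        uses: 1password/load-secrets-action@v3
        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.owner.login == github.repository_owner }}
        with:
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: "${{ secrets.PUSH_SERVICE_ACCOUNT_TOKEN }}"
          DOCKERHUB_TOKEN: "op://push-secrets/DOCKERHUB_TOKEN/credential"
      - uses: actions/checkout@v5
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ env.DOCKERHUB_TOKEN }}
      - name: Clean up stale arch tag before push
        env:
          DOCKERHUB_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
        run: |
          # Build the login body with jq from environment variables and feed
          # it to curl on stdin. The credential is then never part of the
          # script text or of any command line, and a quote character in it
          # cannot break out of the JSON or the shell quoting.
          TOKEN=$(jq -n '{username: env.DOCKERHUB_USERNAME, password: env.DOCKERHUB_TOKEN}' \
            | curl -s -H "Content-Type: application/json" -X POST --data @- https://hub.docker.com/v2/users/login/ \
            | jq -r .token)
          ORG_IMAGE="${DOCKER_ORG}/ddev-dbserver-$(echo "${{ matrix.dbtype }}" | tr '_' '-')"
          echo "Cleaning up stale tag for ${ORG_IMAGE}:${TAG}-${{ matrix.arch }}"
          # Best effort: a missing tag or a failed delete must not stop the build.
          curl -s -X DELETE -H "Authorization: JWT $TOKEN" "https://hub.docker.com/v2/repositories/${ORG_IMAGE}/tags/${TAG}-${{ matrix.arch }}/" >/dev/null || true
      # NOTE(review): this interactive session starts after DOCKERHUB_TOKEN
      # has been exported and after the Docker Hub login, so whoever connects
      # can read both. limit-access-to-actor restricts access to the user who
      # dispatched the run; leave debug_enabled off unless it is needed.
      - name: Setup tmate session
        if: ${{ github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
        uses: mxschmitt/action-tmate@v3
        with:
          limit-access-to-actor: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push ${{ env.DOCKER_ORG }}/ddev-dbserver-${{ matrix.dbtype }}:${{ env.TAG }} ${{ matrix.arch }} image
        run: |
          set -eu
          cd containers/ddev-dbserver
          target="${{ matrix.dbtype }}_${{ matrix.arch }}"
          echo "Building target $target for arch ${{ matrix.arch }}"
          # Multi-arch variants are pushed under a per-arch tag first.
          version="${TAG}"
          if [ "${{ steps.meta.outputs.multi_arch }}" = "true" ]; then
            version="${version}-${{ matrix.arch }}"
          fi
          make "$target" PUSH=true VERSION="${version}"
      - name: Record image information
        id: image-info
        run: |
          set -eu
          INSPECT_IMAGE="${DOCKER_ORG}/ddev-dbserver-$(echo "${{ matrix.dbtype }}" | tr '_' '-'):${TAG}"
          if [ "${{ steps.meta.outputs.multi_arch }}" = "true" ]; then
            INSPECT_IMAGE="${INSPECT_IMAGE}-${{ matrix.arch }}"
          fi
          INSPECT_OUTPUT=""
          # Wait for image to be available with retry logic
          MAX_RETRIES=10
          for i in $(seq 1 "$MAX_RETRIES"); do
            if INSPECT_OUTPUT=$(docker buildx imagetools inspect "${INSPECT_IMAGE}" 2>/dev/null); then
              break
            fi
            echo "Image ${INSPECT_IMAGE} not yet available, waiting... (attempt ${i}/${MAX_RETRIES})"
            sleep 3
          done
          if [ -z "$INSPECT_OUTPUT" ]; then
            echo "Failed to retrieve image information with 'docker buildx imagetools inspect ${INSPECT_IMAGE}'"
            exit 1
          fi
          echo "$INSPECT_OUTPUT" > image-info.txt
      - name: Upload image info artifact
        uses: actions/upload-artifact@v6
        with:
          name: image-info-ddev-dbserver-${{ matrix.dbtype }}-${{ matrix.arch }}
          path: image-info.txt
          retention-days: 1
  create-manifests:
    name: create multi-arch db manifests
    needs: build-db-arch
    runs-on: ubuntu-24.04
    steps:
      - name: Load 1password secret(s)
        uses: 1password/load-secrets-action@v3
        with:
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: "${{ secrets.PUSH_SERVICE_ACCOUNT_TOKEN }}"
          DOCKERHUB_TOKEN: "op://push-secrets/DOCKERHUB_TOKEN/credential"
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ env.DOCKERHUB_TOKEN }}
      - name: Create and push manifests
        env:
          DOCKERHUB_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
        run: |
          set -eu
          # Get Docker Hub token for cleanup. The login body is built by jq
          # from environment variables and sent on stdin, so the credential
          # does not appear in the script text or on a command line.
          TOKEN=$(jq -n '{username: env.DOCKERHUB_USERNAME, password: env.DOCKERHUB_TOKEN}' \
            | curl -s -H "Content-Type: application/json" -X POST --data @- https://hub.docker.com/v2/users/login/ \
            | jq -r .token)
          # Create and push multi-arch manifests
          for variant in ${MULTI_ARCH_IMAGES}; do
            ORG_IMAGE="${DOCKER_ORG}/ddev-dbserver-$(echo "${variant}" | tr '_' '-')"
            docker buildx imagetools create -t "${ORG_IMAGE}:${TAG}" "${ORG_IMAGE}:${TAG}-amd64" "${ORG_IMAGE}:${TAG}-arm64"
            # Only plain release tags (vX.Y.Z) move "latest".
            if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              docker buildx imagetools create -t "${ORG_IMAGE}:latest" "${ORG_IMAGE}:${TAG}"
            fi
          done
          # Clean up intermediary single-arch tags from remote registry
          # (best effort: a failed delete does not fail the job).
          for variant in ${MULTI_ARCH_IMAGES}; do
            ORG_IMAGE="${DOCKER_ORG}/ddev-dbserver-$(echo "${variant}" | tr '_' '-')"
            echo "Removing ${ORG_IMAGE}:${TAG}-amd64 and ${TAG}-arm64"
            curl -s -X DELETE -H "Authorization: JWT $TOKEN" "https://hub.docker.com/v2/repositories/${ORG_IMAGE}/tags/${TAG}-amd64/" >/dev/null || true
            curl -s -X DELETE -H "Authorization: JWT $TOKEN" "https://hub.docker.com/v2/repositories/${ORG_IMAGE}/tags/${TAG}-arm64/" >/dev/null || true
          done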