-
Notifications
You must be signed in to change notification settings - Fork 35
425 lines (377 loc) · 16.1 KB
/
__build-workflow.yaml
File metadata and controls
425 lines (377 loc) · 16.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
name: Reusable build
on:
workflow_call:
secrets:
dockerhub-token:
description: Token to use for logging in to the registry when "push" input is set.
required: false
gh-pat:
description: GitHub Personal Access Token (used to recursively checkout submodules).
required: false
slack-webhook-url:
description: Slack webhook URL to send notifications to in case of failures.
required: false
slack-team-id:
description: Slack team ID to mention in slack notification in case of failures.
required: false
inputs:
username:
description: Username to use for logging in to the registry when "push" input is set.
required: false
type: string
registry:
description: |
Registry to use for image(s) naming and pushing.
When using docker hub set it to 'docker.io'.
required: true
type: string
image-name:
description: Image name to use for image(s) naming and pushing (e.g. kong/kong-operator).
required: true
type: string
verify-image-script:
description: Path to the script that will be used to verify the built image.
required: false
type: string
default: ./scripts/verify-version.sh
push:
description: Indicates whether to push the built image(s) to specified registry.
required: true
type: boolean
file:
description: The name of the Dockerfile to use.
required: false
type: string
default: Dockerfile
additional-build-contexts:
description: >
Additional build context to include in the build (format name=path),
it's used for EE build to additionaly include path to OSS repo.
required: false
type: string
target:
description: The target to be built.
required: false
type: string
default: distroless
outputs:
description: Set outputs for docker/build-push-action.
required: false
type: string
latest:
description: Whether to tag this build latest
type: boolean
default: false
tag:
description: Tag used for tagging the image(s)
type: string
required: false
slack-send:
description: |
Indicates whether to send slack notification in case of failure.
When set to true, specify the slack-webhook-url and slack-team-id secrets.
default: false
type: boolean
outputs:
full_tag:
value: ${{ jobs.build-multi-arch.outputs.full_tag }}
tags:
value: ${{ jobs.build.outputs.tags }}
version:
value: ${{ jobs.build.outputs.version }}
permissions:
contents: read
actions: read
jobs:
semver:
runs-on: ubuntu-latest
outputs:
fullversion: ${{ steps.semver_parser.outputs.fullversion }}
major: ${{ steps.semver_parser.outputs.major }}
minor: ${{ steps.semver_parser.outputs.minor }}
patch: ${{ steps.semver_parser.outputs.patch }}
prerelease: ${{ steps.semver_parser.outputs.prerelease }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
- uses: mukunku/tag-exists-action@5c39604fe8aef7e65acb6fbcf96ec580f7680313 # v1.7.0
id: check-tag
if: ${{ inputs.tag != '' }}
name: check if tag already exists
with:
tag: ${{ inputs.tag }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Fail if tag already exists
if: ${{ inputs.tag != '' && steps.check-tag.outputs.exists == 'true' }}
run: exit 1
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
with:
fetch-depth: 0
- name: Parse semver string
id: semver_parser
if: ${{ inputs.tag != '' }}
uses: booxmedialtd/ws-action-parse-semver@7784200024d6b3fc01253e617ec0168daf603de3 # v1.4.7
with:
input_string: ${{ inputs.tag }}
version_extractor_regex: "v(.*)$"
build:
name: Build image
runs-on: ubuntu-latest
# NOTE: Needed by https://github.com/8398a7/action-slack?tab=readme-ov-file#require-permissions
permissions:
contents: read
actions: read
needs:
- semver
strategy:
# Whatever gets changed here should be changed in the multi-arch job below.
matrix:
include:
- os: linux
arch: amd64
- os: linux
arch: arm64
outputs:
tags: ${{ steps.meta.outputs.tags }}
version: ${{ steps.meta.outputs.version }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
- name: Configure Git for private repositories (this is needed by repositories that include this workflow and have other private dependencies)
run: git config --global url."https://${{ secrets.gh-pat }}@github.com".insteadOf "https://github.com"
- name: Cache Docker layers
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Log in to the Container registry
if: ${{ inputs.push }}
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ secrets.dockerhub-token }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Add standard tags
if: ${{ inputs.tag != '' }}
run: |
(
echo 'TAGS_STANDARD<<EOF'
echo 'type=raw,value=${{ needs.semver.outputs.fullversion }}'
echo 'EOF'
) >> $GITHUB_ENV
- name: Add major.minor tag
if: ${{ inputs.tag != '' && needs.semver.outputs.prerelease == '' }}
run: |
(
echo 'TAGS_SUPPLEMENTAL<<EOF'
echo ""
echo 'type=raw,value=${{ needs.semver.outputs.major }}.${{ needs.semver.outputs.minor }}'
echo 'EOF'
) >> $GITHUB_ENV
- name: Docker meta
id: meta
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
with:
images: |
${{ inputs.registry }}/${{ inputs.image-name }}
# Generate Docker tags based on the following events/attributes.
tags: |
type=schedule,pattern=nightly
type=schedule,pattern={{date 'YYYYMMDD'}}
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
${{ env.TAGS_STANDARD }}${{ env.TAGS_SUPPLEMENTAL }}
flavor: latest=${{ inputs.latest }},suffix=-${{ matrix.arch }}
# Setup Golang to use go pkg cache which is utilized in Dockerfile's cache mount.
- name: Setup golang
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
with:
go-version-file: go.mod
# Path for additional-build-contexts may point to dependencies that are pulled by Go toolchain,
# so we need to download them before building the image.
- name: Set up Go dependencies for additional build contexts
if: ${{ inputs.additional-build-contexts != ''}}
run: go mod download
- run: echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
- run: echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_ENV
- name: Build image
id: build
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: .
build-contexts: ${{ inputs.additional-build-contexts }}
push: ${{ inputs.push }}
file: ${{ inputs.file }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
target: ${{ inputs.target }}
platforms: ${{ matrix.os }}/${{ matrix.arch }}
build-args: |
TAG=${{ steps.meta.outputs.version }}
COMMIT=${{ github.sha }}
REPO_INFO=https://github.com/${{ github.repository }}.git
GOPATH=${{ env.GOPATH}}
GOCACHE=${{ env.GOCACHE}}
secrets: |
pat-github=${{ secrets.gh-pat }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
# Use outputs when push is set to false to allow subsequent steps to have
# access to this image.
# Ref: https://docs.docker.com/build/ci/github-actions/test-before-push/
outputs: |
${{ !inputs.push && 'type=docker,dest=/tmp/image.tar' }}
- uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
with:
platforms: ${{ matrix.arch }}
- name: Load the image into Docker
if: ${{ !inputs.push }}
run: docker load --input /tmp/image.tar
- name: Test the image by running it with -version flag
# NOTE: we can't use steps.build.outputs.tags here because it's there's more than one tag
# and we need to run the image with the same os/arch combination as it was downloaded.
# Below 'docker images ...' relies on the fact that there will only be 1 image with
# reference ${{ inputs.image-name }}.
run: |
chmod +x ${{ inputs.verify-image-script }}
docker images
docker run --rm \
--platform ${{ matrix.os }}/${{ matrix.arch }} \
${{ inputs.image-name }}:${{ steps.meta.outputs.version }} -version | ${{ inputs.verify-image-script }} ${{ github.repository }}
- name: Upload artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: image-${{ matrix.os }}-${{ matrix.arch }}
path: /tmp/image.tar
- name: Send slack notification if job fails.
if: ${{ failure() && inputs.slack-send }}
uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
env:
SLACK_WEBHOOK_URL: ${{ secrets.slack-webhook-url }}
with:
status: failure
fields: repo,message,commit,author,action,eventName,ref,workflow
text: ":red_circle: Docker build failed. cc: <!subteam^${{ secrets.slack-team-id }}>"
build-multi-arch:
name: Build and push multi-arch manifest
runs-on: ubuntu-latest
if: ${{ inputs.push }}
# NOTE: Needed by https://github.com/8398a7/action-slack?tab=readme-ov-file#require-permissions
permissions:
contents: read
actions: read
outputs:
full_tag: ${{ steps.tag.outputs.tag }}
needs:
- semver
- build
steps:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
- name: Configure Git for private repositories (this is needed by repositories that include this workflow and have other private dependencies)
run: git config --global url."https://${{ secrets.gh-pat }}@github.com".insteadOf "https://github.com"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Add standard tags
if: ${{ inputs.tag != '' }}
run: |
(
echo 'TAGS_STANDARD<<EOF'
echo 'type=raw,value=${{ needs.semver.outputs.fullversion }}'
echo 'EOF'
) >> $GITHUB_ENV
- name: Add major.minor tag
if: ${{ inputs.tag != '' && needs.semver.outputs.prerelease == '' }}
run: |
(
echo 'TAGS_SUPPLEMENTAL<<EOF'
echo ""
echo 'type=raw,value=${{ needs.semver.outputs.major }}.${{ needs.semver.outputs.minor }}'
echo 'EOF'
) >> $GITHUB_ENV
- name: Docker metadata
id: meta
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
with:
images: |
${{ inputs.registry }}/${{ inputs.image-name }}
# Generate Docker tags based on the following events/attributes.
tags: |
type=schedule,pattern=nightly
type=schedule,pattern={{date 'YYYYMMDD'}}
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
${{ env.TAGS_STANDARD }}${{ env.TAGS_SUPPLEMENTAL }}
flavor: latest=${{ inputs.latest }}
- name: Log in to the Container registry
if: ${{ inputs.push }}
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ secrets.dockerhub-token }}
# Prepare today's date in the same format as the pattern used in the metadata-action above for schedule trigger.
- name: Prepare today's date string
id: date
run: echo "today=$(date '+%Y%m%d')" >> "$GITHUB_OUTPUT"
# When building with `inputs.tag` set, `steps.meta.outputs.tags` contains multiple entries, so it cannot be used
# directly in sources. Instead, the sources are constructed using the `inputs.registry`, `inputs.image-name` and
# `needs.semver.outputs.fullversion`.
- uses: int128/docker-manifest-create-action@8aac06098a12365ccdf99372dcfb453ccce8a0b0 # v2.16.0
if: ${{ inputs.tag != '' }}
with:
tags: ${{ steps.meta.outputs.tags }}
sources: |
${{ inputs.registry }}/${{ inputs.image-name }}:${{ needs.semver.outputs.fullversion }}-amd64
${{ inputs.registry }}/${{ inputs.image-name }}:${{ needs.semver.outputs.fullversion }}-arm64
# When building on schedule, `steps.meta.outputs.tags` contains multiple entries, so it cannot be used
# directly in sources. Instead, the sources are constructed using the `inputs.registry`, `inputs.image-name` and
# the current date.
- uses: int128/docker-manifest-create-action@8aac06098a12365ccdf99372dcfb453ccce8a0b0 # v2.16.0
if: ${{ inputs.tag == '' && github.event_name == 'schedule' }}
with:
tags: ${{ steps.meta.outputs.tags }}
sources: |
${{ inputs.registry }}/${{ inputs.image-name }}:${{ steps.date.outputs.today }}-amd64
${{ inputs.registry }}/${{ inputs.image-name }}:${{ steps.date.outputs.today }}-arm64
# When building on push (e.g. on main), `steps.meta.outputs.tags` contains only a single entry, so it can be used
# directly in sources.
- uses: int128/docker-manifest-create-action@8aac06098a12365ccdf99372dcfb453ccce8a0b0 # v2.16.0
if: ${{ inputs.tag == '' && github.event_name == 'push' }}
with:
tags: ${{ steps.meta.outputs.tags }}
sources: |
${{ steps.meta.outputs.tags }}-amd64
${{ steps.meta.outputs.tags }}-arm64
- name: Set output tag
if: ${{ inputs.tag != '' }}
id: tag
run: |
echo "tag=${{ inputs.registry }}/${{ inputs.image-name }}:${{ needs.semver.outputs.fullversion }}" >> $GITHUB_OUTPUT
- name: Send slack notification if job fails.
if: ${{ failure() && inputs.slack-send }}
uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
env:
SLACK_WEBHOOK_URL: ${{ secrets.slack-webhook-url }}
with:
status: failure
fields: repo,message,commit,author,action,eventName,ref,workflow
text: ":red_circle: Docker build failed. cc: <!subteam^${{ secrets.slack-team-id }}>"