feat(ci): refactor package building to be common between tags and pr

ayuskauskas · ayuskauskas · commit c345589fedf3 · 2026-02-12T09:26:34.000-08:00
diff --git a/.github/actions/build-package/action.yml b/.github/actions/build-package/action.yml
@@ -0,0 +1,152 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'Build Package'
+description: 'Common steps for building and pushing Docker images'
+
+inputs:
+  package_name:
+    required: true
+    description: 'Name of the package to build'
+  tags:
+    required: true
+    description: 'Docker tags to apply (can be multiline YAML string)'
+  registry:
+    required: false
+    default: 'ghcr.io'
+    description: 'Container registry domain'
+  image_name:
+    required: false
+    description: 'Base image name (repository name)'
+  build_args:
+    required: false
+    default: ''
+    description: 'Build arguments from preprocess script'
+  generate_attestation:
+    required: false
+    default: 'false'
+    description: 'Whether to generate artifact attestation'
+  save_image_info:
+    required: false
+    default: 'false'
+    description: 'Whether to save image tags to an artifact (for PR builds)'
+
+outputs:
+  image_tags:
+    description: 'The tags that were applied to the built image'
+    value: ${{ steps.meta.outputs.tags }}
+  image_digest:
+    description: 'The digest of the built image'
+    value: ${{ steps.push.outputs.digest }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Log in to the Container registry
+      uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Generate package version map
+      id: package-versions
+      run: |
+        # Get all tags, extract package/version pairs, find latest for each package
+        PACKAGE_VERSIONS=$(git tag -l | \
+          grep -E '^[^/]+/[0-9]+\.[0-9]+\.[0-9]+$' | \
+          sort -t/ -k1,1 -k2,2V | \
+          awk -F/ '
+            {
+              package = $1
+              version = $2
+              packages[package] = version
+            }
+            END {
+              printf "{"
+              first = 1
+              for (package in packages) {
+                if (!first) printf ","
+                printf "\"%s\":\"%s\"", package, packages[package]
+                first = 0
+              }
+              printf "}"
+            }
+          ')
+        
+        echo "PACKAGE_VERSIONS=${PACKAGE_VERSIONS}" >> $GITHUB_OUTPUT
+        echo "Generated package version map: ${PACKAGE_VERSIONS}"
+
+    - name: Run preprocess script
+      id: preprocess
+      shell: bash
+      run: |
+        PREPROCESS_SCRIPT="${{ inputs.package_name }}/preprocess.sh"
+        if [ -f "$PREPROCESS_SCRIPT" ]; then
+          echo "Running preprocess script: $PREPROCESS_SCRIPT"
+          chmod +x "$PREPROCESS_SCRIPT"
+          "$PREPROCESS_SCRIPT"
+        else
+          echo "No preprocess script found at $PREPROCESS_SCRIPT"
+          echo "BUILD_ARGS=" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+      with:
+        images: ${{ inputs.registry }}/${{ inputs.image_name }}/${{ inputs.package_name }}
+        tags: ${{ inputs.tags }}
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build and push Docker image
+      id: push
+      uses: docker/build-push-action@v6
+      with:
+        context: ${{ inputs.package_name }}
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        platforms: linux/amd64,linux/arm64
+        build-args: ${{ steps.preprocess.outputs.BUILD_ARGS != '' && steps.preprocess.outputs.BUILD_ARGS || inputs.build_args }}
+
+    - name: Generate artifact attestation
+      if: inputs.generate_attestation == 'true'
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-name: ${{ inputs.registry }}/${{ inputs.image_name }}/${{ inputs.package_name }}
+        subject-digest: ${{ steps.push.outputs.digest }}
+        push-to-registry: true
+
+    - name: Save image info
+      if: inputs.save_image_info == 'true'
+      shell: bash
+      run: |
+        mkdir -p /tmp/image-info
+        echo "${{ steps.meta.outputs.tags }}" > /tmp/image-info/${{ inputs.package_name }}.txt
+
+    - name: Upload image info
+      if: inputs.save_image_info == 'true'
+      uses: actions/upload-artifact@v4
+      with:
+        name: image-info-${{ inputs.package_name }}
+        path: /tmp/image-info/${{ inputs.package_name }}.txt
+        retention-days: 1
diff --git a/.github/workflows/build_container.yaml b/.github/workflows/build_container.yaml
@@ -28,7 +28,7 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
-# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
+# There is a single job in this workflow. It uses the composite build-package action.
 jobs:
   build-and-push-image:
     runs-on: ubuntu-latest
@@ -38,71 +38,23 @@ jobs:
       packages: write
       attestations: write
       id-token: write
-      # 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
-      - name: Log in to the Container registry
-        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Setup env vars
-        run: echo "PACKAGE_NAME=$(echo "${{ github.ref_name }}" | sed 's;refs/tags;;g'| cut -f 1 -d /)" >> $GITHUB_ENV
-      
-      # Run preprocess script if it exists to get build args (e.g., dependency versions)
-      - name: Run preprocess script
-        id: preprocess
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract package name from tag
+        id: extract
         run: |
-          PREPROCESS_SCRIPT="${{ env.PACKAGE_NAME }}/preprocess.sh"
-          if [ -f "$PREPROCESS_SCRIPT" ]; then
-            echo "Running preprocess script: $PREPROCESS_SCRIPT"
-            chmod +x "$PREPROCESS_SCRIPT"
-            "$PREPROCESS_SCRIPT"
-          else
-            echo "No preprocess script found at $PREPROCESS_SCRIPT"
-            echo "BUILD_ARGS=" >> $GITHUB_OUTPUT
-          fi
-      
-      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
-        with:
-          images: ${{ env.REGISTRY }}/${{env.IMAGE_NAME}}/${{ env.PACKAGE_NAME }}
-          tags: |
-            type=match,pattern=\d.\d.\d
-      
-      # Setup for multi-platform
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+          PACKAGE_NAME=$(echo "${{ github.ref_name }}" | cut -f 1 -d /)
+          echo "package_name=${PACKAGE_NAME}" >> $GITHUB_OUTPUT
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-     
-     
-     # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
-      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see [Usage](https://github.com/docker/build-push-action#usage) in the README of the `docker/build-push-action` repository.
-      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
       - name: Build and push Docker image
-        id: push
-        uses: docker/build-push-action@v6
-        with:
-          context: ${{ env.PACKAGE_NAME }}
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          build-args: ${{ steps.preprocess.outputs.BUILD_ARGS }}
-      
-      # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). 
-      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v2
+        uses: ./.github/actions/build-package
         with:
-          subject-name: ${{ env.REGISTRY }}/${{env.IMAGE_NAME}}/${{ env.PACKAGE_NAME }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+          package_name: ${{ steps.extract.outputs.package_name }}
+          tags: |
+            type=match,pattern=\d.\d.\d
+          registry: ${{ env.REGISTRY }}
+          image_name: ${{ env.IMAGE_NAME }}
+          generate_attestation: 'true'
+          save_image_info: 'false'
diff --git a/.github/workflows/build_package.yml b/.github/workflows/build_package.yml
@@ -0,0 +1,144 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Build Package (Reusable)
+
+on:
+  workflow_call:
+    inputs:
+      package_name:
+        required: true
+        type: string
+        description: Name of the package to build
+      tags:
+        required: true
+        type: string
+        description: Docker tags to apply (can be multiline YAML string)
+      registry:
+        required: false
+        type: string
+        default: ghcr.io
+        description: Container registry domain
+      image_name:
+        required: false
+        type: string
+        default: ${{ github.repository }}
+        description: Base image name (repository name)
+      build_args:
+        required: false
+        type: string
+        default: ''
+        description: Build arguments from preprocess script
+      generate_attestation:
+        required: false
+        type: boolean
+        default: false
+        description: Whether to generate artifact attestation
+      save_image_info:
+        required: false
+        type: boolean
+        default: false
+        description: Whether to save image tags to an artifact (for PR builds)
+    outputs:
+      image_tags:
+        description: The tags that were applied to the built image
+        value: ${{ jobs.build.outputs.image_tags }}
+      image_digest:
+        description: The digest of the built image
+        value: ${{ jobs.build.outputs.image_digest }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    outputs:
+      image_tags: ${{ steps.meta.outputs.tags }}
+      image_digest: ${{ steps.push.outputs.digest }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ inputs.registry }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run preprocess script
+        id: preprocess
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PREPROCESS_SCRIPT="${{ inputs.package_name }}/preprocess.sh"
+          if [ -f "$PREPROCESS_SCRIPT" ]; then
+            echo "Running preprocess script: $PREPROCESS_SCRIPT"
+            chmod +x "$PREPROCESS_SCRIPT"
+            "$PREPROCESS_SCRIPT"
+          else
+            echo "No preprocess script found at $PREPROCESS_SCRIPT"
+            echo "BUILD_ARGS=" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ inputs.registry }}/${{ inputs.image_name }}/${{ inputs.package_name }}
+          tags: ${{ inputs.tags }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ inputs.package_name }}
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          build-args: ${{ steps.preprocess.outputs.BUILD_ARGS != '' && steps.preprocess.outputs.BUILD_ARGS || inputs.build_args }}
+
+      - name: Generate artifact attestation
+        if: inputs.generate_attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ inputs.registry }}/${{ inputs.image_name }}/${{ inputs.package_name }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Save image info
+        if: inputs.save_image_info
+        run: |
+          mkdir -p /tmp/image-info
+          echo "${{ steps.meta.outputs.tags }}" > /tmp/image-info/${{ inputs.package_name }}.txt
+
+      - name: Upload image info
+        if: inputs.save_image_info
+        uses: actions/upload-artifact@v4
+        with:
+          name: image-info-${{ inputs.package_name }}
+          path: /tmp/image-info/${{ inputs.package_name }}.txt
+          retention-days: 1
diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml
