CI #562
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '0 0 * * *' | |
| env: | |
| DOCKER_REPOSITORY: quay.io/unstructured-io | |
| DOCKER_BUILD_REPOSITORY: quay.io/unstructured-io/build-base-images | |
| DOCKER_IMAGE: base-images | |
| jobs: | |
| set-short-sha: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| short_sha: ${{ steps.set_short_sha.outputs.short_sha }} | |
| steps: | |
| - name: Set Short SHA | |
| id: set_short_sha | |
| run: echo "short_sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT | |
| build-images: | |
| strategy: | |
| matrix: | |
| architecture: ["arm64", "amd64"] | |
| image: | |
| [ | |
| "wolfi-base", | |
| "wolfi-py3.12-slim", | |
| "rocky9.2-slim", | |
| "rocky9.2-cpu", | |
| # "rocky9.2-gpu", [TODO] Resolve | |
| # 1005.6 Error: Failed to download metadata for repo 'cuda-rhel9-x86_64': Yum repo downloading error: Downloading error(s): | |
| # Cannot download, all mirrors were already tried without success; | |
| ] | |
| runs-on: ${{ matrix.architecture == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest-m' }} | |
| needs: [set-short-sha] | |
| env: | |
| SHORT_SHA: ${{ needs.set-short-sha.outputs.short_sha }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Login to Quay.io | |
| # build-base-images pushes images to quay.io when on the main branch | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_IO_ROBOT_USERNAME }} | |
| password: ${{ secrets.QUAY_IO_ROBOT_TOKEN }} | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v3 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ secrets.AWS_DEFAULT_REGION }} | |
| - name: Download APKs for chainguard/wolfi-base | |
| env: | |
| ARCH: ${{ matrix.architecture }} | |
| if: matrix.image == 'wolfi-base' | |
| run: make docker-dl-wolfi-packages | |
| - name: Build base images | |
| run: make build-base-images | |
| env: | |
| DOCKER_PLATFORM: linux/${{ matrix.architecture }} | |
| DOCKERFILE: ${{ matrix.image }} | |
| CI: "true" | |
| - name: Print images | |
| run: docker images | |
| - name: Scan image for vulnerabilities | |
| uses: anchore/scan-action@v3 | |
| with: | |
| image: "${{ env.DOCKER_BUILD_REPOSITORY }}:${{ matrix.image }}-${{ matrix.architecture }}-${{ env.SHORT_SHA }}" | |
| severity-cutoff: high | |
| fail-build: ${{ ( matrix.image == 'wolfi-base' || matrix.image == 'wolfi-py3.12-slim' ) }} | |
| output-format: table | |
| publish-images: | |
| strategy: | |
| matrix: | |
| image: | |
| [ | |
| "wolfi-base", | |
| "wolfi-py3.12-slim", | |
| "rocky9.2-slim", | |
| "rocky9.2-cpu", | |
| # "rocky9.2-gpu", | |
| ] | |
| env: | |
| SHORT_SHA: ${{ needs.set-short-sha.outputs.short_sha }} | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' | |
| needs: [set-short-sha, build-images] | |
| steps: | |
| - uses: docker/setup-buildx-action@v1 | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Login to Quay.io | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_IO_ROBOT_USERNAME }} | |
| password: ${{ secrets.QUAY_IO_ROBOT_TOKEN }} | |
| - name: Pull AMD image | |
| run: | | |
| docker pull --platform linux/amd64 $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64-${{ env.SHORT_SHA }} | |
| docker tag $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64-${{ env.SHORT_SHA }} $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64 | |
| docker push $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64 | |
| - name: Pull ARM image | |
| run: | | |
| docker pull --platform linux/arm64 $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64-${{ env.SHORT_SHA }} | |
| docker tag $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64-${{ env.SHORT_SHA }} $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64 | |
| docker push $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64 | |
| - name: Push multiarch manifest with short SHA | |
| env: | |
| IMAGE_TAG: ${{ matrix.image }}-${{ env.SHORT_SHA }} | |
| run: | | |
| docker manifest create $DOCKER_REPOSITORY/$DOCKER_IMAGE:${IMAGE_TAG} $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64 $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64 | |
| docker manifest push $DOCKER_REPOSITORY/$DOCKER_IMAGE:${IMAGE_TAG} | |
| - name: Update latest multiarch manifest | |
| env: | |
| IMAGE_TAG: ${{ matrix.image }}-latest | |
| run: | | |
| docker manifest create $DOCKER_REPOSITORY/$DOCKER_IMAGE:${IMAGE_TAG} $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-amd64 $DOCKER_BUILD_REPOSITORY:${{ matrix.image }}-arm64 | |
| docker manifest push $DOCKER_REPOSITORY/$DOCKER_IMAGE:${IMAGE_TAG} | |
| shellcheck: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: ShellCheck | |
| uses: ludeeus/action-shellcheck@master | |
| shfmt: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: setup shfmt | |
| uses: mfinelli/setup-shfmt@v3 | |
| - name: Run shfmt | |
| run: shfmt -i 2 -d . |