ci(docker): images should have independent major minor tags

bosbaber · bosbaber · commit 422db638488e · 2025-04-19T17:46:08.000+02:00
diff --git a/.github/actions/image-push/action.yml b/.github/actions/image-push/action.yml
@@ -0,0 +1,67 @@
+name: "Version hierarchy image pusher"
+description: "Will re-tag the docker image to create images for parent versions. For example, if the image is tagged 1.2.3, it will create a tag for 1.2 and 1.0 as well."
+
+inputs:
+  app_name:
+    description: "The name of the application."
+    required: true
+  package:
+    required: true
+  platform_name:
+    required: true
+  gh_token:
+    description: "GitHub token to use for authentication."
+    required: true
+  version:
+    required: true
+    description: "Version we are tagging as, for example v1.2.3 or v1.2.3-rc1"
+  
+  
+runs:
+  using: "composite"
+  steps:
+    - name: Calculate version hierarchy
+      id: hierarchy
+      uses: ./.github/actions/parent-versions
+      with:
+        version: ${{ inputs.version }}
+        generateRelease: true
+    - name: Fetch docker image from cache
+      uses: actions/cache/restore@v4
+      with:
+        path: /tmp/${{ github.sha }}-${{ inputs.package }}-${{ inputs.platform_name }}-${{ inputs.version }}.tar
+        key: ${{ github.sha }}-${{ inputs.package }}-${{ inputs.platform_name }}-${{ inputs.version }}
+        fail-on-cache-miss: true
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+    - name: Login to GHCR
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ inputs.gh_token }}
+    - name: Load image into Docker
+      shell: bash
+      run: |
+        docker load --input /tmp/${{ github.sha }}-${{ inputs.package }}-${{ inputs.platform_name }}-${{ inputs.version }}.tar
+    - name: List docker images
+      shell: bash
+      run: docker images
+    - name: Push to registry
+      shell: bash
+      run: |
+        echo "Pushing image to registry"
+        docker push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ inputs.version }}
+    - name: Tag and push parent versions
+      shell: bash
+      if: ${{ steps.hierarchy.outputs.has_hierarchy == 'true' }}
+      run: |
+        echo "Tagging parent versions with ${{ inputs.version }}, ${{ steps.hierarchy.outputs.minor_parent }} and ${{ steps.hierarchy.outputs.major_parent }}"
+        docker tag ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ inputs.version }} ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name}}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ steps.hierarchy.outputs.major_parent }}
+        docker tag ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ inputs.version }} ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name}}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ steps.hierarchy.outputs.minor_parent }}
+
+        echo "Pushing parent tagged images to registry"
+        docker push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ steps.hierarchy.outputs.major_parent }}
+        docker push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-${{ inputs.platform_name }}:${{ steps.hierarchy.outputs.minor_parent }}
diff --git a/.github/actions/manifest-push/action.yml b/.github/actions/manifest-push/action.yml
@@ -0,0 +1,63 @@
+name: "Push manifest list for arm64 and amd64"  
+
+inputs:
+  app_name:
+    description: "The name of the application."
+    required: true
+  package:
+    required: true
+  gh_token:
+    description: "GitHub token to use for authentication."
+    required: true
+  version:
+    required: true
+    description: "Version we are tagging as, for example v1.2.3 or v1.2.3-rc1"
+  
+runs:
+  using: "composite"
+  steps:
+    - name: Calculate version hierarchy
+      id: hierarchy
+      uses: ./.github/actions/parent-versions
+      with:
+        version: ${{ inputs.version }}
+        generateRelease: true
+
+    - name: Login to GHCR
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ inputs.gh_token }}
+    - name: Create manifest list with parent versions
+      if: steps.hierarchy.outputs.has_hierarchy == 'true'
+      shell: bash
+      run: |
+        docker manifest create ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ inputs.version }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-amd64:${{ inputs.version }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-arm64:${{ inputs.version }}
+
+        docker manifest create ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ steps.hierarchy.outputs.minor_parent }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-amd64:${{ steps.hierarchy.outputs.minor_parent }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-arm64:${{ steps.hierarchy.outputs.minor_parent }}
+        
+        docker manifest create ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ steps.hierarchy.outputs.major_parent }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-amd64:${{ steps.hierarchy.outputs.major_parent }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-arm64:${{ steps.hierarchy.outputs.major_parent }}
+    - name: Create manifest list without parent versions
+      if: steps.hierarchy.outputs.has_hierarchy != 'true'
+      shell: bash
+      run: |
+        docker manifest create ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ inputs.version }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-amd64:${{ inputs.version }} \
+        --amend ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}-arm64:${{ inputs.version }}
+    - name: Push manifest list
+      shell: bash
+      run: |
+        docker manifest push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ inputs.version }}
+    - name: Push manifests of parent versions
+      if: steps.hierarchy.outputs.has_hierarchy == 'true'
+      shell: bash
+      run: |
+        docker manifest push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ steps.hierarchy.outputs.minor_parent }}
+        docker manifest push ghcr.io/${{ github.repository_owner }}/${{ inputs.app_name }}-${{ inputs.package }}:${{ steps.hierarchy.outputs.major_parent }}
diff --git a/.github/actions/parent-versions/action.yml b/.github/actions/parent-versions/action.yml
@@ -0,0 +1,59 @@
+name: Version hierachy calculator
+
+inputs:
+  version:
+    description: "Version we are tagging as, for example v1.2.3 or v1.2.3-rc1, but it can also be 'nightly' in which case no hierarchy will be generated"
+    required: true
+  generateRelease:
+    description: "Set to true if the image has a hierarchy, this will trigger the tagging of the parent versions."
+    required: true
+    default: false
+
+outputs:
+  has_hierarchy:
+    description: "Whether this version has a parent hierarchy"
+    value: ${{ steps.calc.outputs.has_hierarchy }}
+  version:
+    description: "Same version string as provided as input, here for convenience"
+    value: ${{ inputs.version }}
+  major_parent:
+    description: "The major parent tag (e.g. v1 or v1-rc1), empty string if no hierarchy"
+    value: ${{ steps.calc.outputs.major_parent }}
+  minor_parent:
+    description: "The minor parent tag (e.g. v1.2 or v1.2-rc1), empty string if no hierarchy"
+    value: ${{ steps.calc.outputs.minor_parent }}
+runs:
+  using: "composite"
+  steps:
+    - name: Calculate version hierarchy
+      id: calc
+      shell: bash
+      run: |
+        # if we aren't generating a release, we don't need to do anything
+        if [[ "${{ inputs.generateRelease }}" != 'true' ]]; then
+          echo "has_hierarchy=false" >> $GITHUB_OUTPUT
+          echo "major_parent="   >> $GITHUB_OUTPUT
+          echo "minor_parent="   >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
+        # strip leading 'v'
+        version="${{ inputs.version }}"
+        raw="${version#v}"
+        # extract parts
+        major_num="${raw%%.*}"
+        minor_num="$(echo "$raw" | cut -d'.' -f2)"
+        pre_release="$(echo "$raw" | grep -oP '(?<=-).*' || echo "")"
+
+        # build parents
+        minor_label="v${major_num}.${minor_num}"
+        major_label="v${major_num}"
+        if [[ -n "$pre_release" ]]; then
+          minor_label+="-$pre_release"
+          major_label+="-$pre_release"
+        fi
+
+        # emit outputs
+        echo "has_hierarchy=true"     >> $GITHUB_OUTPUT
+        echo "major_parent=$major_label" >> $GITHUB_OUTPUT
+        echo "minor_parent=$minor_label" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/node-build.yml b/.github/workflows/node-build.yml
@@ -466,10 +466,10 @@ jobs:
         run: |
           docker images
           /tmp/trivy image --db-repository ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db --java-db-repository ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db --ignore-unfixed --format table --vuln-type os,library --exit-code 1 --severity HIGH --input /tmp/${{ github.sha }}-${{ matrix.package }}-${{ matrix.platform.name }}-${{ needs.version-generator.outputs.version }}.tar
-  
+
   push:
     name: Push to registry
-    needs: [version-generator, docker-grype, docker-trivy, version-generator, node-build]
+    needs: [version-generator, docker-grype, docker-trivy, node-build]
     runs-on: ubuntu-latest
     if: needs.version-generator.outputs.dockerPush == 'true'
     strategy:
@@ -484,34 +484,18 @@ jobs:
           - backend
           - frontend
     steps:
-      - name: Fetch docker image from cache
-        uses: actions/cache/restore@v4
-        with:
-          path: /tmp/${{ github.sha }}-${{ matrix.package }}-${{ matrix.platform.name }}-${{ needs.version-generator.outputs.version }}.tar
-          key: ${{ github.sha }}-${{ matrix.package }}-${{ matrix.platform.name }}-${{ needs.version-generator.outputs.version }}
-          fail-on-cache-miss: true
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Login to GHCR
-        uses: docker/login-action@v3
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/image-push
         with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Load image into Docker
-        run: |
-          docker load --input /tmp/${{ github.sha }}-${{ matrix.package }}-${{ matrix.platform.name }}-${{ needs.version-generator.outputs.version }}.tar
-      - name: List docker images
-        run: docker images
-      - name: Push to registry
-        run: |
-          docker push ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}-${{ matrix.platform.name }}:${{ needs.version-generator.outputs.version }}
+          app_name: rafiki
+          package: ${{ matrix.package }}
+          platform_name: ${{ matrix.platform.name }}
+          version: ${{ needs.version-generator.outputs.version }}
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
   
   push-manifest:
     name: Push multi-arch manifest list
-    needs: [version-generator, push]
+    needs: [version-generator,push]
     runs-on: ubuntu-latest
     if: needs.version-generator.outputs.dockerPush == 'true'
     strategy:
@@ -521,20 +505,14 @@ jobs:
           - backend
           - frontend
     steps:
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Create manifest list  
-        run: |
-          docker manifest create ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}:${{ needs.version-generator.outputs.version }} \
-          --amend ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}-amd64:${{ needs.version-generator.outputs.version }} \
-          --amend ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}-arm64:${{ needs.version-generator.outputs.version }}
+      - uses: actions/checkout@v4
       - name: Push manifest list
-        run: |
-          docker manifest push ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}:${{ needs.version-generator.outputs.version }}
+        uses: ./.github/actions/manifest-push
+        with:
+          app_name: rafiki
+          package: ${{ matrix.package }}
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
+          version: ${{ needs.version-generator.outputs.version }}
   
   generate-release:
     runs-on: ubuntu-latest
@@ -551,7 +529,7 @@ jobs:
           tag: ${{ needs.version-generator.outputs.version }}
           includeRefIssues: false
       - name: Create Release
-        uses: ncipollo/release-action@v1.15.0
+        uses: ncipollo/release-action@v1.16.0
         with:
           allowUpdates: true
           draft: false
