Create action for docker build scripts

vmcj · vmcj · commit 8944e11a8ea1 · 2024-01-15T19:34:44.000+01:00
The PRs for changes to those scripts will be stored in the registry
of the user/organisation which forked or in our GitHub docker registry
if this branch is under the domjudge organization. Here we always build
against our latest version.

The GitLab code had the option to not push the latest tag, for when we
rebuild an older container, otherwise we always release against the
overwritten value or if nothing was provided against the latest released
tag (so which latest points to). The code for world readable files has
been kept.

Our build script is extended to now also have an option to push to
another organization/namespace so we can push the image to the github
container registry of the person doing the PR.

As we don't do this often we explicit clean the github runner of older
versions to make sure we always build against the latest image available
of our dependencies and don't encounter the earlier builds if a PR is
done more often (to fix something for example).

The image can be locally tested by looking at the special tag based on
the branchname/issue_number.
diff --git a/.github/workflows/build-domjudge-container-PR.yml b/.github/workflows/build-domjudge-container-PR.yml
@@ -0,0 +1,83 @@
+name: 'Build domjudge container (PR)'
+
+on:
+  push:
+  pull_request_target:
+    branches:
+      - main
+
+env:
+  DOMJUDGE_VERSION: M.m.p
+
+jobs:
+  pr-domjudge:
+    if: ${{ github.repository != 'domjudge/domjudge-packaging' || github.ref != 'main' }} 
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: docker system prune -a -f
+
+      - name: Get an unique tag for when people PR often
+        run: |
+          GHR=${{ github.ref }}
+          echo "PR_TAG=${GHR///}" >> $GITHUB_ENV
+
+      - name: If needed overwrite the DOMJUDGE_VERSION for this run
+        run: |
+          if [ ${{ env.DOMJUDGE_VERSION }} != "M.m.p" ]; then
+            exit 0
+          fi
+          sudo apt update; sudo apt install -y jq curl
+          set -x
+            HUBURL="https://registry.hub.docker.com/v2/repositories/domjudge/domserver/tags"
+            TAG=$(curl $HUBURL|jq '.results | sort_by(.name) | .[length-2].name')
+            DJ_TAG=${TAG//\"}
+          set +x
+          echo "DOMJUDGE_VERSION=$DJ_TAG" >> $GITHUB_ENV
+
+      - name: Build the container
+        run: |
+          cd docker
+          set -x
+          sh ./build.sh "${{ env.DOMJUDGE_VERSION }}" ${{ github.actor }}
+          set +x
+
+      - run: docker image list
+
+      - name: Build and push
+        run: |
+          for IMG in domserver judgehost default-judgehost-chroot; do
+            IMAGE_NAME="${{ github.actor }}/$IMG:${{ env.DOMJUDGE_VERSION }}"
+            docker image tag "$IMAGE_NAME" ghcr.io/${{ github.actor }}/$IMG:${{ env.PR_TAG }}
+            docker image tag "$IMAGE_NAME" ${{ github.actor }}/$IMG:${{ env.PR_TAG }}
+            docker push ghcr.io/${{ github.actor }}/$IMG:${{ env.PR_TAG }}
+          done
+
+      - name: Check for wrong permisions
+        run: |
+          docker image list
+          set -x
+          for IMG in domserver judgehost; do
+            files=$(docker run --rm --pull=never "${{ github.actor }}/$IMG:${{ env.PR_TAG }}" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c)
+            if [ -n "$files" ]; then
+              echo "error: image ${{ github.actor }}/$IMG:${{ env.PR_TAG }} contains world-writable files:" >&2
+              printf "%s\n" "$files" >&2
+              exit 1
+            fi
+          done
+
diff --git a/.github/workflows/build-domjudge-container-release.yml b/.github/workflows/build-domjudge-container-release.yml
@@ -0,0 +1,65 @@
+name: 'Build domjudge container (Release)'
+
+on:
+  push:
+  pull_request_target:
+    branches:
+      - main
+
+env:
+  DOMJUDGE_VERSION: M.m.p
+  DOMJUDGE_LATEST: true
+
+jobs:
+  release-domjudge:
+    if: ${{ github.repository == 'domjudge/domjudge-packaging' && github.ref == 'main' }} 
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_TOKEN }}
+
+      - name: If needed overwrite the DOMJUDGE_VERSION for this run
+        run: |
+          if [ ${{ env.DOMJUDGE_VERSION }} != "M.m.p" ]; then
+            exit 0
+          fi
+          if [ ${{ env.DOMJUDGE_LATEST }} == "false" ]; then
+            echo "I don't know which version to pick!"
+            exit 1
+          fi
+          apk add jq curl
+          set -x
+            HUBURL="https://registry.hub.docker.com/v2/repositories/domjudge/domserver/tags"
+            TAG=$(curl $HUBURL|jq '.results | sort_by(.name) | .[length-2].name')
+            DJ_TAG=${TAG//\"}
+          set +x
+          echo "DOMJUDGE_VERSION=$DJ_TAG" >> $GITHUB_ENV
+
+      - name: Build the container
+        run: |
+          cd docker
+          set -x
+          sh ./build.sh "${{ env.DOMJUDGE_VERSION }}"
+          set +x
+
+      - name: Build and push
+        run: |
+          for IMG in domserver judgehost default-judgehost-chroot; do
+            docker push domjudge/$IMG:${{ env.DOMJUDGE_VERSION }}
+            if [ ${{ env.DOMJUDGE_LATEST }} = "true" ]; then
+              docker tag domjudge/$IMG:${{ env.DOMJUDGE_VERSION }} domjudge/$IMG:latest
+              docker push domjudge/$IMG:latest
+            fi
+          done
diff --git a/docker/build.sh b/docker/build.sh
@@ -6,14 +6,20 @@ then
 	export PS4='(${0}:${LINENO}): - [$?] $ '
 fi
 
-if [ "$#" -ne 1 ]
+if [ "$#" -eq 0 ] || [ "$#" -gt 2 ]
 then
-	echo "Usage: $0 domjudge-version"
+	echo "Usage: $0 domjudge-version <namespace>"
 	echo "	For example: $0 5.3.0"
+	echo "	or: $0 5.3.0 otherNamespace"
 	exit 1
 fi
 
 VERSION="$1"
+NAMESPACE="domjudge"
+if [ -n "${2+x}" ]
+then
+	NAMESPACE="$2"
+fi
 
 URL=https://www.domjudge.org/releases/domjudge-${VERSION}.tar.gz
 FILE=domjudge.tar.gz
@@ -29,22 +35,22 @@ fi
 echo "[ok] DOMjudge version ${VERSION} downloaded as domjudge.tar.gz"; echo
 
 echo "[..] Building Docker image for domserver..."
-./build-domjudge.sh "domjudge/domserver:${VERSION}"
+./build-domjudge.sh "${NAMESPACE}/domserver:${VERSION}"
 echo "[ok] Done building Docker image for domserver"
 
 echo "[..] Building Docker image for judgehost using intermediate build image..."
-./build-judgehost.sh "domjudge/judgehost:${VERSION}"
+./build-judgehost.sh "${NAMESPACE}/judgehost:${VERSION}"
 echo "[ok] Done building Docker image for judgehost"
 
 echo "[..] Building Docker image for judgehost chroot..."
-docker build -t "domjudge/default-judgehost-chroot:${VERSION}" -f judgehost/Dockerfile.chroot .
+docker build -t "${NAMESPACE}/default-judgehost-chroot:${VERSION}" -f judgehost/Dockerfile.chroot .
 echo "[ok] Done building Docker image for judgehost chroot"
 
-echo "All done. Image domjudge/domserver:${VERSION} and domjudge/judgehost:${VERSION} created"
+echo "All done. Image ${NAMESPACE}/domserver:${VERSION} and ${NAMESPACE}/judgehost:${VERSION} created"
 echo "If you are a DOMjudge maintainer with access to the domjudge organization on Docker Hub, you can now run the following command to push them to Docker Hub:"
-echo "$ docker push domjudge/domserver:${VERSION} && docker push domjudge/judgehost:${VERSION} && docker push domjudge/default-judgehost-chroot:${VERSION}"
+echo "$ docker push ${NAMESPACE}/domserver:${VERSION} && docker push ${NAMESPACE}/judgehost:${VERSION} && docker push $NAMESPACE}/default-judgehost-chroot:${VERSION}"
 echo "If this is the latest release, also run the following command:"
-echo "$ docker tag domjudge/domserver:${VERSION} domjudge/domserver:latest && \
-docker tag domjudge/judgehost:${VERSION} domjudge/judgehost:latest && \
-docker tag domjudge/default-judgehost-chroot:${VERSION} domjudge/default-judgehost-chroot:latest && \
-docker push domjudge/domserver:latest && docker push domjudge/judgehost:latest && docker push domjudge/default-judgehost-chroot:latest"
+echo "$ docker tag ${NAMESPACE}/domserver:${VERSION} ${NAMESPACE}/domserver:latest && \
+docker tag ${NAMESPACE}/judgehost:${VERSION} ${NAMESPACE}/judgehost:latest && \
+docker tag ${NAMESPACE}/default-judgehost-chroot:${VERSION} ${NAMESPACE}/default-judgehost-chroot:latest && \
+docker push ${NAMESPACE}/domserver:latest && docker push ${NAMESPACE}/judgehost:latest && docker push ${NAMESPACE}/default-judgehost-chroot:latest"
