release-ghcr.yaml
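# Copies the Hydra-built dmq-node container image from the Nix cache to
# ghcr.io, assembles the per-tag manifest and, when the tag matches
# LATEST_TAG, re-points :latest at it.
#
# NOTE(review): the third-party actions used below are referenced by mutable
# tags (@v31, @v3). Pinning each one to a full commit SHA keeps a retagged
# action from running inside jobs that hold `packages: write`.
name: Upload to ghcr.io

on:
  push:
    tags:
      - '**'
  # GITHUB_SHA: Last commit in the tagged release
  # GITHUB_REF: Tag ref of release refs/tags/<tag_name>
  release:
    types:
      - published
  # GITHUB_SHA: Last commit on the GITHUB_REF branch or tag
  # GITHUB_REF: Branch or tag that received dispatch
  workflow_dispatch: {}

# Default token scope for every job. Only the two jobs that push to the
# registry widen it with `packages: write`.
permissions:
  contents: read

env:
  # Only to avoid some repetition.
  # The ref name is whatever tag was pushed, so run scripts read this value
  # as the shell variable "$FLAKE_REF" instead of splicing the expression
  # into the script text.
  FLAKE_REF: github:${{ github.repository }}/${{ github.ref_name }}

jobs:
  wait-for-hydra:
    name: "Wait for hydra check-runs"
    runs-on: ubuntu-latest
    steps:
      - name: Waiting for ci/hydra-build:x86_64-linux.required to complete
        env:
          # Only this step calls `gh`, so the token is scoped to it rather
          # than exported to every step of every job.
          GH_TOKEN: ${{ github.token }}
        run: |
          # Poll the check run every 30s. An empty result is treated as
          # "still pending"; any output other than exactly "success"
          # (including several lines when more than one check run matches)
          # fails the job.
          while true; do
            check_name='ci/hydra-build:x86_64-linux.required'
            conclusion=$(gh api "repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/check-runs?check_name=$check_name" --paginate --jq '.check_runs[].conclusion')
            case "$conclusion" in
              success)
                echo "$check_name succeeded"
                exit 0;;
              '')
                echo "$check_name pending. Waiting 30s..."
                sleep 30;;
              *)
                echo "$check_name terminated unsuccessfully"
                exit 1;;
            esac
          done

  prepare:
    needs: [wait-for-hydra]
    name: "Prepare metadata"
    runs-on: ubuntu-latest
    outputs:
      LATEST_TAG: ${{ steps.latest-tag.outputs.LATEST_TAG }}
      LOCKED_URL: ${{ steps.flake-metadata.outputs.LOCKED_URL }}
    steps:
      - name: Install Nix
        uses: cachix/install-nix-action@v31
      - name: Display flake metadata
        id: flake-metadata
        run: |
          # First call prints the metadata to the log; the second exports the
          # locked flake URL so later jobs build exactly that revision.
          nix flake metadata "$FLAKE_REF"
          nix flake metadata "$FLAKE_REF" --json | jq -r '"LOCKED_URL=\(.url)"' >> "$GITHUB_OUTPUT"
      - name: Obtaining latest release tag
        id: latest-tag
        # NOTE(review): the value is hard-coded and never written to
        # $GITHUB_OUTPUT, so the job output LATEST_TAG is empty and the
        # "Tag Containers as :latest" condition cannot match. Left as-is
        # because enabling :latest promotion should be a deliberate decision.
        # Re-enabling the `gh api` line also requires GH_TOKEN in this
        # step's env.
        run: |
          LATEST_TAG=0.2.0.0
          # LATEST_TAG=$(gh api repos/$GITHUB_REPOSITORY/releases/latest --paginate --jq '.tag_name')
          # echo "LATEST_TAG=$LATEST_TAG" >> "$GITHUB_OUTPUT"
          # echo "Latest release tag is: $LATEST_TAG"

  build:
    needs: [prepare]
    name: "Upload to ghcr.io"
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        arch:
          - name: amd64
            system: x86_64-linux
        image:
          - name: dmq-node
            nix_key: docker-dmq
    steps:
      - name: Install Nix
        uses: cachix/install-nix-action@v31
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # NOTE We assume that hydra has already built the image, this is
      # reasonable since, before applying the tag, we must have already
      # pushed the tagged commit somewhere, and Hydra will have had the
      # chance to build the image.
      - name: Uploading ${{ matrix.image.name }} (${{ matrix.arch.name }})
        env:
          # Passed through the environment so the URL is never expanded into
          # the script text. The matrix values still interpolated below are
          # constants defined in this file.
          LOCKED_URL: ${{ needs.prepare.outputs.LOCKED_URL }}
        run: |
          echo "::group::Downloading from cache"
          # --builders "" with --max-jobs 0 forbids building here, so the
          # image must come from a substituter. --accept-flake-config trusts
          # the nixConfig declared by the flake at the locked revision.
          nix build \
            --accept-flake-config \
            --print-out-paths \
            --builders "" \
            --max-jobs 0 \
            --out-link ./result-${{ matrix.image.name }}-${{ matrix.arch.name }} \
            "$LOCKED_URL#packages.${{ matrix.arch.system }}.${{ matrix.image.nix_key }}"
          echo "::endgroup::"
          echo "::group::Uploading to registry"
          skopeo copy \
            docker-archive:./result-${{ matrix.image.name }}-${{ matrix.arch.name }} \
            "docker://ghcr.io/intersectmbo/${{ matrix.image.name }}:$GITHUB_REF_NAME-${{ matrix.arch.name }}"
          echo "::endgroup::"

  create-manifest:
    needs: [prepare, build]
    name: "Create Multi-Arch Manifest"
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Install Nix
        uses: cachix/install-nix-action@v31
      # Regctl simplifies obtaining multi-arch digests
      - name: Install Nix Profile Commands
        run: nix profile install nixpkgs#regctl
      # The docker buildx action has a tight coupling with GH runners
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Show buildx configuration
        run: docker buildx ls
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Create Manifests
        run: |
          REPOS=(dmq-node)
          ARCHES=(amd64)
          for REPO in "${REPOS[@]}"; do
            IMAGE_REPO="ghcr.io/intersectmbo/$REPO"
            DIGESTS=()
            echo "::group::Fetching digests for $REPO"
            for ARCH in "${ARCHES[@]}"; do
              # Reference each per-arch image by digest, not by tag, so the
              # manifest is built from exactly what was inspected here.
              DIGEST=$(skopeo inspect --no-tags "docker://$IMAGE_REPO:$GITHUB_REF_NAME-$ARCH" | jq -r .Digest)
              echo "$REPO $ARCH digest: $DIGEST"
              DIGESTS+=("$IMAGE_REPO@$DIGEST")
            done
            echo "::endgroup::"
            echo "::group::Creating manifest for $REPO:$GITHUB_REF_NAME"
            docker buildx imagetools create --tag "$IMAGE_REPO:$GITHUB_REF_NAME" "${DIGESTS[@]}"
            echo "::endgroup::"
          done
      - name: Verify multi-arch manifests
        run: |
          # Inspect the same repositories that "Create Manifests" publishes;
          # checking any other repository would not verify this release.
          REPOS=(dmq-node)
          for REPO in "${REPOS[@]}"; do
            IMAGE_REPO="ghcr.io/intersectmbo/$REPO"
            echo "::group::Inspecting $REPO:$GITHUB_REF_NAME"
            DIGEST=$(regctl manifest head "$IMAGE_REPO:$GITHUB_REF_NAME")
            echo "$REPO multi-arch manifest digest: $DIGEST"
            skopeo inspect --raw "docker://$IMAGE_REPO:$GITHUB_REF_NAME" | jq
            echo "::endgroup::"
          done
      - name: Tag Containers as :latest
        # Github releases are checked for latest tag in the first `or` operand of
        # the if statement. However, promoted pre-releases or changed full
        # releases do not count as a `published` event and so won't trigger
        # this workflow. For those use cases a manual workflow must be run
        # from the matching release tag which the second `or` operand checks
        # for.
        if: |
          (github.event_name == 'release' && github.event.release.tag_name == needs.prepare.outputs.LATEST_TAG) ||
          (github.event_name == 'workflow_dispatch' && github.ref == format('refs/tags/{0}', needs.prepare.outputs.LATEST_TAG))
        run: |
          REPOS=(dmq-node)
          for REPO in "${REPOS[@]}"; do
            IMAGE_REPO="ghcr.io/intersectmbo/$REPO"
            # :latest is pointed at the digest of the tagged manifest.
            DIGEST=$(regctl manifest head "$IMAGE_REPO:$GITHUB_REF_NAME")
            echo "::group::Creating manifest for $IMAGE_REPO:latest"
            docker buildx imagetools create --tag "$IMAGE_REPO:latest" "$IMAGE_REPO@$DIGEST"
            echo "::endgroup::"
          done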