docker images

Author: crocodile-dentist

.github/workflows/release-ghcr.yaml

@@ -0,0 +1,208 @@
+name: Upload to ghcr.io
+
+on:
+  push:
+    tags:
+      - '**'
+  # GITHUB_SHA: Last commit in the tagged release
+  # GITHUB_REF: Tag ref of release refs/tags/<tag_name>
+  release:
+    types:
+      - published
+  # GITHUB_SHA: Last commit on the GITHUB_REF branch or tag
+  # GITHUB_REF: Branch or tag that received dispatch
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  # Only to avoid some repetition
+  FLAKE_REF: github:${{ github.repository }}/${{ github.ref_name }}
+  GH_TOKEN: ${{ github.token }}
+
+jobs:
+  wait-for-hydra:
+    name: "Wait for hydra check-runs"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Waiting for ci/hydra-build:x86_64-linux.required to complete
+        run: |
+          while [[ true ]]; do
+            check_name='ci/hydra-build:x86_64-linux.required'
+            conclusion=$(gh api "repos/$GITHUB_REPOSITORY/commits/$GITHUB_SHA/check-runs?check_name=$check_name" --paginate --jq '.check_runs[].conclusion')
+            case "$conclusion" in
+              success)
+                echo "$check_name succeeded"
+                exit 0;;
+              '')
+                echo "$check_name pending. Waiting 30s..."
+                sleep 30;;
+              *)
+                echo "$check_name terminated unsuccessfully"
+                exit 1;;
+            esac
+          done
+
+
+  prepare:
+    needs: [wait-for-hydra]
+    name: "Prepare metadata"
+    runs-on: ubuntu-latest
+    outputs:
+      LATEST_TAG: ${{ steps.latest-tag.outputs.LATEST_TAG }}
+      LOCKED_URL: ${{ steps.flake-metadata.outputs.LOCKED_URL }}
+
+    steps:
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+
+      - name: Display flake metadata
+        id: flake-metadata
+        run: |
+          nix flake metadata ${{ env.FLAKE_REF }}
+          nix flake metadata ${{ env.FLAKE_REF }} --json | jq -r '"LOCKED_URL=\(.url)"' >> "$GITHUB_OUTPUT"
+
+      - name: Obtaining latest release tag
+        id: latest-tag
+        run: |
+          LATEST_TAG=$(gh api repos/$GITHUB_REPOSITORY/releases/latest --paginate --jq '.tag_name')
+          echo "LATEST_TAG=$LATEST_TAG" >> "$GITHUB_OUTPUT"
+          echo "Latest release tag is: $LATEST_TAG"
+
+
+  build:
+    needs: [prepare]
+    name: "Upload to ghcr.io"
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch:
+          - name: amd64
+            system: x86_64-linux
+          - name: arm64
+            system: aarch64-linux
+        image:
+          - name: dmq-node
+            nix_key: docker-hydra
+
+    steps:
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # NOTE We assume that hydra has already built the image, this is
+      # reasonable since, before applying the tag, we must have already
+      # pushed the tagged commit somewhere, and Hydra will have had the
+      # change to build the image.
+
+      - name: Uploading ${{ matrix.image.name }} (${{ matrix.arch.name }})
+        run: |
+          echo "::group::Downloading from cache"
+          nix build \
+            --accept-flake-config \
+            --print-out-paths \
+            --builders "" \
+            --max-jobs 0 \
+            --out-link ./result-${{ matrix.image.name }}-${{ matrix.arch.name }} \
+            ${{ needs.prepare.outputs.LOCKED_URL }}#packages.${{ matrix.arch.system }}.${{ matrix.image.nix_key }}
+          echo "::endgroup::"
+
+          echo "::group::Uploading to registry"
+          skopeo copy \
+            docker-archive:./result-${{ matrix.image.name }}-${{ matrix.arch.name }} \
+            docker://ghcr.io/intersectmbo/${{ matrix.image.name }}:$GITHUB_REF_NAME-${{ matrix.arch.name }}
+          echo "::endgroup::"
+
+
+  create-manifest:
+    needs: [prepare, build]
+    name: "Create Multi-Arch Manifest"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+
+      # Regctl simplifies obtaining multi-arch digests
+      - name: Install Nix Profile Commands
+        run: nix profile install nixpkgs#regctl
+
+      # The docker buildx action has a tight coupling with GH runners
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Show buildx configuration
+        run: docker buildx ls
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create Manifests
+        run: |
+          REPOS=(cardano-node cardano-submit-api cardano-tracer)
+          ARCHES=(amd64 arm64)
+
+          for REPO in "${REPOS[@]}"; do
+            IMAGE_REPO="ghcr.io/intersectmbo/$REPO"
+            DIGESTS=()
+
+            echo "::group::Fetching digests for $REPO"
+            for ARCH in "${ARCHES[@]}"; do
+              DIGEST=$(skopeo inspect --no-tags "docker://$IMAGE_REPO:$GITHUB_REF_NAME-$ARCH" | jq -r .Digest)
+              echo "$REPO $ARCH digest: $DIGEST"
+              DIGESTS+=("$IMAGE_REPO@$DIGEST")
+            done
+            echo "::endgroup::"
+
+            echo "::group::Creating manifest for $REPO:$GITHUB_REF_NAME"
+            docker buildx imagetools create --tag "$IMAGE_REPO:$GITHUB_REF_NAME" "${DIGESTS[@]}"
+            echo "::endgroup::"
+          done
+
+      - name: Verify multi-arch manifests
+        run: |
+          for REPO in cardano-node cardano-submit-api cardano-tracer; do
+            IMAGE_REPO="ghcr.io/intersectmbo/$REPO"
+            echo "::group::Inspecting $REPO:$GITHUB_REF_NAME"
+
+            DIGEST=$(regctl manifest head "$IMAGE_REPO:$GITHUB_REF_NAME")
+            echo "$REPO multi-arch manifest digest: $DIGEST"
+            skopeo inspect --raw "docker://$IMAGE_REPO:$GITHUB_REF_NAME" | jq
+
+            echo "::endgroup::"
+          done
+
+      - name: Tag Containers as :latest
+        # Github releases are checked for latest tag in the first `or` operand of
+        # the if statement. However, promoted pre-releases or changed full
+        # releases do not count as a `published` event and so won't trigger
+        # this workflow.  For those use cases a manual workflow must be run
+        # from the matching release tag which the second `or` operand checks
+        # for.
+        if: |
+          (github.event_name == 'release' && github.event.release.tag_name == needs.prepare.outputs.LATEST_TAG) ||
+          (github.event_name == 'workflow_dispatch' && github.ref == format('refs/tags/{0}', needs.prepare.outputs.LATEST_TAG))
+        run: |
+          REPOS=(cardano-node cardano-submit-api cardano-tracer)
+
+          for REPO in "${REPOS[@]}"; do
+            IMAGE_REPO="ghcr.io/intersectmbo/$REPO"
+            DIGEST=$(regctl manifest head "$IMAGE_REPO:$GITHUB_REF_NAME")
+
+            echo "::group::Creating manifest for $IMAGE_REPO:latest"
+            docker buildx imagetools create --tag "$IMAGE_REPO:latest" "$IMAGE_REPO@$DIGEST"
+            echo "::endgroup::"
+          done

nix/outputs.nix

@@ -24,6 +24,21 @@ let
       # (inputs.self.rev or inputs.self.dirtyShortRev)
       project.projectCross.musl64.hsPkgs.dmq-node.components.exes.dmq-node;
     default = dmq-node;
+    docker-dmq = pkgs.dockerTools.buildImage {
+      name = "docker-dmq";
+      tag = "latest";
+      created = "now";
+      copyToRoot = pkgs.buildEnv {
+        name = "dmq-env";
+        paths = [
+          pkgs.busybox
+          pkgs.dockerTools.caCertificates
+        ];
+      };
+      config = {
+        Entrypoint = [ "${packages.dmq-node-static}/bin/dmq-node-static" ];
+      };
+    };
   };
 
   app = {