Merge pull request #215 from NERSC/ci-build

[#214] add ci

Author: swelborn

.github/workflows/bake.yml

@@ -0,0 +1,213 @@
+name: Docker Bake Build and Push
+# This is mostly taken from
+# here: https://docs.docker.com/build/ci/github-actions/multi-platform/#with-bake
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io/nersc/interactem
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      tag: ${{ steps.meta.outputs.tag }}
+      services: ${{ steps.services.outputs.services }}
+      all-images: ${{ steps.services.outputs.all-images }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract metadata
+        id: meta
+        run: |
+          TAG=$(git rev-parse --short=6 HEAD)
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
+          echo "Generated tag: ${TAG}"
+
+      - name: Define services
+        id: services
+        run: |
+          # Extract services from the prod group in docker-bake.hcl
+          SERVICES=$(docker buildx bake prod --print | jq -cr '[.group.prod.targets[]]')
+          echo "Services found: ${SERVICES}"
+          echo "services=${SERVICES}" >> $GITHUB_OUTPUT
+          
+          # Create combined list including base image for merge-manifests
+          ALL_IMAGES=$(echo ${SERVICES} | jq -c '. + ["interactem"]')
+          echo "All images (including base): ${ALL_IMAGES}"
+          echo "all-images=${ALL_IMAGES}" >> $GITHUB_OUTPUT
+        working-directory: ./docker
+
+  build-base:
+    needs: prepare
+    strategy:
+      matrix:
+        include:
+          - platform: amd64
+            runner: ubuntu-24.04
+            docker-platform: linux/amd64
+          - platform: arm64
+            runner: ubuntu-24.04-arm
+            docker-platform: linux/arm64
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_PAT }}
+
+      - name: Build and push base image by digest
+        id: bake
+        uses: docker/bake-action@v6
+        with:
+          source: .
+          files: ./docker/docker-bake.hcl
+          targets: base
+          set: |
+            *.platform=${{ matrix.docker-platform }}
+            ${{ github.event_name != 'pull_request' && '*.output=type=image,push-by-digest=true,name-canonical=true,push=true' || '' }}
+            *.tags=${{ env.REGISTRY }}/interactem
+        env:
+          TAG: ${{ needs.prepare.outputs.tag }}
+          CACHE_PLATFORM: ${{ matrix.platform }}
+
+      - name: Export digest
+        if: github.event_name != 'pull_request'
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ fromJSON(steps.bake.outputs.metadata).base['containerimage.digest'] }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        if: github.event_name != 'pull_request'
+        uses: actions/upload-artifact@v4
+        with:
+          name: interactem-digest-${{ matrix.platform }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  build-services:
+    needs: [prepare, build-base]
+    strategy:
+      matrix:
+        platform:
+          - { name: amd64, runner: ubuntu-24.04, docker: linux/amd64 }
+          - { name: arm64, runner: ubuntu-24.04-arm, docker: linux/arm64 }
+        service: ${{ fromJson(needs.prepare.outputs.services) }}
+    runs-on: ${{ matrix.platform.runner }}
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_PAT }}
+
+      - name: Build and push ${{ matrix.service }} by digest
+        id: bake
+        uses: docker/bake-action@v6
+        with:
+          source: .
+          files: ./docker/docker-bake.hcl
+          targets: ${{ matrix.service }}
+          set: |
+            *.platform=${{ matrix.platform.docker }}
+            ${{ github.event_name != 'pull_request' && '*.output=type=image,push-by-digest=true,name-canonical=true,push=true' || '' }}
+            *.tags=${{ env.REGISTRY }}/${{ matrix.service }}
+        env:
+          TAG: ${{ needs.prepare.outputs.tag }}
+          CACHE_PLATFORM: ${{ matrix.platform.name }}
+
+      - name: Export digest
+        if: github.event_name != 'pull_request'
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ fromJSON(steps.bake.outputs.metadata)[matrix.service]['containerimage.digest'] }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        if: github.event_name != 'pull_request'
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.service }}-digest-${{ matrix.platform.name }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge-manifests:
+    if: github.event_name != 'pull_request'
+    needs: [prepare, build-base, build-services]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        service: ${{ fromJson(needs.prepare.outputs.all-images) }}
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_PAT }}
+
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: ${{ matrix.service }}-digest-*
+          merge-multiple: true
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          # Create manifest
+          docker buildx imagetools create \
+            -t ${{ env.REGISTRY }}/${{ matrix.service }}:${{ needs.prepare.outputs.tag }} \
+            -t ${{ env.REGISTRY }}/${{ matrix.service }}:latest \
+            $(printf '${{ env.REGISTRY }}/${{ matrix.service }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ matrix.service }}:${{ needs.prepare.outputs.tag }}

docker-compose.yml

@@ -6,6 +6,8 @@ x-backend-base:
       args:
         INSTALL_DEV: ${INSTALL_DEV-false}
       dockerfile: ../docker/Dockerfile.fastapi
+      additional_contexts:
+        - interactem-base=docker-image://ghcr.io/nersc/interactem/interactem
     env_file:
       - .env
     environment:
@@ -141,6 +143,8 @@ services:
 
     build:
       context: backend/
+      additional_contexts:
+        - interactem-base=docker-image://ghcr.io/nersc/interactem/interactem
       dockerfile: ../docker/Dockerfile.orchestrator
 
 
@@ -180,6 +184,8 @@ services:
       - "${HOME}/.superfacility/key.pem:/key.pem"
     build: 
       context: backend/
+      additional_contexts:
+        - interactem-base=docker-image://ghcr.io/nersc/interactem/interactem
       dockerfile: ../docker/Dockerfile.launcher
 
   metrics:
@@ -202,6 +208,8 @@ services:
 
     build:
       context: backend/
+      additional_contexts:
+        - interactem-base=docker-image://ghcr.io/nersc/interactem/interactem
       dockerfile: ../docker/Dockerfile.metrics
 
   prometheus:

docker/Dockerfile.fastapi

@@ -1,4 +1,4 @@
-FROM ghcr.io/nersc/interactem/interactem:latest
+FROM interactem-base
 
 WORKDIR /interactem/app
 COPY ./app/pyproject.toml ./app/poetry.lock* ./

docker/Dockerfile.launcher

@@ -1,4 +1,4 @@
-FROM ghcr.io/nersc/interactem/interactem:latest
+FROM interactem-base
 
 COPY ./sfapi_models/ /interactem/sfapi_models/
 

docker/Dockerfile.metrics

@@ -1,4 +1,4 @@
-FROM ghcr.io/nersc/interactem/interactem:latest
+FROM interactem-base
 
 WORKDIR /interactem/metrics/
 

docker/Dockerfile.operator

@@ -1,4 +1,4 @@
-FROM ghcr.io/nersc/interactem/interactem:latest
+FROM interactem-base
 
 # --- Install interactem operators deps ---
 WORKDIR /interactem/operators

docker/Dockerfile.orchestrator

@@ -1,4 +1,4 @@
-FROM ghcr.io/nersc/interactem/interactem:latest
+FROM interactem-base
 
 WORKDIR /interactem/orchestrator/
 COPY ./orchestrator/README.md ./orchestrator/pyproject.toml ./orchestrator/poetry.lock* ./

docker/bake.sh

@@ -9,8 +9,9 @@ cd $ROOT_DIR
 
 # Build all images using Docker Bake
 echo "Building all images with tag $TAG..."
-TAG=${TAG} BUILDX_BAKE_ENTITLEMENTS_FS=0 $DOCKER buildx bake --file $ROOT_DIR/docker/docker-bake.hcl base
-TAG=${TAG} BUILDX_BAKE_ENTITLEMENTS_FS=0 $DOCKER buildx bake --file $ROOT_DIR/docker/docker-bake.hcl prod
+TAG=${TAG} BUILDX_BAKE_ENTITLEMENTS_FS=0 $DOCKER buildx bake \
+    --set *.cache-from="" --set *.cache-to="" \
+    --file $ROOT_DIR/docker/docker-bake.hcl prod
 
 if [ $? -ne 0 ]; then
     echo "Failed to build images"