#369 Use Git SHA as unique Docker tag

Building a multi-platform Docker image only works in cooperation with
a remote registry, which implies a push. The image is not directly
available in the local image store. A pull is necessary to make it
locally available.
For the GitHub Action test it was necessary to use the Git SHA as unique
identifier for the system to be tested (its testing the Docker image
which is used as GitHub action). Other identifiers provided no clear
distinction as there could be other/older images with the same tag
in the remote registry.

Author: ascheman

.github/workflows/build-artifacts.yml

@@ -6,6 +6,10 @@ on:
         required: true
         type: string
         default: '17'
+      push-docker-sha:
+        required: false
+        type: boolean
+        default: false
       run-sonar:
         required: false
         type: boolean
@@ -21,6 +25,9 @@ env:
 
 jobs:
   build:
+    env:
+      DOCKER_USERNAME: ${{ github.repository_owner }}
+      DOCKER_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
     runs-on: ubuntu-latest
     steps:
       - name: Check out
@@ -57,6 +64,14 @@ jobs:
       - name: Execute Gradle build
         run: ./gradlew clean check integrationTest build --scan --stacktrace
 
+      - name: Push Docker with Git SHA as tag for subsequent tests
+        if: ${{ inputs.push-docker-sha }}
+        run: |
+          ./gradlew dockerPush -Ddocker.image.additional.tags=${{ github.sha }}
+          docker pull "ghcr.io/aim42/hsc:${{ github.sha }}"
+          echo "Docker Images:"
+          docker images
+
       - name: Cache SonarCloud packages
         uses: actions/cache@v4
         if: ${{ inputs.run-sonar }}
@@ -82,6 +97,8 @@ jobs:
       - name: Collect state upon failure
         if: failure()
         run: |
+          echo "Docker Images:"
+          docker images
           echo "Git:"
           git status
           echo "Env:"

.github/workflows/gradle-build.yml

@@ -15,11 +15,15 @@ on:
 
 jobs:
   build-artifacts:
+    permissions:
+      packages: write
+      contents: read
     uses: ./.github/workflows/build-artifacts.yml
     with:
       # SonarQube requires JDK 17 or higher
       java-version: '17'
       run-sonar: ${{ github.repository == 'aim42/htmlSanityCheck' }}
+      push-docker-sha: true
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
@@ -33,9 +37,11 @@ jobs:
 
       - name: Prepare Docker image for test
         run: |
-          tag=$(git branch --show-current | tr '/' '-')
-          docker pull ghcr.io/aim42/hsc:${tag}
-          docker tag ghcr.io/aim42/hsc:${tag} ghcr.io/aim42/hsc:v2
+          tag="${{ github.sha }}"
+          docker pull "ghcr.io/aim42/hsc:${tag}"
+          echo "Docker Images:"
+          docker images
+          docker tag "ghcr.io/aim42/hsc:${tag}" ghcr.io/aim42/hsc:v2
 
       - name: Download Artifacts
         uses: actions/download-artifact@v5
@@ -65,6 +71,8 @@ jobs:
       - name: Collect state upon failure
         if: failure()
         run: |
+          echo "Docker Images:"
+          docker images
           echo "Git:"
           git status
           echo "Env:"
@@ -162,6 +170,8 @@ jobs:
       - name: Collect state upon failure
         if: failure()
         run: |
+          echo "Docker Images:"
+          docker images
           echo "Maven Repo:"
           (cd $HOME && find .m2 -ls)
           echo "Git:"
@@ -172,4 +182,4 @@ jobs:
           pwd
           echo "Files:"
           find * -ls
-          ./gradlew javaToolchains
+          ./gradlew javaToolchains

htmlSanityCheck-cli/build.gradle

@@ -62,6 +62,8 @@ docker {
 }
 
 tasks.register('dockerBuildLocal', com.fussionlabs.gradle.docker.tasks.DockerBuildx) {
+    def tag = "${'git branch --show-current'.execute().text.trim().replaceAll('/', '-')}"
+    logger.quiet("Using tag '${tag}' for dockerBuildLocal")
     loadImage = true
     pushImage = false