diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml new file mode 100644 index 00000000000..fcee9859991 --- /dev/null +++ b/.github/workflows/docker-release.yml @@ -0,0 +1,48 @@ +name: (new) docker release + +on: + workflow_dispatch: + inputs: + image_version: + description: Docker Image version (base tag, i.e. v1.6.0-2) + required: true + crowdsec_version: + description: Crowdsec version (BUILD_VERSION) + required: true + latest: + description: Overwrite latest (and slim) tags? + default: false + required: true + push: + description: Really push? + default: false + required: true + +jobs: + alpine: + uses: ./.github/workflows/docker.yml + secrets: + DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} + DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} + with: + image_version: ${{ github.event.inputs.image_version }} + crowdsec_version: ${{ github.event.inputs.crowdsec_version }} + latest: ${{ github.event.inputs.latest == 'true' }} + push: ${{ github.event.inputs.push == 'true' }} + slim: true + debian: false + platforms: "[\"linux/amd64\", \"linux/386\", \"linux/arm64\", \"linux/arm/v7\", \"linux/arm/v6\"]" + + debian: + uses: ./.github/workflows/docker.yml + secrets: + DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} + DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} + with: + image_version: ${{ github.event.inputs.image_version }} + crowdsec_version: ${{ github.event.inputs.crowdsec_version }} + latest: ${{ github.event.inputs.latest == 'true' }} + push: ${{ github.event.inputs.push == 'true' }} + slim: false + debian: true + platforms: "[\"linux/amd64\", \"linux/386\", \"linux/arm64\"]" diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml new file mode 100644 index 00000000000..6d12bfd72c3 --- /dev/null +++ b/.github/workflows/docker.yml @@ -0,0 +1,165 @@ +name: (new) docker build/push + +on: + workflow_call: + secrets: + DOCKER_USERNAME: + required: true + DOCKER_PASSWORD: + required: true + inputs: + platforms: + required: true + type: string + image_version: + required: true + type: string + crowdsec_version: + required: true + type: string + latest: + required: true + type: boolean + push: + required: true + type: boolean + slim: + required: true + type: boolean + debian: + required: true + type: boolean + +env: + DOCKERHUB_IMAGE: ${{ secrets.DOCKER_USERNAME }}/crowdsec + GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/crowdsec + DIGESTS: digests-${{ inputs.debian && 'debian' || 'alpine' }} + +jobs: + build: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + platform: ${{fromJson(inputs.platforms)}} + + steps: + - + name: Prepare + id: prep + run: | + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + VERSION=${{ inputs.image_version }} + DEBIAN=${{ inputs.debian && '-debian' || '' }} + TAGS="${{ env.DOCKERHUB_IMAGE }}:${VERSION}${DEBIAN},${{ env.GHCR_IMAGE }}:${VERSION}${DEBIAN}" + if [[ ${{ inputs.latest }} == true ]]; then + TAGS=$TAGS,${{ env.DOCKERHUB_IMAGE }}:latest${DEBIAN},${{ env.GHCR_IMAGE }}:latest${DEBIAN} + fi + echo "tags=${TAGS}" >> $GITHUB_OUTPUT + echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT + - + name: Checkout + uses: actions/checkout@v4 + with: + # the "dev" image (master) needs the git tags + # for the crowdsec version number + fetch-depth: 0 + - + name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKERHUB_IMAGE }} + tags: ${{ steps.prep.outputs.tags }} + - + name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + config: .github/buildkit.toml + - + name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - + name: Build and push by digest + id: build + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile${{ inputs.debian && '.debian' || '' }} + platforms: ${{ matrix.platform }} + # tags: ${{ steps.prep.outputs.tags }} + outputs: type=image,name=${{ env.DOCKERHUB_IMAGE }},push-by-digest=true,name-canonical=true,push=true + labels: ${{ steps.meta.outputs.labels }} | + org.opencontainers.image.source=${{ github.event.repository.html_url }} + org.opencontainers.image.created=${{ steps.prep.outputs.created }} + org.opencontainers.image.revision=${{ github.sha }} + build-args: | + BUILD_VERSION=${{ inputs.crowdsec_version }} + - + name: Export digest + run: | + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + - + name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: ${{ env.DIGESTS }}-${{ env.PLATFORM_PAIR }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + merge: + runs-on: ubuntu-latest + if: ${{ inputs.push }} + needs: + - build + steps: + - + name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: ${{ env.DIGESTS }}-* + merge-multiple: true + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - + name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKERHUB_IMAGE }} + - + name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - + name: Create manifest list and push + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.DOCKERHUB_IMAGE }}@sha256:%s ' *) + - + name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.DOCKERHUB_IMAGE }}:${{ steps.meta.outputs.version }}