guides: docker build github actions primer

Signed-off-by: David Karlsson <[email protected]>

Author: dvdksn

content/guides/gha.md

@@ -0,0 +1,277 @@
+---
+title: An Introduction to CI with Docker and GitHub Actions
+linkTitle: Docker and GitHub Actions
+params:
+  tags: [devops]
+  time: 10 minutes
+---
+
+This guide provides an introduction to building CI pipelines using Docker and
+GitHub Actions. You'll learn how to automate Docker builds, run containerized
+tests, and optimize your workflows for enhanced security and efficiency.
+
+You will learn how to:
+
+- Use Docker's official GitHub Actions to test and build your application.
+- Run unit tests with multi-stage builds.
+- Extract metadata and automatically generate tags and annotations for your Docker images.
+- Configure your workflow to conditionally push images based on the event type (not pushing on pull requests).
+- Generate Software Bill of Materials (SBOM) and provenance attestations to enhance security and traceability.
+
+By the end of the guide, you'll have a simple, functional GitHub Actions
+configuration for Docker builds. Use it as-is, or extend it further to fit your
+needs.
+
+## Prerequisites
+
+If you want to follow along with the guide, ensure you have the following:
+
+- A Docker account.
+- Familiarity with Dockerfiles.
+- A GitHub repository with a Dockerized application.
+
+This guide assumes basic knowledge of Docker concepts but provides explanations
+for using Docker in GitHub Actions workflows.
+
+## Setting up your GitHub Actions workflow
+
+GitHub Actions workflows define a series of steps to automate tasks, such as
+building and pushing Docker images, in response to triggers like commits or
+pull requests. In this guide, the workflow focuses on automating Docker builds
+and testing, ensuring your containerized application works correctly before
+publishing it.
+
+Create a file named `docker-ci.yml` in the `.github/workflows/` directory of
+your repository. Start with the basic workflow configuration:
+
+```yaml
+name: Build and Push Docker Image
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+```
+
+This configuration runs the workflow on pushes to the main branch and on pull
+requests. By including both triggers, you can build and test your application
+on feature branches and ensure that only approved code is pushed to your
+container registry.
+
+## Run tests
+
+A key step in CI is validating your application. By integrating tests into your
+Docker image's build process, you ensure that the application behaves as
+expected in a containerized environment. This reduces the risk of errors caused
+by differences between development and production environments.
+
+You'll use the `docker/build-push-action` to run tests as part of the image
+build. This involves adding a test stage to your Dockerfile that runs tests
+during the build process. If the tests pass, the workflow proceeds to build the
+production image and push it to your container registry.
+
+### Using Docker Build to run tests
+
+Aside from producing images, Docker builds provide isolated environments for
+running tests. For an application's unit tests, it's best practice to define a
+build stage in your Dockerfile that lets you run your tests in a containerized
+environment with a `docker build` invocation, such as:
+
+```console
+$ docker build --target tests .
+```
+
+For example, consider the following Dockerfile:
+
+```dockerfile
+# builder installs dependencies and builds the app
+FROM node:lts-alpine AS builder
+WORKDIR /src
+COPY package*.json ./
+RUN npm ci
+COPY . .
+
+# test runs the unit tests
+FROM builder AS tests
+RUN npm test
+
+# production builds the final image
+FROM node:lts-alpine AS production
+WORKDIR /app
+COPY --from=builder /src .
+CMD ["npm", "start"]
+```
+
+In this Dockerfile:
+
+- The first stage, `builder`, installs dependencies and copies the app's source code.
+- The `tests` stage runs tests using the `npm test` command.
+- The `production` stage copies the application from the `builder` stage and
+  sets the command to start the application.
+
+### Run tests with GitHub Actions
+
+In your workflow file (`docker-ci.yml`), configure the job to build and test
+your image using the `docker/build-push-action` by adding the following job:
+
+```yaml
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Test the app
+        uses: docker/build-push-action@v6
+        with:
+          target: tests
+```
+
+This configuration assumes that your Dockerfile contains a stage named `tests`
+that executes your unit tests. The `docker/build-push-action` builds the
+`tests` stage, and if the tests fail during the build, the action fails, and
+the workflow stops.
+
+Since the action uses the Git context by default, you don't need to check out
+the repository explicitly. The `docker/build-push-action` [automatically detects](https://github.com/docker/build-push-action?tab=readme-ov-file#git-context)
+the Git reference of the GitHub Actions workflow and builds with that
+repository as its context.
+
+## Extract metadata for tags and annotations
+
+To automate the tagging and labeling of your Docker images, use the
+`docker/metadata-action`. This action extracts metadata from your Git
+repository, such as branch names and commit SHAs, and uses them to generate
+tags and labels for your images.
+
+Add the metadata action to your workflow:
+
+```yaml
+- name: Extract Docker image metadata
+  id: meta
+  uses: docker/metadata-action@v5
+  with:
+    images: my-dockerhub-user/my-image
+```
+
+> [!NOTE]
+> Replace `my-dockerhub-user/my-image` in the `images` field with your image
+> repository name.
+
+This step prepares the metadata for use in tagging and labeling your images
+during the build and push process.
+
+- The `images` input defines the image repository and name to use for tags and
+  annotations.
+- The `id` property assigns a referable ID for use in later steps to build with
+  the extracted metadata values.
+
+## Authenticate to your registry
+
+Before you build the image, you'll want to authenticate to your registry.
+Authentication is required to push your built image to the registry.
+
+To authenticate with Docker Hub, add the following step to your workflow.
+
+```yaml
+- name: Log in to Docker Hub
+  uses: docker/login-action@v3
+  with:
+    username: ${{ vars.DOCKER_USERNAME }}
+    password: ${{ secrets.DOCKER_PASSWORD }}
+```
+
+This assumes `DOCKER_USERNAME` is configured as a
+[variable](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables),
+and `DOCKER_PASSWORD` as a
+[secret](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions),
+in the GitHub repository, containing the username and password for your Docker
+account.
+
+## Build and push the image
+
+Finally, build the final production image and push it to your registry. This
+example also configures the action to generate SBOM and provenance
+[attestations](/manuals/build/metadata/attestations/_index.md) at this stage.
+SBOM (Software Bill of Materials) provides a detailed list of components
+included in your image, while provenance documents where, when, and how your
+image was built. Adding these attestations is a best practice for improving
+security and ensuring software supply chain integrity.
+
+```yaml
+- name: Build and push Docker image
+  uses: docker/build-push-action@v6
+  with:
+    push: ${{ github.event_name != 'pull_request' }}
+    tags: ${{ steps.meta.outputs.tags }}
+    labels: ${{ steps.meta.outputs.labels }}
+    provenance: true
+    sbom: true
+```
+
+In this configuration:
+
+- `push: ${{ github.event_name != 'pull_request' }}` ensures that images are
+  only pushed when the event is not a pull request. This way, the workflow
+  builds and tests images for pull requests but only pushes images for commits
+  to the main branch.
+- `provenance: true` and `sbom: true` enable the generation of provenance and
+  SBOM attestations, enhancing the security and traceability of your images.
+- `tags` and `labels` use the outputs from the metadata action to apply
+  consistent tagging and labeling.
+
+## Conclusion
+
+With all the steps outlined in the previous section, here's the full workflow
+configuration:
+
+```yaml
+name: Build and Push Docker Image
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Test the app
+        uses: docker/build-push-action@v6
+        with:
+          target: tests
+
+      - name: Extract Docker image metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: my-dockerhub-user/my-image
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          provenance: true
+          sbom: true
+```
+
+### Further reading
+
+- Learn more about advanced configurations and examples in the [Docker Build
+  GitHub Actions](/manuals/build/ci/github-actions/_index.md) section.
+- For more complex build setups, you may want to consider
+  [Bake](/manuals/build/bake/_index.md). (See also the
+  [Mastering Buildx Bake guide](/guides/bake/index.md).)
+- If your builds are slow or you're building multi-platform images, take a look
+  at [Docker Build Cloud](/guides/docker-build-cloud/_index.md), a managed
+  build service that easily integrates with both local and GitHub Actions
+  workflows.

content/manuals/build/ci/github-actions/_index.md

@@ -1,5 +1,5 @@
 ---
-title: Introduction to GitHub Actions
+title: Docker Build GitHub Actions
 linkTitle: GitHub Actions
 description: Docker maintains a set of official GitHub Actions for building Docker images.
 keywords: ci, github actions, gha,  build, introduction, tutorial