Lock file maintenance (#278) #226

Workflow file for this run

.github/workflows/ci-pipeline.yml at 2c9af86

	name: CI Pipeline

	# This workflow build and run tests inside the dev container
	# only after the pull request is merged to main branch.
	# Once tests are successful it builds and pushes the
	# smaller size production image with multiarch suppport.

	on:
	push:
	branches: [ "main" ]
	####### Uncomment this to test the CI pipeline in a PR
	####### You'll also need to comment the rules containing {{branch}}
	####### in the `Extract Docker metadata` step
	# pull_request:
	# branches: [ "main" ]

	env:
	# Use docker.io for Docker Hub if empty
	REGISTRY: ghcr.io
	# github.repository as <account>/<repo>
	REGISTRY_PATH: ${{ github.repository }}
	TEST_TAG: user/app:test

	jobs:
	test:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write
	steps:
	# GitHub gives only repository complete in <owner>/<repo> format.
	# Need some manual shenanigans
	# Set IMAGE_NAME so we can push to <owner>/<repo>/<image>
	# Transform os/arch to os-arch for suffix target
	- name: Set ENV variables
	run: \|
	echo "IMAGE_NAME=${GITHUB_REPOSITORY#$GITHUB_REPOSITORY_OWNER/}" >> $GITHUB_ENV

	- name: Checkout repository
	uses: actions/checkout@v4

	# Login against a Docker registry
	# https://github.com/docker/login-action
	- name: Log into registry ${{ env.REGISTRY }}
	uses: docker/[email protected]
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	# This might be unnecessary as tests are not
	# multiplatform
	- name: Setup Docker buildx
	uses: docker/[email protected]

	- name: Extract Docker cache metadata
	id: meta-cache
	uses: docker/[email protected]
	with:
	# list of Docker images to use as base name for tags
	# <registry/<owner>/<repo_name>/<repo_name>-<target>
	images: \|
	${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/${{ env.IMAGE_NAME }}-cache
	tags: \|
	type=raw,value=tests

	# Build but don't push Docker image with Buildx
	# https://github.com/docker/build-push-action
	- name: Build test image
	id: build-test
	uses: docker/[email protected]
	with:
	context: .
	load: true
	target: dev
	tags: ${{ env.TEST_TAG }}
	cache-from: type=registry,ref=${{ steps.meta-cache.outputs.tags }}
	cache-to: type=registry,ref=${{ steps.meta-cache.outputs.tags }},mode=max

	# This is a barrier check to make sure we push a functional
	# docker image, we can avoid linting
	- name: Run tests in the test image
	run: \|
	docker run --rm ${{ env.TEST_TAG }} make ci-test

	# Inspired to https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
	build-arch:
	runs-on: ${{ matrix.arch.runner }}
	needs: test
	permissions:
	contents: read
	packages: write
	# This is used to complete the identity challenge
	# with sigstore/fulcio when running outside of PRs.
	id-token: write
	strategy:
	matrix:
	arch:
	- platform: linux/amd64
	runner: ubuntu-latest
	- platform: linux/arm64
	# There is no latest for ARM yet
	# https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources
	runner: ubuntu-24.04-arm
	docker_target:
	- migrations
	- http
	- socketio
	- dramatiq
	steps:
	# GitHub gives only repository complete in <owner>/<repo> format.
	# Need some manual shenanigans
	# Set IMAGE_NAME so we can push to <owner>/<repo>/<image>
	# Transform os/arch to os-arch for suffix target
	- name: Set ENV variables
	run: \|
	image_name=${GITHUB_REPOSITORY#$GITHUB_REPOSITORY_OWNER/}
	echo "IMAGE_NAME=$image_name" >> $GITHUB_ENV
	platform=${{ matrix.arch.platform }}
	echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
	image_without_tag=${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/$image_name-${{ matrix.docker_target }}
	echo "FULL_IMAGE_WITHOUT_TAG=$(echo $image_without_tag \| tr '[A-Z]' '[a-z]')" >> $GITHUB_ENV

	- name: Checkout repository
	uses: actions/checkout@v4

	# Install the cosign tool
	# https://github.com/sigstore/cosign-installer
	- name: Install cosign
	uses: sigstore/[email protected]

	- name: Setup Docker buildx
	uses: docker/[email protected]

	# Login against a Docker registry
	# https://github.com/docker/login-action
	- name: Log into registry ${{ env.REGISTRY }}
	uses: docker/[email protected]
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	# We extract metadata without tags for single image
	- name: Extract Docker metadata
	id: meta
	uses: docker/[email protected]
	with:
	# list of Docker images to use as base name for tags
	# <registry/<owner>/<repo_name>/<repo_name>-<target>
	images: \|
	${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/${{ env.IMAGE_NAME }}-${{ matrix.docker_target }}

	- name: Extract Docker cache metadata
	id: meta-cache
	uses: docker/[email protected]
	with:
	# list of Docker images to use as base name for tags
	# <registry/<owner>/<repo_name>/<repo_name>-<target>
	images: \|
	${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/${{ env.IMAGE_NAME }}-cache
	tags: \|
	type=raw,value=buildcache-${{ matrix.docker_target }}-${{ env.PLATFORM_PAIR }}

	# This build an image WITHOUT tags and outputs the digests, so that we can aggragate them later
	- name: Build and push production image
	id: build-and-push
	uses: docker/[email protected]
	with:
	context: .
	target: ${{ matrix.docker_target }}
	platforms: ${{ matrix.arch.platform }}
	outputs: type=image,push-by-digest=true,name-canonical=true,push=true
	tags: ${{ env.FULL_IMAGE_WITHOUT_TAG }}
	labels: ${{ steps.meta.outputs.labels }}
	cache-from: type=registry,ref=${{ steps.meta-cache.outputs.tags }}
	cache-to: type=registry,ref=${{ steps.meta-cache.outputs.tags }},mode=max

	- name: Export digest
	run: \|
	mkdir -p ${{ runner.temp }}/digests/${{ matrix.docker_target }}
	digest="${{ steps.build-and-push.outputs.digest }}"
	touch "${{ runner.temp }}/digests/${{ matrix.docker_target }}/${digest#sha256:}"

	- name: Upload digest
	uses: actions/upload-artifact@v4
	with:
	name: digests-${{ matrix.docker_target }}-${{ env.PLATFORM_PAIR }}
	path: ${{ runner.temp }}/digests/${{ matrix.docker_target }}/*
	if-no-files-found: error
	retention-days: 1


	aggregate-manifests:
	runs-on: ubuntu-latest
	needs: build-arch
	permissions:
	contents: read
	packages: write
	# This is used to complete the identity challenge
	# with sigstore/fulcio when running outside of PRs.
	id-token: write
	strategy:
	matrix:
	docker_target:
	- migrations
	- http
	- socketio
	- dramatiq

	steps:
	# GitHub gives only repository complete in <owner>/<repo> format.
	# Need some manual sheanigans
	# Set IMAGE_NAME so we can push to <owner>/<repo>/<image>
	- name: Set ENV variables
	run: \|
	image_name=${GITHUB_REPOSITORY#$GITHUB_REPOSITORY_OWNER/}
	echo "IMAGE_NAME=$image_name" >> $GITHUB_ENV
	image_without_tag=${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/$image_name-${{ matrix.docker_target }}
	echo "FULL_IMAGE_WITHOUT_TAG=$(echo $image_without_tag \| tr '[A-Z]' '[a-z]')" >> $GITHUB_ENV

	- name: Download digests
	uses: actions/download-artifact@v4
	with:
	path: ${{ runner.temp }}/digests/${{ matrix.docker_target }}
	pattern: digests-${{ matrix.docker_target }}-*
	merge-multiple: true

	# Install the cosign tool
	# https://github.com/sigstore/cosign-installer
	- name: Install cosign
	uses: sigstore/[email protected]

	- name: Setup Docker buildx
	uses: docker/[email protected]

	# Login against a Docker registry
	# https://github.com/docker/login-action
	- name: Log into registry ${{ env.REGISTRY }}
	uses: docker/[email protected]
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	# Extract metadata (tags, labels) for Docker
	# https://github.com/docker/metadata-action
	- name: Extract Docker metadata
	id: meta
	uses: docker/[email protected]
	with:
	# list of Docker images to use as base name for tags
	# <registry/<owner>/<repo_name>/<repo_name>-<target>
	images: \|
	${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/${{ env.IMAGE_NAME }}-${{ matrix.docker_target }}
	# generate Docker tags based on the following events/attributes
	tags: \|
	type=sha
	type=raw,value={{branch}}-latest
	type=raw,value={{branch}}-{{date 'YYYYMMDDHHmmss'}}

	- name: Create manifest list and push
	working-directory: ${{ runner.temp }}/digests/${{ matrix.docker_target }}
	run: \|
	docker buildx imagetools create $(jq -cr '.tags \| map("-t " + .) \| join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
	$(printf '${{ env.FULL_IMAGE_WITHOUT_TAG }}@sha256:%s ' *)

	- name: Inspect image
	run: \|
	docker buildx imagetools inspect ${{ env.FULL_IMAGE_WITHOUT_TAG }}:${{ steps.meta.outputs.version }}

	#TODO: Implement signature using generated key: https://docs.sigstore.dev/signing/quickstart/#signing-with-a-generated-key

	# Sign the resulting Docker image digest except on PRs.
	# This will only write to the public Rekor transparency log when the Docker
	# repository is public to avoid leaking data. If you would like to publish
	# transparency data even for private images, pass --force to cosign below.
	# https://github.com/sigstore/cosign
	- name: Sign the published Docker image using GitHub OIDC Token
	env:
	# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
	TAGS: ${{ steps.meta.outputs.tags }}
	# This step uses the identity token to provision an ephemeral certificate
	# against the sigstore community Fulcio instance.
	run: \|
	images=""
	for tag in ${TAGS}; do
	images+="${tag}@$(docker buildx imagetools inspect --format '{{json .Manifest.Digest}}' ${tag} \| xargs) "
	done
	cosign sign --yes ${images}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Lock file maintenance (#278) #226

Workflow file

Lock file maintenance (#278) #226

Uh oh!

Jobs

Run details

Workflow file for this run