diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml index 18ed92e12..891eb1af4 100644 --- a/.github/workflows/image.yml +++ b/.github/workflows/image.yml @@ -42,6 +42,11 @@ jobs: build-image: needs: build-setup + permissions: + contents: read + packages: write # Required for GHCR + id-token: write # Required for Google Artifact Registry (GAR) + strategy: matrix: arch: ${{ fromJson(needs.build-setup.outputs.archs) }} 
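Review bot: `packages: write` and `id-token: write` are now granted at job scope on `build-image`, replacing the two dedicated assemble jobs the diff removes, so every step in the job — the artifact download, the `Prepare Docker Context` shell step and both third-party actions — can request the job's OIDC token and push to GHCR on every run in which the job executes, not only when `full_ci` is true. If the workflow also runs on pull requests (the trigger block is outside this hunk), consider keeping the GAR publish in a separate job that carries `id-token: write` alone, or at least record at the permissions block why job-wide scope is accepted, e.g. `# job-wide: getsentry/action-build-and-push-images needs GHCR and OIDC scopes in the same step`. The `build-image` job body continues outside the hunk.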
@@ -107,118 +112,42 @@ jobs: name: symbolicator-debug@${{ matrix.arch }} path: /tmp/debug-info/* - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Prepare Docker Context run: | mkdir docker-ctx cp Dockerfile docker-ctx/ mv symbolicator docker-ctx/ - - name: Build Image - uses: docker/build-push-action@v6 - with: - context: docker-ctx/ - platforms: linux/${{ matrix.arch }} - tags: symbolicator-${{ matrix.arch }} - outputs: type=docker,dest=/tmp/symbolicator-${{ matrix.arch }}.tar - push: false - - - name: Upload Image - uses: actions/upload-artifact@v4 - with: - name: symbolicator-image@${{ matrix.arch }} - path: /tmp/symbolicator-${{ matrix.arch }}.tar - - assemble-ghcr: - needs: [build-setup, build-image] - if: "needs.build-setup.outputs.full_ci == 'true'" - - name: Assemble for Github Container Registry - runs-on: ubuntu-latest - - permissions: - packages: write - - env: - IMAGE: "ghcr.io/getsentry/symbolicator" - - steps: - - name: Docker Login - run: docker login --username '${{ github.actor }}' --password-stdin ghcr.io <<< "$GHCR_TOKEN" - env: - GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Download Images - uses: actions/download-artifact@v5 - with: - pattern: symbolicator-image@* - path: /tmp - merge-multiple: true - - - &assemble - name: Assemble and Push Images - run: | - set -x - - IMAGES=() - for image in /tmp/symbolicator-*.tar; do - NAME="$(basename $image .tar)" - ARCH="${NAME#*-}" - TARGET="${IMAGE}:${{ github.sha }}-${ARCH}" - - docker load --input "${image}" - docker tag "${NAME}" "${TARGET}" - docker push "${TARGET}" - - IMAGES+=("${TARGET}") - done - - docker buildx imagetools create -t "${IMAGE}:${{ github.sha }}" "${IMAGES[@]}" - - if [[ "${{ github.ref_name }}" == "master" ]]; then - docker buildx imagetools create -t "${IMAGE}:nightly" "${IMAGE}:${{ github.sha }}" - fi - - assemble-ar: - needs: [build-setup, build-image] - if: "needs.build-setup.outputs.full_ci == 'true'" - - name: Assemble for Google 
Artifact Registry - runs-on: ubuntu-latest - - permissions: - contents: read - id-token: write - - env: - IMAGE: "us-central1-docker.pkg.dev/sentryio/symbolicator/image" - - steps: - - name: Google Auth - id: auth - uses: google-github-actions/auth@v3 - with: - workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool - service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com - - - name: Set up Cloud SDK - uses: google-github-actions/setup-gcloud@v3 + - name: Build and push ghcr image + if: "!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'" + uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01 with: - version: ">= 390.0.0" - - - name: Configure Docker - run: gcloud auth configure-docker us-central1-docker.pkg.dev - - - name: Download Images - uses: actions/download-artifact@v5 + image_name: 'symbolicator' + platforms: linux/amd64,linux/arm64 + dockerfile_path: './Dockerfile' + build_context: './docker-ctx' + ghcr: true + # we need to publish on prs for self hosted e2e tests + publish_on_pr: true + tag_nightly: false + tag_latest: false + + - name: Build and push production image + if: "needs.build-setup.outputs.full_ci == 'true'" + uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01 with: - pattern: symbolicator-image@* - path: /tmp - merge-multiple: true - - - *assemble + image_name: 'symbolicator' + platforms: linux/amd64,linux/arm64 + dockerfile_path: './Dockerfile' + build_context: './docker-ctx' + ghcr: false + google_ar: true + # note: nightly will only be tagged if on default branch + tag_nightly: true + tag_latest: false + google_ar_image_name: us-central1-docker.pkg.dev/sentryio/symbolicator/image + google_workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool + google_service_account: 
gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com gocd-artifacts: needs: [build-setup, build-image] @@ -260,18 +189,9 @@ jobs: timeout-minutes: 30 steps: - - name: Download Docker Image - uses: actions/download-artifact@v5 - with: - pattern: symbolicator-image@amd64 - path: /tmp - - - name: Load Docker Image - run: docker load --input /tmp/symbolicator-amd64.tar - - name: Run Sentry self-hosted e2e CI uses: getsentry/self-hosted@master with: project_name: symbolicator - image_url: symbolicator-amd64 + image_url: ghcr.io/getsentry/symbolicator:${{ github.event.pull_request.head.sha || github.sha }} CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
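Review bot: Both new `Build and push …` steps pass `platforms: linux/amd64,linux/arm64` while the job still fans out over `matrix.arch` (the `strategy` block in the first hunk is unchanged context, and the build context holds only the single `symbolicator` binary the earlier steps move into `docker-ctx`), so each matrix leg appears to build a two-platform image from one arch's binary, and both legs push the same tags with the last writer winning. Unless build-setup now emits a single-element `archs` list, either drop the `arch` matrix from `build-image` and stage both binaries in `docker-ctx` for a per-platform `COPY` in the Dockerfile, or keep the matrix and pass `platforms: linux/${{ matrix.arch }}` with a per-arch tag plus a separate manifest step. The two SHA-pinned `uses:` lines would also benefit from a version comment so reviewers and Dependabot can tell what the pin resolves to, e.g. `uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01  # <release tag placeholder>`. The `build-image` job begins outside this hunk.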
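Review bot: `image_url` now points at `ghcr.io/getsentry/symbolicator:${{ github.event.pull_request.head.sha || github.sha }}`, but the step that publishes that tag (`Build and push ghcr image` in the previous hunk) is skipped when `github.event.pull_request.head.repo.fork` is true or the actor is `dependabot[bot]`, so for those PRs the self-hosted e2e step will try to pull a tag that was never pushed instead of the locally loaded image it used before. Give the e2e step or its job the same guard, `if: "!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'"`, so the job skips cleanly rather than failing on the pull. The expression also assumes the action tags the image with the PR head SHA rather than the merge commit SHA — worth confirming against the action's documentation before relying on it. The enclosing job begins outside the hunk.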