code images: Use kaniko

iakat · iakat · commit 69d9f1fa1919 · 2025-12-22T12:24:28.000+01:00
diff --git a/.github/workflows/code-ubuntu.yaml b/.github/workflows/code-ubuntu.yaml
@@ -3,160 +3,141 @@ on:
   schedule:
     - cron: "0 10 * * *"
   push:
-    branches:
-      - "**"
-    tags:
-      - "v*.*.*"
+    branches: ["**"]
+    tags: ["v*.*.*"]
   pull_request:
-    branches:
-      - "main"
+    branches: [main]
+env:
+  REGISTRY: ghcr.io
+  IMAGE_PREFIX: ghcr.io/${{ github.repository }}/code
+  KANIKO_EXTRA_ARGS: >-
+    --snapshot-mode=redo --use-new-run --cache-run-layers --cache-copy-layers --cache-ttl=168h --compressed-caching=false --cleanup
 jobs:
-  build:
+  build-base:
     strategy:
       fail-fast: false
       matrix:
         image:
           - name: ubuntu
             context: images/base
-            dockerfile: ubuntu.Dockerfile
+          - name: minimal
+            context: images/minimal
+        platform:
+          - runner: ubuntu-latest
+            arch: amd64
+          - runner: ubuntu-24.04-arm
+            arch: arm64
+    runs-on: ${{ matrix.platform.runner }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: coder/images
+          submodules: recursive
+      - uses: aevea/action-kaniko@master
+        with:
+          image: code/${{ matrix.image.name }}
+          path: ${{ matrix.image.context }}
+          build_file: ubuntu.Dockerfile
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          cache: true
+          cache_registry: code/${{ matrix.image.name }}/cache
+          extra_args: ${{ env.KANIKO_EXTRA_ARGS }}
+  manifest-base:
+    needs: build-base
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        image: [ubuntu, minimal]
+    steps:
+      - uses: imjasonh/setup-crane@v0.4
+      - name: Push manifest
+        run: |
+          crane auth login ${{ env.REGISTRY }} -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
+
+          IMAGE="${{ env.IMAGE_PREFIX }}/${{ matrix.image }}"
+          TAGS="latest ${{ github.sha }}"
+
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            TAGS="$TAGS ${{ github.ref_name }}"
+          fi
+
+          for TAG in $TAGS; do
+            crane index append \
+              --tag "${IMAGE}:${TAG}" \
+              --manifest "${IMAGE}:latest-amd64" \
+              --manifest "${IMAGE}:latest-arm64"
+          done
+  build-derived:
+    needs: manifest-base
+    if: always() && !failure() && !cancelled()
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
           - name: desktop
             context: images/desktop
-            dockerfile: ubuntu.Dockerfile
           - name: golang
             context: images/golang
-            dockerfile: ubuntu.Dockerfile
           - name: java
             context: images/java
-            dockerfile: ubuntu.Dockerfile
-          - name: minimal
-            context: images/minimal
-            dockerfile: ubuntu.Dockerfile
           - name: node
             context: images/node
-            dockerfile: ubuntu.Dockerfile
         platform:
           - runner: ubuntu-latest
-            arch: linux/amd64
+            arch: amd64
           - runner: ubuntu-24.04-arm
-            arch: linux/arm64
+            arch: arm64
     runs-on: ${{ matrix.platform.runner }}
     steps:
-      - name: Set variables useful for later
-        id: useful_vars
-        run: |
-          echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT
-          echo "short_sha=${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
-      - name: Checkout
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
         with:
           repository: coder/images
           submodules: recursive
-      - name: Docker meta
-        id: docker_meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}/code/${{ matrix.image.name }}
-          tags: |
-            type=schedule
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha,prefix=,format=long,event=tag
-            type=sha
-            type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
-            type=raw,value=${{ github.ref_name }}-${{ steps.useful_vars.outputs.short_sha }}-${{ steps.useful_vars.outputs.timestamp }},enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
-          flavor: |
-            suffix=-${{ matrix.platform.arch == 'linux/amd64' && 'amd64' || 'arm64' }}
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Login to GHCR
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+      - name: Point to our base images
+        run: |
+          sed -i \
+            -e 's|codercom/enterprise-base:ubuntu|${{ env.IMAGE_PREFIX }}/ubuntu:latest|g' \
+            -e 's|codercom/enterprise-minimal:latest|${{ env.IMAGE_PREFIX }}/minimal:latest|g' \
+            ${{ matrix.image.context }}/ubuntu.Dockerfile
+      - uses: aevea/action-kaniko@master
         with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
+          image: code/${{ matrix.image.name }}
+          path: ${{ matrix.image.context }}
+          build_file: ubuntu.Dockerfile
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Cache Docker layers
-        uses: actions/cache@v4
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-${{ matrix.image.name }}-${{ matrix.platform.arch }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-${{ matrix.image.name }}-${{ matrix.platform.arch }}-buildx-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: ${{ matrix.image.context }}
-          file: ${{ matrix.image.context }}/${{ matrix.image.dockerfile }}
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.docker_meta.outputs.tags }}
-          labels: ${{ steps.docker_meta.outputs.labels }}
-          platforms: ${{ matrix.platform.arch }}
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache,mode=max
-  # Create multi-arch manifests after all platform builds complete
-  manifest:
-    needs: build
+          cache: true
+          cache_registry: code/${{ matrix.image.name }}/cache
+          extra_args: ${{ env.KANIKO_EXTRA_ARGS }}
+  manifest-derived:
+    needs: build-derived
     if: github.event_name != 'pull_request'
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        image:
-          - ubuntu
-          - desktop
-          - golang
-          - java
-          - minimal
-          - node
+        image: [desktop, golang, java, node]
     steps:
-      - name: Set variables useful for later
-        id: useful_vars
-        run: |
-          echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT
-          echo "short_sha=${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Docker meta
-        id: docker_meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}/code/${{ matrix.image }}
-          tags: |
-            type=schedule
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha,prefix=,format=long,event=tag
-            type=sha
-            type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
-            type=raw,value=${{ github.ref_name }}-${{ steps.useful_vars.outputs.short_sha }}-${{ steps.useful_vars.outputs.timestamp }},enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
-      - name: Create and push manifest
+      - uses: imjasonh/setup-crane@v0.4
+      - name: Push manifest
         run: |-
-          TAGS="${{ steps.docker_meta.outputs.tags }}"
-          IMAGE_BASE="ghcr.io/${{ github.repository }}/code/${{ matrix.image }}"
-
-          for TAG in $TAGS; do
-            # Extract just the tag portion after the colon
-            TAG_NAME="${TAG##*:}"
+          crane auth login ${{ env.REGISTRY }} -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
 
-            docker manifest create "${IMAGE_BASE}:${TAG_NAME}" \
-              "${IMAGE_BASE}:${TAG_NAME}-amd64" \
-              "${IMAGE_BASE}:${TAG_NAME}-arm64"
+          IMAGE="${{ env.IMAGE_PREFIX }}/${{ matrix.image }}"
+          TAGS="latest ${{ github.sha }}"
 
-            docker manifest annotate "${IMAGE_BASE}:${TAG_NAME}" \
-              "${IMAGE_BASE}:${TAG_NAME}-amd64" --arch amd64
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            TAGS="$TAGS ${{ github.ref_name }}"
+          fi
 
-            docker manifest annotate "${IMAGE_BASE}:${TAG_NAME}" \
-              "${IMAGE_BASE}:${TAG_NAME}-arm64" --arch arm64
-
-            docker manifest push "${IMAGE_BASE}:${TAG_NAME}"
+          for TAG in $TAGS; do
+            crane index append \
+              --tag "${IMAGE}:${TAG}" \
+              --manifest "${IMAGE}:latest-amd64" \
+              --manifest "${IMAGE}:latest-arm64"
           done
