name: Update base OS image
run-name: Updating the base OS and install necessary extra packages (multiplatform)

# Builds the pgEdge base test image and records enough metadata to reproduce
# any published build:
#   - build timestamp, git commit SHA, branch and Rocky Linux release are
#     captured at build time
#   - the same values are written to /etc/pgedge/build-info.txt inside the image
#   - every image is tagged :latest and :${GIT_COMMIT} so a build can be
#     referenced immutably
#   - OCI labels carry the same metadata for `docker inspect`
#   - all values are echoed into the workflow log for issue reports
on:
  # Manual trigger only; both inputs are optional and carry a default.
  workflow_dispatch:
    inputs:
      image_name:
        type: string
        required: false
        default: 'base-test-image'
        description: 'Base image name (without registry/owner prefix)'
      image_tag:
        type: string
        required: false
        default: ''
        description: 'Additional custom tag (besides :latest and :<commit-sha>)'
permissions:
  # Pushing to GHCR is the only write scope this workflow needs; the checkout
  # step only requires read access to the repository contents.
  packages: write
  contents: read
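jobs:
  pull-and-test:
    runs-on: ubuntu-latest
    # workflow_dispatch inputs are exposed to shell steps as environment
    # variables instead of being interpolated with ${{ }} inside `run:` blocks,
    # so an input value is always data to the shell, never script. Setting them
    # here also means they are never written through GITHUB_ENV.
    env:
      IMAGE_NAME: ${{ inputs.image_name || 'base-test-image' }}
      IMAGE_TAG: ${{ inputs.image_tag }}
    steps:
      - name: Checkout spock
        # NOTE(review): the only action in this job pinned by tag rather than
        # full commit SHA; every other action below is SHA-pinned.
        uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}

      - name: Add permissions
        # Makes the checkout world-writable — presumably so the build
        # container's non-root user can write into the mounted workspace;
        # confirm against the Dockerfile.
        run: |
          sudo chmod -R a+w "${GITHUB_WORKSPACE}"

      # See https://github.com/orgs/community/discussions/27086
      - name: set lower case owner name
        run: |
          echo "OWNER_LC=${OWNER,,}" >> "${GITHUB_ENV}"
        env:
          OWNER: '${{ github.repository_owner }}'

      # Capture build metadata once and reuse the same shell variables for
      # both GITHUB_ENV and the printed summary, so the values shown in the
      # log are exactly the ones embedded in the image (re-running `date`
      # and `docker run` for the printout could drift from what was stored).
      - name: Capture build metadata
        id: meta
        run: |
          BUILD_DATE="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
          GIT_COMMIT="$(git rev-parse HEAD)"
          GIT_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
          ROCKYLINUX_VERSION="$(docker run --rm rockylinux:9 cat /etc/rocky-release)"
          {
            echo "BUILD_DATE=${BUILD_DATE}"
            echo "GIT_COMMIT=${GIT_COMMIT}"
            echo "GIT_BRANCH=${GIT_BRANCH}"
            echo "ROCKYLINUX_VERSION=${ROCKYLINUX_VERSION}"
          } >> "${GITHUB_ENV}"
          # Print build information
          echo "========================================="
          echo "pgEdge Base Image Build Information"
          echo "========================================="
          echo "Image Name: ${IMAGE_NAME}"
          echo "Custom Tag: ${IMAGE_TAG}"
          echo "Build Date: ${BUILD_DATE}"
          echo "Git Commit: ${GIT_COMMIT}"
          echo "Git Branch: ${GIT_BRANCH}"
          echo "Rocky Linux: ${ROCKYLINUX_VERSION}"
          echo "Platforms: linux/amd64, linux/arm64"
          echo "========================================="

      # Set up QEMU for multiplatform builds
      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
        with:
          platforms: linux/amd64,linux/arm64

      - name: Set up Docker Buildx
        # Codacy wants us to use full commit SHA. This is for v3
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
        with:
          platforms: linux/amd64,linux/arm64

      # Login to GHCR
      - name: Login to GHCR
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
        with:
          registry: ghcr.io
          # Action inputs are not shell-expanded, so a plain `$OWNER_LC` would
          # have been sent literally; use the expression form like the tags below.
          username: ${{ env.OWNER_LC }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Prepare cached version of the base image with build metadata
      - name: Build and push multiplatform base system image
        uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318
        with:
          context: .
          file: tests/docker/Dockerfile-base.el9
          platforms: linux/amd64,linux/arm64
          push: true
          # Action inputs are passed as data, not through a shell, so
          # expressions are fine here.
          tags: |
            ghcr.io/${{ env.OWNER_LC }}/${{ env.IMAGE_NAME }}:latest
            ghcr.io/${{ env.OWNER_LC }}/${{ env.IMAGE_NAME }}:${{ env.GIT_COMMIT }}
            ${{ inputs.image_tag && format('ghcr.io/{0}/{1}:{2}', env.OWNER_LC, env.IMAGE_NAME, inputs.image_tag) || '' }}
          build-args: |
            BUILD_DATE=${{ env.BUILD_DATE }}
            GIT_COMMIT=${{ env.GIT_COMMIT }}
            GIT_BRANCH=${{ env.GIT_BRANCH }}
            ROCKYLINUX_VERSION=${{ env.ROCKYLINUX_VERSION }}
          cache-from: type=gha,scope=base
          cache-to: type=gha,mode=max,scope=base
          # NOTE(review): with attestations disabled, the "reproducibility
          # metadata" consists of the labels and build-info file only. Enabling
          # provenance/sbom would change the shape of the pushed manifest, so
          # it is deliberately left unchanged here.
          provenance: false
          sbom: false

      # Verify multiplatform manifest
      - name: Inspect multiplatform manifest
        run: |
          docker buildx imagetools inspect "ghcr.io/${OWNER_LC}/${IMAGE_NAME}:latest"

      # Verify and display build information from the image
      - name: Display build information
        run: |
          IMAGE_REF="ghcr.io/${OWNER_LC}/${IMAGE_NAME}"
          echo ""
          echo "========================================="
          echo "Multiplatform Image Built Successfully!"
          echo "========================================="
          echo "Image Name: ${IMAGE_NAME}"
          echo "Platforms: linux/amd64, linux/arm64"
          echo ""
          echo "Image Tags:"
          echo " - ${IMAGE_REF}:latest"
          echo " - ${IMAGE_REF}:${GIT_COMMIT}"
          if [ -n "${IMAGE_TAG}" ]; then
            echo " - ${IMAGE_REF}:${IMAGE_TAG}"
          fi
          echo ""
          echo "To pull this specific build:"
          echo " docker pull ${IMAGE_REF}:${GIT_COMMIT}"
          echo ""
          echo "Docker will automatically select the correct architecture:"
          echo " - linux/amd64 for Intel/AMD systems"
          echo " - linux/arm64 for Apple Silicon Macs (M1/M2/M3/M4)"
          echo ""
          echo "To view build info from the image:"
          echo " docker run --rm ${IMAGE_REF}:latest cat /etc/pgedge/build-info.txt"
          echo ""
          echo "To inspect image labels:"
          echo " docker inspect ${IMAGE_REF}:latest | jq '.[0].Config.Labels'"
          echo "========================================="

# ==============================================================================
# Build Complete!
# ==============================================================================
# The base image is available at:
# https://github.com/pgedge/spock/pkgs/container/<image-name>
#
# Workflow Inputs (configurable through Actions UI):
# - image_name: Base image name (default: 'base-test-image')
# - image_tag: Optional custom tag in addition to :latest and :<commit-sha>
#
# Each build includes comprehensive reproducibility metadata:
# 1. /etc/pgedge/build-info.txt - Embedded build information file
# 2. OCI image labels with build timestamp, commit SHA, and branch
# 3. Commit-specific tag (:<commit-sha>) for immutable references
# 4. Optional custom tag (:<custom-tag>) if provided
# 5. Workflow output with all build parameters
#
# To reproduce any build:
# 1. Check workflow output or image labels for git commit SHA
# 2. Checkout that commit: git checkout <sha>
# 3. Run the docker build command shown in /etc/pgedge/build-info.txt
#
# Documentation: tests/docker/Dockerfile-base.md
# ==============================================================================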