---
# Builds the pulp-manager container image and publishes it to one or more
# registries; see the build-and-push job for the push/attestation logic.
name: Build and Push Docker Images

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
    tags:
      - 'v*.*.*'
      - '[0-9]+.[0-9]+.[0-9]+'
  pull_request:
    branches:
      - main
  workflow_dispatch:
  workflow_call:

env:
  # Image name under the pulp/ namespace on every registry.
  IMAGE_NAME: pulp-manager
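jobs:
  build-and-push:
    name: Build and Push Docker Image
    runs-on: ubuntu-latest
    # Least-privilege token: packages:write to push to ghcr.io, id-token:write
    # and attestations:write for the provenance step. For pull_request events
    # from forks GitHub issues a read-only GITHUB_TOKEN regardless of this
    # block, so the push step cannot succeed on fork PRs.
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    steps:
      # NOTE(review): actions are pinned to major-version tags; pinning to a
      # full commit SHA protects against a moved or compromised tag.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Output `registries`: space-separated registry hosts for the push step.
      # Only release tags fan out to docker.io and quay.io.
      - name: Determine registries to push to
        id: registries
        run: |
          set -euo pipefail
          # Always include ghcr.io
          registries="ghcr.io"
          # Add docker.io and quay.io for release tags. GITHUB_REF is read
          # from the runner environment instead of being expanded by the
          # workflow expression syntax, so no event-controlled value is
          # spliced into shell source.
          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
            registries="ghcr.io docker.io quay.io"
          fi
          echo "registries=${registries}" >> "${GITHUB_OUTPUT}"
          echo "Will push to: ${registries}"

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Docker Hub / Quay credentials are only needed, and only handed to the
      # runner, for release tags.
      - name: Log in to Docker Hub
        if: startsWith(github.ref, 'refs/tags/')
        uses: docker/login-action@v3
        with:
          registry: docker.io
          username: ${{ secrets.DOCKER_BOT_USERNAME }}
          password: ${{ secrets.DOCKER_BOT_PASSWORD }}

      - name: Log in to Quay.io
        if: startsWith(github.ref, 'refs/tags/')
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_BOT_USERNAME }}
          password: ${{ secrets.QUAY_BOT_PASSWORD }}

      # Output `tags`: space-separated image tags. The push step reads the
      # ghcr.io digest from the first tag, so the most specific tag is first.
      - name: Determine tags
        id: tags
        env:
          # The one event-controlled value without a default GITHUB_* env var;
          # passed through the environment rather than interpolated into the
          # script. Empty for non-PR events.
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          tags=""
          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
            # Release tag (e.g., v1.2.3)
            version="${GITHUB_REF_NAME#v}"  # Remove 'v' prefix
            major=$(echo "${version}" | cut -d. -f1)
            minor=$(echo "${version}" | cut -d. -f1-2)
            # NOTE(review): `latest` is also written on every push to main
            # (below), so the two sources overwrite each other.
            tags="${version} ${minor} ${major} latest"
          elif [[ "${GITHUB_REF_NAME}" == "main" ]]; then
            # Main branch
            tags="main latest"
          elif [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
            # PR
            tags="pr-${PR_NUMBER}"
          else
            # Other branches (reached via workflow_dispatch / workflow_call).
            # A ref name such as feature/x is not a valid image tag, so every
            # character outside [A-Za-z0-9_.-] is replaced with '-'.
            tags="${GITHUB_REF_NAME//[^A-Za-z0-9_.-]/-}"
          fi
          # Add SHA tag for traceability
          sha_short="${GITHUB_SHA:0:7}"
          tags="${tags} sha-${sha_short}"
          echo "tags=${tags}" >> "${GITHUB_OUTPUT}"
          echo "Will use tags: ${tags}"

      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          push: false
          # load: true exports the image into the local daemon so the push
          # step can re-tag the same image for every registry; this only
          # works for a single platform.
          load: true
          tags: pulp/${{ env.IMAGE_NAME }}:ci
          labels: |
            org.opencontainers.image.title=Pulp Manager
            org.opencontainers.image.description=FastAPI-based orchestration and management for multiple Pulp 3 servers
            org.opencontainers.image.vendor=Pulp
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64

      # Output `digest`: sha256:... digest of the image as stored in ghcr.io,
      # used as the attestation subject.
      - name: Push to registries
        id: push
        env:
          REGISTRIES: ${{ steps.registries.outputs.registries }}
          TAGS: ${{ steps.tags.outputs.tags }}
        run: |
          set -euo pipefail
          image="pulp/${IMAGE_NAME}"
          for registry in ${REGISTRIES}; do
            echo "Pushing to ${registry}..."
            for tag in ${TAGS}; do
              echo " Tagging and pushing ${registry}/${image}:${tag}"
              docker tag "${image}:ci" "${registry}/${image}:${tag}"
              docker push "${registry}/${image}:${tag}"
            done
          done
          # Capture the image digest from ghcr.io for attestation. RepoDigests
          # holds one entry per registry the image was pushed to, so the
          # ghcr.io entry is selected explicitly rather than taking index 0.
          first_tag="${TAGS%% *}"
          digest=$(docker inspect --format='{{range .RepoDigests}}{{println .}}{{end}}' \
            "ghcr.io/${image}:${first_tag}" | grep -m1 '^ghcr.io/' | cut -d'@' -f2 || true)
          if [[ -z "${digest}" ]]; then
            echo "::error::could not determine ghcr.io digest for ${image}:${first_tag}"
            exit 1
          fi
          echo "digest=${digest}" >> "${GITHUB_OUTPUT}"
          echo "Image digest: ${digest}"

      # Provenance is recorded for the ghcr.io copy only; the docker.io and
      # quay.io copies share this digest only if their manifests are
      # byte-identical.
      - name: Generate artifact attestation
        if: github.event_name != 'pull_request'
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ghcr.io/pulp/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true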