ci: continuous image generation in github registry (#74)

Signed-off-by: Carlos Feria <[email protected]>

Author: carlosthe19916

.github/workflows/build-push-images.yaml

@@ -0,0 +1,205 @@
+name: Reusable Build and Push Image
+
+on:
+  workflow_call:
+    inputs:
+      registry:
+        description: Registry hostname + namespace of image
+        required: true
+        type: string
+      image_name:
+        description: The name of the image
+        required: true
+        type: string
+      containerfile:
+        description: Path to Dockerfile or Containerfile for build
+        required: true
+        type: string
+      pre_build_cmd:
+        description: "Command to run before building images"
+        required: false
+        type: string
+      architectures:
+        description: Valid JSON string representing architectures to build
+        default: '["amd64", "arm64"]'
+        type: string
+        required: false
+      build-args:
+        description: "Build args to be passed to buildah bud. Separate arguments by newline."
+        default: ""
+        required: false
+        type: string
+      extra-args:
+        description: "Extra args to be passed to buildah bud. Separate arguments by newline. Do not use quotes."
+        default: ""
+        required: false
+        type: string
+      context:
+        description: "Path to directory to use as the build context."
+        default: "."
+        required: false
+        type: string
+      swap-size-gb:
+        description: "Swap space to create, in Gigabytes."
+        default: ""
+        required: false
+        type: string
+    secrets:
+      registry_username:
+        description: "Registry username"
+        required: true
+      registry_password:
+        description: "Registry password"
+        required: true
+    outputs:
+      tag:
+        description: "The tag of the image pushed to the registry"
+        value: ${{ jobs.prepare.outputs.tag }}
+      digest:
+        description: "The digest of the image pushed to the registry"
+        value: ${{ jobs.manifest.outputs.digest }}
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.define-tag.outputs.tag }}
+    steps:
+      - name: Define & sanitize tag
+        id: define-tag
+        shell: bash
+        run: |
+          tag=${{ github.ref == 'refs/heads/main' && 'latest' || github.ref_name }}
+
+          # Replace "/" by "-" as "/" is not a valid character for a container tag
+          tag="${tag#release/}"
+          echo $tag
+          echo "tag=$tag" >> "$GITHUB_OUTPUT"
+
+  build:
+    needs: [ prepare ]
+    runs-on: ubuntu-latest
+    env:
+      tag: ${{ needs.prepare.outputs.tag }}
+    strategy:
+      matrix:
+        architecture: ${{ fromJSON(inputs.architectures) }}
+    steps:
+      - name: Get more swap space
+        shell: bash
+        if: "${{ inputs.swap-size-gb != '' }}"
+        run: |
+          echo "Before swap"
+          free -h
+          swapon --show
+
+          # Make swap
+          SWAP_FILE="$(swapon --show=NAME | tail -n 1)"
+          export SWAP_FILE
+          sudo swapoff "${SWAP_FILE}"
+          sudo rm "${SWAP_FILE}"
+          sudo fallocate -l "${{ inputs.swap-size-gb }}"G "${SWAP_FILE}"
+          sudo chmod 600 "${SWAP_FILE}"
+          sudo mkswap "${SWAP_FILE}"
+          sudo swapon "${SWAP_FILE}"
+
+          echo "After swap"
+          free -h
+          swapon --show
+
+      - name: Maximize disk space
+        shell: bash
+        run: |
+          echo "Space before clearing:"
+          df . -h
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf "/usr/local/share/boost"
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+          echo "Space after clearing:"
+          df . -h
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Configure QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3
+        with:
+          platforms: all
+
+      - name: Image meta
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f #v5
+        with:
+          images: ${{ inputs.registry }}/${{ inputs.image_name }}
+          tags: |
+            type=schedule
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+
+      - name: Run pre build command
+        shell: bash
+        run: "${{ inputs.pre_build_cmd }}"
+        if: "${{ inputs.pre_build_cmd != '' }}"
+
+      - name: Build Image
+        id: build
+        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 #v2
+        with:
+          image: ${{ inputs.image_name }}
+          tags: ${{ env.tag }}-${{ matrix.architecture }}
+          build-args: ${{ inputs.build-args }}
+          extra-args: "--no-cache --rm ${{ inputs.extra-args }}"
+          archs: ${{ matrix.architecture }}
+          labels: ${{ steps.meta.outputs.labels }}
+          containerfiles: ${{ inputs.containerfile }}
+          context: ${{ inputs.context }}
+
+      - name: Push To Registry
+        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
+        id: push
+        with:
+          image: ${{ steps.build.outputs.image }}
+          tags: ${{ env.tag }}-${{ matrix.architecture }}
+          username: ${{ secrets.registry_username }}
+          password: ${{ secrets.registry_password }}
+          registry: ${{ inputs.registry }}
+
+  manifest:
+    needs: [ prepare, build ]
+    runs-on: ubuntu-latest
+    outputs:
+      digest: ${{ steps.push.outputs.digest }}
+    env:
+      tag: ${{ needs.prepare.outputs.tag }}
+    steps:
+      - name: Log in to registry
+        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 #v1
+        with:
+          username: ${{ secrets.registry_username }}
+          password: ${{ secrets.registry_password }}
+          registry: ${{ inputs.registry }}
+
+      - name: Create manifest
+        shell: bash
+        run: |
+          podman manifest create "${{ inputs.registry }}/${{ inputs.image_name }}:${{ env.tag }}"
+          for arch in $(echo '${{ inputs.architectures }}' | jq -r '.[]'); do
+            podman manifest add \
+              "${{ inputs.registry }}/${{ inputs.image_name }}:${{ env.tag }}" \
+              "${{ inputs.registry }}/${{ inputs.image_name }}:${{ env.tag }}-${arch}"
+          done
+
+      - name: Push To Registry
+        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c #v2
+        id: push
+        with:
+          image: ${{ inputs.image_name }}
+          tags: ${{ env.tag }}
+          username: ${{ secrets.registry_username }}
+          password: ${{ secrets.registry_password }}
+          registry: ${{ inputs.registry }}

.github/workflows/ci.yaml

@@ -15,9 +15,9 @@ jobs:
   ci:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - name: Use Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6
         with:
           node-version: 22
           cache: npm

.github/workflows/deploy.yaml

@@ -26,8 +26,8 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6
         with:
           node-version: 22
           cache: npm
@@ -36,11 +36,11 @@ jobs:
       - name: Build
         run: NODE_ENV=development BASE_URL=/rhtas-console-ui/ MOCK=on npm run build
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b #v4
         with:
           path: "./client/dist"
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

.github/workflows/image-build.yaml

@@ -0,0 +1,49 @@
+name: Multiple Architecture Image Build
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+      - "release/*"
+    tags:
+      - "v*"
+
+concurrency:
+  group: build-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ui-image-build:
+    uses: ./.github/workflows/build-push-images.yaml
+    with:
+      registry: "ghcr.io"
+      image_name: "${{ github.repository_owner }}/rhtas-console-ui"
+      containerfile: "./Dockerfile"
+      architectures: '[ "amd64", "arm64" ]'
+      extra-args: "--ulimit nofile=4096:4096"
+    secrets:
+      registry_username: ${{ github.actor }}
+      registry_password: ${{ secrets.GITHUB_TOKEN }}
+
+  attestations:
+    needs: ui-image-build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+      packages: write
+    steps:
+      - name: Log in to registry
+        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 #v1
+        with:
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
+        with:
+          subject-name: ghcr.io/${{ github.repository_owner }}/rhtas-console-ui
+          subject-digest: ${{ needs.ui-image-build.outputs.digest }}
+          push-to-registry: true