164 lines
6.4 KiB
YAML
164 lines
6.4 KiB
YAML
name: Build docker image
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
network:
|
|
required: false
|
|
type: string
|
|
checkpoint_sync:
|
|
required: false
|
|
type: boolean
|
|
image_name:
|
|
required: true
|
|
type: string
|
|
dockerfile_path:
|
|
required: true
|
|
type: string
|
|
dockerfile_target:
|
|
required: true
|
|
type: string
|
|
short_sha:
|
|
required: false
|
|
type: string
|
|
rust_backtrace:
|
|
required: false
|
|
type: string
|
|
rust_lib_backtrace:
|
|
required: false
|
|
type: string
|
|
colorbt_show_hidden:
|
|
required: false
|
|
type: string
|
|
zebra_skip_ipv6_tests:
|
|
required: false
|
|
type: string
|
|
rust_log:
|
|
required: false
|
|
type: string
|
|
default: info
|
|
outputs:
|
|
image_digest:
|
|
description: 'The image digest to be used on a caller workflow'
|
|
value: ${{ jobs.build.outputs.image_digest }}
|
|
|
|
jobs:
|
|
build:
|
|
name: Build images
|
|
timeout-minutes: 210
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
image_digest: ${{ steps.docker_build.outputs.digest }}
|
|
image_name: ${{ fromJSON(steps.docker_build.outputs.metadata)['image.name'] }}
|
|
permissions:
|
|
contents: 'read'
|
|
id-token: 'write'
|
|
steps:
|
|
- uses: actions/checkout@v3.3.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Inject slug/short variables
|
|
uses: rlespinasse/github-slug-action@v4
|
|
with:
|
|
short-length: 7
|
|
|
|
# Automatic tag management and OCI Image Format Specification for labels
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v4.3.0
|
|
with:
|
|
# list of Docker images to use as base name for tags
|
|
images: |
|
|
us-docker.pkg.dev/zealous-zebra/zebra/${{ inputs.image_name }}
|
|
zfnd/zebra,enable=${{ github.event_name == 'release' && !github.event.release.prerelease }}
|
|
# generate Docker tags based on the following events/attributes
|
|
tags: |
|
|
type=schedule
|
|
# semver and ref,tag automatically add a "latest" tag, but only on stable releases
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=semver,pattern={{major}}
|
|
type=ref,event=tag
|
|
type=ref,event=branch
|
|
type=ref,event=pr
|
|
type=sha
|
|
# edge is the latest commit on the default branch.
|
|
# TODO: We only want edge builds for `us-docker.pkg.dev`, because DockerHub doesn't keep up with every `main` branch commit.
|
|
type=edge,enable={{is_default_branch}}
|
|
|
|
# Setup Docker Buildx to allow use of docker cache layers from GH
|
|
- name: Set up Docker Buildx
|
|
id: buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
with:
|
|
# TODO: change after new buildkit version gets fixed
|
|
# https://github.com/moby/buildkit/issues/3347
|
|
# https://github.com/docker/build-push-action/issues/761#issuecomment-1383822381
|
|
driver-opts: |
|
|
image=moby/buildkit:v0.10.6
|
|
|
|
- name: Authenticate to Google Cloud
|
|
id: auth
|
|
uses: google-github-actions/auth@v1.0.0
|
|
with:
|
|
retries: '3'
|
|
workload_identity_provider: 'projects/143793276228/locations/global/workloadIdentityPools/github-actions/providers/github-oidc'
|
|
service_account: 'github-service-account@zealous-zebra.iam.gserviceaccount.com'
|
|
token_format: 'access_token'
|
|
# Some builds might take over an hour, and Google's default lifetime duration for
|
|
# an access token is 1 hour (3600s). We increase this to 3 hours (10800s)
|
|
# as some builds take over an hour.
|
|
access_token_lifetime: 10800s
|
|
|
|
- name: Login to Google Artifact Registry
|
|
uses: docker/login-action@v2.1.0
|
|
with:
|
|
registry: us-docker.pkg.dev
|
|
username: oauth2accesstoken
|
|
password: ${{ steps.auth.outputs.access_token }}
|
|
|
|
- name: Login to DockerHub
|
|
# We only publish images to DockerHub if a release is not a pre-release
|
|
# Ref: https://github.com/orgs/community/discussions/26281#discussioncomment-3251177
|
|
if: ${{ github.event_name == 'release' && !github.event.release.prerelease }}
|
|
uses: docker/login-action@v2.1.0
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
|
|
# Build and push image to Google Artifact Registry, and possibly DockerHub
|
|
- name: Build & push
|
|
id: docker_build
|
|
uses: docker/build-push-action@v3.3.0
|
|
with:
|
|
target: ${{ inputs.dockerfile_target }}
|
|
context: .
|
|
file: ${{ inputs.dockerfile_path }}
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
build-args: |
|
|
NETWORK=${{ inputs.network }}
|
|
SHORT_SHA=${{ env.GITHUB_SHA_SHORT }}
|
|
RUST_BACKTRACE=${{ inputs.rust_backtrace }}
|
|
RUST_LIB_BACKTRACE=${{ inputs.rust_lib_backtrace }}
|
|
COLORBT_SHOW_HIDDEN=${{ inputs.colorbt_show_hidden }}
|
|
ZEBRA_SKIP_IPV6_TESTS=${{ inputs.zebra_skip_ipv6_tests }}
|
|
CHECKPOINT_SYNC=${{ inputs.checkpoint_sync }}
|
|
RUST_LOG=${{ inputs.rust_log }}
|
|
push: true
|
|
# To improve build speeds, for each branch we push an additional image to the registry,
|
|
# to be used as the caching layer, using the `max` caching mode.
|
|
#
|
|
# We use multiple cache sources to confirm a cache hit, starting from a per-branch cache,
|
|
# and if there's no hit, then continue with the `main` branch. When changes are added to a PR,
|
|
# they are usually smaller than the diff between the PR and `main` branch. So this provides the
|
|
# best performance.
|
|
#
|
|
# The caches are tried in top-down order, the first available cache is used:
|
|
# https://github.com/moby/moby/pull/26839#issuecomment-277383550
|
|
cache-from: |
|
|
type=registry,ref=us-docker.pkg.dev/zealous-zebra/zebra/${{ inputs.image_name }}:${{ env.GITHUB_REF_SLUG_URL }}-cache
|
|
type=registry,ref=us-docker.pkg.dev/zealous-zebra/zebra/${{ inputs.image_name }}:main-cache
|
|
cache-to: type=registry,ref=us-docker.pkg.dev/zealous-zebra/zebra/${{ inputs.image_name }}:${{ env.GITHUB_REF_SLUG_URL }}-cache,mode=max
|