@ teracyhq-incubator#1 | improve the github actions

hoatle · Mar 30, 2022 · 1242f6b · 1242f6b
1 parent d94244d
commit 1242f6b
Show file tree

Hide file tree

Showing 7 changed files with 150 additions and 6 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,53 @@
+name: CI
+
+on:
+  workflow_dispatch:
+  push:
+  pull_request:
+
+env:
+  DOCKER_BUILD_ENABLED: true
+  DOCKER_PUSH_ENABLED: true
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Login to Docker registries
+        if: github.event_name != 'pull_request' && env.DOCKER_BUILD_ENABLED == 'true' && env.DOCKER_PUSH_ENABLED == 'true'
+        uses: ./actions/docker-multiple-login-develop
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build Docker base image
+        uses: ./actions/docker-build-push-sign-develop
+        with:
+          meta-registries: localhost:5000/local,localhost:5000/local2
+          meta-image-name: base
+          buildx-driver-opts: |
+            network=host
+          build-file: ./Dockerfile_base
+          push-enabled: true
+
+      - name: Build, push and sign Docker image
+        uses: ./actions/docker-build-push-sign-develop
+        with:
+          meta-image-name: test
+          buildx-driver-opts: |
+            network=host
+          build-enabled: ${{ env.DOCKER_BUILD_ENABLED }}
+          build-args: |
+            BASE_IMAGE=localhost:5000/local/base:${{ github.ref_name }}
+          push-enabled: ${{ github.event_name != 'pull_request' && env.DOCKER_PUSH_ENABLED == 'true' }}
+          cosign-key-base64: ${{ secrets.COSIGN_KEY_BASE64 }}
+          cosign-password: ${{ secrets.COSIGN_PASSWORD }}
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 .DS_Store
+cosign.key
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,5 @@
+ARG BASE_IMAGE=local/base:develop
+
+FROM ${BASE_IMAGE}
+
+RUN echo "Hello world 2!"
diff --git a/Dockerfile_base b/Dockerfile_base
@@ -0,0 +1,3 @@
+FROM alpine
+
+RUN echo "Hello world!"
diff --git a/actions/docker-build-push-sign-develop/action.yml b/actions/docker-build-push-sign-develop/action.yml
@@ -8,7 +8,15 @@ inputs:
       type=semver,pattern={{version}}
       type=ref,suffix=-{{sha}},event=branch
       type=ref,event=branch
+  # to build meta-images [<registry>/<image-name>,]
+  meta-registries:
+    required: false
+    description: "specify the list of registries to push the image into"
+  meta-image-name:
+    required: true
+    description: "specify the docker image name to be pushed into the specified registries"
   meta-images:
+    deprecationMessage: "use meta-registries and meta-image-name instead"
     description: "specify the list of images (<registry>/<name>,) to be built, pushed, signed"
     required: true
   buildx-driver-opts:
@@ -35,7 +43,7 @@ inputs:
   build-platforms:
     description: "the target platforms"
     required: false
-    default: "linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7,linux/arm/v8"
+    default: "linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7"
   build-load:
     description: "export the docker image for local usage"
     required: false
@@ -54,17 +62,69 @@ inputs:
   cosign-password:
     description: "the password to unlock the private cosign key"
     required: false
+outputs:
+  meta-version:
+    description: "docker-meta version output"
+    value: ${{ steps.docker-meta.outputs.version }}
 
 runs:
   using: "composite"
   steps:
+    - name: Normalized env vars
+      id: nev
+      run: |
+        DEFAULT_REGISTRIES="ghcr.io/${GITHUB_REPOSITORY}"
+        # build docker meta images from registries (list of registries, separated by comma) and image name
+        # if registries is empty -> use github package registry
+        # the meta images are the list of <registry>/<image_name>
+        # build_meta_images <image_name>
+        # build_meta_images <registries> <image_name>
+        build_meta_images() {
+          local registries=$1 # can be empty
+          local image_name=$2 # required, most not empty
+          if [ -z "$image_name" ]; then
+            if [ -z "$registries" ]; then
+              echo "args required: build_meta_images <image_name> or build_meta_images <registries> <image_name>"
+              return
+            else
+              registries=$DEFAULT_REGISTRIES
+              image_name=$1
+            fi
+          fi
+
+          local meta_images=();
+
+          IFS=', ' read -r -a array <<< "$registries"
+          for reg in "${array[@]}"
+          do
+            meta_images+=("$reg/$image_name")
+          done
+          printf -v joined '%s,' "${meta_images[@]}"
+          echo "${joined%,}"
+        }
+
+        if [ -z "$IMAGE_NAME" ]; then
+          echo "inputs.meta-image-name is required";
+          exit 1;
+        fi
+
+        if [ -z "$REGISTRIES" ]; then
+          META_IMAGES=$(build_meta_images ${IMAGE_NAME})
+        else
+          META_IMAGES=$(build_meta_images $REGISTRIES ${IMAGE_NAME})
+        fi
+        echo "::set-output name=meta_images::${META_IMAGES}"
+      shell: bash
+      env:
+        REGISTRIES: "${{ inputs.meta-registries }}"
+        IMAGE_NAME: "${{ inputs.meta-image-name }}"
+
     - name: Docker meta
       id: docker-meta
       uses: docker/metadata-action@v3
-      if: ${{ inputs.build-enabled == 'true' }}
       with:
         tags: ${{ inputs.meta-tags }}
-        images: ${{ inputs.meta-images }}
+        images: ${{ inputs.meta-images || steps.nev.outputs.meta_images }}
 
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v1
@@ -82,7 +142,7 @@ runs:
       if: ${{ inputs.build-enabled == 'true' }}
       with:
         context: ${{ inputs.build-context }}
-        file: ${{ inputs.build-file }}
+        file: ${{ inputs.build-context }}/${{ inputs.build-file }}
         build-args: ${{ inputs.build-args }}
         load: ${{ inputs.build-load }}
         platforms: ${{ inputs.build-platforms }}

diff --git a/actions/docker-multiple-login-develop/action.yml b/actions/docker-multiple-login-develop/action.yml
@@ -128,14 +128,32 @@ runs:
         username: ${{ inputs.azure-client-id  }}
         password: ${{ inputs.azure-client-secret }}
 
+    # _json_key_base64 is not supported so we must convert it
+    - name: GCR Keys
+      if: ${{ inputs.gcr-json-key-base64 }}
+      run: |
+        echo "$GCR_JSON_KEY_BASE64" | base64 --decode >> .gcr-key
+        while read -r line;
+        do
+         echo "::add-mask::${line}"
+        done <<< "$(cat .gcr-key)"
+        echo "GCR_JSON_KEY<<EOF" >> $GITHUB_ENV
+        cat .gcr-key >> $GITHUB_ENV
+        echo "EOF" >> $GITHUB_ENV
+        # clean up
+        rm .gcr-key
+      shell: bash
+      env:
+        GCR_JSON_KEY_BASE64: ${{ inputs.gcr-json-key-base64 }}
+
     # https://github.com/docker/login-action#google-container-registry-gcr
     - name: Login to Google Container Registry (GCR)
       uses: docker/login-action@v1
       if: ${{ inputs.gcr-json-key-base64 }}
       with:
         registry: gcr.io
-        username: _json_key_base64
-        password: ${{ inputs.gcr-json-key-base64 }}
+        username: _json_key
+        password: ${{ env.GCR_JSON_KEY }}
 
     # https://github.com/docker/login-action#google-artifact-registry-gar
     - name: Login to Google Artifact Registry (GAR)

diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQlAr5GZ3nvtuyspUzX2H/+HCMuC9
++THi0CDCAc5zzgD/2Fjb15ZPhuBI3apsCAVYG/zq4WTJLRrdJhuD8I09bA==
+-----END PUBLIC KEY-----