Build and Publish Image #48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build and Publish Image | |
env: | |
REGISTRY: ghcr.io | |
CRAN_PM: https://packagemanager.posit.co/cran/__linux__ | |
OS_NAME: ubuntu | |
OS_VERSION: jammy | |
on: | |
workflow_dispatch: | |
inputs: | |
r_version: | |
description: R Version | |
required: true | |
type: choice | |
default: "4.3.2" | |
options: | |
- "4.3.2" | |
- "latest" | |
quarto_version: | |
description: Quarto version | |
required: true | |
type: choice | |
default: "1.3.450" | |
options: | |
- "1.3.450" | |
- "latest" | |
pandoc_version: | |
description: Pandoc version | |
required: true | |
type: choice | |
default: "2.9.2.1" | |
options: | |
- "2.9.2.1" | |
- "latest" | |
cran_snapshot_date: | |
description: CRAN packages snapshot date (YYYY-MM-DD) | |
required: true | |
default: "2024-01-12" | |
type: string | |
custom_tag: | |
description: Custom image tag | |
required: false | |
default: "" | |
type: string | |
jobs: | |
build_publish: | |
name: Build and Publish Image | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
steps: | |
- name: Checkout project ⬇️ | |
uses: actions/checkout@v4 | |
- name: Checkout Rocker project ⬇️ | |
uses: actions/checkout@v4 | |
with: | |
repository: rocker-org/rocker-versioned2 | |
path: ./rocker_scripts | |
ref: master | |
- name: Set up Docker Buildx 📐 | |
uses: docker/setup-buildx-action@v3 | |
with: | |
install: true | |
- name: Log in to the container registry 🗝️ | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set build variables ✏️ | |
id: build_vars | |
shell: bash | |
run: | | |
echo "IMAGE_DATE_TAG=$(date +%Y.%m.%d)" >> $GITHUB_OUTPUT | |
CRAN_DATE=$(echo ${{ github.event.inputs.cran_snapshot_date }} | sed 's/-/\./g') | |
IMAGE_NAME=${{ env.REGISTRY }}/${{ github.repository_owner }}/r_${{ github.event.inputs.r_version }}_cran_${CRAN_DATE} | |
echo "IMAGE_NAME=${IMAGE_NAME,,}" >> $GITHUB_OUTPUT | |
- name: Docker metadata 🐋 | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: | | |
${{ steps.build_vars.outputs.IMAGE_NAME }} | |
tags: | | |
${{ steps.build_vars.outputs.IMAGE_DATE_TAG }} | |
${{ github.event.inputs.custom_tag }} | |
type=raw,value=latest,enable=${{ github.ref_name == 'main' }} | |
labels: | | |
org.opencontainers.image.description=Image used in CI workflows by the Boehringer-Ingelheim organisation | |
org.opencontainers.image.vendor=Boehringer-Ingelheim | |
- name: Build and push image 🛠️ | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: ./Dockerfile | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
annotations: ${{ steps.meta.outputs.annotations }} | |
platforms: linux/amd64 | |
cache-from: type=registry,ref=${{ steps.build_vars.outputs.IMAGE_NAME }}:cache | |
cache-to: type=registry,ref=${{ steps.build_vars.outputs.IMAGE_NAME }}:cache,mode=min | |
build-args: | | |
R_VERSION=${{ github.event.inputs.r_version }} | |
CRAN=${{ env.CRAN_PM }}/${{ env.OS_VERSION }}/${{ github.event.inputs.cran_snapshot_date }} | |
OS_NAME=${{ env.OS_NAME }} | |
OS_VERSION=${{ env.OS_VERSION }} | |
PANDOC_VERSION=${{ github.event.inputs.pandoc_version }} | |
QUARTO_VERSION=${{ github.event.inputs.quarto_version }} | |
outputs: | |
IMAGE: ${{ steps.build_vars.outputs.IMAGE_NAME }} | |
TAG: ${{ steps.build_vars.outputs.IMAGE_DATE_TAG }} | |
create-release: | |
if: github.ref_name == 'main' | |
needs: build_publish | |
name: Create release | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
steps: | |
- name: Generate release body 📜 | |
id: build-release | |
shell: bash | |
run: | | |
NORMALISED_IMAGE=$(echo '${{ needs.build_publish.outputs.IMAGE }}' | sed 's/\//_/g') | |
echo "RELEASE_BODY=Check the artifacts in this release for more information about the published image." >> $GITHUB_OUTPUT | |
echo "TAGGED_IMAGE=${{ needs.build_publish.outputs.IMAGE }}:${{ needs.build_publish.outputs.TAG }}" >> $GITHUB_OUTPUT | |
echo "MANIFEST_OUTPUT_FILENAME=Image_manifest_$NORMALISED_IMAGE.json" >> $GITHUB_OUTPUT | |
echo "R_PKG_OUTPUT_FILENAME=R_package_list_$NORMALISED_IMAGE.csv" >> $GITHUB_OUTPUT | |
echo "SBOM_OUTPUT_FILENAME=SBOM_for_$NORMALISED_IMAGE.spdx.json" >> $GITHUB_OUTPUT | |
- name: Generate image manifest and R package list 🛞 | |
shell: bash | |
run: | | |
docker manifest inspect ${{ steps.build-release.outputs.TAGGED_IMAGE }} > ${{ steps.build-release.outputs.MANIFEST_OUTPUT_FILENAME }} | |
docker run -v ${PWD}:/app ${{ steps.build-release.outputs.TAGGED_IMAGE }} \ | |
R -q -e 'write.csv(installed.packages(), file="/app/${{ steps.build-release.outputs.R_PKG_OUTPUT_FILENAME }}")' | |
- name: Generate SBOM 📃 | |
uses: anchore/sbom-action@v0 | |
with: | |
image: "${{ steps.build-release.outputs.TAGGED_IMAGE }}" | |
output-file: "${{ github.workspace }}/${{ steps.build-release.outputs.SBOM_OUTPUT_FILENAME }}" | |
artifact-name: "sbom.spdx" | |
- name: Upload artifacts to release ⬆️ | |
uses: marvinpinto/action-automatic-releases@latest | |
with: | |
prerelease: false | |
repo_token: "${{ secrets.GITHUB_TOKEN }}" | |
automatic_release_tag: "latest" | |
title: ${{ needs.build_publish.outputs.TAG }} | |
files: | | |
${{ steps.build-release.outputs.MANIFEST_OUTPUT_FILENAME }} | |
${{ steps.build-release.outputs.R_PKG_OUTPUT_FILENAME }} | |
${{ steps.build-release.outputs.SBOM_OUTPUT_FILENAME }} | |
sec_ops: | |
if: github.ref_name == 'main' | |
needs: build_publish | |
permissions: | |
security-events: write | |
name: Update security artifacts | |
uses: boehringer-ingelheim/dv.ci-images/.github/workflows/secops.yml@main | |
with: | |
image_tag: "${{ needs.build_publish.outputs.image }}:${{ needs.build_publish.outputs.tag }}" |