Skip to content

Build and Publish Image #56

Build and Publish Image

Build and Publish Image #56

Workflow file for this run

---
name: Build and Publish Image
env:
REGISTRY: ghcr.io
CRAN_PM: https://packagemanager.posit.co/cran/__linux__
OS_NAME: ubuntu
OS_VERSION: jammy
on:
workflow_dispatch:
inputs:
r_version:
description: R Version
required: true
type: choice
default: "4.3.2"
options:
- "4.3.2"
- "latest"
quarto_version:
description: Quarto version
required: true
type: choice
default: "1.3.450"
options:
- "1.3.450"
- "latest"
pandoc_version:
description: Pandoc version
required: true
type: choice
default: "2.9.2.1"
options:
- "2.9.2.1"
- "latest"
cran_snapshot_date:
description: CRAN packages snapshot date (YYYY-MM-DD)
required: true
default: "2024-01-12"
type: string
custom_tag:
description: Custom image tag
required: false
default: ""
type: string
jobs:
build_publish:
name: Build and Publish Image
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Checkout project ⬇️
uses: actions/checkout@v4
- name: Checkout Rocker project ⬇️
uses: actions/checkout@v4
with:
repository: rocker-org/rocker-versioned2
path: ./rocker_scripts
ref: master
- name: Set up Docker Buildx 📐
uses: docker/setup-buildx-action@v3
with:
install: true
- name: Log in to the container registry 🗝️
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set build variables ✏️
id: build_vars
shell: bash
run: |
echo "IMAGE_DATE_TAG=$(date +%Y.%m.%d)" >> $GITHUB_OUTPUT
CRAN_DATE=$(echo ${{ github.event.inputs.cran_snapshot_date }} | sed 's/-/\./g')
IMAGE_NAME=${{ env.REGISTRY }}/${{ github.repository_owner }}/r_${{ github.event.inputs.r_version }}_cran_${CRAN_DATE}
echo "IMAGE_NAME=${IMAGE_NAME,,}" >> $GITHUB_OUTPUT
- name: Docker metadata 🐋
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ steps.build_vars.outputs.IMAGE_NAME }}
tags: |
${{ steps.build_vars.outputs.IMAGE_DATE_TAG }}
${{ github.event.inputs.custom_tag }}
type=raw,value=latest,enable=${{ github.ref_name == 'main' }}
labels: |
org.opencontainers.image.description=Image used in CI workflows by the Boehringer-Ingelheim organisation
org.opencontainers.image.vendor=Boehringer-Ingelheim
- name: Build and push image 🛠️
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
platforms: linux/amd64
cache-from: type=registry,ref=${{ steps.build_vars.outputs.IMAGE_NAME }}:cache
cache-to: type=registry,ref=${{ steps.build_vars.outputs.IMAGE_NAME }}:cache,mode=min
build-args: |
R_VERSION=${{ github.event.inputs.r_version }}
CRAN=${{ env.CRAN_PM }}/${{ env.OS_VERSION }}/${{ github.event.inputs.cran_snapshot_date }}
OS_NAME=${{ env.OS_NAME }}
OS_VERSION=${{ env.OS_VERSION }}
PANDOC_VERSION=${{ github.event.inputs.pandoc_version }}
QUARTO_VERSION=${{ github.event.inputs.quarto_version }}
outputs:
IMAGE: ${{ steps.build_vars.outputs.IMAGE_NAME }}
TAG: ${{ steps.build_vars.outputs.IMAGE_DATE_TAG }}
create-release:
if: github.ref_name == 'main'
needs: build_publish
name: Create release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Generate release body 📜
id: build-release
shell: bash
run: |
NORMALISED_IMAGE=$(echo '${{ needs.build_publish.outputs.IMAGE }}' | sed 's/\//_/g')
echo "TAGGED_IMAGE=${{ needs.build_publish.outputs.IMAGE }}:${{ needs.build_publish.outputs.TAG }}" >> $GITHUB_OUTPUT
echo "MANIFEST_OUTPUT_FILENAME=Image_manifest_$NORMALISED_IMAGE.json" >> $GITHUB_OUTPUT
echo "R_PKG_OUTPUT_FILENAME=R_package_list_$NORMALISED_IMAGE.csv" >> $GITHUB_OUTPUT
echo "SBOM_OUTPUT_FILENAME=SBOM_for_$NORMALISED_IMAGE.spdx.json" >> $GITHUB_OUTPUT
- name: Generate image manifest and R package list 🛞
shell: bash
run: |
docker manifest inspect ${{ steps.build-release.outputs.TAGGED_IMAGE }} > ${{ steps.build-release.outputs.MANIFEST_OUTPUT_FILENAME }}
docker run -v ${PWD}:/app ${{ steps.build-release.outputs.TAGGED_IMAGE }} \
R -q -e 'write.csv(installed.packages(), file="/app/${{ steps.build-release.outputs.R_PKG_OUTPUT_FILENAME }}")'
- name: Generate SBOM 📃
uses: anchore/sbom-action@v0
with:
image: "${{ steps.build-release.outputs.TAGGED_IMAGE }}"
output-file: "${{ github.workspace }}/${{ steps.build-release.outputs.SBOM_OUTPUT_FILENAME }}"
- name: Upload artifacts to release ⬆️
uses: marvinpinto/action-automatic-releases@latest
with:
prerelease: false
repo_token: "${{ secrets.GITHUB_TOKEN }}"
automatic_release_tag: ${{ needs.build_publish.outputs.TAG }}
title: ${{ needs.build_publish.outputs.TAG }}
files: |
${{ steps.build-release.outputs.MANIFEST_OUTPUT_FILENAME }}
${{ steps.build-release.outputs.R_PKG_OUTPUT_FILENAME }}
${{ steps.build-release.outputs.SBOM_OUTPUT_FILENAME }}
sec_ops:
if: github.ref_name == 'main'
needs: build_publish
permissions:
security-events: write
name: Update security artifacts
uses: boehringer-ingelheim/dv.ci-images/.github/workflows/secops.yml@main
with:
image_tag: "${{ needs.build_publish.outputs.image }}:${{ needs.build_publish.outputs.tag }}"
clean_up:
if: github.ref_name == 'main'
needs: build_publish
name: Package maintenance
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Clean old artifacts
uses: actions/delete-package-versions@v5
with:
package-name: ${{ needs.build_publish.outputs.IMAGE }}
min-versions-to-keep: 2