Skip to content

Commit

Permalink
Infra: Add actions to publish to ECR & Docker Hub (#347)
Browse files Browse the repository at this point in the history
Co-authored-by: Roman Zabaluev <[email protected]>
  • Loading branch information
giom-l and Haarolean authored Oct 7, 2024
1 parent 941358d commit 07f0e0e
Show file tree
Hide file tree
Showing 4 changed files with 235 additions and 77 deletions.
87 changes: 87 additions & 0 deletions .github/workflows/docker_build.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
name: "Docker build"

on:
workflow_call:
inputs:
sha:
required: true
type: string
version:
required: true
type: string

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
token: ${{ github.token }}

- name: Download maven artifacts
uses: actions/download-artifact@v4
with:
name: kafbat-ui-${{ inputs.version }}
path: api/target

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3

- name: Cache Docker layers
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ inputs.sha }}
restore-keys: |
${{ runner.os }}-buildx-
# Build multi platform images and loading them at the same time is not possible with default container runtime : https://github.com/docker/buildx/issues/59
# So let's use containerd instead as it supports this option
# Also containerd is one of the option to allow preserving provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations
- name: Setup docker with containerd
uses: crazy-max/ghaction-setup-docker@v3
with:
daemon-config: |
{
"features": {
"containerd-snapshotter": true
}
}
- name: Build docker image
id: docker_build
uses: docker/build-push-action@v5
with:
builder: ${{ steps.buildx.outputs.name }}
context: api
platforms: linux/amd64,linux/arm64
provenance: mode=min
sbom: true
push: false
load: true
tags: |
kafka-ui:temp
build-args: |
JAR_FILE=api-${{ inputs.version }}.jar
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache

- name: Dump docker image
run: |
docker image save kafka-ui:temp > /tmp/image.tar
- name: Upload docker image
uses: actions/upload-artifact@v4
with:
name: image
path: /tmp/image.tar
retention-days: 1
100 changes: 100 additions & 0 deletions .github/workflows/docker_publish.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
name: "Docker publish"

on:
workflow_call:
inputs:
version:
required: true
type: string
generic_tag:
required: true
type: string

permissions:
packages: write
id-token: write # Required to authenticate with OIDC for AWS

jobs:
deploy:
continue-on-error: true
strategy:
fail-fast: false
matrix:
registry: [ 'docker.io', 'ghcr.io', 'ecr' ]

runs-on: ubuntu-latest
steps:

- name: Download docker image
uses: actions/download-artifact@v4
with:
name: image
path: /tmp

# setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations
- name: Setup docker with containerd
uses: crazy-max/ghaction-setup-docker@v3
with:
daemon-config: |
{
"features": {
"containerd-snapshotter": true
}
}
- name: Load docker image into daemon
run: |
docker load --input /tmp/image.tar
- name: Login to docker.io
if: matrix.registry == 'docker.io'
uses: docker/login-action@v3
with:
registry: ${{ matrix.registry }}
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Login to ghcr.io
if: matrix.registry == 'ghcr.io'
uses: docker/login-action@v3
with:
registry: ${{ matrix.registry }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Configure AWS credentials
if: matrix.registry == 'ecr'
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-east-1 # This region only for public ECR
role-to-assume: ${{ secrets.AWS_ROLE }}

- name: Login to public ECR
if: matrix.registry == 'ecr'
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public

- name: define env vars
run: |
if [ ${{matrix.registry }} == 'docker.io' ]; then
echo "REGISTRY=${{ matrix.registry }}" >> $GITHUB_ENV
echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV
elif [ ${{ matrix.registry }} == 'ghcr.io' ]; then
echo "REGISTRY=${{ matrix.registry }}" >> $GITHUB_ENV
echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV
elif [ ${{ matrix.registry }} == 'ecr' ]; then
echo "REGISTRY=${{ steps.login-ecr-public.outputs.registry }}" >> $GITHUB_ENV
echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV
else
echo "REGISTRY=" >> $GITHUB_ENV
echo "REPOSITORY=notworking" >> $GITHUB_ENV
fi
- name: Push images to ${{ matrix.registry }}
run: |
docker tag kafka-ui:temp ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.generic_tag }}
docker tag kafka-ui:temp ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.version }}
docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.generic_tag }}
docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.version }}
67 changes: 29 additions & 38 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,14 @@ permissions:
contents: read

jobs:
build:
jar-build:
runs-on: ubuntu-latest

permissions:
contents: read
packages: write

outputs:
version: ${{steps.build.outputs.version}}

steps:
- name: Checkout
Expand All @@ -37,42 +40,30 @@ jobs:
export VERSION=$(./mvnw -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
echo "version=${VERSION}" >> $GITHUB_OUTPUT
# docker images

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Cache Docker layers
uses: actions/cache@v4
- name: Upload jar
uses: actions/upload-artifact@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
name: kafbat-ui-${{ steps.build.outputs.version }}
path: api/target/api-${{ steps.build.outputs.version }}.jar
retention-days: 1

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
docker-build:
needs: jar-build
permissions:
contents: read
uses: ./.github/workflows/docker_build.yml
secrets: inherit
with:
sha: ${{ github.sha }}
version: ${{ needs.jar-build.outputs.version }}

- name: Build & push docker image
id: docker_build_and_push
uses: docker/build-push-action@v5
with:
builder: ${{ steps.buildx.outputs.name }}
context: api
platforms: linux/amd64,linux/arm64
provenance: false
push: true
tags: |
ghcr.io/kafbat/kafka-ui:${{ steps.build.outputs.version }}
ghcr.io/kafbat/kafka-ui:main
build-args: |
JAR_FILE=api-${{ steps.build.outputs.version }}.jar
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
docker-deploy:
needs: [ jar-build, docker-build ]
permissions:
packages: write
id-token: write # Required to authenticate with OIDC for AWS
uses: ./.github/workflows/docker_publish.yml
secrets: inherit
with:
version: ${{ needs.jar-build.outputs.version }}
generic_tag: main
58 changes: 19 additions & 39 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -52,47 +52,27 @@ jobs:
with:
name: kafbat-ui-${{ steps.build.outputs.version }}
path: api/target/api-${{ steps.build.outputs.version }}.jar
#################
# #
# Docker images #
# #
#################
- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Cache Docker layers
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
docker-build:
needs: release
permissions:
contents: read
uses: ./.github/workflows/docker_build.yml
secrets: inherit
with:
sha: ${{ github.sha }}
version: ${{ needs.release.outputs.version }}

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
id: docker_build_and_push
uses: docker/build-push-action@v5
with:
builder: ${{ steps.buildx.outputs.name }}
context: api
platforms: linux/amd64,linux/arm64
provenance: false
push: true
tags: |
ghcr.io/kafbat/kafka-ui:${{ steps.build.outputs.version }}
ghcr.io/kafbat/kafka-ui:latest
build-args: |
JAR_FILE=api-${{ steps.build.outputs.version }}.jar
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
docker-deploy:
needs: [release, docker-build]
permissions:
packages: write
id-token: write # Required to authenticate with OIDC for AWS
uses: ./.github/workflows/docker_publish.yml
secrets: inherit
with:
version: ${{ needs.release.outputs.version }}
generic_tag: latest

charts:
runs-on: ubuntu-latest
Expand Down

0 comments on commit 07f0e0e

Please sign in to comment.