diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml new file mode 100644 index 000000000..2c4f513d5 --- /dev/null +++ b/.github/workflows/docker_build.yml @@ -0,0 +1,87 @@ +name: "Docker build" + +on: + workflow_call: + inputs: + sha: + required: true + type: string + version: + required: true + type: string + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + token: ${{ github.token }} + + - name: Download maven artifacts + uses: actions/download-artifact@v4 + with: + name: kafbat-ui-${{ inputs.version }} + path: api/target + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v3 + + - name: Cache Docker layers + uses: actions/cache@v4 + with: + path: /tmp/.buildx-cache + key: ${{ runner.os }}-buildx-${{ inputs.sha }} + restore-keys: | + ${{ runner.os }}-buildx- + + # Build multi platform images and loading them at the same time is not possible with default container runtime : https://github.com/docker/buildx/issues/59 + # So let's use containerd instead as it supports this option + # Also containerd is one of the option to allow preserving provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations + - name: Setup docker with containerd + uses: crazy-max/ghaction-setup-docker@v3 + with: + daemon-config: | + { + "features": { + "containerd-snapshotter": true + } + } + + - name: Build docker image + id: docker_build + uses: docker/build-push-action@v5 + with: + builder: ${{ steps.buildx.outputs.name }} + context: api + platforms: linux/amd64,linux/arm64 + provenance: mode=min + sbom: true + push: false + load: true + tags: | + kafka-ui:temp + build-args: | + JAR_FILE=api-${{ inputs.version }}.jar + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache + + - name: Dump docker image + run: | + docker image save kafka-ui:temp > /tmp/image.tar + + - name: Upload docker image + uses: actions/upload-artifact@v4 + with: + name: image + path: /tmp/image.tar + retention-days: 1 diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml new file mode 100644 index 000000000..47ee65cd8 --- /dev/null +++ b/.github/workflows/docker_publish.yml @@ -0,0 +1,100 @@ +name: "Docker publish" + +on: + workflow_call: + inputs: + version: + required: true + type: string + generic_tag: + required: true + type: string + +permissions: + packages: write + id-token: write # Required to authenticate with OIDC for AWS + +jobs: + deploy: + continue-on-error: true + strategy: + fail-fast: false + matrix: + registry: [ 'docker.io', 'ghcr.io', 'ecr' ] + + runs-on: ubuntu-latest + steps: + + - name: Download docker image + uses: actions/download-artifact@v4 + with: + name: image + path: /tmp + + # setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations + - name: Setup docker with containerd + uses: crazy-max/ghaction-setup-docker@v3 + with: + daemon-config: | + { + "features": { + "containerd-snapshotter": true + } + } + + - name: Load docker image into daemon + run: | + docker load --input /tmp/image.tar + + - name: Login to docker.io + if: matrix.registry == 'docker.io' + uses: docker/login-action@v3 + with: + registry: ${{ matrix.registry }} + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io + if: matrix.registry == 'ghcr.io' + uses: docker/login-action@v3 + with: + registry: ${{ matrix.registry }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Configure AWS credentials + if: matrix.registry == 'ecr' + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-east-1 # This region only for public ECR + role-to-assume: ${{ secrets.AWS_ROLE }} + + - name: Login to public ECR + if: matrix.registry == 'ecr' + id: login-ecr-public + uses: aws-actions/amazon-ecr-login@v2 + with: + registry-type: public + + - name: define env vars + run: | + if [ ${{matrix.registry }} == 'docker.io' ]; then + echo "REGISTRY=${{ matrix.registry }}" >> $GITHUB_ENV + echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV + elif [ ${{ matrix.registry }} == 'ghcr.io' ]; then + echo "REGISTRY=${{ matrix.registry }}" >> $GITHUB_ENV + echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV + elif [ ${{ matrix.registry }} == 'ecr' ]; then + echo "REGISTRY=${{ steps.login-ecr-public.outputs.registry }}" >> $GITHUB_ENV + echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV + else + echo "REGISTRY=" >> $GITHUB_ENV + echo "REPOSITORY=notworking" >> $GITHUB_ENV + fi + + - name: Push images to ${{ matrix.registry }} + run: | + docker tag kafka-ui:temp ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.generic_tag }} + docker tag kafka-ui:temp ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.version }} + docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.generic_tag }} + docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.version }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d4e180086..7701b91e6 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,11 +9,14 @@ permissions: contents: read jobs: - build: + jar-build: runs-on: ubuntu-latest + permissions: contents: read - packages: write + + outputs: + version: ${{steps.build.outputs.version}} steps: - name: Checkout @@ -37,42 +40,30 @@ jobs: export VERSION=$(./mvnw -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec) echo "version=${VERSION}" >> $GITHUB_OUTPUT - # docker images - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Cache Docker layers - uses: actions/cache@v4 + - name: Upload jar + uses: actions/upload-artifact@v4 with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- + name: kafbat-ui-${{ steps.build.outputs.version }} + path: api/target/api-${{ steps.build.outputs.version }}.jar + retention-days: 1 - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + docker-build: + needs: jar-build + permissions: + contents: read + uses: ./.github/workflows/docker_build.yml + secrets: inherit + with: + sha: ${{ github.sha }} + version: ${{ needs.jar-build.outputs.version }} - - name: Build & push docker image - id: docker_build_and_push - uses: docker/build-push-action@v5 - with: - builder: ${{ steps.buildx.outputs.name }} - context: api - platforms: linux/amd64,linux/arm64 - provenance: false - push: true - tags: | - ghcr.io/kafbat/kafka-ui:${{ steps.build.outputs.version }} - ghcr.io/kafbat/kafka-ui:main - build-args: | - JAR_FILE=api-${{ steps.build.outputs.version }}.jar - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache + docker-deploy: + needs: [ jar-build, docker-build ] + permissions: + packages: write + id-token: write # Required to authenticate with OIDC for AWS + uses: ./.github/workflows/docker_publish.yml + secrets: inherit + with: + version: ${{ needs.jar-build.outputs.version }} + generic_tag: main diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9c7fcce52..3a3c9de23 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -52,47 +52,27 @@ jobs: with: name: kafbat-ui-${{ steps.build.outputs.version }} path: api/target/api-${{ steps.build.outputs.version }}.jar - ################# - # # - # Docker images # - # # - ################# - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Cache Docker layers - uses: actions/cache@v4 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- + docker-build: + needs: release + permissions: + contents: read + uses: ./.github/workflows/docker_build.yml + secrets: inherit + with: + sha: ${{ github.sha }} + version: ${{ needs.release.outputs.version }} - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push - id: docker_build_and_push - uses: docker/build-push-action@v5 - with: - builder: ${{ steps.buildx.outputs.name }} - context: api - platforms: linux/amd64,linux/arm64 - provenance: false - push: true - tags: | - ghcr.io/kafbat/kafka-ui:${{ steps.build.outputs.version }} - ghcr.io/kafbat/kafka-ui:latest - build-args: | - JAR_FILE=api-${{ steps.build.outputs.version }}.jar - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache + docker-deploy: + needs: [release, docker-build] + permissions: + packages: write + id-token: write # Required to authenticate with OIDC for AWS + uses: ./.github/workflows/docker_publish.yml + secrets: inherit + with: + version: ${{ needs.release.outputs.version }} + generic_tag: latest charts: runs-on: ubuntu-latest