

feat: PAN-2078 deploy to dockerhub on main merge (#51)
* feat: PAN-2078 deploy to dockerhub on main merge

* fix: force run workflow
jpantos authored Jul 4, 2024
1 parent 083f5c9 commit b4bddb1
Showing 4 changed files with 146 additions and 86 deletions.
9 changes: 7 additions & 2 deletions .github/workflows/build.yml
Expand Up @@ -23,13 +23,19 @@ on:
GPG_PASSPHRASE:
description: 'GPG passphrase'
required: false
outputs:
version:
description: 'Version of the built package'
value: ${{ jobs.build-deb.outputs.version }}

jobs:
build-deb:
name: Build and attach .deb and .whl packages
# TODO: Change ubuntu-20.04 for the ARM public runner
runs-on: ${{ inputs.architecture == 'amd64' && 'ubuntu-latest' || 'ubuntu-20.04' }}
environment: ${{ inputs.environment }}
outputs:
version: ${{ steps.is-signed-build.outputs.built-version }}
permissions:
contents: read
strategy:
Expand Down Expand Up @@ -63,6 +69,7 @@ jobs:
id: is-signed-build
run: |
echo "HAS_SECRETS=$(if [ -n "$GPG_PRIVATE_KEY" ] && [ -n "$GPG_PASSPHRASE" ]; then echo 'true'; else echo 'false'; fi)" >> $GITHUB_OUTPUT
echo "built-version=$(poetry version --short)" >> $GITHUB_OUTPUT
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
Expand Down Expand Up @@ -112,8 +119,6 @@ jobs:
run: |
make debian debian-full
make wheel
env:
PANTOS_SERVICE_NODE_VERSION: ${{ inputs.version }}
shell: sh

- name: Sign package
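Review bot: The removed `PANTOS_SERVICE_NODE_VERSION: ${{ inputs.version }}` on the `make debian debian-full` / `make wheel` step means the build no longer receives a version from the caller, and the only version now surfaced is the `built-version` output read from `poetry version --short` in the `is-signed-build` step. If the Makefile or packaging scripts still read that environment variable, the packages will be built with it unset — worth confirming, since nothing in this hunk replaces it. Because `built-version` feeds straight into a Docker tag (via `jobs.build-deb.outputs.version`), a comment on the new output line such as `# must be a valid Docker tag component; consumed by publish-docker.yaml` would document that contract. Prefer `>> "$GITHUB_OUTPUT"` (quoted) on both echo lines for consistency with the rest of the file's shell. The `is-signed-build` step and the build step both begin outside the hunks shown.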
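--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -0,0 +1,22 @@
+name: Publish dev release
+on:
+push:
+branches:
+- main
+
+jobs:
+build:
+name: Build and attach .deb and .whl package
+uses: ./.github/workflows/build.yml
+secrets: 'inherit'
+with:
+architecture: amd64
+
+publish-docker:
+uses: ./.github/workflows/publish-docker.yaml
+needs: [build]
+secrets: 'inherit'
+with:
+tag: ${{ needs.build.outputs.version }}-development
+architecture: amd64
+environment: main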
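Review bot: The `build` job calls `build.yml` with only `architecture: amd64`, yet the called job binds `environment: ${{ inputs.environment }}` (visible in the build.yml hunk above); if that input is required the call will be rejected, and if it is optional the package build runs with no environment gating while `secrets: 'inherit'` hands it every repository-level secret, including the GPG material. Passing `environment:` explicitly here, as `publish-docker` already does, would make the intent clear either way. Note also that the published tag `${{ needs.build.outputs.version }}-development` is rewritten on every push to `main`, so the cosign signature produced downstream only ever attests the most recent digest; consumers of the development image should pin by digest rather than by tag, and a comment saying so on the `tag:` line would help. `secrets: inherit` is the documented spelling of the keyword; the quotes are harmless but unusual.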
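--- a/.github/workflows/publish-docker.yaml
+++ b/.github/workflows/publish-docker.yaml
@@ -0,0 +1,111 @@
+name: Build Debian Package
+on:
+workflow_call:
+inputs:
+tag:
+description: 'The docker tag name'
+required: true
+type: string
+architecture:
+description: 'Architecture to build'
+required: false
+type: string
+default: "amd64"
+environment:
+description: 'Environment where the secrets are stored'
+required: true
+type: string
+secrets:
+DOCKERHUB_USERNAME:
+description: 'Docker Hub username'
+required: false
+DOCKERHUB_TOKEN:
+description: 'Docker Hub token'
+required: false
+
+
+jobs:
+publish-docker:
+name: Publish docker image for ${{ inputs.tag }}/${{ inputs.architecture }}
+environment:
+name: ${{ inputs.environment }}
+url: ${{ steps.set-output-url.outputs.deployment_dockerhub_url }}
+runs-on: ${{ inputs.architecture == 'amd64' && 'ubuntu-latest' || 'ubuntu-20.04' }}
+permissions:
+id-token: write
+steps:
+- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+with:
+disable-sudo: true
+egress-policy: audit
+- uses: actions/checkout@v4
+
+- name: Set up QEMU
+uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+id: buildx
+
+- name: Cache Docker layers
+uses: actions/cache@v3
+with:
+path: /tmp/.buildx-cache
+key: ${{ runner.os }}-buildx-v1.0-service-node-${{ github.sha }}
+restore-keys: |
+${{ runner.os }}-buildx-v1.0-service-node-
+- name: Login to Docker Hub
+uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+with:
+username: ${{ secrets.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+- uses: actions/download-artifact@v4
+with:
+merge-multiple: true
+pattern: build-
+path: dist
+
+- name: Rename built artifacts
+run: |
+for file in dist/*.deb; do
+mv "$file" "${file%.deb}-signed.deb"
+done
+- name: Build and push the images
+run: |
+docker buildx bake \
+--set "*.cache-from=type=local,src=/tmp/.buildx-cache" \
+--set "*.cache-to=type=local,dest=/tmp/.buildx-cache-new" \
+--set "*.platform=linux/${{ inputs.architecture }}" \
+--builder ${{ steps.buildx.outputs.name }} \
+--push \
+-f docker-compose.yml \
+app worker
+env:
+DOCKER_TAG: ${{ inputs.tag }}
+
+- name: Set output url
+id: set-output-url
+run: |
+echo "deployment_dockerhub_url=https://hub.docker.com/r/pantosio/service-node/tags?name=${{ inputs.tag }}" >> $GITHUB_OUTPUT
+- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
+- name: Sign the images
+run: |
+for app in $(docker buildx bake -f docker-compose.yml --print --progress "plain" | jq -r '.target[].tags | add'); do
+for image in $(docker buildx imagetools inspect $app --raw | jq -r '.manifests[].digest'); do
+echo "Signing $image from $app";
+cosign sign --yes --verbose "${app%%:*}@$image";
+done;
+done;
+env:
+DOCKER_TAG: ${{ inputs.tag }}
+COSIGN_EXPERIMENTAL: "true"
+
+- name: Move cache
+run: |
+rm -rf /tmp/.buildx-cache
+mv /tmp/.buildx-cache-new /tmp/.buildx-cache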
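Review bot: `${{ inputs.tag }}` and `${{ inputs.architecture }}` are expanded directly into `run:` scripts (the `--set "*.platform=linux/..."` line and the `Set output url` echo), and GitHub substitutes expressions into the script text before the shell runs it; since the release caller builds `tag` from `github.event.release.tag_name`, that value becomes script text rather than data. The step already exports `DOCKER_TAG: ${{ inputs.tag }}` in `env:`, so the script lines can read the variable instead, e.g. `echo "deployment_dockerhub_url=https://hub.docker.com/r/pantosio/service-node/tags?name=$DOCKER_TAG" >> "$GITHUB_OUTPUT"`, with the same `env:` treatment for `architecture` on the bake step. Action pinning is inconsistent within the new file: `harden-runner`, the docker actions and `cosign-installer` are pinned to commit SHAs with a version comment, while `actions/checkout@v4`, `actions/cache@v3` and `actions/download-artifact@v4` float on mutable tags. The workflow `name: Build Debian Package` appears copied from build.yml; something like `name: Publish Docker image` would match what the job does.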
90 changes: 6 additions & 84 deletions .github/workflows/release.yaml
Expand Up @@ -53,90 +53,12 @@ jobs:
publish-docker:
name: Publish docker image for ${{ needs.define-environment.outputs.deployment_longname }}
needs: [define-environment, build]
environment:
name: dockerhub
url: ${{ steps.set-output-url.outputs.deployment_dockerhub_url }}
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: audit
- uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
id: buildx

- name: Cache Docker layers
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-v1.0-service-node-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-v1.0-service-node-
- name: Login to Docker Hub
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- uses: actions/download-artifact@v4
with:
merge-multiple: true
pattern: build-
path: dist

- name: Rename built artifacts
run: |
for file in dist/*.deb; do
mv "$file" "${file%.deb}-signed.deb"
done
- name: Build and push the images
run: |
docker buildx bake \
--set "*.cache-from=type=local,src=/tmp/.buildx-cache" \
--set "*.cache-to=type=local,dest=/tmp/.buildx-cache-new" \
--set "*.platform=linux/amd64,linux/arm64" \
--builder ${{ steps.buildx.outputs.name }} \
--push \
-f docker-compose.yml \
app worker
env:
PANTOS_SERVICE_NODE_VERSION: ${{ needs.define-environment.outputs.deployment_version }}
PANTOS_SERVICE_NODE_REVISION: ${{ github.run_attempt }}
DOCKER_TAG: ${{ github.event.release.tag_name }}${{ needs.define-environment.outputs.deployment_environment }}

- name: Set output url
id: set-output-url
run: |
echo "deployment_dockerhub_url=https://hub.docker.com/r/pantosio/service-node/tags?name=${{ github.event.release.tag_name }}${{ needs.define-environment.outputs.deployment_environment }}" >> $GITHUB_OUTPUT
- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Sign the images
run: |
for app in $(docker buildx bake -f docker-compose.yml --print --progress "plain" | jq -r '.target[].tags | add'); do
for image in $(docker buildx imagetools inspect $app --raw | jq -r '.manifests[].digest'); do
echo "Signing $image from $app";
cosign sign --yes --verbose "${app%%:*}@$image";
done;
done;
env:
DOCKER_TAG: ${{ github.event.release.tag_name }}${{ needs.define-environment.outputs.deployment_environment }}
COSIGN_EXPERIMENTAL: "true"

- name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
uses: ./.github/workflows/publish-docker.yaml
secrets: 'inherit'
with:
tag: ${{ github.event.release.tag_name }}${{ needs.define-environment.outputs.deployment_environment }}
architecture: amd64
environment: dockerhub

build:
name: Build and attach .deb and .whl package
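Review bot: The release job now calls the reusable workflow with `architecture: amd64` only, whereas the removed inline step built `--set "*.platform=linux/amd64,linux/arm64"`, so arm64 release images stop being published unless the caller is invoked a second time for arm64; if that is intentional, a comment on the `architecture:` line should say so. The removed step also exported `PANTOS_SERVICE_NODE_VERSION` and `PANTOS_SERVICE_NODE_REVISION` to `docker buildx bake`, while `publish-docker.yaml` sets only `DOCKER_TAG`; if `docker-compose.yml` still reads those variables as build args, release images will be built with them unset. Adding optional `version`/`revision` inputs to the reusable workflow and forwarding them here would preserve the previous behaviour. The `jobs:` mapping continues beyond the hunk on both sides.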
