feat: use pre-built fpm container image (#1145)

* feat: use pre-built fpm container image

Signed-off-by: Adrien Mannocci <[email protected]>

* fix: docker login before build phase

Signed-off-by: Adrien Mannocci <[email protected]>

* ci: inherit secrets from upstream workflow

Signed-off-by: Adrien Mannocci <[email protected]>

* ci(fix): docker login for test packages too

Signed-off-by: Adrien Mannocci <[email protected]>

* feat: build container image in the project itself

Signed-off-by: Adrien Mannocci <[email protected]>

* ci: enable cache build on push for testing purpose

Signed-off-by: Adrien Mannocci <[email protected]>

* chore: push only latest

Signed-off-by: Adrien Mannocci <[email protected]>

* fix: correct container tags

Signed-off-by: Adrien Mannocci <[email protected]>

* ci: switch to github packages

Signed-off-by: Adrien Mannocci <[email protected]>

* ci: disable push publish

Signed-off-by: Adrien Mannocci <[email protected]>

* fix: correct permissions

Signed-off-by: Adrien Mannocci <[email protected]>

* fix: correct permissions

Signed-off-by: Adrien Mannocci <[email protected]>

* ci: add version in comments

Signed-off-by: Adrien Mannocci <[email protected]>

* ci: use hardcode literal when useful

Signed-off-by: Adrien Mannocci <[email protected]>

* ci: use a less specific tag

Signed-off-by: Adrien Mannocci <[email protected]>

* ci: test package before publishing the container image

Signed-off-by: Adrien Mannocci <[email protected]>

* ci: re-enable cache on push

Signed-off-by: Adrien Mannocci <[email protected]>

* ci: forward test image tag

Signed-off-by: Adrien Mannocci <[email protected]>

* fix: forward correctly image tag

Signed-off-by: Adrien Mannocci <[email protected]>

* fix: push to env instead of output

Signed-off-by: Adrien Mannocci <[email protected]>

* fix: tag correctly test container image

Signed-off-by: Adrien Mannocci <[email protected]>

* ci: cleanup

Signed-off-by: Adrien Mannocci <[email protected]>

---------

Signed-off-by: Adrien Mannocci <[email protected]>

.github/workflows/build-packages.yml

@@ -1,5 +1,4 @@
 ---
-
 # Runs the build-packages based on the provided files in test.yml
 name: build-packages
 
@@ -12,6 +11,8 @@ permissions:
 jobs:
   build-packages:
     runs-on: ubuntu-latest
+    permissions:
+      packages: read
     steps:
       - uses: actions/checkout@v4
       - uses: actions/download-artifact@v3
@@ -22,6 +23,14 @@ jobs:
         with:
           name: package-parts-linuxmusl-x86-64
           path: agent/native/_build/linuxmusl-x86-64-release/
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: package
         run: make -C packaging package
       - name: package info

.github/workflows/cache.yml

@@ -0,0 +1,87 @@
+---
+name: Build Cached Container Images
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 3 * * 1-5"
+
+env:
+  DOCKER_BUILDKIT: 1
+  IMAGE_NAME: ${{ github.repository }}
+  REGISTRY: ghcr.io
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    uses: ./.github/workflows/build.yml
+
+  publish:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - uses: actions/download-artifact@v3
+        with:
+          name: package-parts-linux-x86-64
+          path: agent/native/_build/linux-x86-64-release/
+
+      - uses: actions/download-artifact@v3
+        with:
+          name: package-parts-linuxmusl-x86-64
+          path: agent/native/_build/linuxmusl-x86-64-release/
+
+      - name: Create a unique tag
+        run: |
+          echo "TEST_TAG=$(date +%s)" >> "${GITHUB_ENV}"
+
+      - name: Extract metadata (tags, labels) for Test Container
+        id: test-meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=${{ env.TEST_TAG }}
+
+      - name: Build and export Container image
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        with:
+          context: ./packaging/cache/
+          load: true
+          tags: ${{ steps.test-meta.outputs.tags }}
+          labels: ${{ steps.test-meta.outputs.labels }}
+
+      - name: Package
+        run: make IMAGE_TAG=${{ env.TEST_TAG }} -C packaging package
+
+      - name: Package info
+        run: make IMAGE_TAG=${{ env.TEST_TAG }} -C packaging info
+
+      - name: Extract metadata (tags, labels) for Container
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        with:
+          context: ./packaging/cache/
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/test-packages.yml

@@ -1,5 +1,4 @@
 ---
-
 # Runs the test packages based on the provided files in test.yml
 name: test-packages
 
@@ -10,12 +9,12 @@ on:
         required: true
         type: string
       max-parallel:
-        description: 'Set the maximum number of jobs that can run simultaneously in the matrix'
+        description: "Set the maximum number of jobs that can run simultaneously in the matrix"
         default: 20
         required: false
         type: number
       package-name:
-        description: 'The artifact name with the binaries to be tested'
+        description: "The artifact name with the binaries to be tested"
         default: "package"
         required: false
         type: string
@@ -38,6 +37,9 @@ jobs:
       TESTING_TYPE: ${{ matrix.item[2] }}
       ELASTIC_APM_PHP_TESTS_MATRIX_ROW: "${{ join(matrix.item, ',') }}"
       BUILD_PACKAGES: build/packages
+    permissions:
+      contents: read
+      packages: read
     steps:
       - uses: actions/checkout@v4
 
@@ -46,6 +48,13 @@ jobs:
           name: ${{ inputs.package-name }}
           path: ${{ env.BUILD_PACKAGES }}
 
+      - name: Log in to the Container registry
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       ## This will help with preparing the signed artifacts that were bundled in a zip file
       - if: ${{ inputs.package-name == 'signed-artifacts' }}
         name: Unzip signed packages

.github/workflows/test.yml

@@ -104,22 +104,30 @@ jobs:
           path: build/*junit.xml
           if-no-files-found: error
   build-packages:
+    permissions:
+      contents: read
+      packages: read
     needs:
       - build
       - static-checks-unit-tests
       - phpt-tests
     uses: ./.github/workflows/build-packages.yml
+    secrets: inherit
 
   generate-test-packages-matrix:
     uses: ./.github/workflows/generate-matrix.yml
 
   test-packages:
+    permissions:
+      contents: read
+      packages: read
     needs:
       - build-packages
       - generate-test-packages-matrix
     uses: ./.github/workflows/test-packages.yml
     with:
       include: ${{ needs.generate-test-packages-matrix.outputs.include }}
+    secrets: inherit
 
   # The very last job to report whether the Workflow passed.
   # This will act as the Branch Protection gatekeeper

packaging/Dockerfile

@@ -1,18 +1,5 @@
-FROM ruby:3.3.0-alpine3.18
-
-ENV FPM_VERSION 1.15.1
-RUN apk add --no-cache \
-    alpine-sdk make cpio curl libarchive-tools make php-pear \
-    python3 py3-virtualenv py3-setuptools py3-pip \
-    rpm unzip xz git tar dpkg \
-  && ln -sf python3 /usr/bin/python \
-  && gem install --no-document fpm -v ${FPM_VERSION}
-
-## Fix fpm issue, see https://github.com/jordansissel/fpm/issues/1227
-ADD fpm_apm.patch /tmp
-RUN (cd /usr/local/bundle/gems/fpm-${FPM_VERSION}/ ; patch -p 1 < /tmp/fpm_apm.patch ) \
-    && rm -f /tmp/fpm_apk.patch
-
+ARG IMAGE_TAG=latest
+FROM ghcr.io/elastic/apm-agent-php:${IMAGE_TAG}
 COPY create-package.sh /bin
 WORKDIR /app
 ENTRYPOINT ["/bin/create-package.sh"]

packaging/Makefile

@@ -1,6 +1,7 @@
 SHELL = /bin/bash
 MAKEFLAGS += --no-print-directory
 IMAGE:=php-packaging
+IMAGE_TAG:=latest
 NAME:=apm-agent-php
 VERSION?=$(shell grep 'VERSION' ../agent/php/ElasticApm/ElasticApm.php | cut -d= -f2 | tr -d " " | sed "s/'\(.*\)'.*/\1/g")
 OUTPUT:=build/packages
@@ -27,7 +28,7 @@ clean: ## Clean the generated packages
 
 .PHONY: prepare
 prepare: ## Build docker image for the packaging
-	docker build -t $(IMAGE) . || exit 1
+	docker build --build-arg IMAGE_TAG=$(IMAGE_TAG) -t $(IMAGE) . || exit 1
 
 .PHONY: build-docker-images
 build-docker-images: prepare prepare-apk prepare-deb prepare-rpm prepare-tar prepare-deb-apache prepare-deb-fpm ## Build all the docker images

packaging/cache/Dockerfile

@@ -0,0 +1,14 @@
+FROM ruby:3.3-alpine
+
+ENV FPM_VERSION 1.15.1
+RUN apk add --no-cache \
+    alpine-sdk make cpio curl libarchive-tools make php-pear \
+    python3 py3-virtualenv py3-setuptools py3-pip \
+    rpm unzip xz git tar dpkg \
+  && ln -sf python3 /usr/bin/python \
+  && gem install --no-document fpm -v ${FPM_VERSION}
+
+## Fix fpm issue, see https://github.com/jordansissel/fpm/issues/1227
+ADD fpm_apm.patch /tmp
+RUN (cd /usr/local/bundle/gems/fpm-${FPM_VERSION}/ ; patch -p 1 < /tmp/fpm_apm.patch ) \
+    && rm -f /tmp/fpm_apk.patch