Skip to content

Deploy image to GHCR ๐Ÿช‚ #1156

Deploy image to GHCR ๐Ÿช‚

Deploy image to GHCR ๐Ÿช‚ #1156

Workflow file for this run

name: Deploy image to GHCR ๐Ÿช‚
env:
REGISTRY: ghcr.io
# PLATFORMs is a comma-separted list of architectures to build for.
# We disable linux/arm64 due to runner mem saturation.
PLATFORMS: linux/amd64
on:
repository_dispatch:
types:
- scheduled
workflow_dispatch:
inputs:
origin:
description: DockerHub org or username where the base image is located
required: true
type: choice
default: rocker
options:
- rocker
- rhub
distribution:
description: Rocker/RHub Distro Name.
required: true
type: choice
default: rstudio
options:
- rstudio
- rstudio-local
- gcc13
- gcc14
- atlas
- valgrind
- intel
- nosuggests
- mkl
r_version:
description: |
R version (also used as the tag to pull the origin image).
required: true
type: choice
default: "4.4.0"
options:
- "4.1.0"
- "4.1.1"
- "4.1.2"
- "4.1.3"
- "4.2.0"
- "4.2.1"
- "4.2.2"
- "4.3.0"
- "4.3.1"
- "4.3.2"
- "4.3.3"
- "4.4.0"
- "latest"
latest_r_version:
description: |
R Version to be aliased as the 'latest' tag".
(Only relevant for rocker images).
required: false
type: string
default: "4.4.0"
bioc_version:
description: BioConductor Release
required: true
type: choice
default: "3.19"
options:
- "3.13"
- "3.14"
- "3.15"
- "3.16"
- "3.17"
- "3.18"
- "3.19"
- "devel"
latest_bioc_version:
description: |
BioC Version to be aliased as the 'latest' tag".
(Only relevant for rocker images).
required: false
type: string
default: "3.19"
tag:
description: |
Custom Image Tag/Version. Defaults to current date in the `YYYY.MM.DD` format if unspecified.
required: false
default: ""
tag_latest:
description: Tag image as `latest`
default: false
type: boolean
release_tag:
description: |
Release tag to which SBOM generated for image should be attached.
Release tags follow the `YYYY.MM.DD` format.
This must be specified if you want to upload artifacts to the release.
required: false
default: ""
jobs:
normalize-inputs:
name: Normalize inputs ๐Ÿงน
runs-on: ubuntu-latest
steps:
- name: Normalize ๐Ÿงฝ
id: normalizer
run: |
function normalize() {
local var=$1
if [ "$var" == "" ]
then {
var=$2
}
fi
echo ${var}
}
ORIGIN=$(normalize ${{ github.event.inputs.origin }} ${{ github.event.client_payload.origin }})
DISTRIBUTION=$(normalize ${{ github.event.inputs.distribution }} ${{ github.event.client_payload.distribution }})
ORIGIN_DISTRIBUTION=${DISTRIBUTION//"-local"}
R_VERSION=$(normalize ${{ github.event.inputs.r_version }} ${{ github.event.client_payload.r_version }})
BIOC_VERSION=$(normalize ${{ github.event.inputs.bioc_version }} ${{ github.event.client_payload.bioc_version }})
LATEST_R_VERSION=$(normalize ${{ github.event.inputs.latest_r_version }} ${{ github.event.client_payload.latest_r_version }})
LATEST_BIOC_VERSION=$(normalize ${{ github.event.inputs.latest_bioc_version }} ${{ github.event.client_payload.latest_bioc_version }})
TAG=$(normalize ${{ github.event.inputs.tag }} ${{ github.event.client_payload.tag }})
TAG_LATEST=$(normalize ${{ github.event.inputs.tag_latest }} ${{ github.event.client_payload.tag_latest }})
RELEASE_TAG=$(normalize ${{ github.event.inputs.release_tag }} ${{ github.event.client_payload.release_tag }})
RELEASE_TAG=$(normalize ${RELEASE_TAG} $(date +%Y%m%d))
echo "ORIGIN=$ORIGIN" >> $GITHUB_OUTPUT
echo "ORIGIN_DISTRIBUTION=$ORIGIN_DISTRIBUTION" >> $GITHUB_OUTPUT
echo "DISTRIBUTION=$DISTRIBUTION" >> $GITHUB_OUTPUT
echo "R_VERSION=$R_VERSION" >> $GITHUB_OUTPUT
echo "BIOC_VERSION=$BIOC_VERSION" >> $GITHUB_OUTPUT
echo "LATEST_R_VERSION=$LATEST_R_VERSION" >> $GITHUB_OUTPUT
echo "LATEST_BIOC_VERSION=$LATEST_BIOC_VERSION" >> $GITHUB_OUTPUT
echo "TAG=$TAG" >> $GITHUB_OUTPUT
echo "TAG_LATEST=$TAG_LATEST" >> $GITHUB_OUTPUT
echo "RELEASE_TAG=$RELEASE_TAG" >> $GITHUB_OUTPUT
shell: bash
outputs:
origin: ${{ steps.normalizer.outputs.ORIGIN }}
origin_distribution: ${{ steps.normalizer.outputs.ORIGIN_DISTRIBUTION }}
distribution: ${{ steps.normalizer.outputs.DISTRIBUTION }}
r_version: ${{ steps.normalizer.outputs.R_VERSION }}
bioc_version: ${{ steps.normalizer.outputs.BIOC_VERSION }}
latest_r_version: ${{ steps.normalizer.outputs.LATEST_R_VERSION }}
latest_bioc_version: ${{ steps.normalizer.outputs.LATEST_BIOC_VERSION }}
tag: ${{ steps.normalizer.outputs.TAG }}
tag_latest: ${{ steps.normalizer.outputs.TAG_LATEST }}
release_tag: ${{ steps.normalizer.outputs.RELEASE_TAG }}
build:
runs-on: ubuntu-latest
needs: normalize-inputs
name: Build & Deploy ๐Ÿš€ ${{ needs.normalize-inputs.outputs.distribution }} - ${{ needs.normalize-inputs.outputs.r_version }} | BioC - ${{ needs.normalize-inputs.outputs.bioc_version }}
# Token permissions
permissions:
contents: read
packages: write
id-token: write
attestations: write
# Build steps
steps:
- name: Reclaim Disk Space ๐Ÿšฎ
uses: insightsengineering/disk-space-reclaimer@v1
with:
tools-cache: false
android: true
dotnet: true
haskell: true
large-packages: true
swap-storage: false
docker-images: true
- name: Checkout repository ๐Ÿ’ณ
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
id: buildx
with:
install: true
- name: Set up QEMU
id: qemu
uses: docker/setup-qemu-action@v3
with:
platforms: ${{ env.PLATFORMS }}
- name: Cache Docker layers โ™ป๏ธ
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ needs.normalize-inputs.outputs.distribution }}-${{ needs.normalize-inputs.outputs.r_version }}-${{ needs.normalize-inputs.outputs.bioc_version }}
restore-keys: |
${{ runner.os }}-buildx-${{ needs.normalize-inputs.outputs.distribution }}-${{ needs.normalize-inputs.outputs.r_version }}-${{ needs.normalize-inputs.outputs.bioc_version }}
${{ runner.os }}-buildx-${{ needs.normalize-inputs.outputs.distribution }}-${{ needs.normalize-inputs.outputs.r_version }}-
${{ runner.os }}-buildx-${{ needs.normalize-inputs.outputs.distribution }}-
${{ runner.os }}-buildx-
- name: Log in to the Container registry ๐Ÿ—
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set build variables ๐Ÿ“
id: build_vars
run: |
# Set Image name
image_name="${{ needs.normalize-inputs.outputs.distribution }}_${{ needs.normalize-inputs.outputs.r_version }}_bioc_${{ needs.normalize-inputs.outputs.bioc_version }}"
# For Fedora-based rhub images.
if [[ "${{ needs.normalize-inputs.outputs.distribution }}" =~ ^gcc.*|^atlas$|^valgrind$|^intel$|^nosuggests$|^mkl$ ]]
then {
image_name="${{ needs.normalize-inputs.outputs.distribution }}"
}
fi
# Set default tag as 'YYYY.MM.DD' date if it isn't set
tag="${{ needs.normalize-inputs.outputs.tag }}"
if [ "${tag}" == "" ]
then {
tag=$(date +%Y.%m.%d)
}
fi
tag_latest="${{ needs.normalize-inputs.outputs.tag_latest }}"
# Set full image name
full_names="${{ env.REGISTRY }}/${{ github.repository_owner }}/${image_name}:${tag}"
attestation_image_name="${{ env.REGISTRY }}/${{ github.repository_owner }}/${image_name}"
echo "ATTESTATION_IMAGE_NAME=${attestation_image_name}" >> $GITHUB_OUTPUT
echo "OUTPUT_IMAGE_NAME=${full_names}" >> $GITHUB_OUTPUT
# if [ "${tag_latest}" == "true" ]
# then
# full_names="$full_names,${{ env.REGISTRY }}/${{ github.repository_owner }}/${image_name}:latest"
# fi
if [ "${image_name}" == "rstudio-local_${{ needs.normalize-inputs.outputs.latest_r_version }}_bioc_${{ needs.normalize-inputs.outputs.latest_bioc_version }}" ] \
|| [ "${image_name}" == "rstudio_${{ needs.normalize-inputs.outputs.latest_r_version }}_bioc_${{ needs.normalize-inputs.outputs.latest_bioc_version }}" ]
then
full_names="$full_names,${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ needs.normalize-inputs.outputs.distribution }}:latest"
full_names="$full_names,${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ needs.normalize-inputs.outputs.distribution }}:${tag}"
fi
echo "FULL_NAMES=${full_names}" >> $GITHUB_OUTPUT
echo "github.ref = ${{ github.ref }}"
# Set push if branch is main
if [ "${{ github.ref }}" == 'refs/heads/main' ]; then
echo "DOCKER_PUSH=true" >> $GITHUB_OUTPUT
echo "DOCKER_PUSH = true"
else
echo "DOCKER_PUSH=false" >> $GITHUB_OUTPUT
echo "DOCKER_PUSH = false"
fi
echo "SBOM_OUTPUT_FILENAME=$GITHUB_WORKSPACE/sbom.json" >> $GITHUB_OUTPUT
- name: Build and push image ๐Ÿ—
id: push-image
uses: docker/build-push-action@v5
with:
context: ./
file: Dockerfile
push: ${{ steps.build_vars.outputs.DOCKER_PUSH }}
tags: ${{ steps.build_vars.outputs.FULL_NAMES }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new
build-args: |
ORIGIN=${{ needs.normalize-inputs.outputs.origin }}
ORIGIN_DISTRIBUTION=${{ needs.normalize-inputs.outputs.origin_distribution }}
DISTRIBUTION=${{ needs.normalize-inputs.outputs.distribution }}
R_VERSION=${{ needs.normalize-inputs.outputs.r_version }}
BIOC_VERSION=${{ needs.normalize-inputs.outputs.bioc_version }}
platforms: ${{ env.PLATFORMS }}
- name: Generate image manifest and R package list ๐Ÿณ
run: |
docker manifest inspect ${{ steps.build_vars.outputs.OUTPUT_IMAGE_NAME }} > manifest.json
docker run -v ${PWD}:/app ${{ steps.build_vars.outputs.OUTPUT_IMAGE_NAME }} \
R -e 'write.csv(installed.packages(), file="/app/package_list.csv")'
- name: Reclaim Disk Space for SBOM Generation ๐Ÿšฎ
uses: insightsengineering/disk-space-reclaimer@v1
with:
tools-cache: false
android: true
dotnet: true
haskell: true
large-packages: true
swap-storage: false
docker-images: true
- name: Generate SBOM ๐Ÿ“ƒ
uses: anchore/sbom-action@v0
with:
image: "${{ steps.build_vars.outputs.OUTPUT_IMAGE_NAME }}"
output-file: "${{ steps.build_vars.outputs.SBOM_OUTPUT_FILENAME }}"
artifact-name: "sbom.spdx"
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ steps.build_vars.outputs.ATTESTATION_IMAGE_NAME }}
subject-digest: ${{ steps.push-image.outputs.digest }}
push-to-registry: true
- name: Generate SBOM attestation
uses: actions/attest-sbom@v1
with:
subject-name: ${{ steps.build_vars.outputs.ATTESTATION_IMAGE_NAME }}
subject-digest: ${{ steps.push-image.outputs.digest }}
sbom-path: ${{ steps.build_vars.outputs.SBOM_OUTPUT_FILENAME }}
push-to-registry: true
- name: Upload image manifest to release ๐Ÿ”ผ
uses: svenstaro/upload-release-action@v2
if: "${{ needs.normalize-inputs.outputs.release_tag }} != ''"
with:
repo_token: ${{ secrets.REPO_GITHUB_TOKEN }}
file: "manifest.json"
asset_name: "image.manifest.${{ steps.build_vars.outputs.OUTPUT_IMAGE_NAME }}.json"
tag: "${{ needs.normalize-inputs.outputs.release_tag }}"
overwrite: true
- name: Upload R package list to release ๐Ÿ”ผ
uses: svenstaro/upload-release-action@v2
if: "${{ needs.normalize-inputs.outputs.release_tag }} != ''"
with:
repo_token: ${{ secrets.REPO_GITHUB_TOKEN }}
file: "package_list.csv"
asset_name: "package.list.${{ steps.build_vars.outputs.OUTPUT_IMAGE_NAME }}.csv"
tag: "${{ needs.normalize-inputs.outputs.release_tag }}"
overwrite: true
- name: Upload SBOM to release ๐Ÿ”ผ
uses: svenstaro/upload-release-action@v2
if: "${{ needs.normalize-inputs.outputs.release_tag }} != ''"
with:
repo_token: ${{ secrets.REPO_GITHUB_TOKEN }}
file: "${{ steps.build_vars.outputs.SBOM_OUTPUT_FILENAME }}"
asset_name: "SBOM for ${{ steps.build_vars.outputs.OUTPUT_IMAGE_NAME }}.spdx.json"
tag: "${{ needs.normalize-inputs.outputs.release_tag }}"
overwrite: true
- name: Move cache โ™ป๏ธ
run: |
rm -rf /tmp/.buildx-cache
if [ -f /tmp/.buildx-cache-new ]
then {
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
}
fi