From bc7b31536b42638fc5e2f766b59b2f90d0940b01 Mon Sep 17 00:00:00 2001
From: mauwii
Date: Fri, 15 Sep 2023 02:09:33 +0200
Subject: [PATCH] update ci.yml
- change push trigger to main branch
- run local registry for PRs
- add env.CACHE_FROM_REGISTRY
- update env.IMAGE_REPOSITORY
- remove docker credentials from env
- use docker driver if PR
- update metadata-action to v4.6.0
- update docker tag priority, make sha highest
- fix label org.opencontainers.image.title
- don't write cache if PR
---
.github/workflows/ci.yml | 55 +++++++++++++++++++++++-----------------
1 file changed, 32 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 615da1b..f2feca3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,7 @@ name: ci
on:
push:
+ branches: [main]
paths: - '**/Dockerfile' - '**/toolsets/*.json'
@@ -34,13 +35,17 @@ jobs:
distro: 'ubuntu'
codename: 'focal'
from-flavor: 'act'
+ services:
+ registry:
+ image: registry:2
+ ports: [5000]
+ # options: --entrypoint /bin/registry
env:
- REGISTRY: docker.io
+ CACHE_FROM_REGISTRY: docker.io
IMAGE_NAME: ${{ format('{0}-{1}', matrix.distro, matrix.from-flavor) }}
- IMAGE_REPOSITORY: ${{ format('{0}/{1}', github.repository_owner, format('{0}-{1}', matrix.distro, matrix.from-flavor)) }}
+ IMAGE_REPOSITORY: ${{ format('{0}/{1}-{2}', github.repository_owner, matrix.distro, matrix.from-flavor) }}
SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
- DOCKERHUB_USERNAME: ${{ github.repository_owner }}
- DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+ REGISTRY: ${{ github.event_name == 'pull_request' && format('{0}:{1}','localhost', '5000') || 'docker.io' }}
steps: - uses: actions/checkout@v4
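Review bot: The `REGISTRY` value `localhost:5000` chosen for `pull_request` runs does not match how the `registry` service is published: `ports: [5000]` only exposes container port 5000 on a randomly assigned host port, so nothing on the runner listens on host port 5000. Map it explicitly, `ports: ['5000:5000']` (quoted so a YAML 1.1 parser cannot read `5000:5000` as a sexagesimal integer), or read the assigned port from `${{ job.services.registry.ports['5000'] }}`. As far as the hunks in this patch show, the PR path never pushes to that registry either (`push` is disabled and the cache exporter is skipped on PRs), so the service is started for every run of the job — including `push` runs — without being used; either wire the PR build to push to it or drop the service until it is needed.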
@@ -55,10 +60,10 @@ jobs: - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2.10.0
- # with:
- # driver-opts: |
- # image=moby/buildkit:v0.12.2
- # network=host
+ with:
+ driver: ${{ github.event_name == 'pull_request' && 'docker' || 'docker-container' }}
+ driver-opts: ${{ github.event_name == 'pull_request' && 'network=host,image=moby/buildkit:v0.12.2' || '' }}
+ install: ${{ github.event_name == 'pull_request' && true || false }}
# - name: Login to GitHub Container Registry
# uses: docker/login-action@v2.1.0
@@ -71,24 +76,25 @@ jobs:
# https://github.com/docker/login-action - name: Login to Docker Hub
uses: docker/login-action@v2.2.0
+ if: vars.DOCKERHUB_USER != ''
with:
- registry: ${{ env.REGISTRY }}
- username: ${{ env.DOCKERHUB_USERNAME }}
- password: ${{ env.DOCKERHUB_TOKEN }}
+ registry: ${{ env.CACHE_FROM_REGISTRY }}
+ username: ${{ vars.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
logout: true
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action - name: Extract Docker metadata
id: meta
- uses: docker/metadata-action@v4.4.0
+ uses: docker/metadata-action@v4.6.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- images: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}
+ images: ${{ github.event_name != 'pull_request' && format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) || env.IMAGE_REPOSITORY }}
tags: |
+ type=sha,prefix=${{ matrix.from-version }}-,format=short,enable={{is_default_branch}},priority=1000
type=raw,value=${{ matrix.from-version }},enable={{is_default_branch}},priority=900
type=raw,value=${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }},priority=600
- type=sha,prefix=${{ matrix.from-version }}-,format=short,enable={{is_default_branch}},priority=100
flavor: |
latest=${{ github.ref == format('refs/heads/{0}', 'main') && matrix.from-version == '22.04' }}
labels: |
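Review bot: The new `driver-opts` line pairs `image=moby/buildkit:v0.12.2` with the `docker` driver, but that driver builds through the daemon's built-in BuildKit rather than a separate builder container, so the image (and `network=host`) presumably have no effect there — while on the `docker-container` path, where they would apply, the opts are an empty string. If a pinned BuildKit is the intent, move it to the `docker-container` branch and pin by digest (`image=moby/buildkit:v0.12.2@sha256:<digest>`) so the builder pulled at build time cannot change under a mutable tag. Separately, `install: ${{ github.event_name == 'pull_request' && true || false }}` is just `install: ${{ github.event_name == 'pull_request' }}`.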
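Review bot: Gating the Docker Hub login on `if: vars.DOCKERHUB_USER != ''` checks the wrong thing: a non-empty username variable says nothing about the password, and on `pull_request` runs from forks `secrets.DOCKERHUB_TOKEN` is withheld (configuration variables are not secret and may still be populated), so such runs would call `docker/login-action` with an empty password and fail the job before the build starts. Since the PR path does not push at all (see the `push:`/`load:` inputs of the build step later in this patch), gate the step on the event instead: `if: github.event_name != 'pull_request' && vars.DOCKERHUB_USER != ''`. Moving the token out of the job-level `env` into the step input is the right direction — it is no longer exposed to every step of the job — so keep that part.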
@@ -97,7 +103,7 @@ jobs:
org.opencontainers.image.documentation=${{ env.REPOSITORY_LINK }}
org.opencontainers.image.revision=${{ env.SHA }}
org.opencontainers.image.source=${{ github.repositoryUrl }}
- org.opencontainers.image.title=${{ env.IMAGE_REPOSITORY }}:${{ github.head_ref || github.ref_name }}
+ org.opencontainers.image.title=${{ env.IMAGE_REPOSITORY }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }}
org.opencontainers.image.url=${{ env.REPOSITORY_LINK }}/blob/${{ env.SHA }}/linux/${{ matrix.distro }}/Dockerfile
org.opencontainers.image.vendor=${{ github.repository_owner }}
env:
@@ -125,15 +131,15 @@ jobs:
CODENAME=${{ matrix.codename }}
# caching to speed up the build
cache-from: |
- type=registry,ref=${{ env.REGISTRY_IMAGE }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }}
- type=registry,ref=${{ env.REGISTRY_IMAGE }}:cache-${{ matrix.codename }}
+ ${{ format('type=registry,ref={0}:{1}', env.CACHE_FROM_REGISTRY, matrix.from-version) }}
+ ${{ format('type=registry,ref={0}:cache-{1}',env.CACHE_FROM_REGISTRY, matrix.codename) }}
# cache exporter doesn't work with docker driver
- cache-to: |
- type=registry,ref=${{ env.REGISTRY_IMAGE }}:cache-${{ matrix.codename }},mode=max
+ cache-to: ${{ github.event_name != 'pull_request' && format('type=registry,ref={0}:cache-{1},mode=max',env.REGISTRY_IMAGE, matrix.codename) || '' }}
# this will give us some useful information about the build
provenance: mode=max
- push: true
- # outputs: type=image,name=${{ env.REGISTRY_IMAGE }}:${{ matrix.from-version }}-${{ github.head_ref || github.ref_name }},push=true
+ # push if not a PR, load if a PR
+ push: ${{ github.event_name != 'pull_request' }}
+ load: ${{ github.event_name == 'pull_request' }}
env:
REGISTRY_IMAGE: ${{ format('{0}/{1}', env.REGISTRY, env.IMAGE_REPOSITORY) }}
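Review bot: The two new `cache-from` refs drop the repository: `env.CACHE_FROM_REGISTRY` is only `docker.io`, so they expand to `type=registry,ref=docker.io:22.04` and `ref=docker.io:cache-focal` — references with no image name, which cannot point at the cache the `cache-to` line writes to `docker.io/<owner>/<distro>-<flavor>:cache-<codename>`. BuildKit typically only warns when a cache import cannot be resolved, so every build would silently start cold rather than fail. Use `${{ format('type=registry,ref={0}/{1}:{2}', env.CACHE_FROM_REGISTRY, env.IMAGE_REPOSITORY, matrix.from-version) }}` and `${{ format('type=registry,ref={0}/{1}:cache-{2}', env.CACHE_FROM_REGISTRY, env.IMAGE_REPOSITORY, matrix.codename) }}`. The build step's `- name:`/`uses:` header and its earlier inputs are above the hunk.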
@@ -145,14 +151,17 @@ jobs:
with:
command: sbom,compare
image: ${{ steps.meta.outputs.tags }}
- to: ${{ format('{0}/{1}:{2}', env.REGISTRY, env.IMAGE_REPOSITORY, matrix.from-version) }}
- organization: ${{ github.repository_owner }}
+ # image: ${{ format('{0}:{1}-{2}', env.IMAGE_REPOSITORY, matrix.from-version, github.head_ref || github.ref_name) }}
+ to: ${{ format('{0}/{1}:{2}', env.CACHE_FROM_REGISTRY, env.IMAGE_REPOSITORY, matrix.from-version) }}
+ organization: ${{ vars.DOCKERHUB_USER }}
ignore-unchanged: true
only-severities: critical
write-comment: ${{ github.actor != 'nektos/act' }}
keep-previous-comments: true
summary: ${{ github.actor != 'nektos/act' }}
github-token: ${{ secrets.GITHUB_TOKEN }}
+ dockerhub-user: ${{ vars.DOCKERHUB_USER }}
+ dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }}
# ToDo: Move into a separate workflow and depend on ci and mega-linter
approve-pr:
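Review bot: The new `dockerhub-user`/`dockerhub-password` inputs and `organization: ${{ vars.DOCKERHUB_USER }}` are passed unconditionally, while the Docker Hub login earlier in this patch is gated on `if: vars.DOCKERHUB_USER != ''`; when the variable is unset this step still runs with an empty organization and empty credentials, and on `pull_request` runs from forks the password is empty regardless because secrets are withheld there. Add the same guard to this step — `if: vars.DOCKERHUB_USER != ''`, or the event-based variant suggested for the login — so a missing configuration skips the compare instead of handing empty credentials to the action. The step's `- name:`/`uses:` lines are above the hunk, so the condition belongs on the step header outside this view.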