ci: Update Docker workflow to build-push-action v2 (#1441)

* Update builder base image to python:3.8-slim
* Consolidate Docker testing and publishing workflow
   - Move out of CI workflow
   - Rename .github/workflows/publish-docker.yml -> .github/workflows/docker.yml
* Update Docker workflow to use docker/login-action@v2
   - Use update guide 
   - c.f. https://github.com/docker/build-push-action/blob/17822e4df435afa2aa88ec7d85b56ff55446ca36/UPGRADE.md
* Update Docker tagging system to be context dependent

.github/workflows/ci.yml

@@ -55,35 +55,3 @@ jobs:
       if: github.event_name == 'schedule' && matrix.python-version == 3.8
       run: |
         python -m pytest -r sx --benchmark-sort=mean tests/benchmarks/test_benchmark.py
-
-  docker:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v2
-    - name: Build Docker image
-      uses: docker/build-push-action@v1
-      with:
-        repository: pyhf/pyhf
-        dockerfile: docker/Dockerfile
-        tags: test
-        tag_with_sha: true
-        tag_with_ref: true
-        push: false
-    - name: List built images
-      run: docker images
-    - name: Run CLI API check
-      run: |
-        printf "\npyhf\n"
-        docker run --rm pyhf/pyhf:test
-        printf "\npyhf --version\n"
-        docker run --rm pyhf/pyhf:test --version
-        printf "\npyhf --help\n"
-        docker run --rm pyhf/pyhf:test --help
-    - name: Check for curl and tar
-      run: >-
-        docker run --rm
-        --entrypoint /bin/bash
-        pyhf/pyhf:test
-        -c "which curl; which tar"

.github/workflows/docker.yml

@@ -0,0 +1,123 @@
+name: Docker Images
+
+on:
+  push:
+    branches:
+    - master
+    tags:
+    - v*
+  pull_request:
+    branches:
+    - master
+  schedule:
+    - cron:  '1 0 * * *'
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+  docker:
+    name: Build, test, and publish Docker images to Docker Hub
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Prepare
+        id: prep
+        run: |
+          DOCKER_IMAGE=pyhf/pyhf
+          VERSION=latest
+          if [[ $GITHUB_REF == refs/tags/* ]]; then
+            VERSION=${GITHUB_REF#refs/tags/}
+          elif [[ $GITHUB_REF == refs/pull/* ]]; then
+            VERSION=pr-${{ github.event.number }}
+          fi
+          TAGS="${DOCKER_IMAGE}:${VERSION}"
+          TAGS="$TAGS,${DOCKER_IMAGE}:latest,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
+          if [ "${{ github.event_name }}" = "release" ]; then
+            TAGS="$TAGS,${DOCKER_IMAGE}:latest-stable"
+          fi
+          echo ::set-output name=version::${VERSION}
+          echo ::set-output name=tags::${TAGS}
+          echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Test build
+        id: docker_build_test
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: docker/Dockerfile
+          tags: ${{ steps.prep.outputs.tags }}
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          load: true
+          push: false
+
+      - name: Image digest
+        run: echo ${{ steps.docker_build_test.outputs.digest }}
+
+      - name: List built images
+        run: docker images
+
+      - name: Run CLI API check
+        run: |
+          printf "\npyhf\n"
+          docker run --rm pyhf/pyhf:sha-${GITHUB_SHA::8}
+          printf "\npyhf --version\n"
+          docker run --rm pyhf/pyhf:sha-${GITHUB_SHA::8} --version
+          printf "\npyhf --help\n"
+          docker run --rm pyhf/pyhf:sha-${GITHUB_SHA::8} --help
+
+      - name: Check for curl and tar
+        run: >-
+          docker run --rm
+          --entrypoint /bin/bash
+          pyhf/pyhf:sha-${GITHUB_SHA::8}
+          -c "which curl; which tar"
+
+      - name: Build and publish to registry
+        # every PR will trigger a push event on master, so check the push event is actually coming from master
+        if: github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'scikit-hep/pyhf'
+        id: docker_build_latest
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: docker/Dockerfile
+          tags: pyhf/pyhf:latest
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          load: true
+          push: true
+
+      - name: Build and publish to registry with release tag
+        if: github.event_name == 'release' && github.event.action == 'published' && github.repository == 'scikit-hep/pyhf'
+        id: docker_build_release
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: docker/Dockerfile
+          tags: ${{ steps.prep.outputs.tags }}
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          load: true
+          push: true

docker/Dockerfile

@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=python:3.7-slim
+ARG BASE_IMAGE=python:3.8-slim
 # hadolint ignore=DL3006
 FROM ${BASE_IMAGE} as base