feat(build): Docker build improvements (#4272)

Flagsmith · Jul 5, 2024 · 627370f · 627370f
1 parent 1eb3061
commit 627370f
Show file tree

Hide file tree

Showing 12 changed files with 219 additions and 146 deletions.
diff --git a/.github/docker_build_comment_template.md b/.github/docker_build_comment_template.md
@@ -0,0 +1,5 @@
+{{ .message }}
+
+| Image | Build Status | Security report |
+| --------------- | ------------------ | --------------------------- |
+| {{ .imageTag }} | {{ .buildStatus }} | {{ .securityReportStatus }} |
diff --git a/.github/workflows/.reusable-docker-build.yml b/.github/workflows/.reusable-docker-build.yml
@@ -22,6 +22,15 @@ on:
  type: string
  description: Image name
  required: true
+ tags:
+ type: string
+ required: false
+ default: |
+ type=ref,event=branch
+ type=ref,event=tag
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
  build-args:
  type: string
  description: List of build-time variables
@@ -36,6 +45,11 @@ on:
  description: Whether to skip push and use Depot's ephemeral registry
  required: false
  default: false
+ comment:
+ type: boolean
+ description: Whether to update the build status in a PR comment
+ required: false
+ default: false
  outputs:
  image:
  description: Resulting image specifier
@@ -53,8 +67,9 @@ jobs:
  image: ${{ steps.image-tag.outputs.image-tag }}
 
  permissions:
- packages: write
  id-token: write
+ packages: write
+ pull-requests: write
  security-events: write
  contents: read
 
@@ -79,12 +94,34 @@ jobs:
  with:
  images: |
  ${{ inputs.registry-url }}/flagsmith/${{ inputs.image-name }}
- tags: |
- type=ref,event=branch
- type=ref,event=tag
- type=ref,event=pr
- type=semver,pattern={{version}}
- type=semver,pattern={{major}}.{{minor}}
+ tags: ${{ inputs.tags }}
+
+ - uses: chuhlomin/render-template@v1.4
+ if: inputs.comment
+ id: render-comment-initial
+ with:
+ template: .github/docker_build_comment_template.md
+ vars: |
+ message: "`${{ inputs.image-name }}` is being built... :hourglass_flowing_sand:"
+ imageTag: "Pending :hourglass_flowing_sand:"
+ buildStatus: "Building :hourglass_flowing_sand:"
+ securityReportStatus: "${{ inputs.scan && 'Pending :hourglass_flowing_sand:' || 'Skipped' }}"
+
+ - uses: peter-evans/find-comment@v3
+ if: inputs.comment
+ id: find-comment
+ with:
+ issue-number: ${{ github.event.pull_request.number }}
+ body-includes: '`${{ inputs.image-name }}` '
+
+ - uses: peter-evans/create-or-update-comment@v4
+ if: inputs.comment
+ id: add-comment
+ with:
+ comment-id: ${{ steps.find-comment.outputs.comment-id }}
+ edit-mode: replace
+ issue-number: ${{ github.event.pull_request.number }}
+ body: ${{ steps.render-comment-initial.outputs.result }}
 
  - name: Build and push image
  id: build
@@ -119,6 +156,24 @@ jobs:
  echo ::add-mask::$DEPOT_TOKEN
  echo depot-token=$DEPOT_TOKEN >> $GITHUB_OUTPUT
 
+ - uses: chuhlomin/render-template@v1.4
+ if: inputs.comment
+ id: render-comment-on-finished-build
+ with:
+ template: .github/docker_build_comment_template.md
+ vars: |
+ message: "`${{ inputs.image-name }}` image build finished :sparkles: ${{ inputs.scan && 'Executing security scan...' || '' }}"
+ imageTag: "`${{ steps.image-tag.outputs.image-tag }}`"
+ buildStatus: "Finished :white_check_mark:"
+ securityReportStatus: "${{ inputs.scan && 'Pending :hourglass_flowing_sand:' || 'Skipped' }}"
+
+ - uses: peter-evans/create-or-update-comment@v4
+ if: inputs.comment
+ with:
+ comment-id: ${{ steps.add-comment.outputs.comment-id }}
+ edit-mode: replace
+ body: ${{ steps.render-comment-on-finished-build.outputs.result }}
+
  - name: Run Trivy vulnerability scanner
  id: trivy
  if: inputs.scan
@@ -136,4 +191,28 @@ jobs:
  if: inputs.scan && (success() || failure())
  with:
  sarif_file: trivy-results.sarif
- category: ${{ inputs.image-name }}
+
+ - name: Render scan results URL
+ id: scan-results-url
+ run: >
+ echo scan-results-url=${{ format('{0}/{1}/security/code-scanning?query=pr%3A{2}+path%3Aflagsmith%2F{3}',
+ github.server_url, github.repository, github.event.pull_request.number, inputs.image-name) }} >>
+ $GITHUB_OUTPUT
+
+ - uses: chuhlomin/render-template@v1.4
+ id: render-comment-on-finished-scan
+ if: inputs.scan && inputs.comment
+ with:
+ template: .github/docker_build_comment_template.md
+ vars: |
+ message: "`${{ inputs.image-name }}` image build and security scan finished :sparkles:"
+ imageTag: "`${{ steps.image-tag.outputs.image-tag }}`"
+ buildStatus: "Finished :white_check_mark:"
+ securityReportStatus: "${{ format('[Results]({0}) :white_check_mark:', steps.scan-results-url.outputs.scan-results-url) }}"
+
+ - uses: peter-evans/create-or-update-comment@v4
+ if: inputs.scan && inputs.comment
+ with:
+ comment-id: ${{ steps.add-comment.outputs.comment-id }}
+ edit-mode: replace
+ body: ${{ steps.render-comment-on-finished-scan.outputs.result }}
diff --git a/.github/workflows/.reusable-docker-e2e-tests.yml b/.github/workflows/.reusable-docker-e2e-tests.yml
@@ -22,11 +22,16 @@ on:
  description: The concurrent number of browsers to be used on testing
  required: false
  default: 3
+ runs-on:
+ type: string
+ description: The runner label to use. Defaults to `ubuntu-latest`
+ required: false
+ default: ubuntu-latest
 
 jobs:
  run-e2e:
  name: "E2E${{ inputs.tests && format(': {0}', inputs.tests) || '' }}"
- runs-on: ubuntu-latest
+ runs-on: ${{ inputs.runs-on }}
 
  permissions:
  contents: read

diff --git a/.github/workflows/platform-docker-build-e2e-image.yml b/.github/workflows/platform-docker-build-e2e-image.yml
@@ -7,22 +7,9 @@ on:
 
 jobs:
  build-e2e-docker-image:
- runs-on: ubuntu-latest
- name: Publish E2E Frontend Image
-
- steps:
- - name: Cloning repo
- uses: actions/checkout@v4
-
- - name: Login to Github Container Registry
- uses: docker/login-action@v3
- with:
- registry: ghcr.io
- username: ${{github.actor}}
- password: ${{secrets.GITHUB_TOKEN}}
-
- - name: Build E2E Frontend Image
- run: |
- cd frontend
- docker build -f Dockerfile-base.e2e --tag ghcr.io/flagsmith/e2e-frontend-base:latest .
- docker push ghcr.io/flagsmith/e2e-frontend-base:latest
+ name: Build E2E Frontend Base Image
+ uses: ./.github/workflows/.reusable-docker-build.yml
+ with:
+ file: frontend/Dockerfile-base.e2e
+ image-name: e2e-frontend-base
+ tags: latest
diff --git a/.github/workflows/platform-docker-build-test-publish.yml b/.github/workflows/platform-docker-build-test-publish.yml
@@ -62,6 +62,7 @@ jobs:
  needs: [docker-build-api, docker-build-private-cloud-api, docker-build-e2e]
  uses: ./.github/workflows/.reusable-docker-e2e-tests.yml
  with:
+ runs-on: ${{ matrix.runs-on }}
  e2e-image: ${{ needs.docker-build-e2e.outputs.image }}
  api-image: ${{ matrix.api-image }}
  concurrency: ${{ matrix.args.concurrency }}
@@ -70,6 +71,7 @@ jobs:
 
  strategy:
  matrix:
+ runs-on: [ubuntu-latest, ARM64-2c]
  api-image:
  - ${{ needs.docker-build-api.outputs.image }}
  - ${{ needs.docker-build-private-cloud-api.outputs.image }}

diff --git a/.github/workflows/platform-pull-request.yml b/.github/workflows/platform-pull-request.yml
@@ -72,49 +72,54 @@ jobs:
  name: Build Unified Image
  uses: ./.github/workflows/.reusable-docker-build.yml
  with:
- ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
+ ephemeral: ${{ needs.check-permissions.outputs.can-write == 'false' }}
  target: oss-unified
  image-name: flagsmith
+ comment: ${{ needs.check-permissions.outputs.can-write == 'true' }}
 
  docker-build-api:
  if: github.event.pull_request.draft == false
  needs: check-permissions
  name: Build API Image
  uses: ./.github/workflows/.reusable-docker-build.yml
  with:
- ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
+ ephemeral: ${{ needs.check-permissions.outputs.can-write == 'false' }}
  target: oss-api
  image-name: flagsmith-api
+ comment: ${{ needs.check-permissions.outputs.can-write == 'true' }}
 
  docker-build-frontend:
  if: github.event.pull_request.draft == false
  needs: check-permissions
  name: Build Frontend Image
  uses: ./.github/workflows/.reusable-docker-build.yml
  with:
- ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
+ ephemeral: ${{ needs.check-permissions.outputs.can-write == 'false' }}
  target: oss-frontend
  image-name: flagsmith-frontend
+ comment: ${{ needs.check-permissions.outputs.can-write == 'true' }}
 
  docker-build-e2e:
  if: github.event.pull_request.draft == false
  needs: check-permissions
  name: Build E2E Image
  uses: ./.github/workflows/.reusable-docker-build.yml
  with:
- ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
+ ephemeral: ${{ needs.check-permissions.outputs.can-write == 'false' }}
  file: frontend/Dockerfile.e2e
  image-name: flagsmith-e2e
  scan: false
+ comment: ${{ needs.check-permissions.outputs.can-write == 'true' }}
 
  docker-build-private-cloud:
- if: github.event.pull_request.draft == false && needs.check-permissions.outputs.can-write
+ if: github.event.pull_request.draft == false && needs.check-permissions.outputs.can-write == 'true'
  needs: check-permissions
  name: Build Private Cloud Image
  uses: ./.github/workflows/.reusable-docker-build.yml
  with:
  target: private-cloud-unified
  image-name: flagsmith-private-cloud
+ comment: true
  secrets:
  secrets: |
  github_private_cloud_token=${{ secrets.GH_PRIVATE_ACCESS_TOKEN }}
@@ -123,6 +128,7 @@ jobs:
  needs: [docker-build-api, docker-build-e2e]
  uses: ./.github/workflows/.reusable-docker-e2e-tests.yml
  with:
+ runs-on: ${{ matrix.runs-on }}
  e2e-image: ${{ needs.docker-build-e2e.outputs.image }}
  api-image: ${{ needs.docker-build-api.outputs.image }}
  concurrency: ${{ matrix.args.concurrency }}
@@ -131,6 +137,7 @@ jobs:
 
  strategy:
  matrix:
+ runs-on: [ubuntu-latest, ARM64-2c]
  args:
  - tests: segment-part-1 environment
  concurrency: 1