Use pre-built images for nginx & service containers

.github/workflows/ghcr.yml

@@ -2,15 +2,45 @@ name: GHCR
 
 on:
   workflow_dispatch:
-  push:
-    branches: [master]
+  # See: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow_run
+  workflow_run:
+    workflows: [Test]
+    types: [completed]
     tags: ["v*.*.*"]
 
 env:
   REGISTRY: ghcr.io
 
 jobs:
+  debug:
+    steps:
+      run: 'echo "github.event_name: [ ${{ github.event_name }} ]"'
+      run: 'echo "github.event.workflow_run.conclusion: [ ${{ github.event.workflow_run.conclusion }} ]"'
+      run: "echo 'condition: [ ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }} ]'"
+  check-images-are-used:
+    # Only run this job if tests pass, or this workflow was triggered manually.
+    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        image: [nginx, service]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/central-${{ matrix.image }}
+      - name: "Checking release image is referenced in docker-compose.yml..."
+        if: ${{ github.ref_type == 'tag' }}
+        run: 'grep "${{ steps.meta.outputs.tags }}" docker-compose.yml'
+
   build-push-image:
+    needs: check-images-are-used
     runs-on: ubuntu-latest
     permissions:
       contents: read

docker-compose.yml

@@ -34,9 +34,7 @@ services:
       - DKIM_KEY_PATH=/etc/exim4/dkim.key.temp
     restart: always
   service:
-    build:
-      context: .
-      dockerfile: service.dockerfile
+    image: 'ghcr.io/getodk/central-service:2025.1'
     depends_on:
       - secrets
       - postgres14
@@ -79,9 +77,7 @@ services:
     logging:
       driver: local
   nginx:
-    build:
-      context: .
-      dockerfile: nginx.dockerfile
+    image: 'ghcr.io/getodk/central-nginx:2025.1'
     depends_on:
       - service
       - enketo

test/snapshots.docker-compose.yml

@@ -0,0 +1,7 @@
+services:
+  service:
+    build:
+      dockerfile: service.dockerfile
+  nginx:
+    build:
+      dockerfile: nginx.dockerfile

test/test-images.sh

@@ -3,6 +3,13 @@ set -o pipefail
 
 log() { echo >&2 "[$(basename "$0")] $*"; }
 
+docker_compose() {
+  docker compose \
+      --file docker-compose.yml \
+      --file test/snapshots.docker-compose.yml \
+      "$@"
+}
+
 tmp="$(mktemp)"
 
 check_path() {
@@ -13,7 +20,7 @@ check_path() {
   for (( i=0; ; ++i )); do
     log "Checking response from $requestPath ..."
     echo -e "GET $requestPath HTTP/1.0\r\nHost: local\r\n\r\n" |
-        docker compose exec --no-TTY nginx \
+        docker_compose exec --no-TTY nginx \
             openssl s_client -quiet -connect 127.0.0.1:443 \
             >"$tmp" 2>&1 || true
     if grep --silent --fixed-strings "$expected" "$tmp"; then
@@ -43,10 +50,10 @@ SYSADMIN_EMAIL=no-reply@getodk.org' > .env
 touch ./files/allow-postgres14-upgrade
 
 log "Building docker containers..."
-docker compose build
+docker_compose build
 
 log "Starting containers..."
-docker compose up --detach
+docker_compose up --detach
 
 log "Verifying frontend..."
 check_path 30 / 'ODK Central'
@@ -57,7 +64,7 @@ check_path 2 /v1/projects '[]'
 log "  Backend started OK."
 
 log "Verifying pm2..."
-docker compose exec service npx pm2 list | tee "$tmp"
+docker_compose exec service npx pm2 list | tee "$tmp"
 processCount="$(grep --count online "$tmp")"
 if [[ "$processCount" != 4 ]]; then
   log "!!! PM2 returned an unexpected count for online processes."