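name: Build from Main
# GitHub's loader reads the `on` key correctly; yamllint's truthy rule is a false positive here.
on: # yamllint disable-line rule:truthy
  push:
    branches:
      - main
jobs:
  # Build images using Artifact Registry (GAR) as the image registry and then
  # promote selected tags to Docker Hub.
  # To implement manual approvals, the workflow uses an Environment.
  #
  # From your GitHub repo click Settings. In the left menu, click Environments.
  # Click New environment, set the name production, and click Configure environment.
  # Check the "Required reviewers" box and enter at least one user or team name.
  sync:
    runs-on: ubuntu-latest
    # The environment gates the job behind the required reviewers configured above;
    # the Workload Identity provider can additionally be restricted to this environment.
    environment: "production"
    # Least privilege: read-only repository access plus the OIDC token needed for
    # Workload Identity Federation. Nothing in this job writes back to the repo.
    permissions:
      contents: "read"
      id-token: "write"
    env:
      WORKLOAD_IDENTITY_POOL_ID: projects/665270063338/locations/global/workloadIdentityPools/workspace-images-github-actions/providers/workspace-images-gha-provider
      GAR_IMAGE_REGISTRY: europe-docker.pkg.dev
      DH_IMAGE_REGISTRY: registry.hub.docker.com
      IAM_SERVICE_ACCOUNT: workspace-images-gha-sa@gitpod-artifacts.iam.gserviceaccount.com
      # Quoted so they are always strings regardless of the YAML parser in use.
      DAZZLE_VERSION: "0.1.17"
      BUILDKIT_VERSION: "0.11.6"
    steps:
      # NOTE(review): every third-party action below is referenced by a mutable tag.
      # Pinning to a full commit SHA (`uses: owner/repo@<sha> # vX.Y.Z`) prevents a
      # moved tag from injecting code into this privileged job.
      - name: Checkout workspace-images
        uses: actions/checkout@v3
        with:
          repository: gitpod-io/workspace-images
          # No later step pushes to git, so do not leave the GITHUB_TOKEN in .git/config.
          persist-credentials: false
      - name: Setup tools
        run: |
          # -y: never block on an interactive prompt in CI.
          sudo apt-get install -y python3-pip shellcheck
          # -f: fail on HTTP errors instead of saving an error page as the binary.
          # NOTE(review): the download is not checksum-verified; consider checking a
          # known SHA-256 before installing it to /usr/local/bin.
          curl -fsSL https://github.com/mvdan/sh/releases/download/v3.5.0/shfmt_v3.5.0_linux_amd64 -o shfmt
          sudo mv shfmt /usr/local/bin/shfmt && sudo chmod +x /usr/local/bin/shfmt
          sudo pip3 install pre-commit
      - name: Run pre-commit
        run: |
          pre-commit run --all-files
      - name: Install dazzle
        run: |
          # -f: a failed download must not be silently unpacked as an empty archive.
          # NOTE(review): no checksum/signature verification of the release tarball.
          curl -fsSL "https://github.com/gitpod-io/dazzle/releases/download/v${DAZZLE_VERSION}/dazzle_${DAZZLE_VERSION}_Linux_x86_64.tar.gz" | sudo tar -xvz -C /usr/local/bin
      - name: Install skopeo
        run: |
          . /etc/os-release
          # Update ca-certificates to avoid issues with letsencrypt SSL certificates
          sudo apt update && sudo apt --only-upgrade install ca-certificates -y
          # Use a repo-scoped keyring with signed-by instead of the deprecated
          # `apt-key add`, so this key is trusted only for the kubic repository
          # and not for every APT source on the runner.
          sudo install -m 0755 -d /etc/apt/keyrings
          curl -fsSL "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key" \
            | gpg --dearmor | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_stable.gpg > /dev/null
          echo "deb [signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_stable.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" \
            | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
          sudo apt update && sudo apt install -y skopeo
      - name: Setup buildkit
        run: |
          curl -fsSL "https://github.com/moby/buildkit/releases/download/v${BUILDKIT_VERSION}/buildkit-v${BUILDKIT_VERSION}.linux-amd64.tar.gz" | sudo tar xvz -C /usr
          sudo buildkitd --oci-worker=true --oci-worker-net=host --debug --group docker &
          sudo su -c "while ! test -S /run/buildkit/buildkitd.sock; do sleep 0.1; done"
          # NOTE(review): a world-writable socket lets any process on the runner drive
          # root-level builds. buildkitd was started with --group docker, so 0660 plus the
          # runner user's docker-group membership should be enough; verify, then tighten.
          sudo chmod +777 /run/buildkit/buildkitd.sock
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v1.1.1
        with:
          version: 393.0.0
      - name: Authenticate to Google Cloud
        id: "auth"
        uses: google-github-actions/auth@v1.1.1
        with:
          token_format: "access_token"
          # NOTE(review): 12 hours is far longer than a single build needs; shorten it to
          # bound the blast radius of a leaked token once the longest run time is known.
          access_token_lifetime: "43200s"
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_POOL_ID }}
          service_account: ${{ env.IAM_SERVICE_ACCOUNT }}
      # Secrets are passed via env and --password-stdin rather than interpolated into the
      # command line, so they never appear in argv (/proc, ps) or in shell tracing output.
      - name: Login to GAR using skopeo
        env:
          GAR_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
        run: |
          printf '%s' "$GAR_ACCESS_TOKEN" | sudo skopeo login -u oauth2accesstoken --password-stdin "$GAR_IMAGE_REGISTRY"
      - name: Login to GAR using docker cli
        env:
          GAR_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
        run: |
          printf '%s' "$GAR_ACCESS_TOKEN" | docker login -u oauth2accesstoken --password-stdin "$GAR_IMAGE_REGISTRY"
      - name: Dazzle build
        run: |
          dazzle build "${GAR_IMAGE_REGISTRY}/gitpod-artifacts/docker-dev/workspace-base-images" --chunked-without-hash
          dazzle build "${GAR_IMAGE_REGISTRY}/gitpod-artifacts/docker-dev/workspace-base-images"
      - name: Dazzle combine
        run: |
          dazzle combine "${GAR_IMAGE_REGISTRY}/gitpod-artifacts/docker-dev/workspace-base-images" --all
      - name: Create timestamp tag
        id: create-timestamp-tag
        run: |
          echo "TIMESTAMP_TAG=$(date '+%Y-%m-%d-%H-%M-%S')" >> "$GITHUB_ENV"
      - name: Setup copy tools
        run: |
          sudo pip3 install yq
      - name: Copy images with tag in the Artifact Registry
        run: |
          # Copies workspace-base-images:<tag> to workspace-<tag>:<timestamp> and
          # workspace-<tag>:latest, up to MAX_PARALLEL tags at a time.
          # Unlike a detached `( ... & )` subshell, each copy's PID is collected and
          # waited on, so a failed copy fails the step instead of being silently lost.
          upload_image() {
            local IMAGE_TAG=$1
            local src="docker://${GAR_IMAGE_REGISTRY}/gitpod-artifacts/docker-dev/workspace-base-images:${IMAGE_TAG}"
            local dst="docker://${GAR_IMAGE_REGISTRY}/gitpod-artifacts/docker-dev/workspace-${IMAGE_TAG}"
            local pids=()
            sudo skopeo copy --format=oci --dest-oci-accept-uncompressed-layers --retry-times=2 \
              "$src" "${dst}:${TIMESTAMP_TAG}" &
            pids+=($!)
            sudo skopeo copy --format=oci --dest-oci-accept-uncompressed-layers --retry-times=2 \
              "$src" "${dst}:latest" &
            pids+=($!)
            local rc=0
            for pid in "${pids[@]}"; do
              wait "$pid" || rc=1
            done
            return "$rc"
          }
          MAX_PARALLEL=10
          declare -a UPLOAD_PIDS=()
          FAILED=0
          # yq emits the tags as one space-separated line; split it into a real array.
          # (Assigning the string to a scalar and iterating "${VAR[@]}" would run a single
          # iteration with the whole line as the tag.)
          read -ra IMAGE_TAGS <<< "$(yq -r '.sync.images."workspace-base-images"|join(" ")' .github/sync-containers.yml)"
          for image_tag in "${IMAGE_TAGS[@]}"; do
            upload_image "$image_tag" &
            UPLOAD_PIDS+=($!)
            if [ "${#UPLOAD_PIDS[@]}" -ge "$MAX_PARALLEL" ]; then
              # Wait for the oldest background upload, then drop it from the window.
              wait "${UPLOAD_PIDS[0]}" || FAILED=1
              UPLOAD_PIDS=("${UPLOAD_PIDS[@]:1}")
            fi
          done
          # Drain the remaining uploads; otherwise the step can end (and the runner tear
          # down the shell) before the last batch finishes.
          for pid in "${UPLOAD_PIDS[@]}"; do
            wait "$pid" || FAILED=1
          done
          exit "$FAILED"
      - name: Login to Docker Hub using skopeo
        env:
          docker_user: ${{ secrets.DOCKERHUB_USER_NAME }}
          docker_password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
        run: |
          # Read the secrets from the shell environment (not `${{ env.* }}` template
          # expansion) and feed the token on stdin so it never lands on the command line.
          printf '%s' "$docker_password" | sudo skopeo login -u "$docker_user" --password-stdin "$DH_IMAGE_REGISTRY"
      - name: Sync images with specific tags to Docker Hub
        run: |
          sudo skopeo sync \
            --src yaml \
            --dest docker \
            .github/promote-images.yml "${DH_IMAGE_REGISTRY}/gitpod"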