infra: build quartz docker image to GHCR #1192
Tiny comment
Let's merge this in. Note for self:
Update metadata creation with this https://github.com/docker/metadata-action
Heya, could you merge this PR? Or would you like to fix the metadata first?
status check is not passing, so I can't merge it. also ye if you have time, lets update to metadata-action
you'll have to fix the formatting issues
Added the metadata! Formatting issues were already fixed in previous commit, for some reason the CI was just stuck waiting.
let me push to the branch with tiny updates
Seems like I can't push to your branch, but can you apply the following diff?
5a6,11
> tags: ['v*']
> pull_request:
> branches: [v4]
> paths:
> - .github/workflows/docker-build-push.yaml
> - quartz/**
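Review bot: the `pull_request` `paths` filter only covers the workflow file and `quartz/**`, so a PR that changes only the Dockerfile or the dependency manifests (if they live outside `quartz/`) will not trigger the image build and breakage there stays hidden until the push to `v4`; add those paths to the filter. Also keep in mind that PR runs from forks receive a read-only `GITHUB_TOKEN`, which is what the `if: github.event_name != 'pull_request'` guards further down rely on.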
9c15
< docker:
---
> build:
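Review bot: renaming the job from `docker` to `build` changes the name of the status check it reports; any branch-protection rule on `v4` that requires the old `docker` check must be updated to `build`, otherwise merges will wait on a check that never runs.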
15c21
< echo "OWNER_LOWERCASE=${OWNER,,}" >>${GITHUB_ENV}
---
> echo "OWNER_LOWERCASE=${OWNER,,}" >> ${GITHUB_ENV}
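Review bot: whitespace only, but since `${OWNER,,}` depends on bash's case-modification expansion, this step should declare `shell: bash` explicitly rather than rely on the runner default, so the lowercasing does not silently break on a different runner image.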
18c24,30
<
---
> - uses: actions/checkout@v4
> with:
> fetch-depth: 1
> - name: Inject slug/short variables
> uses: rlespinasse/github-slug-action@v4.4.1
> - name: Set up QEMU
> uses: docker/setup-qemu-action@v3
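Review bot: `rlespinasse/github-slug-action@v4.4.1` and the other third-party actions are referenced by mutable tags; in a workflow whose token can push to GHCR, pin third-party actions to a full commit SHA (with the tag in a trailing comment) so a retagged release cannot run arbitrary code with that token. `fetch-depth: 1` is fine here because the build args take the SHA from `env.GITHUB_SHA` rather than from git history.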
20a33,47
> with:
> install: true
> driver-opts: |
> image=moby/buildkit:master
> network=host
> - name: Install cosign
> if: github.event_name != 'pull_request'
> uses: sigstore/cosign-installer@v3.7.0
> - name: Login to GitHub Container Registry
> uses: docker/login-action@v3
> if: github.event_name != 'pull_request'
> with:
> registry: ghcr.io
> username: ${{ github.actor }}
> password: ${{ secrets.GITHUB_TOKEN }}
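Review bot: `image=moby/buildkit:master` points the buildx driver at the unreleased development build of BuildKit, so builds are not reproducible and an upstream regression breaks the pipeline; use a released BuildKit tag instead. `network=host` removes the builder's network isolation and deserves a comment explaining why it is needed. The login step's `if: github.event_name != 'pull_request'` guard is correct, since fork PRs cannot authenticate with their read-only token.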
22c49,60
< - name: Docker metadata
---
> - name: Extract metadata tags and labels on PRs
> if: github.event_name == 'pull_request'
> id: meta-pr
> uses: docker/metadata-action@v5
> with:
> images: ghcr.io/${{ env.OWNER_LOWERCASE }}/quartz
> tags: |
> type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}
> labels: |
> org.opencontainers.image.source="https://github.com/${{ github.repository_owner }}/quartz"
> - name: Extract metadata tags and labels for main, release or tag
> if: github.event_name != 'pull_request'
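Review bot: the double quotes in `org.opencontainers.image.source="https://github.com/..."` sit inside a YAML block scalar, so they become part of the label value; drop them. `docker/metadata-action` already emits `org.opencontainers.image.source` from the repository context, so the explicit override can probably go entirely. The PR variant correctly derives `images:` from `env.OWNER_LOWERCASE`, which matters because GHCR repository paths must be lowercase.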
25a64,65
> flavor: |
> latest=auto
26a67,75
> tags: |
> type=semver,pattern={{version}}
> type=semver,pattern={{major}}.{{minor}}
> type=semver,pattern={{major}}.{{minor}}.{{patch}}
> type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
> type=raw,value=sha-${{ env.GITHUB_SHA_SHORT }}
> labels: |
> maintainer=${{ github.repository_owner }}
> org.opencontainers.image.source="https://github.com/${{ github.repository_owner }}/quartz"
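Review bot: `type=raw,value=latest,enable=...` moves `latest` on every push to the default branch, while `latest=auto` in the `flavor:` block above already assigns `latest` to semver tag builds; with both, consumers pulling `:latest` may get an unreleased default-branch commit instead of the newest release. Pick one policy. `pattern={{major}}.{{minor}}.{{patch}}` also yields the same tag as `pattern={{version}}` for plain `vX.Y.Z` tags, so one of the two is redundant.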
28,29c77,79
< - name: Login to DockerHub
< uses: docker/login-action@v3
---
> - name: Build and push Docker image
> id: build-and-push
> uses: docker/build-push-action@v6
31,33c81,88
< registry: ghcr.io
< username: ${{ env.OWNER_LOWERCASE }}
< password: ${{ secrets.GITHUB_TOKEN }}
---
> push: true
> build-args: |
> GIT_SHA=${{ env.GITHUB_SHA }}
> DOCKER_LABEL=sha-${{ env.GITHUB_SHA_SHORT }}
> tags: ${{ steps.meta.outputs.tags || steps.meta-pr.outputs.tags }}
> labels: ${{ steps.meta.outputs.labels || steps.meta-pr.outputs.labels }}
> cache-from: type=gha
> cache-to: type=gha
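Review bot: `push: true` is unconditional, but the registry login is skipped on `pull_request` events and fork PRs only hold a read-only token, so every PR build will fail at the push step. Use `push: ${{ github.event_name != 'pull_request' }}` (optionally with `load: true` if the PR image should be available for a local scan). `cache-to: type=gha` without `mode=max` caches only the final stage; for a multi-stage Dockerfile `type=gha,mode=max` gives better hit rates.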
35,36c90,97
< - name: Build and push
< uses: docker/build-push-action@v5
---
> - name: Sign the released image
> if: ${{ github.event_name != 'pull_request' }}
> env:
> COSIGN_EXPERIMENTAL: 'true'
> run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }}
> - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
> uses: aquasecurity/trivy-action@master
> if: ${{ github.event_name != 'pull_request' }}
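Review bot: keyless `cosign sign` needs the job to have `id-token: write` (and `packages: write` to push the signature), and this diff shows no `permissions:` block granting either; confirm one exists in the unchanged part of the workflow, otherwise the sign step fails on the first non-PR run. `COSIGN_EXPERIMENTAL` is a cosign v1 switch; `sigstore/cosign-installer@v3.7.0` installs cosign v2, where keyless signing is the default, so the env var is a no-op and can be dropped. Since every tag in the `xargs` loop resolves to the same `@digest`, a single `cosign sign` of the digest would suffice.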
38,40c99,117
< push: true
< tags: ${{ steps.meta.outputs.tags }}
< labels: ${{ steps.meta.outputs.labels }}
---
> image-ref: 'ghcr.io/${{ github.repository_owner }}/quartz:sha-${{ env.GITHUB_SHA_SHORT }}'
> format: 'github'
> output: 'dependency-results.sbom.json'
> github-pat: ${{ secrets.GITHUB_TOKEN }}
> scanners: 'vuln'
> - name: Run Trivy vulnerability scanner
> uses: aquasecurity/trivy-action@master
> if: ${{ github.event_name != 'pull_request' }}
> with:
> image-ref: 'ghcr.io/${{ github.repository_owner }}/quartz:sha-${{ env.GITHUB_SHA_SHORT }}'
> format: 'sarif'
> output: 'trivy-results.sarif'
> severity: 'CRITICAL'
> scanners: 'vuln'
> - name: Upload Trivy scan results to GitHub Security tab
> uses: github/codeql-action/upload-sarif@v2
> if: ${{ github.event_name != 'pull_request' }}
> with:
> sarif_file: 'trivy-results.sarif' |
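Review bot: the `image-ref` in both Trivy steps builds the name from `${{ github.repository_owner }}`, but the image was tagged under `env.OWNER_LOWERCASE`; GHCR paths are lowercase, so for an owner with uppercase letters Trivy will try to pull a reference that does not exist and the scan fails. Use `env.OWNER_LOWERCASE` here as well. `aquasecurity/trivy-action@master` is a floating branch and should be pinned to a release, and `github/codeql-action/upload-sarif@v2` has been superseded by `@v3`. The SARIF upload also requires `security-events: write` and the `github`-format SBOM submission requires `contents: write`, neither of which is visible in this diff.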
Thanks! I've applied the patch and added you in case there are any further changes :)
I see the stylecheck is still failing by the way, but it's all on files that were not touched in this branch (and probably have been long changed upstream). Shall I just rebase on top of v4?
Signed-off-by: Aaron Pham <contact@aarnphm.xyz>
Thanks a bunch for this. Everything past now 😄
* Add GitHub action to build & push Docker image to GHCR
* Use double quotes to keep `prettier` happy :)
* Don't run Docker build & push on forks
* -1 char commit lmao
* Add git metadata to Docker image
* Apply Aaron's patch
* chore: run prettier
---------
Signed-off-by: Aaron Pham <contact@aarnphm.xyz>
Co-authored-by: Aaron Pham <contact@aarnphm.xyz>
This adds a workflow for building and pushing a Docker image to the GitHub container registry when things are pushed to the v4 branch. Makes deployment a little nicer, since there's no need to build the Dockerfile on the server or keep your own Docker image updated :)