github actions standardization and PR testing (#16)

This is some basic standardization between workflows and PRs testing. * YAML language server for your editor * Add 2204 for all workflows * Use tagged actions so renovate can give useful changelog info * Move the renovate tailscale line comment to the correct location * Publish a form of date tag along with latest * Use tagged images so renovate can act on them in the `FROM` on the Dockerfile * Build container on PRs * Use metadata action so standard OCI labels are set
coreweave · Jun 28, 2024 · 6f23d54 · 6f23d54
2 parents 7e71b0b + 2fe91e4
commit 6f23d54
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 20 deletions.
diff --git a/.github/workflows/charts-publish-oci.yaml b/.github/workflows/charts-publish-oci.yaml
@@ -1,11 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: "Charts: Publish to GHCR OCI"
 
 on:
-  push:
-    branches:
-      - "**"
   release:
-    types: [published]
+    types: ["published", "created"]
   workflow_dispatch: {}
 
 jobs:

diff --git a/.github/workflows/mirror.yaml b/.github/workflows/mirror.yaml
@@ -1,10 +1,12 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Mirror to Gitlab
 
 on: [push]
 
 jobs:
   mirror:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v3
         with:
@@ -14,4 +16,3 @@ jobs:
           REMOTE: 'https://gitlab.com/${{ github.repository }}'
           GIT_USERNAME: ${{ secrets.ORG_GITLAB_SYNC_UN }}
           GIT_PASSWORD: ${{ secrets.ORG_GITLAB_SYNC_PW }}
-
diff --git a/.github/workflows/publish-image.yaml b/.github/workflows/publish-image.yaml
@@ -1,13 +1,19 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: "Container: Image Build"
 on:
   workflow_dispatch: {}
+  pull_request:
+    branches: ["main"]
+    types: ["opened", "synchronize", "reopened"]
   push:
     branches:
       - main
     paths:
       - "Docker/**/*"
 
 env:
+  # renovate: depName=tailscale.com datasource=go
   UPSTREAM_TS_VERSION: v1.68.0
 
 jobs:
@@ -16,31 +22,50 @@ jobs:
     permissions:
       contents: write
       packages: write
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ghcr.io/${{ github.repository }}
+          labels: |
+            org.opencontainers.image.source="https://github.com/tailscale/tailscale"
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=schedule
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=${{ env.UPSTREAM_TS_VERSION }}
+
+      - name: Set up QEMU
+        uses: docker/[email protected]
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb
+        uses: docker/setup-buildx-action@v3.3.0
 
       - name: Log into registry ghcr.io
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
+        uses: docker/login-action@v3.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0
+        uses: docker/build-push-action@v6.2.0
         with:
-          push: true
+          push: ${{ github.event_name != 'pull_request' }}
           context: ./
           file: ./Docker/Dockerfile
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
           build-args: |
-            # renovate: depName=tailscale.com datasource=go
             VERSION=${{ env.UPSTREAM_TS_VERSION }}
-          tags: |
-            ghcr.io/${{ github.repository }}:${{ env.UPSTREAM_TS_VERSION }}
+          tags: ${{ steps.meta.outputs.tags }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: "Release"
 
 on:

diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
@@ -1,5 +1,5 @@
 ---
-  # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
   name: "Renovate"
 
   on:
@@ -41,7 +41,7 @@
   jobs:
     renovate:
       name: Renovate
-      runs-on: ubuntu-latest
+      runs-on: ubuntu-22.04
       steps:
         - name: Generate Token
           uses: actions/create-github-app-token@v1

diff --git a/Docker/Dockerfile b/Docker/Dockerfile
@@ -1,11 +1,11 @@
-FROM golang:latest AS builder
+FROM golang:1.22.4@sha256:a66eda637829ce891e9cf61ff1ee0edf544e1f6c5b0e666c7310dce231a66f28 AS builder
 WORKDIR /app
 ARG VERSION=${VERSION:-v1.68.0}
 # https://tailscale.com/kb/1118/custom-derp-servers/
 RUN go install tailscale.com/cmd/derper@${VERSION}
 RUN go install tailscale.com/cmd/derpprobe@${VERSION}
 
-FROM ubuntu:noble
+FROM ubuntu:noble@sha256:2e863c44b718727c860746568e1d54afd13b2fa71b160f5cd9058fc436217b30
 WORKDIR /app
 
 ARG DEBIAN_FRONTEND=noninteractive
@@ -23,5 +23,3 @@ RUN apt-get update && \
     chmod +x /app/healthprobe.sh
 
 ENTRYPOINT ["/app/entrypoint.sh"]
-
-LABEL org.opencontainers.image.source="https://github.com/tailscale/tailscale"