diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
new file mode 100644
index 000000000..384373f9a
--- /dev/null
+++ b/.github/workflows/docker_build.yml
@@ -0,0 +1,93 @@
+name: "Docker build"
+
+on:
+workflow_call:
+inputs:
+sha:
+required: true
+type: string
+version:
+required: true
+type: string
+
+permissions:
+contents: read
+packages: write
+
+jobs:
+build:
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+with:
+ref: ${{ github.event.pull_request.head.sha }}
+token: ${{ github.token }}
+
+- name: Download maven artifacts
+uses: actions/download-artifact@v4
+with:
+name: kafbat-ui-${{ inputs.version }}
+path: api/target
+
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v3
+
+- name: Set up Docker Buildx
+id: buildx
+uses: docker/setup-buildx-action@v3
+
+- name: Cache Docker layers
+uses: actions/cache@v4
+with:
+path: /tmp/.buildx-cache
+key: ${{ runner.os }}-buildx-${{ inputs.sha }}
+restore-keys: |
+${{ runner.os }}-buildx-
+
+# Build multi platform images and loading them at the same time is not possible with default container runtime : https://github.com/docker/buildx/issues/59
+# So let's use containerd instead as it supports this option
+# Also containerd is one of the option to allow preserving provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations
+- name: Setup docker with containerd
+uses: crazy-max/ghaction-setup-docker@v3
+with:
+daemon-config: |
+{
+"features": {
+"containerd-snapshotter": true
+}
+}
+
+- name: debug
+run: |
+ls -laRh api/target
+
+- name: Build docker image
+id: docker_build
+uses: docker/build-push-action@v5
+with:
+builder: ${{ steps.buildx.outputs.name }}
+context: api
+platforms: linux/amd64,linux/arm64
+provenance: mode=min
+sbom: true
+push: false
+load: true
+tags: |
+kafka-ui:temp
+build-args: |
+JAR_FILE=api-${{ inputs.version }}.jar
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache
+
+- name: Dump docker image
+run: |
+docker image save kafka-ui:temp > /tmp/image.tar
+
+- name: Upload docker image
+uses: actions/upload-artifact@v4
+with:
+name: image
+path: /tmp/image.tar
+retention-days: 1
diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
new file mode 100644
index 000000000..0fab04484
--- /dev/null
+++ b/.github/workflows/docker_publish.yml
@@ -0,0 +1,63 @@
+
+name: "Docker publish"
+
+on:
+workflow_call:
+inputs:
+version:
+required: true
+type: string
+generic_tag:
+required: true
+type: string
+jobs:
+
+# load-image:
+# runs-on: ubuntu-latest
+# steps:
+# - name: Download docker image
+# uses: actions/download-artifact@v4
+# with:
+# name: image
+# path: /tmp
+
+# # setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations
+# - name: Setup docker with containerd
+# uses: crazy-max/ghaction-setup-docker@v3
+# with:
+# daemon-config: |
+# {
+# "features": {
+# "containerd-snapshotter": true
+# }
+# }
+
+# - name: Load docker image into daemon
+# run: |
+# docker load --input /tmp/image.tar
+
+deploy-ghcr:
+permissions:
+packages: write
+uses: ./.github/workflows/publish_ghcr.yml
+secrets: inherit
+with:
+version: ${{ inputs.version }}
+generic_tag: ${{ inputs.generic_tag }}
+
+deploy-dockerhub:
+uses: ./.github/workflows/publish_dockerhub.yml
+secrets: inherit
+with:
+version: ${{ inputs.version }}
+generic_tag: ${{ inputs.generic_tag }}
+
+deploy-ecr:
+uses: ./.github/workflows/publish_ecr.yml
+permissions:
+contents: read # To read secrets
+id-token: write # This is required for requesting the JWT
+secrets: inherit
+with:
+version: ${{ inputs.version }}
+generic_tag: ${{ inputs.generic_tag }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 5778acdcf..707e2b93c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
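Review bot: The Checkout step sets `ref: ${{ github.event.pull_request.head.sha }}`, but this reusable workflow is called from the push-triggered main.yml and from release.yml, where `github.event.pull_request` is empty, so the expression evaluates to an empty string and the `sha` input — used only in the cache key — never selects the commit that gets built. Checking out the commit the jar came from is what ties the Dockerfile to the artifact, so use `ref: ${{ inputs.sha }}` and drop the redundant `token: ${{ github.token }}`. The `debug` step running `ls -laRh api/target` reads as a leftover and should go before merge. The workflow also declares `packages: write` although `push: false` means it never writes to a registry; `contents: read` is sufficient. Third-party actions such as crazy-max/ghaction-setup-docker are pinned to mutable tags; pinning to a commit SHA makes the build reproducible and harder to tamper with.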
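Review bot: `deploy-dockerhub` declares no `permissions:` block, so as a called workflow it inherits whatever the caller job grants — in main.yml and release.yml that is `contents: read`, `id-token: write` and `packages: write` — and a Docker Hub push needs none of those; add `permissions:` with `contents: read` to the job. All three jobs use `secrets: inherit`, which hands every repository secret to each registry workflow; passing only `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN` and `AWS_ROLE` through an explicit `secrets:` map keeps each publish job from seeing the others' credentials. The commented-out `load-image` job is dead configuration and should be deleted rather than carried as a comment.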
@@ -9,12 +9,16 @@ permissions: contents: read jobs: - build: + jar-build: runs-on: ubuntu-latest + permissions: contents: read packages: write + outputs: + version: ${{steps.build.outputs.version}} + steps: - name: Checkout uses: actions/checkout@v4 
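Review bot: `jar-build` keeps `packages: write` even though after this change the job only builds the jar and uploads it as an artifact; the registry push now lives in `docker-deploy`, so the job's permissions should shrink to `contents: read`. A write-scoped GITHUB_TOKEN in the job that runs `./mvnw` over the checked-out tree is a wider blast radius than the job needs. The output expression `${{steps.build.outputs.version}}` lacks the inner spaces used by every other expression in the file; `${{ steps.build.outputs.version }}` keeps the style consistent. The jar-build job's steps continue beyond this hunk.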
@@ -37,195 +41,32 @@ jobs: export VERSION=$(./mvnw -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec) echo "version=${VERSION}" >> $GITHUB_OUTPUT - # docker images - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - - name: Cache Docker layers - uses: actions/cache@v4 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- - - # Build multi platform images and loading them at the same time is not possible with default container runtime : https://github.com/docker/buildx/issues/59 - # So let's use containerd instead as it supports this option - # Also containerd is one of the option to allow preserving provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations - - name: Setup docker with containerd - uses: crazy-max/ghaction-setup-docker@v3 - with: - daemon-config: | - { - "features": { - "containerd-snapshotter": true - } - } - - - name: Build docker image - id: docker_build - uses: docker/build-push-action@v5 - with: - builder: ${{ steps.buildx.outputs.name }} - context: api - platforms: linux/amd64,linux/arm64 - provenance: mode=min - sbom: true - push: false - load: true - tags: | - kafka-ui:temp - build-args: | - JAR_FILE=api-${{ steps.build.outputs.version }}.jar - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache - - - name: Dump docker image - run: | - docker image save kafka-ui:temp > /tmp/image.tar - - - name: Upload docker image + - name: Upload jar uses: actions/upload-artifact@v4 with: - name: image - path: /tmp/image.tar - retention-days: 1 + name: kafbat-ui-${{ steps.build.outputs.version }} + path: api/target/api-${{ steps.build.outputs.version }}.jar + retention-days: 7 - deploy-ghcr: - runs-on: ubuntu-latest - needs: build + docker-build: + needs: jar-build permissions: + 
contents: read packages: write - - steps: - - name: Download docker image - uses: actions/download-artifact@v4 - with: - name: image - path: /tmp - - # setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations - - name: Setup docker with containerd - uses: crazy-max/ghaction-setup-docker@v3 - with: - daemon-config: | - { - "features": { - "containerd-snapshotter": true - } - } - - - name: Load docker image into daemon - run: | - docker load --input /tmp/image.tar - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: "${{ github.actor }}" - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push images to GHCR - run: | - docker tag kafka-ui:temp ghcr.io/kafbat/kafka-ui:main - docker tag kafka-ui:temp ghcr.io/kafbat/kafka-ui:${{ needs.build.outputs.version }} - docker push ghcr.io/kafbat/kafka-ui:main - docker push ghcr.io/kafbat/kafka-ui:${{ needs.build.outputs.version }} - - deploy-dockerhub: - runs-on: ubuntu-latest - needs: build - - steps: - - name: Download docker image - uses: actions/download-artifact@v4 - with: - name: image - path: /tmp - - # setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations - - name: Setup docker with containerd - uses: crazy-max/ghaction-setup-docker@v3 - with: - daemon-config: | - { - "features": { - "containerd-snapshotter": true - } - } - - - name: Load docker image into daemon - run: | - docker load --input /tmp/image.tar - - - name: Login to Dockerhub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Push images to dockerhub - run: | - docker tag kafka-ui:temp docker.io/kafbat/kafka-ui:main - docker tag kafka-ui:temp docker.io/kafbat/kafka-ui:${{ needs.build.outputs.version }} - docker push docker.io/kafbat/kafka-ui:main - docker push 
docker.io/kafbat/kafka-ui:${{ needs.build.outputs.version }} - - - deploy-ecr: - runs-on: ubuntu-latest - needs: build + uses: ./.github/workflows/docker_build.yml + secrets: inherit + with: + sha: ${{ github.sha }} + version: ${{ needs.jar-build.outputs.version }} + + docker-deploy: + needs: [jar-build, docker-build] permissions: contents: read # To read secrets id-token: write # This is required for requesting the JWT - - steps: - - name: Download docker image - uses: actions/download-artifact@v4 - with: - name: image - path: /tmp - - # setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations - - name: Setup docker with containerd - uses: crazy-max/ghaction-setup-docker@v3 - with: - daemon-config: | - { - "features": { - "containerd-snapshotter": true - } - } - - - name: Load docker image into daemon - run: | - docker load --input /tmp/image.tar - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: us-east-1 # This region only for public ECR - role-to-assume: ${{ secrets.AWS_ROLE }} - - - name: Login to public ECR - id: login-ecr-public - uses: aws-actions/amazon-ecr-login@v2 - with: - registry-type: public - - - name: Push to ECR - env: - REGISTRY: ${{steps.login-ecr-public.outputs.registry }} - REGISTRY_ALIAS: j4u0y1h1 - REPOSITORY: kafka-ui - run: | - docker tag kafka-ui:temp $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:main - docker tag kafka-ui:temp $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:${{ needs.build.outputs.version }} - docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:main - docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:${{ needs.build.outputs.version }} \ No newline at end of file + packages: write + uses: ./.github/workflows/docker_publish.yml + secrets: inherit + with: + version: ${{ needs.jar-build.outputs.version }} + generic_tag: main 
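Review bot: `docker-build` is granted `packages: write` and `secrets: inherit`, but docker_build.yml builds with `push: false` and references no secret, so the job can run with `permissions:` `contents: read` and without `secrets: inherit`; the same applies to the `docker-build` job added in release.yml. The `contents: read # To read secrets` comment on `docker-deploy` is inaccurate — secret availability is not gated by the contents scope — and is repeated in release.yml and publish_ecr.yml; drop the comment or replace it with the real reason the scope is kept. `docker-deploy` correctly depends on both `jar-build` (for the version output) and `docker-build` (for the image artifact).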
diff --git a/.github/workflows/publish_dockerhub.yml b/.github/workflows/publish_dockerhub.yml
new file mode 100644
index 000000000..b61479a5e
--- /dev/null
+++ b/.github/workflows/publish_dockerhub.yml
@@ -0,0 +1,50 @@
+
+name: "Docker hub publish"
+
+on:
+workflow_call:
+inputs:
+version:
+required: true
+type: string
+generic_tag:
+required: true
+type: string
+jobs:
+
+deploy-dockerhub:
+runs-on: ubuntu-latest
+steps:
+- name: Download docker image
+uses: actions/download-artifact@v4
+with:
+name: image
+path: /tmp
+
+# setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations
+- name: Setup docker with containerd
+uses: crazy-max/ghaction-setup-docker@v3
+with:
+daemon-config: |
+{
+"features": {
+"containerd-snapshotter": true
+}
+}
+
+- name: Load docker image into daemon
+run: |
+docker load --input /tmp/image.tar
+
+- name: Login to Dockerhub
+uses: docker/login-action@v3
+with:
+username: ${{ secrets.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+- name: Push images to dockerhub
+run: |
+docker tag kafka-ui:temp docker.io/${{ secrets.DOCKERHUB_USERNAME }}/kafka-ui:${{ inputs.generic_tag }}
+docker tag kafka-ui:temp docker.io/${{ secrets.DOCKERHUB_USERNAME }}/kafka-ui:${{ inputs.version }}
+docker push docker.io/${{ secrets.DOCKERHUB_USERNAME }}/kafka-ui:${{ inputs.generic_tag }}
+docker push docker.io/${{ secrets.DOCKERHUB_USERNAME }}/kafka-ui:${{ inputs.version }}
diff --git a/.github/workflows/publish_ecr.yml b/.github/workflows/publish_ecr.yml
new file mode 100644
index 000000000..ff87518ff
--- /dev/null
+++ b/.github/workflows/publish_ecr.yml
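Review bot: The push step builds the image reference from `secrets.DOCKERHUB_USERNAME`, replacing the fixed `docker.io/kafbat/kafka-ui` target the removed jobs used; whoever rotates or repoints that secret silently changes where release images land, and because secret values are masked in logs the pushed reference is printed with its namespace redacted. Keep the namespace as plain configuration, e.g. a step-level `env:` with `DOCKERHUB_REPO: docker.io/kafbat/kafka-ui`, and use the secret only for `docker/login-action`. The `deploy-dockerhub` job declares no `permissions:`, so it inherits the caller's `packages: write` and `id-token: write`; add `permissions:` with `contents: read`. As in the other new workflows, the third-party actions are pinned to moving tags rather than commit SHAs.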
@@ -0,0 +1,64 @@
+
+name: "Docker ECR publish"
+
+on:
+workflow_call:
+inputs:
+version:
+required: true
+type: string
+generic_tag:
+required: true
+type: string
+
+jobs:
+deploy-ecr:
+runs-on: ubuntu-latest
+permissions:
+contents: read # To read secrets
+id-token: write # This is required for requesting the JWT
+
+steps:
+- name: Download docker image
+uses: actions/download-artifact@v4
+with:
+name: image
+path: /tmp
+
+# setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations
+- name: Setup docker with containerd
+uses: crazy-max/ghaction-setup-docker@v3
+with:
+daemon-config: |
+{
+"features": {
+"containerd-snapshotter": true
+}
+}
+
+- name: Load docker image into daemon
+run: |
+docker load --input /tmp/image.tar
+
+- name: Configure AWS credentials
+uses: aws-actions/configure-aws-credentials@v4
+with:
+aws-region: us-east-1 # This region only for public ECR
+role-to-assume: ${{ secrets.AWS_ROLE }}
+
+- name: Login to public ECR
+id: login-ecr-public
+uses: aws-actions/amazon-ecr-login@v2
+with:
+registry-type: public
+
+- name: Push to ECR
+env:
+REGISTRY: ${{steps.login-ecr-public.outputs.registry }}
+REGISTRY_ALIAS: j4u0y1h1
+REPOSITORY: kafka-ui
+run: |
+docker tag kafka-ui:temp $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:${{ inputs.generic_tag }}
+docker tag kafka-ui:temp $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:${{ inputs.version }}
+docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:${{ inputs.generic_tag }}
+docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:${{ inputs.version }}
diff --git a/.github/workflows/publish_ghcr.yml b/.github/workflows/publish_ghcr.yml
new file mode 100644
index 000000000..3aa84bc07
--- /dev/null
+++ b/.github/workflows/publish_ghcr.yml
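Review bot: `REGISTRY: ${{steps.login-ecr-public.outputs.registry }}` has no space after `${{` but one before `}}`, unlike every other expression in these workflows; `${{ steps.login-ecr-public.outputs.registry }}` keeps the style uniform. `REGISTRY_ALIAS: j4u0y1h1` is an opaque value fixed in the workflow alongside the `us-east-1` region; a one-line comment such as `# public ECR gallery alias for the kafbat organisation` would stop a reader from mistaking it for a credential. Assuming `secrets.AWS_ROLE` through OIDC with `id-token: write` is the right pattern here — no long-lived AWS keys are involved.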
@@ -0,0 +1,61 @@
+
+name: "Docker GHCR publish"
+
+on:
+workflow_call:
+inputs:
+version:
+required: true
+type: string
+generic_tag:
+required: true
+type: string
+
+jobs:
+
+deploy-ghcr:
+runs-on: ubuntu-latest
+
+permissions:
+packages: write
+
+steps:
+- name: Download docker image
+uses: actions/download-artifact@v4
+with:
+name: image
+path: /tmp
+
+# setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations
+- name: Setup docker with containerd
+uses: crazy-max/ghaction-setup-docker@v3
+with:
+daemon-config: |
+{
+"features": {
+"containerd-snapshotter": true
+}
+}
+
+- name: Load docker image into daemon
+run: |
+docker load --input /tmp/image.tar
+
+- name: Login to GitHub Container Registry
+uses: docker/login-action@v3
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Push images to GHCR
+run: |
+# docker tag kafka-ui:temp ghcr.io/kafbat/kafka-ui:${{ inputs.generic_tag }}
+# docker tag kafka-ui:temp ghcr.io/kafbat/kafka-ui:${{ inputs.version }}
+# docker push ghcr.io/kafbat/kafka-ui:${{ inputs.generic_tag }}
+# docker push ghcr.io/kafbat/kafka-ui:${{ inputs.version }}
+docker tag kafka-ui:temp ghcr.io/giom-l/kafka-ui:${{ inputs.generic_tag }}
+docker tag kafka-ui:temp ghcr.io/giom-l/kafka-ui:${{ inputs.version }}
+docker push ghcr.io/giom-l/kafka-ui:${{ inputs.generic_tag }}
+docker push ghcr.io/giom-l/kafka-ui:${{ inputs.version }}
+
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 267c4c990..93e0f1701 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
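Review bot: The push step tags and pushes to `ghcr.io/giom-l/kafka-ui` with the `ghcr.io/kafbat/kafka-ui` lines commented out, so merged as-is this publishes the project's `main` and release images to a personal namespace instead of the organisation's, and the repository `GITHUB_TOKEN` is not expected to be authorised for a foreign owner, which would fail the deploy job. This reads as a fork-testing leftover: restore the four `kafbat` lines and delete the commented ones. If the namespace must differ between a fork and upstream, derive it from `${{ github.repository_owner }}` rather than hard-coding either value. The trailing empty line added at the end of the file should also go.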
@@ -52,201 +52,29 @@ jobs: with: name: kafbat-ui-${{ steps.build.outputs.version }} path: api/target/api-${{ steps.build.outputs.version }}.jar - ################# - # # - # Docker images # - # # - ################# - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - - name: Cache Docker layers - uses: actions/cache@v4 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- - - # Build multi platform images and loading them at the same time is not possible with default container runtime : https://github.com/docker/buildx/issues/59 - # So let's use containerd instead as it supports this option - # Also containerd is one of the option to allow preserving provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations - - name: Setup docker with containerd - uses: crazy-max/ghaction-setup-docker@v3 - with: - daemon-config: | - { - "features": { - "containerd-snapshotter": true - } - } - - - name: Build image - id: docker_build - uses: docker/build-push-action@v5 - with: - builder: ${{ steps.buildx.outputs.name }} - context: api - platforms: linux/amd64,linux/arm64 - provenance: mode=min - sbom: true - push: false - load: true - tags: | - kafka-ui:temp - build-args: | - JAR_FILE=api-${{ steps.build.outputs.version }}.jar - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache - - - name: Dump docker image - run: | - docker image save kafka-ui:temp > /tmp/image.tar - - - name: Upload docker image - uses: actions/upload-artifact@v4 - with: - name: image - path: /tmp/image.tar - retention-days: 1 - - deploy-ghcr: - runs-on: ubuntu-latest + docker-build: needs: release permissions: + contents: read packages: write - - steps: - - name: Download docker image - uses: actions/download-artifact@v4 - with: - name: image - path: /tmp - - # setup 
containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations - - name: Setup docker with containerd - uses: crazy-max/ghaction-setup-docker@v3 - with: - daemon-config: | - { - "features": { - "containerd-snapshotter": true - } - } - - - name: Load docker image into daemon - run: | - docker load --input /tmp/image.tar - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: "${{ github.actor }}" - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push images to GHCR - run: | - docker tag kafka-ui:temp ghcr.io/kafbat/kafka-ui:latest - docker tag kafka-ui:temp ghcr.io/kafbat/kafka-ui:${{ needs.release.outputs.version }} - docker push ghcr.io/kafbat/kafka-ui:latest - docker push ghcr.io/kafbat/kafka-ui:${{ needs.release.outputs.version }} - - deploy-dockerhub: - runs-on: ubuntu-latest - needs: release - - steps: - - name: Download docker image - uses: actions/download-artifact@v4 - with: - name: image - path: /tmp - - # setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations - - name: Setup docker with containerd - uses: crazy-max/ghaction-setup-docker@v3 - with: - daemon-config: | - { - "features": { - "containerd-snapshotter": true - } - } - - - name: Load docker image into daemon - run: | - docker load --input /tmp/image.tar - - - name: Login to Dockerhub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Push images to dockerhub - run: | - docker tag kafka-ui:temp docker.io/kafbat/kafka-ui:latest - docker tag kafka-ui:temp docker.io/kafbat/kafka-ui:${{ needs.release.outputs.version }} - docker push docker.io/kafbat/kafka-ui:latest - docker push docker.io/kafbat/kafka-ui:${{ needs.release.outputs.version }} - - - deploy-ecr: - runs-on: ubuntu-latest - needs: release + uses: 
./.github/workflows/docker_build.yml + secrets: inherit + with: + sha: ${{ github.sha }} + version: ${{ needs.release.outputs.version }} + + docker-deploy: + needs: [release, docker-build] permissions: contents: read # To read secrets id-token: write # This is required for requesting the JWT - - steps: - - name: Download docker image - uses: actions/download-artifact@v4 - with: - name: image - path: /tmp - - # setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations - - name: Setup docker with containerd - uses: crazy-max/ghaction-setup-docker@v3 - with: - daemon-config: | - { - "features": { - "containerd-snapshotter": true - } - } - - - name: Load docker image into daemon - run: | - docker load --input /tmp/image.tar - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: us-east-1 # This region only for public ECR - role-to-assume: ${{ secrets.AWS_ROLE }} - - - name: Login to public ECR - id: login-ecr-public - uses: aws-actions/amazon-ecr-login@v2 - with: - registry-type: public - - - name: Push to ECR - env: - REGISTRY: ${{steps.login-ecr-public.outputs.registry }} - REGISTRY_ALIAS: j4u0y1h1 - REPOSITORY: kafka-ui - run: | - docker tag kafka-ui:temp $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:latest - docker tag kafka-ui:temp $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:${{ needs.release.outputs.version }} - docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:latest - docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:${{ needs.release.outputs.version }} + packages: write + uses: ./.github/workflows/docker_publish.yml + secrets: inherit + with: + version: ${{ needs.release.outputs.version }} + generic_tag: latest charts: runs-on: ubuntu-latest