Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Infra: Add actions to publish to ECR & Docker Hub #347

Merged
merged 10 commits into from
Oct 7, 2024
87 changes: 87 additions & 0 deletions .github/workflows/docker_build.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
name: "Docker build"

on:
workflow_call:
inputs:
sha:
required: true
type: string
version:
required: true
type: string

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
token: ${{ github.token }}

- name: Download maven artifacts
uses: actions/download-artifact@v4
with:
name: kafbat-ui-${{ inputs.version }}
path: api/target

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3

- name: Cache Docker layers
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ inputs.sha }}
restore-keys: |
${{ runner.os }}-buildx-

# Build multi platform images and loading them at the same time is not possible with default container runtime : https://github.com/docker/buildx/issues/59
# So let's use containerd instead as it supports this option
# Also containerd is one of the option to allow preserving provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations
- name: Setup docker with containerd
uses: crazy-max/ghaction-setup-docker@v3
with:
daemon-config: |
{
"features": {
"containerd-snapshotter": true
}
}

- name: Build docker image
id: docker_build
uses: docker/build-push-action@v5
with:
builder: ${{ steps.buildx.outputs.name }}
context: api
platforms: linux/amd64,linux/arm64
provenance: mode=min
sbom: true
push: false
load: true
tags: |
kafka-ui:temp
build-args: |
JAR_FILE=api-${{ inputs.version }}.jar
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache

- name: Dump docker image
run: |
docker image save kafka-ui:temp > /tmp/image.tar

- name: Upload docker image
uses: actions/upload-artifact@v4
with:
name: image
path: /tmp/image.tar
retention-days: 1
100 changes: 100 additions & 0 deletions .github/workflows/docker_publish.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
name: "Docker publish"

on:
workflow_call:
inputs:
version:
required: true
type: string
generic_tag:
required: true
type: string

permissions:
packages: write
id-token: write # Required to authenticate with OIDC for AWS

jobs:
Haarolean marked this conversation as resolved.
Show resolved Hide resolved
deploy:
continue-on-error: true
strategy:
fail-fast: false
matrix:
registry: [ 'docker.io', 'ghcr.io', 'ecr' ]

runs-on: ubuntu-latest
steps:

- name: Download docker image
uses: actions/download-artifact@v4
with:
name: image
path: /tmp

# setup containerd to preserve provenance attestations :https://docs.docker.com/build/attestations/#creating-attestations
- name: Setup docker with containerd
uses: crazy-max/ghaction-setup-docker@v3
with:
daemon-config: |
{
"features": {
"containerd-snapshotter": true
}
}

- name: Load docker image into daemon
run: |
docker load --input /tmp/image.tar

- name: Login to docker.io
if: matrix.registry == 'docker.io'
uses: docker/login-action@v3
with:
registry: ${{ matrix.registry }}
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Login to ghcr.io
if: matrix.registry == 'ghcr.io'
uses: docker/login-action@v3
with:
registry: ${{ matrix.registry }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Configure AWS credentials
if: matrix.registry == 'ecr'
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-east-1 # This region only for public ECR
role-to-assume: ${{ secrets.AWS_ROLE }}

- name: Login to public ECR
if: matrix.registry == 'ecr'
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
with:
registry-type: public

- name: define env vars
run: |
if [ ${{matrix.registry }} == 'docker.io' ]; then
echo "REGISTRY=${{ matrix.registry }}" >> $GITHUB_ENV
echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV
elif [ ${{ matrix.registry }} == 'ghcr.io' ]; then
echo "REGISTRY=${{ matrix.registry }}" >> $GITHUB_ENV
echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV
elif [ ${{ matrix.registry }} == 'ecr' ]; then
echo "REGISTRY=${{ steps.login-ecr-public.outputs.registry }}" >> $GITHUB_ENV
echo "REPOSITORY=${{ github.repository }}" >> $GITHUB_ENV
else
echo "REGISTRY=" >> $GITHUB_ENV
echo "REPOSITORY=notworking" >> $GITHUB_ENV
fi

- name: Push images to ${{ matrix.registry }}
run: |
docker tag kafka-ui:temp ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.generic_tag }}
docker tag kafka-ui:temp ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.version }}
docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.generic_tag }}
docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ inputs.version }}
67 changes: 29 additions & 38 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,14 @@ permissions:
contents: read

jobs:
build:
jar-build:
runs-on: ubuntu-latest

permissions:
contents: read
packages: write

outputs:
version: ${{steps.build.outputs.version}}

steps:
- name: Checkout
Expand All @@ -37,42 +40,30 @@ jobs:
export VERSION=$(./mvnw -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
echo "version=${VERSION}" >> $GITHUB_OUTPUT

# docker images

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Cache Docker layers
uses: actions/cache@v4
- name: Upload jar
uses: actions/upload-artifact@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
name: kafbat-ui-${{ steps.build.outputs.version }}
path: api/target/api-${{ steps.build.outputs.version }}.jar
retention-days: 1

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
docker-build:
needs: jar-build
permissions:
contents: read
uses: ./.github/workflows/docker_build.yml
secrets: inherit
with:
sha: ${{ github.sha }}
version: ${{ needs.jar-build.outputs.version }}

- name: Build & push docker image
id: docker_build_and_push
uses: docker/build-push-action@v5
with:
builder: ${{ steps.buildx.outputs.name }}
context: api
platforms: linux/amd64,linux/arm64
provenance: false
push: true
tags: |
ghcr.io/kafbat/kafka-ui:${{ steps.build.outputs.version }}
ghcr.io/kafbat/kafka-ui:main
build-args: |
JAR_FILE=api-${{ steps.build.outputs.version }}.jar
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
docker-deploy:
needs: [ jar-build, docker-build ]
permissions:
packages: write
id-token: write # Required to authenticate with OIDC for AWS
uses: ./.github/workflows/docker_publish.yml
secrets: inherit
with:
version: ${{ needs.jar-build.outputs.version }}
generic_tag: main
58 changes: 19 additions & 39 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -52,47 +52,27 @@ jobs:
with:
name: kafbat-ui-${{ steps.build.outputs.version }}
path: api/target/api-${{ steps.build.outputs.version }}.jar
#################
# #
# Docker images #
# #
#################
- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Cache Docker layers
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
docker-build:
needs: release
permissions:
contents: read
uses: ./.github/workflows/docker_build.yml
secrets: inherit
with:
sha: ${{ github.sha }}
version: ${{ needs.release.outputs.version }}

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
id: docker_build_and_push
uses: docker/build-push-action@v5
with:
builder: ${{ steps.buildx.outputs.name }}
context: api
platforms: linux/amd64,linux/arm64
provenance: false
push: true
tags: |
ghcr.io/kafbat/kafka-ui:${{ steps.build.outputs.version }}
ghcr.io/kafbat/kafka-ui:latest
build-args: |
JAR_FILE=api-${{ steps.build.outputs.version }}.jar
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
docker-deploy:
needs: [release, docker-build]
permissions:
packages: write
id-token: write # Required to authenticate with OIDC for AWS
uses: ./.github/workflows/docker_publish.yml
secrets: inherit
with:
version: ${{ needs.release.outputs.version }}
generic_tag: latest

charts:
runs-on: ubuntu-latest
Expand Down
Loading