Build, Test, Push #68
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build, Test, Push | |
| on: | |
| schedule: | |
| - cron: "0 10 * * 0" # Every Sunday at 10AM | |
| push: | |
| branches: | |
| - master | |
| - develop | |
| - feature/* | |
| tags: | |
| - "v*.*.*" | |
| workflow_dispatch: # Allow manually triggering a build | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| IMAGE: docksal/mariadb | |
| LATEST_VERSION: "10.11" | |
| #DOCKSAL_VERSION: develop | |
| jobs: | |
| build: | |
| name: "Build: ${{ matrix.version }}/${{ matrix.arch }}" | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| fail-fast: false # Don't cancel other jobs if one fails | |
| matrix: | |
| include: | |
| - | |
| arch: amd64 | |
| version: "10.4" | |
| - | |
| arch: arm64 | |
| version: "10.4" | |
| - | |
| arch: amd64 | |
| version: "10.5" | |
| - | |
| arch: arm64 | |
| version: "10.5" | |
| - | |
| arch: amd64 | |
| version: "10.6" | |
| - | |
| arch: arm64 | |
| version: "10.6" | |
| - | |
| arch: amd64 | |
| version: "10.11" | |
| - | |
| arch: arm64 | |
| version: "10.11" | |
| env: | |
| ARCH: ${{ matrix.arch }} | |
| VERSION_PREFIX: "" | |
| VERSION: ${{ matrix.version }} | |
| UPSTREAM_IMAGE: mariadb:${{ matrix.version }} | |
| BUILD_DIR: "." | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v4 | |
| - | |
| name: Environment variables | |
| run: | | |
| # Export variables for further steps | |
| echo GIT_SHA7="${GITHUB_SHA:0:7}" | tee -a ${GITHUB_ENV} | |
| echo BUILD_IMAGE_TAG="${IMAGE}:${VERSION_PREFIX}${VERSION}-build" | tee -a ${GITHUB_ENV} | |
| # Pull the host public SSH key at runtime instead of relying on a static value stored in secrets. | |
| echo ARM64_HOST_SSH_CERT="$(ssh-keyscan -t rsa ${{ secrets.ARM64_HOST }} 2>/dev/null)" | tee -a ${GITHUB_ENV} | |
| - | |
| name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Check Docker | |
| run: | | |
| docker version | |
| docker info | |
| - | |
| name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - | |
| # Build and cache image in the registry | |
| name: Build image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ${{ env.BUILD_DIR }} | |
| file: ${{ env.BUILD_DIR }}/Dockerfile | |
| build-args: | | |
| UPSTREAM_IMAGE=${{ env.UPSTREAM_IMAGE }} | |
| VERSION=${{ env.VERSION }} | |
| platforms: linux/${{ env.ARCH }} | |
| # Push intermediate arch-specific build tag to repo | |
| tags: ${{ env.BUILD_IMAGE_TAG }}-${{ env.GIT_SHA7 }}-${{ env.ARCH }} | |
| push: ${{ github.event_name != 'pull_request' }} # Don't push for PRs | |
| # Disable automatic image attestations | |
| # With image attestations enabled, the image tag pushed to the registry is a manifest list. | |
| # That makes it impossible to stitch different platform images together in a manifest list, since you | |
| # cannot have a manifest list of manifest lists. | |
| # See https://docs.docker.com/build/attestations/attestation-storage/ | |
| # TODO: Refactor to allow for image attestations | |
| provenance: false | |
| sbom: false | |
| # BUILD_IMAGE_TAG - persistent multi-arch tag, updated at the end of the build (success or failure) | |
| # Use registry cache with max mode to cahce all image layers in the registry | |
| cache-from: type=registry,ref=${{ env.BUILD_IMAGE_TAG }}-cache-${{ env.ARCH }} | |
| cache-to: type=registry,ref=${{ env.BUILD_IMAGE_TAG }}-cache-${{ env.ARCH }},mode=max | |
| test: | |
| name: "Test: ${{ matrix.version }}/${{ matrix.arch }}" | |
| runs-on: ubuntu-22.04 | |
| needs: build | |
| strategy: | |
| fail-fast: false # Don't cancel other jobs if one fails | |
| matrix: | |
| include: | |
| # Disabled arm64 tests. | |
| # TODO: Refactor tests to be compatible with a remote host test runner. | |
| # TODO: Remember to re-enabled the test results check in "push". | |
| - | |
| arch: amd64 | |
| version: "10.4" | |
| # - | |
| # arch: arm64 | |
| # version: "10.4" | |
| - | |
| arch: amd64 | |
| version: "10.5" | |
| # - | |
| # arch: arm64 | |
| # version: "10.5" | |
| - | |
| arch: amd64 | |
| version: "10.6" | |
| # - | |
| # arch: arm64 | |
| # version: "10.6" | |
| - | |
| arch: amd64 | |
| version: "10.11" | |
| # - | |
| # arch: arm64 | |
| # version: "10.11" | |
| env: | |
| ARCH: ${{ matrix.arch }} | |
| VERSION_PREFIX: "" | |
| VERSION: ${{ matrix.version }} | |
| steps: | |
| - | |
| name: Setup Bats | |
| uses: bats-core/[email protected] | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v4 | |
| - | |
| name: Environment variables | |
| run: | | |
| # Export variables for further steps | |
| echo GIT_SHA7="${GITHUB_SHA:0:7}" | tee -a ${GITHUB_ENV} | |
| echo BUILD_IMAGE_TAG="${IMAGE}:${VERSION_PREFIX}${VERSION}-build" | tee -a ${GITHUB_ENV} | |
| # Pull the host public SSH key at runtime instead of relying on a static value stored in secrets. | |
| echo ARM64_HOST_SSH_CERT="$(ssh-keyscan -t rsa ${{ secrets.ARM64_HOST }} 2>/dev/null)" | tee -a ${GITHUB_ENV} | |
| - | |
| name: Check Docker | |
| run: | | |
| docker version | |
| docker info | |
| - | |
| # Run tests | |
| name: Test | |
| id: tests | |
| working-directory: ${{ env.BUILD_DIR }} | |
| env: | |
| BUILD_IMAGE_TAG: ${{ env.BUILD_IMAGE_TAG }}-${{ env.GIT_SHA7 }}-${{ env.ARCH }} | |
| VERSION: ${{ env.VERSION }} | |
| run: | | |
| make test | |
| ([[ $? == 0 ]] && echo "pass" || echo "fail") | tee ${{ github.workspace }}/test-results-${VERSION_PREFIX}${VERSION}-${ARCH}.txt | |
| # Store tests results as an artifact (used by downstream jobs) | |
| # Note: Cannot use "::set-output name=var_name::var_value" as var_name would need to be dynamic here. | |
| # Dynamic variable names cannot be used when mapping step outputs to job outputs. | |
| # Step outputs cannot be accessed directly from other jobs. Dead end. | |
| - name: Store test results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: test-results-${{ env.GIT_SHA7 }}-${{ env.VERSION_PREFIX }}${{ env.VERSION }}-${{ env.ARCH }} | |
| path: ${{ github.workspace }}/test-results-*.txt | |
| if-no-files-found: error | |
| overwrite: true | |
| push: | |
| name: "Push: ${{ matrix.version }}/multi" | |
| runs-on: ubuntu-22.04 | |
| # Wait for test to either succeed or fail | |
| needs: test | |
| if: always() | |
| strategy: | |
| matrix: | |
| version: | |
| - "10.4" | |
| - "10.5" | |
| - "10.6" | |
| - "10.11" | |
| env: | |
| VERSION_PREFIX: "" | |
| VERSION: ${{ matrix.version }} | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v4 | |
| - | |
| name: Environment variables | |
| run: | | |
| # Export variables for further steps | |
| echo GIT_SHA7="${GITHUB_SHA:0:7}" | tee -a ${GITHUB_ENV} | |
| echo BUILD_IMAGE_TAG="${IMAGE}:${VERSION_PREFIX}${VERSION}-build" | tee -a ${GITHUB_ENV} | |
| - | |
| # Login to Docker Hub | |
| name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - | |
| name: Retrieve test results | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: test-results-${{ env.GIT_SHA7 }}-* | |
| merge-multiple: true | |
| - | |
| # Generate persistent tags (edge, stable, release) | |
| name: Docker image tags | |
| id: docker_tags | |
| # Don't push broken builds to persistent tags (both amd64 and arm64 tests must pass) | |
| # TODO: re-enable the arm64 test results check once those tests are re-enabled | |
| run: | | |
| amd64_tests=$(cat test-results-${VERSION_PREFIX}${VERSION}-amd64.txt) | |
| #arm64_tests=$(cat test-results-${VERSION_PREFIX}${VERSION}-arm64.txt) | |
| # && [[ "${arm64_tests}" == "pass" ]] | |
| if [[ "${amd64_tests}" == "pass" ]]; then | |
| .github/scripts/docker-tags.sh | |
| fi | |
| - | |
| # Create and push multi-arch image manifests | |
| name: Push multi-arch images | |
| env: | |
| # build tags are always pushed (build caching, debugging needs) | |
| # edge, stage, release are only pushed if tests were successful (see docker_tags step) | |
| TAGS: | | |
| ${{ env.BUILD_IMAGE_TAG }} | |
| ${{ steps.docker_tags.outputs.tags }} | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} # Needed for docker-tag-delete.sh | |
| DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} # Needed for docker-tag-delete.sh | |
| run: | | |
| set -xeuo pipefail | |
| IFS="${IFS}," # Also split strings by comma (in case list of tag is comma-separated) | |
| for tag in ${TAGS}; do | |
| if [[ "${tag}" == "" ]]; then continue; fi | |
| docker manifest create --amend ${tag} \ | |
| ${{ env.BUILD_IMAGE_TAG }}-${{ env.GIT_SHA7 }}-amd64 \ | |
| ${{ env.BUILD_IMAGE_TAG }}-${{ env.GIT_SHA7 }}-arm64 | |
| docker manifest inspect ${tag} | |
| docker manifest push ${tag} | |
| done | |
| # Clean up intermediate arch-specific image tags (DockerHub only) | |
| .github/scripts/docker-tag-delete.sh "${{ env.BUILD_IMAGE_TAG }}-${{ env.GIT_SHA7 }}-amd64" | |
| .github/scripts/docker-tag-delete.sh "${{ env.BUILD_IMAGE_TAG }}-${{ env.GIT_SHA7 }}-arm64" |