Build e push de imagem OCI

.github/workflows/push.yml

@@ -0,0 +1,96 @@
+name: Faz push das imagens
+
+
+on:
+  pull_request:
+    branchs:
+      - 'feature/**'
+      - 'hotfix/**'
+      - 'release/**'
+
+jobs:
+  push:
+    name: Push
+    runs-on: ubuntu-20.04
+
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        # Nix Flakes doesn't work on shallow clones
+        fetch-depth: 0
+
+    - uses: cachix/install-nix-action@v13
+      with:
+        install_url: https://nixos-nix-install-tests.cachix.org/serve/i6laym9jw3wg9mw6ncyrk6gjx4l34vvx/install
+        install_options: '--tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve'
+        extra_nix_config: |
+          experimental-features = nix-command flakes ca-references ca-derivations
+          sandbox = false
+    - run: nix flake --version
+#    - run: nix flake metadata nixpkgs
+
+    # Remove podman via apt-get
+    - run: |
+        sudo apt-get purge -y podman containers-image containers-common
+        sudo apt-get autoremove --purge
+        sudo apt-get -y clean
+        podman --version || echo podman not installed
+
+    # Instala podman usando nix
+    - run: nix profile install github:ES-Nix/podman-rootless/6a498059fc8a120ecc2f0d8e3712f43256c4ee1d
+    # Não funciona pois não vem com os arquivos de configuração
+#    - run: nix profile install nixpkgs#podman
+    - run: |
+        sudo apt-get update
+        sudo apt-get install --no-install-recommends --no-install-suggests -y uidmap
+    - run: podman --version
+#    - run: podman info --debug
+
+    - name: Faz build da imagem de dev usando podman via nix
+      run: |
+        make build
+        echo "::set-output name=REGISTRY::$(make print-GITHUB_REGISTRY)"
+        echo "::set-output name=IMAGE_NAME::$(make print-IMAGE_NAME)"
+        echo "::set-output name=IMAGE_TAG_DEV::$(make print-IMAGE_TAG_DEV)"
+      shell: bash
+      id: dev-build
+
+    - name: Faz build da imagem de prod usando podman via nix
+      run: |
+        make prod.build
+        echo "::set-output name=REGISTRY::$(make print-GITHUB_REGISTRY)"
+        echo "::set-output name=IMAGE_NAME::$(make print-IMAGE_NAME)"
+        echo "::set-output name=IMAGE_TAG_PROD::$(make print-IMAGE_TAG_PROD)"
+      shell: bash
+      id: prod-build
+
+    - name: Log in em Quay.io para push
+      uses: redhat-actions/podman-login@v1
+      with:
+          registry: ${{ steps.dev-build.outputs.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+    # Podman Login action (https://github.com/redhat-actions/podman-login) also be used to log in,
+    # in which case 'username' and 'password' can be omitted.
+    - name: Faz push para registry da imagem de dev
+      id: push-to
+      uses: redhat-actions/push-to-registry@v2
+      with:
+        image: ${{ steps.dev-build.outputs.IMAGE_NAME }}
+        registry: ${{ steps.dev-build.outputs.REGISTRY }}
+        tags: ${{ steps.dev-build.outputs.IMAGE_TAG_DEV }}
+    - name: Print image url
+      run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}"
+
+    - name: Faz push para registry da imagem de prod
+      uses: redhat-actions/push-to-registry@v2
+      with:
+        image: ${{ steps.prod-build.outputs.IMAGE_NAME }}
+        registry: ${{ steps.prod-build.outputs.REGISTRY }}
+        tags: ${{ steps.prod-build.outputs.IMAGE_TAG_PROD }}
+    - name: Print image url
+      run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}"
+
+    - name: Lista imagens
+      run: podman images

.github/workflows/tests.yml

@@ -1,5 +1,6 @@
 name: Test builds
 
+
 on:
   pull_request:
     branchs:
@@ -8,19 +9,60 @@ on:
       - 'release/**'
 
 jobs:
-  build-dev:
-    runs-on: ubuntu-18.04
-    steps:
-      - uses: actions/checkout@v2
-      - name: Prints podman --version
-        run: podman --version
-      - name: Build dev
-        run: make dev.build
-
-  build-prod:
-    runs-on: ubuntu-18.04
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+
     steps:
-      - uses: actions/checkout@v2
+    - uses: actions/checkout@v2
+      with:
+        # Nix Flakes doesn't work on shallow clones
+        fetch-depth: 0
+
+    - uses: cachix/install-nix-action@v13
+      with:
+        install_url: https://nixos-nix-install-tests.cachix.org/serve/i6laym9jw3wg9mw6ncyrk6gjx4l34vvx/install
+        install_options: '--tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve'
+        extra_nix_config: |
+          experimental-features = nix-command flakes ca-references ca-derivations
+          sandbox = false
+    - run: nix flake --version
+#    - run: nix flake metadata nixpkgs
+
+    # Remove podman via apt-get
+    - run: |
+        sudo apt-get purge -y podman containers-image containers-common
+        sudo apt-get autoremove --purge
+        sudo apt-get -y clean
+        podman --version || echo podman not installed
+
+    # Instala podman usando nix
+    - run: nix profile install github:ES-Nix/podman-rootless/6a498059fc8a120ecc2f0d8e3712f43256c4ee1d
+    # Não funciona pois não vem com os arquivos de configuração
+#    - run: nix profile install nixpkgs#podman
+    - run: |
+        sudo apt-get update
+        sudo apt-get install --no-install-recommends --no-install-suggests -y uidmap
+    - run: podman --version
+#    - run: podman info --debug
+
+    - name: Faz build da imagem de dev usando podman via nix
+      run: |
+        make build
+        echo "::set-output name=REGISTRY::$(make print-GITHUB_REGISTRY)"
+        echo "::set-output name=IMAGE_NAME::$(make print-IMAGE_NAME)"
+        echo "::set-output name=IMAGE_TAG_DEV::$(make print-IMAGE_TAG_DEV)"
+      shell: bash
+      id: dev-build
+
+    - name: Faz build da imagem de prod usando podman via nix
+      run: |
+        make prod.build
+        echo "::set-output name=REGISTRY::$(make print-GITHUB_REGISTRY)"
+        echo "::set-output name=IMAGE_NAME::$(make print-IMAGE_NAME)"
+        echo "::set-output name=IMAGE_TAG_PROD::$(make print-IMAGE_TAG_PROD)"
+      shell: bash
+      id: prod-build
 
-      - name: Build prod
-        run: make prod.build
+    - name: Lista imagens
+      run: podman images

Containerfile.prod

@@ -0,0 +1,31 @@
+FROM python:3.8.3-slim-buster
+
+# Set python environment variables
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
+ENV PIP_NO_CACHE_DIR 0
+ENV PIP_DISABLE_PIP_VERSION_CHECK 1
+
+ENV USER app_user
+
+WORKDIR /home/app_user
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --no-install-suggests -y \
+    ca-certificates \
+ && apt-get -y autoremove \
+ && apt-get -y clean  \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN addgroup app_group \
+ && adduser \
+    --quiet \
+    --disabled-password \
+    --shell /bin/bash \
+    --home /home/app_user \
+    --gecos "User" app_user \
+    --ingroup app_group \
+ && chmod 0700 /home/app_user \
+ && chown --recursive app_user:app_group /home/app_user
+
+CMD ["/bin/bash"]

Makefile

@@ -1,12 +1,25 @@
-REGISTRY=imobanco
-IMAGE_NAME=python
-IMAGE_TAG=dev-latest
-INCOME_API_IMAGE=$(REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG)
+GITHUB_REGISTRY=ghcr.io
+IMAGE_NAME=imobanco/python
+IMAGE_TAG_DEV=dev-latest
+IMAGE_TAG_PROD=prod-latest
+IMAGE_DEV=$(GITHUB_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG_DEV)
+IMAGE_PROD=$(GITHUB_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG_PROD)
+CONTAINERFILE_DEV=Containerfile.dev
+CONTAINERFILE_PROD=Containerfile.prod
 
+print-%  : ; @echo $($*)
 
-dev.build:
-	podman build --file Containerfile.dev --tag $(INCOME_API_IMAGE) .
+build:
+	podman build --file $(CONTAINERFILE_DEV) --tag $(IMAGE_DEV) .
+
+pull:
+	podman pull $(IMAGE_DEV)
 
 prod.build:
-	docker build -f Dockerfile.prod .
-
+	podman build --file $(CONTAINERFILE_PROD) --tag $(IMAGE_PROD) .
+
+login.github_registry:
+	podman login $(GITHUB_REGISTRY)
+
+logout.github_registry:
+	podman logout $(GITHUB_REGISTRY)