Update temporal submodule for branch main #2447
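# Builds the server / admin-tools / auto-setup images, scans them with Trivy and,
# only on pushes to main or release/*, publishes the multiarch images to DockerHub.
name: Build Docker Images

# Least privilege for the default GITHUB_TOKEN: read the repository and write
# Trivy findings to code scanning. Publishing uses the DOCKER_PAT secret instead.
permissions:
  contents: read
  security-events: write

on:
  push:
    branches:
      - main
      - release/*
  pull_request:
    branches:
      - main
  # A manual run builds and scans an arbitrary commit but never pushes (the push
  # step below is gated on event_name == 'push'), so an operator cannot publish
  # an unreviewed SHA this way.
  workflow_dispatch:
    inputs:
      commit:
        description: "Commit sha"
        required: true

jobs:
  build-push-images:
    runs-on: ubuntu-latest-16-cores
    # Usually, a successful job takes ~17 mins.
    # Anything more than 30 mins is a sign that job is stuck.
    # This is a workaround until we find the root cause.
    timeout-minutes: 30
    steps:
      # NOTE(review): third-party actions are pinned by major tag only. Pinning
      # each `uses:` to a full commit SHA (tag kept in a trailing comment) removes
      # the trust placed in the tag staying immutable upstream.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: "true"
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.commit || '' }}
          # No later step pushes to git, so do not leave GITHUB_TOKEN in
          # .git/config where any subsequent step or action could read it.
          persist-credentials: false
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # Skipped under `act` (local runs). v1 of this action runs on a deprecated
      # Node runtime; v3 takes the same username/password inputs.
      # NOTE(review): on pull_request events from forks these secrets are empty
      # and the login would fail; gate on event_name if fork PRs are expected.
      - name: Login to DockerHub
        if: ${{ !env.ACT }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PAT }}
      # Derives the image tag from the commit, records the pinned submodule SHAs,
      # and emits the per-image buildx cache parameters as a step output.
      - name: Prepare build args
        id: build_args
        run: |
          github_sha_short=${GITHUB_SHA:0:7}
          echo "IMAGE_TAG=sha-${github_sha_short}" >> $GITHUB_ENV
          TEMPORAL_SHA=$(git submodule status -- temporal | awk '{print $1}')
          echo "TEMPORAL_SHA=${TEMPORAL_SHA}" >> $GITHUB_ENV
          TCTL_SHA=$(git submodule status -- tctl | awk '{print $1}')
          echo "TCTL_SHA=${TCTL_SHA}" >> $GITHUB_ENV
          # Expression expands to the literal 'true' or 'false' only, so it is
          # safe to interpolate into the shell.
          TAG_LATEST=${{(github.event_name == 'push' && github.ref == 'refs/heads/main') && 'true' || 'false'}}
          echo "TAG_LATEST=${TAG_LATEST}" >> $GITHUB_ENV
          # Cache params are a bit of a pain
          echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
          cachefor () {
            echo "$1.cache-from=type=local,src=/tmp/.buildx-cache/$1"
            echo "$1.cache-to=type=local,dest=/tmp/.buildx-cache-new/$1"
          }
          echo 'cache_params<<EOF' >> $GITHUB_OUTPUT
          for img in server admin-tools auto-setup; do
            cachefor $img >> $GITHUB_OUTPUT
          done
          echo 'EOF' >> $GITHUB_OUTPUT
          cat $GITHUB_OUTPUT
      - name: Restore Cached Docker Layers
        id: restore-cache
        uses: actions/cache/restore@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-cache-go-build-${{ hashFiles('**/go.sum') }}-${{steps.build_args.outputs.branch}}
          restore-keys: |
            ${{ runner.os }}-cache-go-build-${{ hashFiles('**/go.sum') }}-
            ${{ runner.os }}-cache-go-build-
      # You can't use `load` when building a multiarch image, so we build and load the
      # native image and build multiarch images later
      - name: Bake native images for security scanning
        uses: docker/bake-action@v4
        with:
          load: true
          set: |
            server.platform=linux/amd64
            admin-tools.platform=linux/amd64
            auto-setup.platform=linux/amd64
            ${{ steps.build_args.outputs.cache_params }}
      # Scan the locally loaded images BEFORE anything is pushed, so a failing
      # scan gates publication instead of reporting on an image already on
      # DockerHub. The server scan also runs on pull requests.
      # TODO: can we loop this somehow?
      - name: Run Trivy vulnerability scanner on Server image
        uses: ./.github/actions/trivy
        with:
          image-tags: temporaliotest/server:${{ env.IMAGE_TAG }}
          image-name: server
      - name: Run Trivy vulnerability scanner on Admin Tools image
        if: ${{ github.event_name == 'push' && !env.ACT }}
        uses: ./.github/actions/trivy
        with:
          image-tags: temporaliotest/admin-tools:${{ env.IMAGE_TAG }}
          image-name: admin-tools
      - name: Run Trivy vulnerability scanner on Auto Setup image
        if: ${{ github.event_name == 'push' && !env.ACT }}
        uses: ./.github/actions/trivy
        with:
          image-tags: temporaliotest/auto-setup:${{ env.IMAGE_TAG }}
          image-name: auto-setup
      # Only push events publish; PRs and manual runs stop at build + scan.
      - name: Bake and push multiarch images
        if: ${{ github.event_name == 'push' && !env.ACT }}
        uses: docker/bake-action@v4
        with:
          push: true
          set: |
            ${{ steps.build_args.outputs.cache_params }}
      # This prevents the cache from growing in size indefinitely
      - name: Move Docker Layers Cache
        if: always()
        run: |
          test -d /tmp/.buildx-cache && rm -rf /tmp/.buildx-cache
          test -d /tmp/.buildx-cache-new && mv /tmp/.buildx-cache-new /tmp/.buildx-cache
      - name: Save Docker Layers Cache
        uses: actions/cache/save@v3
        if: always()
        with:
          path: /tmp/.buildx-cache
          key: ${{ steps.restore-cache.outputs.cache-primary-key }}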