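# Builds the server / admin-tools / auto-setup images, scans them with Trivy,
# and (on pushes only) publishes multi-arch images to DockerHub.
name: Build Docker Images

# Token is read-only except for security-events, which the Trivy step needs
# in order to publish scan results (presumably SARIF upload — see ./.github/actions/trivy).
permissions:
  contents: read
  security-events: write

on:
  push:
    branches:
      - main
      - release/*
  pull_request:
    branches:
      - main
  workflow_dispatch:
    inputs:
      commit:
        description: "Commit sha"
        required: true

jobs:
  build-push-images:
    runs-on: ubuntu-latest-16-cores
    # Usually, a successful job takes ~17 mins.
    # Anything more than 30 mins is a sign that job is stuck.
    # This is a workaround until we find the root cause.
    timeout-minutes: 30
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: "true"
          # Manual runs build the requested commit; every other event uses the
          # event's default ref (empty string = checkout's default).
          ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.commit || '' }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # `env.ACT` is presumably set by the act local runner, where no registry
      # credentials exist. NOTE(review): on pull_request events from forks the
      # secrets below are empty as well, so this step would fail there — confirm
      # whether fork PRs are expected to run this workflow.
      - name: Login to DockerHub
        if: ${{ !env.ACT }}
        # v1 is two majors behind the other docker/* actions in this file and
        # runs on a deprecated Node runtime; v3 takes the same inputs.
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PAT }}

      # Derives the image tag, submodule SHAs and buildx cache parameters that
      # the bake steps below consume (via $GITHUB_ENV and $GITHUB_OUTPUT).
      - name: Prepare build args
        id: build_args
        run: |
          github_sha_short=${GITHUB_SHA:0:7}
          echo "IMAGE_TAG=sha-${github_sha_short}" >> $GITHUB_ENV
          # NOTE(review): `git submodule status` prefixes the SHA with '+'/'-'/'U'
          # when the checked-out commit differs from the recorded one; with
          # submodules: "true" above the prefix is a space, so $1 is the bare SHA.
          TEMPORAL_SHA=$(git submodule status -- temporal | awk '{print $1}')
          echo "TEMPORAL_SHA=${TEMPORAL_SHA}" >> $GITHUB_ENV
          TCTL_SHA=$(git submodule status -- tctl | awk '{print $1}')
          echo "TCTL_SHA=${TCTL_SHA}" >> $GITHUB_ENV
          # Only pushes to main get the `latest` tag.
          TAG_LATEST=${{(github.event_name == 'push' && github.ref == 'refs/heads/main') && 'true' || 'false'}}
          echo "TAG_LATEST=${TAG_LATEST}" >> $GITHUB_ENV
          # Cache params are a bit of a pain
          # Branch name: the PR head branch, else the pushed branch (refs/heads/ stripped).
          echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
          cachefor () {
            echo "$1.cache-from=type=local,src=/tmp/.buildx-cache/$1"
            echo "$1.cache-to=type=local,dest=/tmp/.buildx-cache-new/$1"
          }
          # Multi-line output: one cache-from/cache-to pair per bake target.
          echo 'cache_params<<EOF' >> $GITHUB_OUTPUT
          for img in server admin-tools auto-setup; do
            cachefor $img >> $GITHUB_OUTPUT
          done
          echo 'EOF' >> $GITHUB_OUTPUT
          cat $GITHUB_OUTPUT

      - name: Restore Cached Docker Layers
        id: restore-cache
        uses: actions/cache/restore@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-cache-go-build-${{ hashFiles('**/go.sum') }}-${{steps.build_args.outputs.branch}}
          restore-keys: |
            ${{ runner.os }}-cache-go-build-${{ hashFiles('**/go.sum') }}-
            ${{ runner.os }}-cache-go-build-

      # You can't use `load` when building a multiarch image, so we build and load the
      # native image and build multiarch images later
      - name: Bake native images for security scanning
        uses: docker/bake-action@v4
        with:
          load: true
          set: |
            server.platform=linux/amd64
            admin-tools.platform=linux/amd64
            auto-setup.platform=linux/amd64
            ${{ steps.build_args.outputs.cache_params }}

      - name: Bake and push multiarch images
        if: ${{ github.event_name == 'push' && !env.ACT }}
        uses: docker/bake-action@v4
        with:
          push: true
          set: |
            ${{ steps.build_args.outputs.cache_params }}

      # This prevents the cache from growing in size indefinitely
      - name: Move Docker Layers Cache
        if: always()
        run: |
          test -d /tmp/.buildx-cache && rm -rf /tmp/.buildx-cache
          test -d /tmp/.buildx-cache-new && mv /tmp/.buildx-cache-new /tmp/.buildx-cache

      - name: Save Docker Layers Cache
        uses: actions/cache/save@v3
        if: always()
        with:
          path: /tmp/.buildx-cache
          key: ${{ steps.restore-cache.outputs.cache-primary-key }}

      # TODO: can we loop this somehow?
      # The server image is scanned on every event; the other two only on pushes
      # (all three are loaded locally by the native bake step above).
      - name: Run Trivy vulnerability scanner on Server image
        uses: ./.github/actions/trivy
        with:
          image-tags: temporaliotest/server:${{ env.IMAGE_TAG }}
          image-name: server

      - name: Run Trivy vulnerability scanner on Admin Tools image
        if: ${{ github.event_name == 'push' && !env.ACT }}
        uses: ./.github/actions/trivy
        with:
          image-tags: temporaliotest/admin-tools:${{ env.IMAGE_TAG }}
          image-name: admin-tools

      - name: Run Trivy vulnerability scanner on Auto Setup image
        if: ${{ github.event_name == 'push' && !env.ACT }}
        uses: ./.github/actions/trivy
        with:
          image-tags: temporaliotest/auto-setup:${{ env.IMAGE_TAG }}
          image-name: auto-setup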