fix(ci): build+push image in release flow (#3838)
This commit is contained in:
parent
0283c35225
commit
93c89ba0e8
67
.github/workflows/ci.yaml
vendored
67
.github/workflows/ci.yaml
vendored
@ -402,73 +402,6 @@ jobs:
|
|||||||
- name: Remove release packages and test artifacts
|
- name: Remove release packages and test artifacts
|
||||||
run: rm -rf ./release-packages ./test/test-results
|
run: rm -rf ./release-packages ./test/test-results
|
||||||
|
|
||||||
# Builds both amd64 and arm64 images
|
|
||||||
docker-images:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
needs: [package-linux-amd64, package-linux-arm64]
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v2
|
|
||||||
|
|
||||||
- name: Download release package
|
|
||||||
uses: actions/download-artifact@v2
|
|
||||||
with:
|
|
||||||
name: release-packages
|
|
||||||
path: ./release-packages
|
|
||||||
|
|
||||||
- name: Set up QEMU
|
|
||||||
uses: docker/setup-qemu-action@v1
|
|
||||||
|
|
||||||
- name: Set up Docker Buildx
|
|
||||||
uses: docker/setup-buildx-action@v1
|
|
||||||
|
|
||||||
- name: Run ./ci/steps/build-docker-image.sh
|
|
||||||
run: ./ci/steps/build-docker-image.sh
|
|
||||||
|
|
||||||
- name: Upload release images
|
|
||||||
uses: actions/upload-artifact@v2
|
|
||||||
with:
|
|
||||||
name: release-images
|
|
||||||
path: ./release-images
|
|
||||||
|
|
||||||
trivy-scan-image:
|
|
||||||
runs-on: ubuntu-20.04
|
|
||||||
needs: docker-images
|
|
||||||
# NOTE@jsjoeio: disabling due to a memory issue upstream
|
|
||||||
# See: https://github.com/github/codeql-action/issues/528
|
|
||||||
if: 1 == 2
|
|
||||||
steps:
|
|
||||||
- name: Checkout code
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
|
|
||||||
- name: Download release images
|
|
||||||
uses: actions/download-artifact@v2
|
|
||||||
with:
|
|
||||||
name: release-images
|
|
||||||
path: ./release-images
|
|
||||||
|
|
||||||
- name: Run Trivy vulnerability scanner in image mode
|
|
||||||
# Commit SHA for v0.0.17
|
|
||||||
uses: aquasecurity/trivy-action@9438b49cc3156b2e8c77c1ba8ffbaa3bae24e3c2
|
|
||||||
with:
|
|
||||||
input: "./release-images/code-server-amd64-*.tar"
|
|
||||||
scan-type: "image"
|
|
||||||
ignore-unfixed: true
|
|
||||||
format: "template"
|
|
||||||
template: "@/contrib/sarif.tpl"
|
|
||||||
output: "trivy-image-results.sarif"
|
|
||||||
severity: "HIGH,CRITICAL"
|
|
||||||
|
|
||||||
- name: Debug Trivy SARIF file
|
|
||||||
run: cat trivy-image-results.sarif && ls -l trivy-image-results.sarif
|
|
||||||
|
|
||||||
- name: Upload Trivy scan results to GitHub Security tab
|
|
||||||
uses: github/codeql-action/upload-sarif@v1
|
|
||||||
with:
|
|
||||||
sarif_file: "trivy-image-results.sarif"
|
|
||||||
|
|
||||||
# We have to use two trivy jobs
|
|
||||||
# because GitHub only allows
|
|
||||||
# codeql/upload-sarif action per job
|
|
||||||
trivy-scan-repo:
|
trivy-scan-repo:
|
||||||
runs-on: ubuntu-20.04
|
runs-on: ubuntu-20.04
|
||||||
steps:
|
steps:
|
||||||
|
28
.github/workflows/docker.yaml
vendored
Normal file
28
.github/workflows/docker.yaml
vendored
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
name: Publish on Docker
|
||||||
|
|
||||||
|
on:
|
||||||
|
# Shows the manual trigger in GitHub UI
|
||||||
|
# helpful as a back-up in case the GitHub Actions Workflow fails
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
release:
|
||||||
|
types: [published]
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
docker-images:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v2
|
||||||
|
|
||||||
|
- name: Set up QEMU
|
||||||
|
uses: docker/setup-qemu-action@v1
|
||||||
|
|
||||||
|
- name: Set up Docker Buildx
|
||||||
|
uses: docker/setup-buildx-action@v1
|
||||||
|
|
||||||
|
- name: Run ./ci/steps/docker-buildx-push.sh
|
||||||
|
run: ./ci/steps/docker-buildx-push.sh
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||||
|
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
|
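Review bot: The new workflow runs with the default GITHUB_TOKEN scopes and pins every action to a mutable major tag (`actions/checkout@v2`, `docker/setup-qemu-action@v1`, `docker/setup-buildx-action@v1`), while the trivy-action line being removed from ci.yaml in this same commit shows the repository already pins by commit SHA where it matters. A release-only job that holds DOCKER_USERNAME/DOCKER_PASSWORD is the one where a retagged upstream action would do the most damage, so these three `uses:` lines are the ones to pin by SHA. A top-level `permissions:` block restricted to what `download_artifact` in ci/lib.sh needs (presumably `contents: read` and `actions: read` — confirm against lib.sh, which is not in this diff) would keep the token least-privilege for the rest of the job.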
@ -1,4 +1,4 @@
|
|||||||
name: publish
|
name: Publish on npm and brew
|
||||||
|
|
||||||
on:
|
on:
|
||||||
# Shows the manual trigger in GitHub UI
|
# Shows the manual trigger in GitHub UI
|
||||||
@ -22,20 +22,6 @@ jobs:
|
|||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
|
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||||
|
|
||||||
# NOTE: this job requires curl, jq and docker
|
|
||||||
# All of them are included in ubuntu-latest.
|
|
||||||
docker:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v2
|
|
||||||
|
|
||||||
- name: Run ./ci/steps/push-docker-manifest.sh
|
|
||||||
run: ./ci/steps/push-docker-manifest.sh
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
|
||||||
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
|
|
||||||
|
|
||||||
homebrew:
|
homebrew:
|
||||||
# The newest version of code-server needs to be available on npm when this runs
|
# The newest version of code-server needs to be available on npm when this runs
|
||||||
# otherwise, it will 404 and won't open a PR to bump version on homebrew/homebrew-core
|
# otherwise, it will 404 and won't open a PR to bump version on homebrew/homebrew-core
|
@ -78,8 +78,8 @@ You can disable minification by setting `MINIFY=`.
|
|||||||
|
|
||||||
This directory contains the release docker container image.
|
This directory contains the release docker container image.
|
||||||
|
|
||||||
- [./ci/steps/build-docker-image.sh](./ci/steps/build-docker-image.sh)
|
- [./ci/steps/build-docker-buildx-push.sh](./ci/steps/docker-buildx-push.sh)
|
||||||
- Builds the release containers with tags `codercom/code-server-$ARCH:$VERSION` for amd64 and arm64 with `docker buildx`.
|
- Builds the release containers with tags `codercom/code-server-$ARCH:$VERSION` for amd64 and arm64 with `docker buildx` and pushes them.
|
||||||
- Assumes debian releases are ready in `./release-packages`.
|
- Assumes debian releases are ready in `./release-packages`.
|
||||||
|
|
||||||
## images
|
## images
|
||||||
@ -107,8 +107,8 @@ Helps avoid clobbering the CI configuration.
|
|||||||
release packages into `./release-packages`.
|
release packages into `./release-packages`.
|
||||||
- [./steps/publish-npm.sh](./steps/publish-npm.sh)
|
- [./steps/publish-npm.sh](./steps/publish-npm.sh)
|
||||||
- Grabs the `npm-package` release artifact for the current commit and publishes it on npm.
|
- Grabs the `npm-package` release artifact for the current commit and publishes it on npm.
|
||||||
- [./steps/build-docker-image.sh](./steps/build-docker-image.sh)
|
- [./steps/docker-buildx-push.sh](./steps/docker-buildx-push.sh)
|
||||||
- Builds the docker image and then saves it into `./release-images/code-server-$ARCH-$VERSION.tar`.
|
- Builds the docker image and then pushes it.
|
||||||
- [./steps/push-docker-manifest.sh](./steps/push-docker-manifest.sh)
|
- [./steps/push-docker-manifest.sh](./steps/push-docker-manifest.sh)
|
||||||
- Loads all images in `./release-images` and then builds and pushes a multi architecture
|
- Loads all images in `./release-images` and then builds and pushes a multi architecture
|
||||||
docker manifest for the amd64 and arm64 images to `codercom/code-server:$VERSION` and
|
docker manifest for the amd64 and arm64 images to `codercom/code-server:$VERSION` and
|
||||||
|
@ -7,19 +7,11 @@ variable "VERSION" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
group "default" {
|
group "default" {
|
||||||
targets = ["code-server-amd64", "code-server-arm64"]
|
targets = ["code-server"]
|
||||||
}
|
}
|
||||||
|
|
||||||
target "code-server-amd64" {
|
target "code-server" {
|
||||||
dockerfile = "ci/release-image/Dockerfile"
|
dockerfile = "ci/release-image/Dockerfile"
|
||||||
tags = ["docker.io/codercom/code-server-amd64:${VERSION}"]
|
tags = ["docker.io/codercom/code-server:${VERSION}"]
|
||||||
platforms = ["linux/amd64"]
|
platforms = ["linux/amd64", "linux/arm64"]
|
||||||
output = ["type=tar,dest=./release-images/code-server-amd64-${VERSION}.tar"]
|
|
||||||
}
|
|
||||||
|
|
||||||
target "code-server-arm64" {
|
|
||||||
dockerfile = "ci/release-image/Dockerfile"
|
|
||||||
tags = ["docker.io/codercom/code-server-arm64:${VERSION}"]
|
|
||||||
platforms = ["linux/arm64"]
|
|
||||||
output = ["type=tar,dest=./release-images/code-server-arm64-${VERSION}.tar"]
|
|
||||||
}
|
}
|
||||||
|
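Review bot: The merged `code-server` target tags only `docker.io/codercom/code-server:${VERSION}`, but the push-docker-manifest.sh this commit deletes also pushed `codercom/code-server:latest`; with `docker buildx bake ... --push` in docker-buildx-push.sh nothing in the new flow updates `latest` any more. If that is unintended, either extend the list, `tags = ["docker.io/codercom/code-server:${VERSION}", "docker.io/codercom/code-server:latest"]`, or tag `latest` from the script only when the release is the newest, since the workflow can also be started by `workflow_dispatch` for an older version. The file header for this hunk is not shown on the page; it appears to be the bake file the script references.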
@ -1,12 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
main() {
|
|
||||||
cd "$(dirname "$0")/../.."
|
|
||||||
source ./ci/lib.sh
|
|
||||||
|
|
||||||
mkdir -p release-images
|
|
||||||
docker buildx bake -f ci/release-image/docker-bake.hcl
|
|
||||||
}
|
|
||||||
|
|
||||||
main "$@"
|
|
37
ci/steps/docker-buildx-push.sh
Executable file
37
ci/steps/docker-buildx-push.sh
Executable file
@ -0,0 +1,37 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# See if this version already exists on Docker Hub.
|
||||||
|
function version_exists() {
|
||||||
|
local output
|
||||||
|
output=$(curl --silent "https://index.docker.io/v1/repositories/codercom/code-server/tags/$VERSION")
|
||||||
|
if [[ $output == "Tag not found" ]]; then
|
||||||
|
return 1
|
||||||
|
else
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
main() {
|
||||||
|
cd "$(dirname "$0")/../.."
|
||||||
|
|
||||||
|
# ci/lib.sh sets VERSION and provides download_artifact here
|
||||||
|
source ./ci/lib.sh
|
||||||
|
|
||||||
|
if version_exists; then
|
||||||
|
echo "$VERSION is already pushed"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Download the release-packages artifact
|
||||||
|
download_artifact release-packages ./release-packages
|
||||||
|
|
||||||
|
# Login to Docker
|
||||||
|
if [[ ${CI-} ]]; then
|
||||||
|
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
|
||||||
|
fi
|
||||||
|
|
||||||
|
docker buildx bake -f ci/release-image/docker-bake.hcl --push
|
||||||
|
}
|
||||||
|
|
||||||
|
main "$@"
|
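Review bot: `version_exists` treats any response other than the literal `Tag not found` as "tag already exists", so a Docker Hub outage, a rate-limit page, or a transport failure makes the release print `$VERSION is already pushed` and exit 0 without pushing an image; `curl --silent` hides the error, and because the function runs inside `if version_exists`, `set -e` does not apply to its body either. Deciding on the HTTP status instead and failing loudly on anything but 200/404 turns that silent skip into a visible failure (the 404 for a missing tag is inferred from the current string check — verify it against the endpoint before relying on it). The check was copied from the deleted push-docker-manifest.sh, whose entry `./steps/push-docker-manifest.sh` is still listed in the README hunk of this commit. `function version_exists()` also mixes the `function` keyword with the plain `main()` form used two definitions later; pick one.
```shell
# See if this version already exists on Docker Hub.
# Exit non-zero on anything other than 200 (exists) / 404 (absent) so a Hub
# outage cannot be mistaken for "already pushed".
version_exists() {
  local status
  status=$(curl --silent --output /dev/null --write-out '%{http_code}' \
    "https://index.docker.io/v1/repositories/codercom/code-server/tags/$VERSION") || exit 1
  case "$status" in
    200) return 0 ;;
    404) return 1 ;;
    *)
      echo "unexpected HTTP $status from Docker Hub while checking $VERSION" >&2
      exit 1
      ;;
  esac
}
# … unchanged: main …
```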
@ -1,56 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
# See if this version already exists on Docker Hub.
|
|
||||||
function version_exists() {
|
|
||||||
local output
|
|
||||||
output=$(curl --silent "https://index.docker.io/v1/repositories/codercom/code-server/tags/$VERSION")
|
|
||||||
if [[ $output == "Tag not found" ]]; then
|
|
||||||
return 1
|
|
||||||
else
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Import and push the Docker image for the provided arch. We must have
|
|
||||||
# individual arch repositories pushed remotely in order to use `docker
|
|
||||||
# manifest` to create single a multi-arch image.
|
|
||||||
# TODO: Switch to buildx? Seems it can do this more simply.
|
|
||||||
push() {
|
|
||||||
local arch=$1
|
|
||||||
local tag="codercom/code-server-$arch:$VERSION"
|
|
||||||
docker import "./release-images/code-server-$arch-$VERSION.tar" "$tag"
|
|
||||||
docker push "$tag"
|
|
||||||
}
|
|
||||||
|
|
||||||
main() {
|
|
||||||
cd "$(dirname "$0")/../.."
|
|
||||||
source ./ci/lib.sh
|
|
||||||
|
|
||||||
if version_exists; then
|
|
||||||
echo "$VERSION is already pushed"
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
|
|
||||||
download_artifact release-images ./release-images
|
|
||||||
if [[ ${CI-} ]]; then
|
|
||||||
echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
|
|
||||||
fi
|
|
||||||
|
|
||||||
push "amd64"
|
|
||||||
push "arm64"
|
|
||||||
|
|
||||||
export DOCKER_CLI_EXPERIMENTAL=enabled
|
|
||||||
|
|
||||||
docker manifest create "codercom/code-server:$VERSION" \
|
|
||||||
"codercom/code-server-amd64:$VERSION" \
|
|
||||||
"codercom/code-server-arm64:$VERSION"
|
|
||||||
docker manifest push --purge "codercom/code-server:$VERSION"
|
|
||||||
|
|
||||||
docker manifest create "codercom/code-server:latest" \
|
|
||||||
"codercom/code-server-amd64:$VERSION" \
|
|
||||||
"codercom/code-server-arm64:$VERSION"
|
|
||||||
docker manifest push --purge "codercom/code-server:latest"
|
|
||||||
}
|
|
||||||
|
|
||||||
main "$@"
|
|