Push image via artifact upload/downlod
- support forks pushing images via artifacts
- remove pushing from build action
- modify context to support more robust checks
KevinMind committed Jun 26, 2024
1 parent 57af989 commit c8a143c
Showing 4 changed files with 88 additions and 83 deletions.
53 changes: 28 additions & 25 deletions .github/actions/build-docker/action.yml
@@ -1,20 +1,10 @@
name: 'Docker Build'
description: 'Builds `addons-server` docker image'
inputs:
password:
required: false
description: "Docker registry password"
default: "invalid"
push:
required: false
description: "Build and push image to registry (cannot be used together with load)"
default: "false"
username:
required: false
description: "Docker registry username"
default: "invalid"

outputs:
images:
description: "The docker image name"
value: ${{ steps.image.outputs.image }}
digest:
description: "The Docker image digest"
value: ${{ steps.digest.outputs.digest }}
Expand All @@ -37,16 +27,6 @@ runs:
version: latest
buildkitd-flags: --debug

# Login to a registry to push the image
- name: Login to Container Registry
# Only login if we are pushing the image
if: ${{ inputs.push == 'true' }}
uses: docker/login-action@v3
with:
username: ${{ inputs.username }}
password: ${{ inputs.password }}


- name: Suffix for local builds
id: suffix
shell: bash
Expand All @@ -58,6 +38,15 @@ runs:
echo "suffix=ci" >> $GITHUB_OUTPUT
fi
- name: Docker Image
id: image
shell: bash
run: |
image="${{ github.repository }}"
echo "image=$image" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT
# Determine the tags for the image
# We need to support custom explicit tags allowing CI to build unique images
# that won't be pushed to the registry.
Expand Down Expand Up @@ -93,6 +82,12 @@ runs:
run: |
echo "tag=mozilla/addons-server:${{ steps.meta.outputs.version }}-cache" >> $GITHUB_OUTPUT
- name: Tar file
id: tar
shell: bash
run: |
echo "path=/tmp/image.tar" >> $GITHUB_OUTPUT
- name: Build Image
id: build
uses: docker/bake-action@v4
Expand All @@ -101,8 +96,16 @@ runs:
push: ${{ inputs.push }}
load: ${{ inputs.push == 'false' }}
set: |
*.cache-from=type=registry,ref=${{ steps.cache.outputs.tag }}
*.cache-to=type=registry,ref=${{ steps.cache.outputs.tag }},mode=max,compression-level=9,force-compression=true,ignore-error=true
*.output=type=docker,dest=${{ steps.tar.outputs.path }}
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: docker-image
path: ${{ steps.tar.outputs.path }}
retention-days: 1
compression-level: 1
overwrite: true

- name: Get image digest
id: digest
Expand Down
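Review bot: With the `Login to Container Registry` step removed from this action, the `*.cache-to=type=registry,ref=${{ steps.cache.outputs.tag }},...,ignore-error=true` line in the bake `set:` block (if it survives the last hunk's deletions) has no registry credentials at build time as far as the visible ci.yml change shows, so the cache export fails on every run and `ignore-error=true` hides it, leaving the registry cache never refreshed; either document that the caller must log in before invoking this action, or drop `ignore-error=true` on non-fork runs so the failure surfaces. In the same hunk, `push: ${{ inputs.push }}` and `load: ${{ inputs.push == 'false' }}` reference the `push` input deleted in the first hunk; if those lines remain, `inputs.push` expands to an empty string, and an explicit `push: false` would make the intent visible instead of relying on that. The new `Upload artifact` step uses the fixed name `docker-image` with `overwrite: true`, so if this action ever runs from more than one job in the same workflow run the later upload silently replaces the earlier one; deriving the name from `steps.image.outputs.image` or the job id would avoid that. The `runs:` block begins before the first hunk and the `Get image digest` step continues past the last one.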
18 changes: 18 additions & 0 deletions .github/actions/run-docker/action.yml
Expand Up @@ -23,6 +23,24 @@ inputs:
runs:
using: 'composite'
steps:
- uses: actions/download-artifact@v4
with:
# The artifact name should be kept in sync with
# ./.github/actions/build/action.yml which uploads the artifact
name: docker-image
path: /tmp/

# image.tar is the name of the compressed image file
# This should be kept in sync with ./.github/actions/build/action.yml
- name: Load image
shell: bash
run: |
docker load < /tmp/image.tar
# TODO: validate the digest matches the image we load
- id: id
shell: bash
run: |
Expand Down
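Review bot: Both `keep in sync` comments point at `./.github/actions/build/action.yml`, but the action that uploads the artifact in this commit is `.github/actions/build-docker/action.yml`; correct the path in `# ./.github/actions/build/action.yml which uploads the artifact` and `# This should be kept in sync with ./.github/actions/build/action.yml`, otherwise the next maintainer looks for a file that does not exist. The `# TODO: validate the digest matches the image we load` comment leaves the trust check open: `docker load < /tmp/image.tar` accepts whatever tarball arrives under the `docker-image` name, and while `actions/download-artifact@v4` without a `run-id` only fetches from the current run, a renamed upload or a second job writing the same artifact would be loaded without any error; passing the expected image ID from the build action as an input and comparing it with the ID that `docker load` reports would close the TODO. The `steps:` list continues past the hunk (the `- id: id` step is cut off).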
9 changes: 0 additions & 9 deletions .github/workflows/build-docker-image.yml
Expand Up @@ -2,11 +2,6 @@ name: Build Docker image

on:
workflow_dispatch:
inputs:
push:
description: 'Push the image to registry?'
default: "false"
required: false

concurrency:
group: ${{ github.workflow }}-${{ github.event.inputs.push }}
Expand All @@ -22,7 +17,3 @@ jobs:
- name: Build container
id: build_container
uses: ./.github/actions/build-docker
with:
push: ${{ inputs.push }}
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PASS }}
91 changes: 42 additions & 49 deletions .github/workflows/ci.yml
Expand Up @@ -48,8 +48,9 @@ jobs:
# \$\{{ needs.context.outputs.is_fork == true }} // false
# \$\{{ needs.context.outputs.is_fork }} // false
is_fork: ${{ steps.context.outputs.is_fork }}
is_dependabot: ${{ steps.context.outputs.is_dependabot }}
is_default_branch: ${{ steps.context.outputs.is_default_branch }}
is_release_master: ${{ steps.context.outputs.is_release_master }}
is_release_tag: ${{ steps.context.outputs.is_release_tag }}

steps:
- name: Log context
Expand All @@ -65,28 +66,53 @@ jobs:
default_branch: ${{ github.event.repository.default_branch }}
shell: bash
run: |
event_name="${{ github.event_name }}"
event_action="${{ github.event.action }}"
# Stable check for if the workflow is running on the default branch
# https://stackoverflow.com/questions/64781462/github-actions-default-branch-variable
is_default_branch="${{ format('refs/heads/{0}', env.default_branch) == github.ref }}"
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
is_dependabot="${{ github.actor == 'dependabot[bot]' }}"
# In most events, the epository refers to the head which would be the fork
is_fork="${{ github.event.repository.fork }}"
# This is different in a pull_request where we need to check the head explicitly
if [[ "${{ github.event_name }}" == 'pull_request' ]]; then
# repository on a pull request refers to the base which is always mozilla/addons-server
is_fork=${{ github.event.pull_request.head.repo.fork }}
else
# In most events, the epository refers to the head which would be the fork
# This is different in a pullrequest where we need to check the head explicitly
is_fork="${{ github.event.repository.fork }}"
is_head_fork="${{ github.event.pull_request.head.repo.fork }}"
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
is_dependabot="${{ github.actor == 'dependabot[bot]' }}"
# If the head repository is a fork or if the PR is opened by dependabot
# we consider the run to be a fork. Dependabot and proper forks are treated
# the same in terms of limited read only github token scope
if [[ "$is_head_fork" == 'true' || "$is_dependabot" == 'true' ]]; then
is_fork="true"
fi
fi
is_release_master="false"
is_release_tag="false"
# Releases can only happen if we are NOT on a fork
if [[ "$is_fork" == 'false' ]]; then
# A master release occurs on a push to the default branch of the origin repository
if [[ "$event_name" == 'push' && "$is_default_branch" == 'true' ]]; then
is_release_master="true"
fi
# A tag release occurs when a release is published
if [[ "$event_name" == 'release' && "$event_action" == 'publish' ]]; then
is_release_tag="true"
fi
fi
echo "is_default_branch=$is_default_branch" >> $GITHUB_OUTPUT
echo "is_fork=$is_fork" >> $GITHUB_OUTPUT
echo "is_dependabot=$is_dependabot" >> $GITHUB_OUTPUT
echo "is_release_master=$is_release_master" >> $GITHUB_OUTPUT
echo "is_release_tag=$is_release_tag" >> $GITHUB_OUTPUT
echo "event_name: ${{ github.event_name }}"
echo "event_name: $event_name"
cat $GITHUB_OUTPUT
build:
Expand All @@ -104,43 +130,14 @@ jobs:
steps:
- uses: actions/checkout@v4

- name: Determine if build is allowed
id: should_build
shell: bash
run: |
is_fork="${{ needs.context.outputs.is_fork }}"
is_dependabot="${{ needs.context.outputs.is_dependabot }}"
# Default behaviour is to build images for any CI.yml run
should_build="true"
# Never run the build on a fork. Forks lack sufficient permissions
# to access secrets or push artifacts
if [[ "$is_fork" == 'true' ]]; then
should_build="false"
fi
# Dependabot PRs are treated as if they are from forks (see above)
if [[ "$is_dependabot" == 'true' && "${{ github.event_name }}" == 'pull_request' ]]; then
should_build="false"
fi
echo "result=$should_build" >> $GITHUB_OUTPUT
- name: Build Docker image
if: ${{ steps.should_build.outputs.result == 'true' }}
id: build
uses: ./.github/actions/build-docker
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PASS }}
push: true

# Only continue if we are releasing
# Login to GAR to publish production image
- name: get the GCP auth token
if: ${{ steps.should_build.outputs.result == 'true' }}
if: needs.context.outputs.is_fork == 'false'
id: gcp-auth
uses: google-github-actions/auth@v2
with:
Expand All @@ -149,7 +146,7 @@ jobs:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}

- name: login to GAR
if: ${{ steps.should_build.outputs.result == 'true' }}
if: ${{ steps.gcp-auth.outcome == 'success' }}
uses: docker/login-action@v3
with:
registry: us-docker.pkg.dev
Expand Down Expand Up @@ -250,10 +247,7 @@ jobs:
# Only deploy docs on a push event
# to the default branch
# that is not running on a fork
if: |
github.event_name == 'push' &&
needs.context.outputs.is_default_branch == 'true' &&
needs.context.outputs.is_fork == 'false'
if: needs.context.outputs.is_release_master
permissions:
contents: read
pages: write
Expand Down Expand Up @@ -293,8 +287,7 @@ jobs:
shell: bash
run: |
is_fork="${{ needs.context.outputs.is_fork }}"
is_default_branch="${{ needs.context.outputs.is_default_branch }}"
is_push="${{ github.event_name == 'push' }}"
is_release_master="${{ needs.context.outputs.is_release_master }}"
if [[ "$is_fork" == 'true' ]]; then
cat <<'EOF'
Expand All @@ -303,7 +296,7 @@ jobs:
Please submit a PR from the base repository if you are modifying l10n extraction scripts.
EOF
else
if [[ "$is_default_branch" == 'true' && "$is_push" == 'true' ]]; then
if [[ "$is_release_master" == 'true' ]]; then
args=""
else
args="--dry-run"
Expand Down
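Review bot: `is_release_tag` can never become true in the new context step: the `release` event's activity type is `published`, so the comparison on the `if [[ "$event_name" == 'release' && "$event_action" == 'publish' ]]; then` line should read `'published'`. The docs job gate later in this file, `if: needs.context.outputs.is_release_master`, has a second problem: job outputs are strings and, as far as I know, a non-empty string such as `false` is truthy in an `if:` expression, so the job would be scheduled on every event; the rest of this file already compares explicitly (`"$is_release_master" == 'true'`), so write `if: needs.context.outputs.is_release_master == 'true'`. The job enclosing the context step starts before its hunk. Minor: the carried-over comment `# In most events, the epository refers to the head which would be the fork` keeps the typo `epository`.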
