ci: refactored docker

dashpay · Nov 10, 2023 · a258b0a · a258b0a
1 parent 6f4635f
commit a258b0a
Show file tree

Hide file tree

Showing 8 changed files with 264 additions and 521 deletions.
diff --git a/.github/actions/docker/action.yaml b/.github/actions/docker/action.yaml
@@ -1,28 +1,30 @@
 ---
-name: "Build Docker image"
-description: "Build Docker image with Rust caching"
+name: "Build and push docker image"
+description: "Build and push docker image by digest with Rust caching"
 inputs:
-  image:
-    description: Name of image in Docker Hub, like `dashpay/drive`
+  image_name:
+    description: Name of image in Docker Hub, like `drive`
     required: true
-  image_tag:
-    description: Docker image tag. Commit SHA if empty
-  dockerfile:
-    description: Path to the Dockerfile, for example `./Dockerfile`
-    default: './Dockerfile'
+  image_org:
+    description: Docker Hub organization, like `dashpay`
+    default: dashpay
+  image_version:
+    description: Docker image semver. Commit SHA if empty
+  push_tags:
+    description: Push tags to registry or digest only
+    default: "false"
   target:
     description: "Target stage within Dockerfile: dapi, drive-abci, dashmate-helper, test-suite"
-  push:
-    description: Shall we push the image to Docker Hub?
-    default: "false"
   dockerhub_username:
     description: User name to use when pushing images to Docker Hub
   dockerhub_token:
     description: Docker Hub token to use
-  platforms:
-    description: "Docker image platform to build: amd64,arm64"
   cache_mounts:
     description: Load cache mounts cache
+    default: |
+      cargo_registry_index
+      cargo_registry_cache
+      cargo_git
   cargo_profile:
     description: Cargo build profile, i.e release or dev
     default: dev
@@ -32,6 +34,10 @@ inputs:
   region:
     description: S3 bucket region
     required: true
+outputs:
+  digest:
+    value: ${{ steps.docker_build.outputs.digest }}
+    description: Docker image digest
 
 runs:
   using: composite
@@ -43,40 +49,16 @@ runs:
         password: ${{ inputs.dockerhub_token }}
       if: ${{ inputs.dockerhub_token != '' }}
 
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
-      with:
-        platforms: ${{ inputs.platforms }}
-      if: ${{ inputs.platforms != '' }}
-
-    - name: Format platforms for docker
-      uses: actions/github-script@v6
-      id: platforms
-      with:
-        result-encoding: string
-        script: |
-          return '${{inputs.platforms}}'
-             .split(',')
-             .map((platform) => `linux/${platform.trim()}`)
-             .join(',')
-      if: ${{ inputs.platforms != '' }}
-
     - name: Set up Docker BuildX
       id: buildx
       uses: docker/setup-buildx-action@v3
       with:
         install: true
         driver-opts: env.BUILDKIT_STEP_LOG_MAX_SIZE=10485760
         cleanup: false
-        platforms: ${{ steps.platforms.outputs.result }}
         config-inline: |
           [worker.oci]
-            gc = true
-            gckeepstorage = 40000 # 40 GB
-            [[worker.oci.gcpolicy]]
-              all = true
-              keepBytes = 30000000000 # 30 GB
-              keepDuration = 864000 # 10 days
+            gc = false
 
     - name: Load Docker mount cache
       uses: dcginfra/buildkit-cache-dance/inject@s5cmd
@@ -85,65 +67,51 @@ runs:
         bucket: ${{ inputs.bucket }}
         mounts: ${{ inputs.cache_mounts }}
 
-    - name: Set suffix
-      uses: actions/github-script@v6
-      id: suffix
-      with:
-        result-encoding: string
-        script: |
-          const fullTag = '${{inputs.image_tag}}';
-          if (fullTag.includes('-')) {
-            const [, fullSuffix] = fullTag.split('-');
-            const [suffix] = fullSuffix.split('.');
-            return `-${suffix}`;
-          } else {
-            return '';
-          }
-
     - name: Set Docker tags and labels from image tag
       id: docker_meta
       uses: docker/metadata-action@v5
       with:
-        images: ${{ inputs.image }}
+        images: ${{ inputs.image_org }}/${{ inputs.image_name }}
         tags: |
-          type=match,pattern=v(\d+),group=1,value=${{inputs.image_tag}},enable=${{ inputs.image_tag != '' }}
-          type=match,pattern=v(\d+.\d+),group=1,value=${{inputs.image_tag}},enable=${{ inputs.image_tag != '' }}
-          type=match,pattern=v(\d+.\d+.\d+),group=1,value=${{inputs.image_tag}},enable=${{ inputs.image_tag != '' }}
-          type=match,pattern=v(.*),group=1,value=${{inputs.image_tag}},suffix=,enable=${{ inputs.image_tag != '' }}
-          type=sha,format=long,enable=${{ inputs.image_tag == '' }}
-        flavor: |
-          suffix=${{ steps.suffix.outputs.result }},onlatest=true
-          latest=${{ github.event_name == 'release' }}
+          type=semver,pattern={{version}},value=${{inputs.image_version}},enable=${{ inputs.image_version != '' }}
+          type=sha,format=long,enable=${{ inputs.image_version != '' }}
 
-    # TODO: must be the same for dashpay/ and ECR
     - name: Configure docker layer cache
       uses: ./.github/actions/s3-layer-cache-settings
       id: layer_cache_settings
       with:
-        name: ${{ inputs.image }}
-        head_ref: ${{ inputs.image_tag }}
+        name: ${{ inputs.image_name }}
         bucket: ${{ inputs.bucket }}
 
+    - name: Set tags
+      uses: actions/github-script@v6
+      id: tags
+      with:
+        script: |
+          if ('${{ inputs.push_tags}}' != 'true') {
+            core.setOutput('tags', '');    
+          } else {
+            core.setOutput('tags', '${{ steps.docker_meta.outputs.tags }}');            
+          }
+
     - name: Build and push Docker image ${{ inputs.image }}
       id: docker_build
       uses: docker/build-push-action@v5
       with:
         context: .
         builder: ${{ steps.buildx.outputs.name }}
-        file: ${{ inputs.dockerfile }}
         target: ${{ inputs.target }}
-        tags: ${{ steps.docker_meta.outputs.tags }}
         labels: ${{ steps.docker_meta.outputs.labels }}
+        tags: ${{ steps.tags.outputs.tags }}
         build-args: |
           CARGO_BUILD_PROFILE=${{ inputs.cargo_profile }}
           RUSTC_WRAPPER=sccache
           SCCACHE_BUCKET=${{ inputs.bucket }}
           SCCACHE_REGION=${{ inputs.region }}
           SCCACHE_S3_KEY_PREFIX=${{ runner.os }}/sccache
-        platforms: ${{ steps.platforms.outputs.result }}
-        push: ${{ fromJSON(inputs.push) }}
         cache-from: ${{ steps.layer_cache_settings.outputs.cache_from }}
         cache-to: ${{ steps.layer_cache_settings.outputs.cache_to }}
+        outputs: type=image,name=${{ inputs.image_org }}/${{ inputs.image_name }},push-by-digest=${{ inputs.push_tags != 'true' }},name-canonical=true,push=true
 
     - name: Save Docker mount cache
       uses: dcginfra/buildkit-cache-dance/extract@s5cmd

diff --git a/.github/workflows/release-docker-image.yml b/.github/workflows/release-docker-image.yml
@@ -0,0 +1,104 @@
+on:
+  workflow_call:
+    inputs:
+      name:
+        type: string
+        description: Name
+        required: true
+      image_name:
+        type: string
+        description: Image name. i.e. drive, dapi
+        required: true
+      target:
+        type: string
+        description: Image target. i.e. drive-abci, dapi
+        required: true
+
+jobs:
+  build-image:
+    name: Build ${{ inputs.name }} ${{ matrix.platform }} image
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 120
+    strategy:
+      matrix:
+        include:
+          - runner: [ "self-hosted", "linux", "x64", "ubuntu-platform" ]
+            platform: linux/amd64
+          - runner: [ "self-hosted", "linux", "x64", "ubuntu-platform" ]
+            platform: linux/arm64
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure AWS credentials and bucket region
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get image version
+        uses: actions/github-script@v6
+        id: version
+        with:
+          result-encoding: string
+          script: |
+            return (
+              context.eventName === 'workflow_dispatch'
+                ? '${{ github.event.inputs.tag }}'
+                : context.payload.release.tag_name
+            );
+
+      - name: Build and push by digest
+        uses: ./.github/actions/docker
+        with:
+          image_name: ${{ inputs.image_name }}
+          image_version: ${{steps.version.outputs.result}}
+          target: ${{ inputs.target }}
+          cargo_profile: release
+          dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
+          region: ${{ vars.AWS_REGION }}
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.docker_build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v3
+        with:
+          name: digests
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  publish-manifest:
+    name: Publish ${{ inputs.name }} images
+    needs: build-image
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v3
+        with:
+          name: digests
+          path: /tmp/digests
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Set suffix
+        uses: actions/github-script@v6
+        id: suffix
+        with:
+          result-encoding: string
+          script: |
+            const fullTag = '${{inputs.image_tag}}';
+            if (fullTag.includes('-')) {
+              const [, fullSuffix] = fullTag.split('-');
+              const [suffix] = fullSuffix.split('.');
+              return `-${suffix}`;
+            } else {
+              return '';
+            }