diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 5b3ac9891e..46a9c83dd9 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -1,4 +1,4 @@ -# Build Hermes Docker image, push to Docker Hub and GHCR.io. +# Build Hermes Docker image, push to GHCR.io. name: Docker @@ -6,117 +6,62 @@ on: workflow_dispatch: push: tags: - - v[0-9]+.* + - "v[0-9]+.[0-9]+.[0-9]+" + - "v[0-9]+.[0-9]+.[0-9]+-alpha.[0-9]+" + - "v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+" + - "v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+" env: - REGISTRY_IMAGE: informalsystems/hermes + REGISTRY: ghcr.io + FULL_REF: ${{ inputs.tag && format('refs/tags/{0}', inputs.tag) || github.ref }} jobs: - docker-build: + build-and-push: runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - platform: - - id: linux/amd64 - name: amd64 - - id: linux/arm64 - name: arm64 + permissions: + contents: read + id-token: write + packages: write steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 + # Checking out the repo + - uses: actions/checkout@v4 with: - images: ${{ env.REGISTRY_IMAGE }} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - + ref: ${{ inputs.tag }} + - uses: depot/setup-action@v1 - name: Login to Docker Hub - uses: docker/login-action@v3 + if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == 'astriaorg/hermes' + uses: docker/login-action@v2 with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - - name: Build and push by digest - id: build - uses: docker/build-push-action@v5 - with: - context: . - file: ./ci/release/hermes.Dockerfile - platforms: ${{ matrix.platform.id }} - labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ matrix.platform.name }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - docker-merge: - runs-on: ubuntu-latest - needs: - - docker-build - steps: - - name: Download digests - uses: actions/download-artifact@v4 + username: ${{ secrets.DOCKER_USER }} + password: ${{ secrets.DOCKER_TOKEN }} + - name: Log in to GHCR + uses: docker/login-action@v2 with: - pattern: digests-* - merge-multiple: true - path: /tmp/digests - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - - - name: Login to Docker Hub - uses: docker/login-action@v3 + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + # Generate correct tabs and labels + - name: Docker metadata + id: metadata + uses: docker/metadata-action@v4 with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create --tag ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + images: ghcr.io/astriaorg/hermes + tags: | + type=ref,event=pr + type=match,pattern=refs/tags/v(.*),group=1,enable=${{ startsWith(env.FULL_REF, 'refs/tags/') }},value=${{ env.FULL_REF }} + type=sha + # set latest tag for `main` branch + type=raw,value=latest,enable=${{ env.FULL_REF == format('refs/heads/{0}', 'main') }} + - name: Build and push + uses: depot/build-push-action@v1 with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push image to GHCR - run: | - docker buildx imagetools create \ - --tag ghcr.io/${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \ - ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} + # this gets rid of the unknown/unknown image that is created without this setting + # https://github.com/docker/build-push-action/issues/820#issuecomment-1455687416 + provenance: false + context: . + file: ci/release/hermes.Dockerfile + platforms: "linux/amd64,linux/arm64" + push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == 'astriaorg/hermes' }} + tags: ${{ steps.metadata.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} + project: qz2p12cbtf diff --git a/ci/release/hermes.Dockerfile b/ci/release/hermes.Dockerfile index 5da3f2c6e1..fdec4ac082 100644 --- a/ci/release/hermes.Dockerfile +++ b/ci/release/hermes.Dockerfile @@ -13,13 +13,14 @@ COPY . . RUN cargo build --release FROM ubuntu:latest -LABEL maintainer="hello@informal.systems" -ARG UID=1000 -ARG GID=1000 +LABEL maintainer="jesse@astria.org" +ARG UID=1001 +ARG GID=1001 RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates RUN update-ca-certificates -RUN groupadd -g ${GID} hermes && useradd -l -m hermes -s /bin/bash -u ${UID} -g ${GID} +RUN groupadd -g ${GID} hermes +RUN useradd -l -m hermes -s /bin/bash -u ${UID} -g ${GID} WORKDIR /home/hermes USER hermes:hermes