feat: introducing distroless-python #24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: main | |
| on: | |
| push: | |
| branches: [ master, main ] | |
| pull_request: | |
| branches: [ master, main ] | |
| jobs: | |
| docker: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| experimental: [false] | |
| repository: | |
| - 'ghcr.io' | |
| python: | |
| - '3.12' | |
| alpine: | |
| - '3.20' | |
| os: | |
| - 'ubuntu-latest' | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| packages: write | |
| steps: | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v4 | |
| - | |
| name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| id: image_env | |
| run: | | |
| . ./env.sh \ | |
| '${{ matrix.alpine }}' \ | |
| '${{ matrix.python }}' \ | |
| '${{ github.repository_owner }}' \ | |
| '${{ matrix.repository }}' | |
| docker pull "${SOURCE_IMAGE}" | |
| echo ALPINE_VERSION="${ALPINE_VERSION}" >> "$GITHUB_OUTPUT" | |
| echo PYTHON_VERSION="${PYTHON_VERSION}" >> "$GITHUB_OUTPUT" | |
| echo SOURCE_IMAGE="${SOURCE_IMAGE}" >> "$GITHUB_OUTPUT" | |
| echo IMAGE_TAG="${IMAGE_TAG}" >> "$GITHUB_OUTPUT" | |
| echo REPOSITORY="${REPOSITORY}" >> "$GITHUB_OUTPUT" | |
| echo BASE_IMAGE_DIGEST="$(digest_of "$SOURCE_IMAGE")" >> "$GITHUB_OUTPUT" | |
| - | |
| name: Buildroot | |
| uses: docker/build-push-action@v6 | |
| with: | |
| platforms: | | |
| linux/amd64 | |
| linux/arm64 | |
| context: "." | |
| file: Dockerfile.alpine | |
| target: buildroot | |
| cache-from: | | |
| type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | |
| type=registry,ref=docker.io/python@${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
| build-args: | | |
| ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | |
| BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
| PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | |
| SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | |
| BUILD_ROOT=/d | |
| tags: "${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot" | |
| - | |
| name: distroless | |
| uses: docker/build-push-action@v6 | |
| with: | |
| platforms: | | |
| linux/amd64 | |
| linux/arm64 | |
| context: "." | |
| file: Dockerfile.alpine | |
| target: distroless-python | |
| cache-from: | | |
| type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }} | |
| type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | |
| type=registry,ref=docker.io/python@${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
| build-args: | | |
| ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | |
| BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
| PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | |
| SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | |
| BUILD_ROOT=/d | |
| tags: "${{ steps.image_env.outputs.IMAGE_TAG }}" | |
| - | |
| name: distroless-tests | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: "." | |
| platforms: | | |
| linux/amd64 | |
| linux/arm64 | |
| file: Dockerfile.alpine | |
| target: tests | |
| cache-from: | | |
| type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }} | |
| type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | |
| type=registry,ref=docker.io/python@${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
| build-args: | | |
| ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | |
| BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
| PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | |
| SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | |
| BUILD_ROOT=/d | |
| tags: "${{ steps.image_env.outputs.IMAGE_TAG }}-test" | |
| - | |
| name: export annotations | |
| id: inspect | |
| run: | | |
| echo 'annotations<<EOF' >> "$GITHUB_OUTPUT" | |
| docker inspect '${{ steps.image_env.outputs.IMAGE_TAG }}' | jq -r '.[].Config.Labels| keys[] as $k | "\($k)=\(.[$k])"' >> "$GITHUB_OUTPUT" | |
| echo 'EOF' >> "$GITHUB_OUTPUT" | |
| - | |
| name: Login to GitHub Container Registry | |
| if: ${{ matrix.repository == 'ghcr.io' }} | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: 'ghcr.io' | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - | |
| name: Upload | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: true | |
| context: "." | |
| platforms: | | |
| linux/amd64 | |
| linux/arm64 | |
| file: Dockerfile.alpine | |
| target: distroless-python | |
| cache-from: | | |
| type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }} | |
| type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot | |
| type=registry,ref=docker.io/python@${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
| cache-to: | | |
| type=registry,ref=${{ steps.image_env.outputs.IMAGE_TAG }}-buildroot,mode=max | |
| build-args: | | |
| ALPINE_VERSION=${{ steps.image_env.outputs.ALPINE_VERSION }} | |
| BASE_IMAGE_DIGEST=${{ steps.image_env.outputs.BASE_IMAGE_DIGEST }} | |
| PYTHON_VERSION=${{ steps.image_env.outputs.PYTHON_VERSION }} | |
| SOURCE_IMAGE=${{ steps.image_env.outputs.SOURCE_IMAGE }} | |
| BUILD_ROOT=/d | |
| tags: "${{ steps.image_env.outputs.IMAGE_TAG }}" | |
| labels: ${{steps.image_env.outputs.IMAGE_LABELS}} | |