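name: Docker

# Trigger on changes to anything that influences the published images. Keep this
# list in sync with the `file:` inputs and the scripts invoked by the jobs below
# (Dockerfile.rootfs.riscv64 and docker.sh are both used there; `riscv64/**`
# also covers files nested below riscv64/, which `riscv64/*` does not).
on:  # yamllint disable-line rule:truthy
  push:
    branches: [ "main" ]
    paths:
      - Dockerfile
      - Dockerfile.riscv64
      - Dockerfile.rootfs.riscv64
      - .github/workflows/docker-publish.yml
      - build_container.sh
      - docker.sh
      - riscv64/**
  # Pull requests get a build-only run: every push/login/attest step below is
  # gated on `github.event_name != 'pull_request'`.
  pull_request:
    branches: [ "main" ]
    paths:
      - Dockerfile
      - Dockerfile.riscv64
      - Dockerfile.rootfs.riscv64
      - .github/workflows/docker-publish.yml
      - build_container.sh
      - docker.sh
      - riscv64/**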
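jobs:
  # Multi-arch (amd64 + arm64) image, tagged with the value printed by
  # `./docker.sh print-next-version`.
  build:
    runs-on: ubuntu-latest
    # Token scopes for this job only. `attestations: write` and `id-token: write`
    # are what actions/attest-build-provenance needs to sign and upload provenance;
    # `packages: write` is only exercised if the registry printed by ./docker.sh is
    # GHCR — TODO confirm and drop it if the target is Docker Hub only.
    permissions:
      packages: write
      contents: read
      attestations: write
      id-token: write
    steps:
      # NOTE(review): every third-party action below is referenced by a mutable
      # major-version tag. Pinning each `uses:` to a full commit SHA (with the tag
      # in a trailing comment) makes the build reproducible and immune to a
      # retagged release.
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Docker Hub
        # Skipped for pull requests: nothing is pushed on a PR run, and PRs from
        # forks have no access to repository secrets anyway.
        if: ${{ github.event_name != 'pull_request' }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_ACCOUNT_ID }}
          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
      - name: Generate metadata for Docker
        # NOTE: The tag contains the full docker container name + tag as it is requested
        # by the build-and-push step.
        # REGISTRY, IMAGE_NAME and VERSION are taken verbatim from ./docker.sh (a
        # script in this checkout) and appended to GITHUB_ENV without validation;
        # any sanitising of those values has to happen inside docker.sh.
        run: |
          REGISTRY=$(./docker.sh print-registry)
          echo "REGISTRY=${REGISTRY}" >> "$GITHUB_ENV"
          echo "Registry to be published is: ${REGISTRY}"
          IMAGE_NAME=$(./docker.sh print-image-name)
          echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"
          echo "Image name to be published is: ${IMAGE_NAME}"
          NEXT_VERSION=$(./docker.sh print-next-version)
          echo "VERSION=${NEXT_VERSION}" >> "$GITHUB_ENV"
          echo "Next version to be published is: ${NEXT_VERSION}"
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile
          # Build-only on pull requests; push to the registry on main.
          push: ${{ github.event_name != 'pull_request' }}
          # This is needed so that a manifest is created, and we can have the same
          # docker container on both x86_64 and arm64.
          platforms: linux/amd64,linux/arm64
          tags: ${{ env.VERSION }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Generate artifact attestation
        # Same gate as the login step: the attestation is pushed to the registry,
        # which needs the credentials established above.
        if: ${{ github.event_name != 'pull_request' }}
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # Bind the provenance to the exact image digest that was just pushed.
          subject-digest: ${{ steps.build-and-push.outputs.digest }}
          push-to-registry: true

  # RISC-V image: an amd64 builder first produces a rootfs image, converts it to a
  # raw image with riscv64/convert.sh, then builds Dockerfile.riscv64 from it and
  # publishes it under the `<VERSION>-riscv` tag.
  build-riscv:
    runs-on: ubuntu-latest
    # Same scopes as `build` (see the note there about `packages: write`).
    permissions:
      packages: write
      contents: read
      attestations: write
      id-token: write
    steps:
      # NOTE(review): see `build` — the same mutable-tag pinning remark applies
      # to every `uses:` in this job.
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Docker Hub
        # Skipped for pull requests: nothing is pushed on a PR run, and PRs from
        # forks have no access to repository secrets anyway.
        if: ${{ github.event_name != 'pull_request' }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_ACCOUNT_ID }}
          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
      - name: Generate metadata for Docker
        # NOTE: The tag contains the full docker container name + tag as it is requested
        # by the build-and-push-riscv step (VERSION gets a `-riscv` suffix there).
        # REGISTRY, IMAGE_NAME and VERSION are taken verbatim from ./docker.sh (a
        # script in this checkout) and appended to GITHUB_ENV without validation;
        # any sanitising of those values has to happen inside docker.sh.
        run: |
          REGISTRY=$(./docker.sh print-registry)
          echo "REGISTRY=${REGISTRY}" >> "$GITHUB_ENV"
          echo "Registry to be published is: ${REGISTRY}"
          IMAGE_NAME=$(./docker.sh print-image-name)
          echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"
          echo "Image name to be published is: ${IMAGE_NAME}"
          NEXT_VERSION=$(./docker.sh print-next-version)
          echo "VERSION=${NEXT_VERSION}" >> "$GITHUB_ENV"
          echo "Next version to be published is: ${NEXT_VERSION}"
      - name: Build RISC-V rootfs
        id: build-riscv-rootfs
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile.rootfs.riscv64
          # Intermediate image only: never pushed, loaded into the local daemon so
          # the next step can run it.
          push: false
          load: true
          platforms: linux/amd64
          tags: rootfs
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Convert rootfs to raw image
        # convert.sh runs with `--privileged`, i.e. with full access to the runner's
        # devices and kernel interfaces — presumably required for the loop/mount
        # operations involved in writing a raw image (TODO confirm in convert.sh).
        # On a pull_request run the script comes from the PR's checkout, so treat
        # changes to riscv64/convert.sh as part of the workflow's trust boundary.
        run: |
          mkdir -p ./extracted
          docker run --privileged --rm --volume ./riscv64/convert.sh:/convert.sh \
            --volume ./extracted:/to_extract --entrypoint /convert.sh rootfs
          # The rootfs image and build cache are no longer needed; reclaim runner
          # disk space before the (large) RISC-V image build.
          docker system prune --all --force --volumes
      - name: Build and push Docker image for RISC-V
        id: build-and-push-riscv
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile.riscv64
          # Build-only on pull requests; push to the registry on main.
          push: ${{ github.event_name != 'pull_request' }}
          platforms: linux/amd64
          tags: ${{ env.VERSION }}-riscv
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Generate artifact attestation
        # Same gate as the login step: the attestation is pushed to the registry,
        # which needs the credentials established above.
        if: ${{ github.event_name != 'pull_request' }}
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # Bind the provenance to the exact image digest that was just pushed.
          subject-digest: ${{ steps.build-and-push-riscv.outputs.digest }}
          push-to-registry: true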