Build Docker Image #4
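# Builds the image described by ./.docker/Dockerfile and pushes it to GHCR.
# Runs on manual dispatch, when called from another workflow, on pushes that
# touch this workflow file, and on a monthly schedule.
name: Build Docker Image

on:
  workflow_dispatch:
    inputs:
      no-cache:
        description: 'Disable Docker build cache'
        required: false
        default: false
        type: boolean
  workflow_call:
  push:
    paths:
      - '.github/workflows/build_docker.yml'
  schedule:
    # Rebuild monthly to refresh base layers and clear old cache
    - cron: '0 2 1 * *'

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: executorch-arm-container

jobs:
  build-docker:
    runs-on: ubuntu-latest
    # Least privilege: grant only the scopes that the enabled steps use.
    permissions:
      contents: read  # read is sufficient for checkout
      packages: write  # needed to push image to GHCR
      # The OIDC and attestation scopes stay off while the attestation step
      # below is commented out; restore both together with that step.
      # id-token: write
      # attestations: write
    outputs:
      image-tag: ${{ steps.meta.outputs.tags }}
      image-digest: ${{ steps.build.outputs.digest }}
    steps:
      # NOTE(review): every `uses:` below references a mutable major-version
      # tag. Pinning each action to a full commit SHA (for example
      # `actions/checkout@<full-commit-sha>  # v4`) keeps a re-pointed tag from
      # changing the code that runs with `packages: write`.
      - name: Delete unnecessary files from runner
        run: |
          sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache
          sudo docker image prune --all --force
          # --force: without it the prune asks for confirmation, which a
          # non-interactive runner cannot answer.
          sudo docker builder prune -a --force

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # No later step uses git, so do not keep the token in the checkout.
          # The build context is `.`; NOTE(review): confirm that the Dockerfile
          # or a .dockerignore keeps .git out of the image.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Format repo slug
        # Format the repository slug to lowercase for use in the Docker image tags
        id: repo_slug
        env:
          # Pass the context value through the environment instead of expanding
          # `${{ }}` inside the script, so it is never parsed as shell text.
          REPOSITORY: ${{ github.repository }}
        run: |
          echo "REPO_SLUG=$(echo "$REPOSITORY" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.REPO_SLUG }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=raw,value=latest,enable={{is_default_branch}}
            type=sha,prefix={{branch}}-

      - name: Build and push Docker image
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./.docker/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64
          # The scheduled run exists to refresh layers, so it bypasses the
          # cache too; otherwise cached layers would be reused and packages
          # installed in them would stay at their old versions.
          no-cache: ${{ github.event.inputs.no-cache == 'true' || github.event_name == 'schedule' }}
          # Simplified caching strategy
          # NOTE(review): the registry `:cache` ref is shared by every ref that
          # runs this workflow, so a non-default-branch build can write layers
          # that a later default-branch build imports. Consider exporting the
          # registry cache only from the default branch.
          cache-from: |
            type=gha
            type=registry,ref=${{ env.REGISTRY }}/${{ env.REPO_SLUG }}/${{ env.IMAGE_NAME }}:cache
          cache-to: |
            type=gha,mode=max
            type=registry,ref=${{ env.REGISTRY }}/${{ env.REPO_SLUG }}/${{ env.IMAGE_NAME }}:cache,mode=max

      # Disabled provenance attestation. Re-enabling it also requires the
      # `id-token: write` and `attestations: write` permissions on this job.
      # - name: Generate artifact attestation
      #   uses: actions/attest-build-provenance@v3
      #   with:
      #     subject-name: ${{ env.REGISTRY }}/${{ env.REPO_SLUG }}/${{ env.IMAGE_NAME }}
      #     subject-digest: ${{ steps.build.outputs.digest }}
      #     push-to-registry: true

      # Informational only: this step logs a message and deletes nothing.
      - name: Cache cleanup (monthly)
        if: github.event.schedule == '0 2 1 * *'
        run: |
          echo "Monthly cache cleanup triggered"
          # GitHub Actions cache will automatically clean old entries
          # Registry cache cleanup happens via image retention policies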