Upgrade Docker images to Debian Trixie (#633) #662
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sourcemeta One CD | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - "v*.*.*" | |
| concurrency: | |
| group: one-cd-${{ github.ref }} | |
| cancel-in-progress: false | |
| jobs: | |
| # See https://github.com/sredevopsorg/multi-arch-docker-github-workflow/blob/main/.github/workflows/multi-build.yaml | |
| docker: | |
| permissions: | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| edition: | |
| - package: one | |
| os: ubuntu-24.04 | |
| arch: amd64 | |
| enterprise: OFF | |
| license: BUSL-1.1 | |
| - package: one | |
| os: ubuntu-24.04-arm | |
| arch: arm64 | |
| enterprise: OFF | |
| license: BUSL-1.1 | |
| - package: one-enterprise | |
| os: ubuntu-24.04 | |
| arch: amd64 | |
| enterprise: ON | |
| license: LicenseRef-Commercial | |
| - package: one-enterprise | |
| os: ubuntu-24.04-arm | |
| arch: arm64 | |
| enterprise: ON | |
| license: LicenseRef-Commercial | |
| runs-on: ${{ matrix.edition.os }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - id: buildx-context | |
| run: docker context create builders | |
| - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 | |
| id: meta | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/${{ matrix.edition.package }} | |
| - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 | |
| with: | |
| endpoint: builders | |
| platforms: linux/${{ matrix.edition.arch }} | |
| - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - id: build | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| with: | |
| context: . | |
| file: Dockerfile | |
| build-args: | | |
| SOURCEMETA_ONE_ENTERPRISE=${{ matrix.edition.enterprise }} | |
| SOURCEMETA_ONE_LICENSE=${{ matrix.edition.license }} | |
| platforms: linux/${{ matrix.edition.arch }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| annotations: ${{ steps.meta.outputs.annotations }} | |
| outputs: type=image,name=ghcr.io/${{ github.repository_owner }}/${{ matrix.edition.package }},push-by-digest=true,name-canonical=true,push=true,oci-mediatypes=true | |
| cache-from: type=gha,scope=ghcr.io/${{ github.repository_owner }}/${{ matrix.edition.package }}-${{ github.ref_name }}-linux/${{ matrix.edition.arch }} | |
| cache-to: type=gha,scope=ghcr.io/${{ github.repository_owner }}/${{ matrix.edition.package }}-${{ github.ref_name }}-linux/${{ matrix.edition.arch }} | |
| - run: | | |
| mkdir -p /tmp/digests | |
| digest="${{ steps.build.outputs.digest }}" | |
| touch "/tmp/digests/${digest#sha256:}" | |
| - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 | |
| with: | |
| name: digests-${{ matrix.edition.package }}--${{ matrix.edition.arch }} | |
| path: /tmp/digests/* | |
| if-no-files-found: error | |
| retention-days: 1 | |
| docker-multi-arch: | |
| needs: docker | |
| permissions: | |
| packages: write | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| edition: | |
| - package: one | |
| - package: one-enterprise | |
| steps: | |
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 | |
| with: | |
| path: /tmp/digests | |
| pattern: digests-${{ matrix.edition.package }}--* | |
| merge-multiple: true | |
| - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 | |
| id: meta | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/${{ matrix.edition.package }} | |
| annotations: | | |
| type=org.opencontainers.image.description,value=${{ github.event.repository.description }} | |
| tags: | | |
| type=raw,value=main,enable=${{ github.ref_name == 'main' }} | |
| type=raw,value=latest,enable=${{ github.ref_name == 'main' }} | |
| type=ref,event=tag | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 | |
| with: | |
| driver-opts: network=host | |
| - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - id: timestamp | |
| run: echo "timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_OUTPUT | |
| - working-directory: /tmp/digests | |
| run: > | |
| docker buildx imagetools create | |
| $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") | |
| --annotation='index:org.opencontainers.image.description=${{ github.event.repository.description }}' | |
| --annotation='index:org.opencontainers.image.created=${{ steps.timestamp.outputs.timestamp }}' | |
| --annotation='index:org.opencontainers.image.url=${{ github.event.repository.url }}' | |
| --annotation='index:org.opencontainers.image.source=${{ github.event.repository.url }}' | |
| $(printf 'ghcr.io/${{ github.repository_owner }}/${{ matrix.edition.package }}@sha256:%s ' *) | |
| - run: docker buildx imagetools inspect 'ghcr.io/${{ github.repository_owner }}/${{ matrix.edition.package }}:${{ steps.meta.outputs.version }}' | |
| # Signed Container Images | |
| # See https://github.com/sigstore/cosign-installer | |
| enterprise-cosign: | |
| needs: docker-multi-arch | |
| permissions: | |
| packages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad | |
| - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 | |
| id: meta | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/one-enterprise | |
| - id: manifest-digest | |
| run: | | |
| DIGEST=$(docker buildx imagetools inspect \ | |
| 'ghcr.io/${{ github.repository_owner }}/one-enterprise:${{ steps.meta.outputs.version }}' \ | |
| --format '{{json .Manifest}}' | jq --raw-output '.digest') | |
| if [[ ! "$DIGEST" =~ ^sha256:[a-f0-9]{64}$ ]]; then | |
| echo "::error::Invalid manifest digest: $DIGEST" | |
| exit 1 | |
| fi | |
| echo "digest=$DIGEST" >> "$GITHUB_OUTPUT" | |
| - run: > | |
| cosign sign --yes | |
| 'ghcr.io/${{ github.repository_owner }}/one-enterprise@${{ steps.manifest-digest.outputs.digest }}' | |
| - run: > | |
| cosign verify | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com | |
| --certificate-identity 'https://github.com/${{ github.repository }}/.github/workflows/deploy.yml@${{ github.ref }}' | |
| 'ghcr.io/${{ github.repository_owner }}/one-enterprise@${{ steps.manifest-digest.outputs.digest }}' | |
| release: | |
| needs: docker-multi-arch | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: gh config set prompt disabled | |
| if: github.ref_type == 'tag' | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| - run: gh release create ${{ github.ref_name }} --draft=false --title ${{ github.ref_name }} --target "$GITHUB_SHA" --generate-notes | |
| if: github.ref_type == 'tag' | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| public: | |
| needs: docker-multi-arch | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| deployments: write | |
| contents: write | |
| env: | |
| KRAFTCLOUD_METRO: fra | |
| KRAFTKIT_NO_CHECK_UPDATES: true | |
| SERVICE_DOMAIN: schemas.sourcemeta.com | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 | |
| id: meta | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/sourcemeta-schemas | |
| - uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 | |
| id: push | |
| with: | |
| context: . | |
| file: public/Dockerfile | |
| build-args: "SOURCEMETA_ONE=ghcr.io/sourcemeta/one-enterprise:main" | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - uses: chrnorm/deployment-action@v2 | |
| id: deploy-github | |
| with: | |
| token: '${{ github.token }}' | |
| environment-url: https://${{ env.SERVICE_DOMAIN }} | |
| environment: unikraft | |
| - id: deploy | |
| uses: unikraft/kraftkit@v0.12.3 | |
| with: | |
| auths: | | |
| github.com: | |
| user: ${{ github.actor }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| kraft cloud service create --name schemas --domain ${{ env.SERVICE_DOMAIN }} 443:8000 || true | |
| kraft cloud deploy --memory 4096 --rollout remove --image schemas --service schemas \ | |
| --kraftfile public/Kraftfile --restart on-failure --replicas 4 ./public | |
| kraft cloud service get schemas | |
| kraft cloud instance logs "$(kraft cloud service get schemas --output json | jq --raw-output '.[0].instances | split(" ") | .[0]')" | |
| curl --location --header "Accept: text/html" --retry 10 --retry-all-errors --fail https://${{ env.SERVICE_DOMAIN }} | |
| env: | |
| KRAFTCLOUD_TOKEN: ${{ secrets.KRAFTCLOUD_TOKEN }} | |
| # Update deployment status | |
| - if: ${{ steps.deploy.outcome == 'success' }} | |
| uses: chrnorm/deployment-status@v2 | |
| with: | |
| token: '${{ github.token }}' | |
| environment-url: '${{ steps.deploy-github.outputs.environment_url }}' | |
| deployment-id: '${{ steps.deploy-github.outputs.deployment_id }}' | |
| state: 'success' | |
| - if: ${{ steps.deploy.outcome != 'success' }} | |
| uses: chrnorm/deployment-status@v2 | |
| with: | |
| token: '${{ github.token }}' | |
| environment-url: '${{ steps.deploy-github.outputs.environment_url }}' | |
| deployment-id: '${{ steps.deploy-github.outputs.deployment_id }}' | |
| state: 'failure' |