Adding more advanced workflows (#25)

.github/workflows/call-local-docker-build-promotion.yaml

@@ -0,0 +1,61 @@
+---
+# THIS IS NOT A TEMPLATE.
+# This is just for testing the repo itself.
+# This calls the reusable workflow from its local file path.
+name: Docker Build with Promotion
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'README.md'
+      - '.github/linters/**'
+  pull_request:
+    paths-ignore:
+      - 'README.md'
+      - '.github/linters/**'
+
+# cancel any previously-started, yet still active runs of this workflow on the same branch
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  packages: write
+  pull-requests: write
+
+jobs:
+
+  # run this job on every push to a PR
+  # it will push images to GHCR, but not DockerHub
+  docker-build-pr:
+    name: Call Build on PR
+    if: github.event_name == 'pull_request'
+    uses: ./.github/workflows/reusable-docker-build.yaml    
+    with:  
+      dockerhub-enable: false
+      ghcr-enable: true
+      push: true
+      image-names: |
+        ghcr.io/${{ github.repository }}
+
+  # run this job on every push to the default branch (including merges and tags)
+  # it will push images to GHCR and DockerHub
+  # tags will also include ones like `stable-<date>-<sha>` and `latest`
+  docker-build-merge:
+    name: Call Build on Push
+    # this if is filtered to only the main branch push event (see events at top)
+    if: github.event_name == 'push'
+    uses: ./.github/workflows/reusable-docker-build.yaml    
+    secrets:
+      dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+      dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+    with:  
+      dockerhub-enable: true
+      ghcr-enable: true
+      push: true
+      image-names: |
+        docker.io/${{ github.repository }}
+        ghcr.io/${{ github.repository }}

.github/workflows/call-local-docker-build.yaml

@@ -1,7 +1,7 @@
 ---
 # THIS IS NOT A TEMPLATE.
-# This is just for linting the gha-workflows repo itself.
-# We call the reusable workflow from its file path.
+# This is just for testing the repo itself.
+# This calls the reusable workflow from its local file path.
 name: Docker Build
 
 on:
@@ -42,9 +42,8 @@ jobs:
 
     with:
       
-      dockerhub-enable: true
+      dockerhub-enable: false
       ghcr-enable: true
 
       image-names: |
-        ${{ github.repository }}
         ghcr.io/${{ github.repository }}

.github/workflows/reusable-docker-build.yaml

@@ -6,23 +6,17 @@ on:
   # REUSABLE WORKFLOW with INPUTS
   # to keep this workflow simple, assumptions are made:
     # - only able to push to Docker Hub and/or GHCR (GHCR by default)
-    # - Builds on PR with tag of `prNUMBER` (same tag each PR push)
-    # - Builds on push to main branch with tag of `latest`
-    # - Builds on tag push with semver
+    # - adds a comment to PRs of tags and label metadata
+    # - you want to use GitHub cache for buildx image layers
+    # - Builds on PR with tag of `pr-NUMBER` (same tag each PR push)
+    # - Builds on push to default_branch will have a unique tag of `stable-YYYYMMDD-SHA`
+    # - Builds on push to default_branch will have a reusable tag of `latest` (useful for easy human testing, not servers)
+    # - Builds on a tag push with semver will also have a reusable tag of `latest` and also a semver tag
+    # - Defaults to only linux/amd64 platform builds, but can build for others in parallel
 
   workflow_call:
     # allow reuse of this workflow in other repos
     inputs:
-      dockerhub-enable:
-        description: Log into Docker Hub
-        required: false
-        default: false
-        type: boolean
-      ghcr-enable:
-        description: Log into GHCR
-        required: false
-        default: true
-        type: boolean
       comment-enable:
         description: Create a PR comment with image tags and labels
         required: false
@@ -30,48 +24,76 @@ on:
         type: boolean
       context:
         description: Docker context (path) to start build from
+        # To set to a subdir, use format of "{{defaultContext}}:mysubdir"
         required: false
         type: string
-        default: .
+      dockerhub-enable:
+        description: Log into Docker Hub
+        required: false
+        default: false
+        type: boolean
       file:
         description: Dockerfile to build, relative to context path
         required: false
         type: string
-      target:
-        description: Build stage to target
+      flavor-rules:
+        # https://github.com/marketplace/actions/docker-metadata-action#flavor-input
+        description: Three rules to (optionally) set for tag-rules, latest, prefix, and suffix
         required: false
         type: string
+        # will tag latest on a git tag push, or if you add a type=semver or type=match tag-rules
+        # NOTE: if you are seeing `latest` retagged when you don't expect it, set this latest=false
+        default: |
+            latest=auto
+      ghcr-enable:
+        description: Log into GHCR
+        required: false
+        default: true
+        type: boolean
+      image-names:
+        description: A list of the account/repo names for docker build to push to
+        required: false
+        type: string
+        # this is cool because you can add multiple names to different registries
+        # and docker-build-push step will push to all of them
+        default: |
+          ghcr.io/${{ github.repository }}
       platforms:
         description: Platforms to build for
         required: false
         type: string
         # common ones: linux/amd64,linux/arm64,linux/arm/v7
         default: linux/amd64
-      image-names:
-        description: A list of the account/repo names for docker build
+      push:
+        description: Push image to registry(s)
         required: false
-        type: string
-        default: |
-          ${{ github.repository }}
-          ghcr.io/${{ github.repository }}
+        type: boolean
+        default: true
       tag-rules:
         # https://github.com/marketplace/actions/docker-metadata-action#tags-input
         description: Use docker-metadata action to create tags from a key-value pair list in CSV format
         required: false
         type: string
+        # this ruleset will create one or more tags for each image in image-names
+        # some fire in pr-only, some in push/merge-only
+        # I still recommend reusable `latest` tag for human-friendly testing (not servers)
+        # I like a full tag for prod images that reads something like `stable-<date>-<commit>`
+        # Tags starting with `gha-<run_id>` are unique to each PR commit, and used to test fresh images      # rules with is_default_branch only create the tag if it's a push/merge to default branch
+        # priority attribute is used to sort tags in the final list. The higher the value, 
+        #   the higher the priority. The first tag in the list (higher priority) will be used as 
+        #   the image version for generated OCI label and version output.
         default: |
-          type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
-          type=raw,value=stable-{{date 'YYYYMMDDHHmmss'}},enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
-          type=ref,event=pr
-          type=raw,value=gha-${{ github.run_id }}
-      flavor-rules:
-        # https://github.com/marketplace/actions/docker-metadata-action#flavor-input
-        description: Three rules to (optionally) set for tag-rules, latest, prefix, and suffix
+          type=raw,value=stable-{{date 'YYYYMMDD'}}-{{sha}},enable={{is_default_branch}},priority=300
+          type=ref,event=tag,priority=200
+          type=raw,value=latest,enable={{is_default_branch}},priority=100
+          type=raw,value=gha-${{ github.run_id }},enable=${{github.event_name == 'pull_request'}},priority=200
+          type=ref,event=pr,priority=100
+      target:
+        description: Build stage to target
         required: false
         type: string
-        default: |
-            latest=false
-
+      
+   
     secrets:
       dockerhub-username:
         description: Docker Hub username
@@ -103,13 +125,10 @@ jobs:
     runs-on: ubuntu-latest
 
     outputs:
-      # only outputs the unique gha- image tag that's unique to each build
+      # only outputs the unique gha- image tag that's unique to each GHA run
       ghcr-tag: ${{ steps.ghcr-tag.outputs.tag }}
 
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3.5.0
       -
         # we need qemu and buildx so we can build multiple platforms later
         name: Set up QEMU
@@ -147,6 +166,8 @@ jobs:
       -
         # this will build the images, once per platform,
         # then push to one or more registries (based on image list above in docker_meta)
+        # NOTE: this will not push if a PR is from a fork, where secrets are not available
+        # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
         name: Docker Build and Push
         id: build_image
         uses: docker/build-push-action@v4.0.0
@@ -160,10 +181,12 @@ jobs:
           # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md#cache-backend-api
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          push: true
+          push: ${{ inputs.push }}
           tags: ${{ steps.docker_meta.outputs.tags }}
           labels: ${{ steps.docker_meta.outputs.labels }}
-          # add attestations for provenance and sbom
+          # add attestations for provenance and sbom (bleeding edge BuildKit features)
+          # NOTE: for now, this reults in `unknown/unknown` images in all registries but Hub
+          # https://docs.docker.com/build/attestations/attestation-storage/
           provenance: true
           sbom: true
       -
@@ -200,6 +223,5 @@ jobs:
       - name: Find the gha-run-based image tag we just pushed to ghcr.io
         id: ghcr-tag
         run: |
-          echo '::echo::on'
           # shellcheck disable=SC2086
           echo "tag=gha-${{ github.run_id }}" >> $GITHUB_OUTPUT