arcodange-org/docker-build-workflow
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

adding image-tag output for use in additional jobs (#26)

Browse Source
This commit is contained in:
Bret Fisher
2023-04-13 03:47:58 -04:00
committed by GitHub
parent 16d24ad29a
commit c75484b7e3
4 changed files with 46 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
.github/workflows/call-local-docker-build-promotion.yaml vendored
View File

@@ -1,61 +0,0 @@
---
# THIS IS NOT A TEMPLATE.
# This is just for testing the repo itself.
# This calls the reusable workflow from its local file path.
name: Docker Build with Promotion
on:
push:
branches:
- main
paths-ignore:
- 'README.md'
- '.github/linters/**'
pull_request:
paths-ignore:
- 'README.md'
- '.github/linters/**'
# cancel any previously-started, yet still active runs of this workflow on the same branch
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
permissions:
contents: read
packages: write
pull-requests: write
jobs:
# run this job on every push to a PR
# it will push images to GHCR, but not DockerHub
docker-build-pr:
name: Call Build on PR
if: github.event_name == 'pull_request'
uses: ./.github/workflows/reusable-docker-build.yaml
with:
dockerhub-enable: false
ghcr-enable: true
push: true
image-names: |
ghcr.io/${{ github.repository }}
# run this job on every push to the default branch (including merges and tags)
# it will push images to GHCR and DockerHub
# tags will also include ones like `stable-<date>-<sha>` and `latest`
docker-build-merge:
name: Call Build on Push
# this if is filtered to only the main branch push event (see events at top)
if: github.event_name == 'push'
uses: ./.github/workflows/reusable-docker-build.yaml
secrets:
dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
with:
dockerhub-enable: true
ghcr-enable: true
push: true
image-names: |
docker.io/${{ github.repository }}
ghcr.io/${{ github.repository }}

49
.github/workflows/reusable-docker-build.yaml vendored
View File

@@ -92,7 +92,6 @@ on:
description: Build stage to target
required: false
type: string
secrets:
dockerhub-username:
@@ -103,10 +102,9 @@ on:
required: false
outputs:
ghcr-tag:
description: "single-use tag for ghcr.io"
value: ${{ jobs.build-image.outputs.ghcr-tag }}
image-tag:
description: "single-use image tag for GHA runs"
value: ${{ jobs.build-image.outputs.image-tag }}
# permissions: GITHUB_TOKEN are better set by the **calling** workflow
# but we'll set defaults here for reference
@@ -126,36 +124,36 @@ jobs:
outputs:
# only outputs the unique gha- image tag that's unique to each GHA run
ghcr-tag: ${{ steps.ghcr-tag.outputs.tag }}
image-tag: ${{ steps.image-tag.outputs.image-tag }}
steps:
-
# we need qemu and buildx so we can build multiple platforms later
name: Set up QEMU
- name: Set up QEMU
id: qemu
uses: docker/setup-qemu-action@v2.1.0
-
# BuildKit (used with `docker buildx`) is the best way to build images
name: Set up Docker Buildx
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2.5.0
-
name: Login to DockerHub
- name: Login to DockerHub
if: inputs.dockerhub-enable
uses: docker/login-action@v2.1.0
with:
username: ${{ secrets.dockerhub-username }}
password: ${{ secrets.dockerhub-token }}
-
name: Login to GHCR
- name: Login to GHCR
if: inputs.ghcr-enable
uses: docker/login-action@v2.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Docker meta
- name: Docker meta
id: docker_meta
uses: docker/metadata-action@v4.3.0
with:
@@ -163,12 +161,12 @@ jobs:
images: ${{ inputs.image-names }}
flavor: ${{ inputs.flavor-rules }}
tags: ${{ inputs.tag-rules }}
-
# this will build the images, once per platform,
# then push to one or more registries (based on image list above in docker_meta)
# NOTE: this will not push if a PR is from a fork, where secrets are not available
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
name: Docker Build and Push
- name: Docker Build and Push
id: build_image
uses: docker/build-push-action@v4.0.0
with:
@@ -189,10 +187,10 @@ jobs:
# https://docs.docker.com/build/attestations/attestation-storage/
provenance: true
sbom: true
-
# If PR, put image tags in the PR comments
# from https://github.com/marketplace/actions/create-or-update-comment
name: Find comment for image tags
- name: Find comment for image tags
uses: peter-evans/find-comment@v2.3.0
if: github.event_name == 'pull_request' && inputs.comment-enable
id: fc
@@ -220,8 +218,13 @@ jobs:
```
edit-mode: replace
- name: Find the gha-run-based image tag we just pushed to ghcr.io
id: ghcr-tag
# for dependent jobs, we need to output the unique tag for this GHA run
# based on the docker_meta tag priority rules, the highest priority tag
# will be sent to this output
# this step output is sent to job output, which is sent to workflow output
# use this tag in another job with needs.<job-name>.outputs.image-tag
- name: Find the primary image tag we just pushed, and output it
id: image-tag
run: |
# shellcheck disable=SC2086
echo "tag=gha-${{ github.run_id }}" >> $GITHUB_OUTPUT
echo "image-tag=${{ steps.docker_meta.outputs.version }}" >> $GITHUB_OUTPUT