-
Notifications
You must be signed in to change notification settings - Fork 493
184 lines (169 loc) · 8.59 KB
/
container_app_push.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
---
name: Application Container Image
on:
# We are deliberately *not* running on push events here to avoid double runs.
# Instead, push events will trigger from the base image and maven unit tests via workflow_call.
workflow_call:
inputs:
base-image-ref:
type: string
description: "Reference of the base image to build on in full qualified form [<registry>/]<namespace>/<repo>:<tag>"
required: false
default: "gdcc/base:unstable"
pull_request:
branches:
- develop
- master
paths:
- 'src/main/docker/**'
- 'modules/container-configbaker/**'
- '.github/workflows/container_app_push.yml'
env:
IMAGE_TAG: unstable
REGISTRY: "" # Empty means default to Docker Hub
PLATFORMS: "linux/amd64,linux/arm64"
MASTER_BRANCH_TAG: alpha
jobs:
build:
name: "Build & Test"
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
pull-requests: write
# Only run in upstream repo - avoid unnecessary runs in forks
if: ${{ github.repository_owner == 'IQSS' }}
steps:
- name: Checkout and Setup Maven
uses: IQSS/dataverse/.github/actions/setup-maven@develop
with:
pom-paths: |
pom.xml
modules/container-configbaker/pom.xml
modules/dataverse-parent/pom.xml
# TODO: Add a filter step here, that avoids building the image if this is a PR and there are other files touched than declared above.
# Use https://github.com/dorny/paths-filter to solve this. This will ensure we do not run this twice if this workflow
# will be triggered by the other workflows already (base image or java changes)
# To become a part of #10618.
- name: Build app and configbaker container image with local architecture and submodules (profile will skip tests)
run: >
mvn -B -f modules/dataverse-parent
-P ct -pl edu.harvard.iq:dataverse -am
$( [[ -n "${{ inputs.base-image-ref }}" ]] && echo "-Dbase.image=${{ inputs.base-image-ref }}" )
install
# TODO: add smoke / integration testing here (add "-Pct -DskipIntegrationTests=false")
hub-description:
needs: build
name: Push image descriptions to Docker Hub
# Run this when triggered via push or schedule as reused workflow from base / maven unit tests.
# Excluding PRs here means we will have no trouble with secrets access. Also avoid runs in forks.
if: ${{ github.event_name != 'pull_request' && github.ref_name == 'develop' && github.repository_owner == 'IQSS' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: peter-evans/dockerhub-description@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
repository: gdcc/dataverse
short-description: "Dataverse Application Container Image providing the executable"
readme-filepath: ./src/main/docker/README.md
- uses: peter-evans/dockerhub-description@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
repository: gdcc/configbaker
short-description: "Dataverse Config Baker Container Image providing setup tooling and more"
readme-filepath: ./modules/container-configbaker/README.md
# Note: Accessing, pushing tags etc. to DockerHub or GHCR will only succeed in upstream because secrets.
# We check for them here and subsequent jobs can rely on this to decide if they shall run.
check-secrets:
needs: build
name: Check for Secrets Availability
runs-on: ubuntu-latest
outputs:
available: ${{ steps.secret-check.outputs.available }}
steps:
- id: secret-check
# perform secret check & put boolean result as an output
shell: bash
run: |
if [ "${{ secrets.DOCKERHUB_TOKEN }}" != '' ]; then
echo "available=true" >> $GITHUB_OUTPUT;
else
echo "available=false" >> $GITHUB_OUTPUT;
fi
deploy:
needs: check-secrets
name: "Package & Publish"
runs-on: ubuntu-latest
# Only run this job if we have access to secrets. This is true for events like push/schedule which run in
# context of the main repo, but for PRs only true if coming from the main repo! Forks have no secret access.
#
# Note: The team's decision was to not auto-deploy an image on any git push where no PR exists (yet).
# Accordingly, only run for push events on branches develop and master.
if: needs.check-secrets.outputs.available == 'true' &&
( github.event_name != 'push' || ( github.event_name == 'push' && contains(fromJSON('["develop", "master"]'), github.ref_name)))
steps:
- name: Checkout and Setup Maven
uses: IQSS/dataverse/.github/actions/setup-maven@develop
with:
pom-paths: |
pom.xml
modules/container-configbaker/pom.xml
modules/dataverse-parent/pom.xml
# Depending on context, we push to different targets. Login accordingly.
- if: github.event_name != 'pull_request'
name: Log in to Docker Hub registry
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- if: ${{ github.event_name == 'pull_request' }}
name: Login to Github Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ secrets.GHCR_USERNAME }}
password: ${{ secrets.GHCR_TOKEN }}
- name: Set up QEMU for multi-arch builds
uses: docker/setup-qemu-action@v2
- name: Re-set image tag based on branch (if master)
if: ${{ github.ref_name == 'master' }}
run: |
echo "IMAGE_TAG=${{ env.MASTER_BRANCH_TAG }}" >> $GITHUB_ENV
echo "BASE_IMAGE_TAG=${{ env.MASTER_BRANCH_TAG }}" >> $GITHUB_ENV
- name: Re-set image tag and container registry when on PR
if: ${{ github.event_name == 'pull_request' }}
run: |
echo "IMAGE_TAG=$(echo "$GITHUB_HEAD_REF" | tr '\\/_:&+,;#*' '-')" >> $GITHUB_ENV
echo "REGISTRY='-Ddocker.registry=ghcr.io'" >> $GITHUB_ENV
# Necessary to split as otherwise the submodules are not available (deploy skips install)
- name: Build app and configbaker container image with local architecture and submodules (profile will skip tests)
run: >
mvn -B -f modules/dataverse-parent
-P ct -pl edu.harvard.iq:dataverse -am
$( [[ -n "${{ inputs.base-image-ref }}" ]] && echo "-Dbase.image=${{ inputs.base-image-ref }}" )
install
- name: Deploy multi-arch application and configbaker container image
run: >
mvn
-Dapp.image.tag=${{ env.IMAGE_TAG }}
$( [[ -n "${{ inputs.base-image-ref }}" ]] && echo "-Dbase.image=${{ inputs.base-image-ref }}" )
${{ env.REGISTRY }} -Ddocker.platforms=${{ env.PLATFORMS }}
-P ct deploy
- uses: marocchino/sticky-pull-request-comment@v2
if: ${{ github.event_name == 'pull_request' }}
with:
header: registry-push
hide_and_recreate: true
hide_classify: "OUTDATED"
message: |
:package: Pushed preview images as
```
ghcr.io/gdcc/dataverse:${{ env.IMAGE_TAG }}
```
```
ghcr.io/gdcc/configbaker:${{ env.IMAGE_TAG }}
```
:ship: [See on GHCR](https://github.com/orgs/gdcc/packages/container). Use by referencing with full name as printed above, mind the registry name.