build and publish core images #34

Merged
merged 18 commits into from
Dec 27, 2024
47 changes: 0 additions & 47 deletions .github/build_and_publish_images.yml

This file was deleted.

47 changes: 0 additions & 47 deletions .github/build_images.yml

This file was deleted.

60 changes: 60 additions & 0 deletions .github/workflows/build_and_publish_images.yml
@@ -0,0 +1,60 @@
name: Build and Publish Base Images

on:
push:
branches:
- main
schedule:
- cron: "0 5 * * Sun"

jobs:
build-publish-image:
runs-on: ubuntu-latest
defaults:
run:
working-directory: './images'
steps:
- name: 'Checkout GitHub Action'
uses: actions/checkout@v4

- name: 'Login to GitHub Container Registry'
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{github.actor}}
password: ${{secrets.GITHUB_TOKEN}}

- name: 'Build and Publish alpine image'
run: |
docker build -t ghcr.io/cfpb/regtech/sbl/alpine:v3.18.0 -f Dockerfile-alpine .
docker tag ghcr.io/cfpb/regtech/sbl/alpine:v3.18.0 ghcr.io/cfpb/regtech/sbl/alpine:v3.18.0_${{github.run_attempt}}
docker tag ghcr.io/cfpb/regtech/sbl/alpine:v3.18.0 ghcr.io/cfpb/regtech/sbl/alpine:latest
docker push ghcr.io/cfpb/regtech/sbl/alpine --all-tags

- name: 'Build and Publish python-alpine image'
run: |
docker build -t ghcr.io/cfpb/regtech/sbl/python-alpine:v3.12.0 -f Dockerfile-python-alpine .
docker tag ghcr.io/cfpb/regtech/sbl/python-alpine:v3.12.0 ghcr.io/cfpb/regtech/sbl/python-alpine:v3.12.0_${{github.run_attempt}}
docker tag ghcr.io/cfpb/regtech/sbl/python-alpine:v3.12.0 ghcr.io/cfpb/regtech/sbl/python-alpine:latest
docker push ghcr.io/cfpb/regtech/sbl/python-alpine --all-tags

- name: 'Build and Publish nginx-alpine image'
run: |
docker build -t ghcr.io/cfpb/regtech/sbl/nginx-alpine:v1.27.0 -f Dockerfile-nginx-alpine .
docker tag ghcr.io/cfpb/regtech/sbl/nginx-alpine:v1.27.0 ghcr.io/cfpb/regtech/sbl/nginx-alpine:v1.27.0_${{github.run_attempt}}
docker tag ghcr.io/cfpb/regtech/sbl/nginx-alpine:v1.27.0 ghcr.io/cfpb/regtech/sbl/nginx-alpine:latest
docker push ghcr.io/cfpb/regtech/sbl/nginx-alpine --all-tags

- name: 'Build and Publish node-js-alpine image'
run: |
docker build -t ghcr.io/cfpb/regtech/sbl/node-js-alpine:v3.20.0 -f Dockerfile-node-js-alpine .
docker tag ghcr.io/cfpb/regtech/sbl/node-js-alpine:v3.20.0 ghcr.io/cfpb/regtech/sbl/node-js-alpine:v3.20.0_${{github.run_attempt}}
docker tag ghcr.io/cfpb/regtech/sbl/node-js-alpine:v3.20.0 ghcr.io/cfpb/regtech/sbl/node-js-alpine:latest
docker push ghcr.io/cfpb/regtech/sbl/node-js-alpine --all-tags

- name: 'Build and Publish python-ubi8 image'
run: |
docker build -t ghcr.io/cfpb/regtech/sbl/python-ubi8:v3.12.0 -f Dockerfile-python-ubi8 .
docker tag ghcr.io/cfpb/regtech/sbl/python-ubi8:v3.12.0 ghcr.io/cfpb/regtech/sbl/python-ubi8:v3.12.0_${{github.run_attempt}}
docker tag ghcr.io/cfpb/regtech/sbl/python-ubi8:v3.12.0 ghcr.io/cfpb/regtech/sbl/python-ubi8:latest
docker push ghcr.io/cfpb/regtech/sbl/python-ubi8 --all-tags
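Review bot: `github.run_attempt` in the `docker tag` lines does not give the unique per-build suffix the PR sets out to add; it is 1 for every fresh run and only increments when a run is re-tried, so each weekly scheduled run overwrites `v3.18.0_1` (and likewise for the other four images), which defeats pinning to a specific build. Use `${{ github.run_number }}` or `${{ github.run_id }}` (optionally combined with `${{ github.sha }}`) instead, e.g. `ghcr.io/cfpb/regtech/sbl/alpine:v3.18.0_${{ github.run_number }}`. Also add an explicit `permissions:` block (`contents: read`, `packages: write`) at the workflow or job level rather than relying on the repository's default `GITHUB_TOKEN` grants; that keeps the token least-privilege and keeps the push working if the repository default is ever switched to read-only.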
57 changes: 57 additions & 0 deletions .github/workflows/build_images.yml
@@ -0,0 +1,57 @@
name: Build Base Images

on:
pull_request:
branches: [main]
workflow_dispatch:

jobs:
build-images:
runs-on: ubuntu-latest
defaults:
run:
working-directory: './images'
steps:
- name: 'Checkout GitHub Action'
uses: actions/checkout@v4

- name: 'Login to GitHub Container Registry'
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{github.actor}}
password: ${{secrets.GITHUB_TOKEN}}

- name: 'Build test image'
run: |
docker build -t ghcr.io/cfpb/regtech/sbl/test:do_not_use -f Dockerfile-alpine .
docker push ghcr.io/cfpb/regtech/sbl/test:do_not_use

- name: 'Build alpine image'
run: |
docker build -t ghcr.io/cfpb/regtech/sbl/alpine:3.18_${{github.run_attempt}} -f Dockerfile-alpine .

- name: 'Build python-alpine image'
run: |
docker build -t ghcr.io/cfpb/regtech/sbl/python-alpine:3.12_${{github.run_attempt}} -f Dockerfile-python-alpine .

- name: 'Build nginx-alpine image'
run: |
docker build -t ghcr.io/cfpb/regtech/sbl/nginx-alpine:1.27_${{github.run_attempt}} -f Dockerfile-nginx-alpine .

- name: 'Build node-js-alpine image'
run: |
docker build -t ghcr.io/cfpb/regtech/sbl/node-js-alpine:3.20_${{github.run_attempt}} -f Dockerfile-node-js-alpine .

- name: 'Build python-ubi8 image'
run: |
docker build -t ghcr.io/cfpb/regtech/sbl/python-ubi8:3.12_${{github.run_attempt}} -f Dockerfile-python-ubi8 .

# Github api reference only.
# We would need to use a dedicted user PAT since auto-generated GITHUB_TOKEN is not org admin which is required for delete

# - name: 'Delete test package'
# run: |
# curl -L -X DELETE -H "Accept: application/vnd.github+json" -H "Authorization: $GITHUB_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/orgs/cfpb/packages/container/regtech%2Fsbl%2Ftest
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
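Review bot: the 'Build test image' step pushes to GHCR on `pull_request`, but `GITHUB_TOKEN` is read-only for pull requests opened from forks, so the permission check this step is meant to provide only holds for same-repository branches; fork PRs will fail at the `docker push`, not at the build. If that is intended, say so in the step name or a comment; either way declare `permissions: { contents: read, packages: write }` explicitly so the behaviour does not depend on the repository default. In the commented-out delete step, `-H "Authorization: $GITHUB_TOKEN"` is missing the scheme; the GitHub REST API expects `Authorization: Bearer $GITHUB_TOKEN`, so the snippet would get a 401 even with a suitable PAT. Minor: `dedicted` should be `dedicated`, and the PR-side tags (`alpine:3.18_…`) use a different format from the publish workflow (`alpine:v3.18.0_…`), so a build that succeeds here is not byte-for-byte the tag that gets published.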
52 changes: 50 additions & 2 deletions images/contributing.md
Expand Up @@ -2,7 +2,55 @@

Reference [Github's documentation](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry) as needed.

## Authenticating with GHCR

## Pipeline Build and Publish Core Images
We now have a GHA pipeline to build and publish these base images to the GHCR.

#### On Pull Requests
[build_images](../.github/workflows/build_images.yml) - runs on Pull Requests to test the image build only.

#### On Merge to Main
[build_and_publish_images](../.github/workflows/build_and_publish_images.yml) - runs on Merge to Main. This workflow will build and publish the images to Github Container Registry (GHCR).

> **NOTE** The `build_and_publish_images` workflow is also scheduled to run weekly every Sunday at 5 AM to help keep the base images up-to-date with the latest security patches and such.

#### Core Image tagging
We now add a unique tag to each published set of images that are included in the `build_and_publish_images` workflow.
Tagging is using github builtin property `github.run_attempt` and appended to the image tag.

Example image with new tag format: `ghcr.io/cfpb/regtech/sbl/python-alpine:3.12_xx`

This will allow applications to pin to specific builds in the event a new change is introduced to latest that doesn't play nice with the application.
The standard build image tag is still available to support apps pinning to the latest.

### Test package
We build and push a duplicate alpine test package during the `build_image` workflow that runs on PR. This is to assure proper permission are available before we merge code changes to main and build and publish all the images.

That package is named `regtech/sbl/test:do_not_use`. It is set to private and thus not available to public.
It is not immutable, so each workflow run with build and push the same tag. This is for GHA to GHCR access testing only.

> ***Note*** `GITHIB_TOKEN` is autogenerated by GHA during each workflow execution and use to access the container registry. Due to limitations on this token, the workflow is not able to delete the test package. [Reference](https://docs.github.com/en/rest/packages/packages?apiVersion=2022-11-28#delete-a-package-for-an-organization). Even with GHA having admin to the package, since packages live at the ORG level, Github requires ORG level admin permissions to delete a package. Since `GITHUB_TOKEN` is generated and use for workflow run only, it's not possible (or desirable) to grant this access at the ORG level.
> If it's important to delete this test package, we would need to create a dedicated user PAT, grant Org Admin level and use it in the workflow step to delete the package.

### Immutable Packages
[Publish immutable action reference](https://github.com/actions/publish-immutable-action/pkgs/container/publish-immutable-action)
[Immutable Actions reference](https://github.com/features/preview/immutable-actions)

> ***Note*** This ↑ is `Public Preview` as of `12/26/24`

### Image Tagging
We now publish 3 tagged versions of each core image during in the GHA workflow for all main branch merges.
They are as follows

- *image_name*:vMAJ.MIN.PATCH
- *image_name*:vMAJ.MIN.PATCH_*unique_build*
- *image_name*:latest

---

## Local Machine build and push core images (old depracated method)

#### Authenticating with GHCR

Generate a classic PAT token with the `read:packages`, `write:packages`, and `delete:packages` permissions.

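Review bot: the documented example tag `ghcr.io/cfpb/regtech/sbl/python-alpine:3.12_xx` does not match what `build_and_publish_images.yml` in this same PR produces (`python-alpine:v3.12.0_<run_attempt>`), and because `github.run_attempt` is 1 for every fresh run the suffix is not unique across the weekly runs the doc tells applications to pin to; align the example with the real tag format and state what `unique_build` in the `Image Tagging` list actually is (or switch the workflow to `run_number`). Wording and typo fixes for this hunk: `GITHIB_TOKEN` should be `GITHUB_TOKEN`, `depracated` should be `deprecated`, `proper permission are` should be `proper permissions are`, `each workflow run with build and push` should be `will build and push`, `use to access`/`use for workflow run` should be `used`, and `during in the GHA workflow` should be `in the GHA workflow`.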
Expand All @@ -13,7 +61,7 @@ $ echo $CR_PAT | docker login ghcr.io -u USERNAME --password-stdin
> Login Succeeded
```

## Build and push to GCR
#### Build and push to GCR

```bash
$ docker build -t ghcr.io/cfpb/regtech/sbl/alpine:3.18 -f Dockerfile-alpine .
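Review bot: the heading being renamed here still reads `Build and push to GCR`, but the commands under it push to `ghcr.io`, and GCR conventionally means Google Container Registry; since the hunk already touches the heading, make it `#### Build and push to GHCR` so it matches the `Authenticating with GHCR` heading above it.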