fix(ci): build+push image in release flow (#3838)

2021-07-29 23:31:46 +05:30 · 2021-07-29 23:31:46 +05:30 · 93c89ba0e8
parent 0283c35225
commit 93c89ba0e8
8 changed files with 74 additions and 166 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -402,73 +402,6 @@ jobs:
      - name: Remove release packages and test artifacts
        run: rm -rf ./release-packages ./test/test-results

-  # Builds both amd64 and arm64 images
-  docker-images:
-    runs-on: ubuntu-latest
-    needs: [package-linux-amd64, package-linux-arm64]
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Download release package
-        uses: actions/download-artifact@v2
-        with:
-          name: release-packages
-          path: ./release-packages
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Run ./ci/steps/build-docker-image.sh
-        run: ./ci/steps/build-docker-image.sh
-
-      - name: Upload release images
-        uses: actions/upload-artifact@v2
-        with:
-          name: release-images
-          path: ./release-images
-
-  trivy-scan-image:
-    runs-on: ubuntu-20.04
-    needs: docker-images
-    # NOTE@jsjoeio: disabling due to a memory issue upstream
-    # See: https://github.com/github/codeql-action/issues/528
-    if: 1 == 2
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Download release images
-        uses: actions/download-artifact@v2
-        with:
-          name: release-images
-          path: ./release-images
-
-      - name: Run Trivy vulnerability scanner in image mode
-        # Commit SHA for v0.0.17
-        uses: aquasecurity/trivy-action@9438b49cc3156b2e8c77c1ba8ffbaa3bae24e3c2
-        with:
-          input: "./release-images/code-server-amd64-*.tar"
-          scan-type: "image"
-          ignore-unfixed: true
-          format: "template"
-          template: "@/contrib/sarif.tpl"
-          output: "trivy-image-results.sarif"
-          severity: "HIGH,CRITICAL"
-
-      - name: Debug Trivy SARIF file
-        run: cat trivy-image-results.sarif && ls -l trivy-image-results.sarif
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
-        with:
-          sarif_file: "trivy-image-results.sarif"
-
-  # We have to use two trivy jobs
-  # because GitHub only allows
-  # codeql/upload-sarif action per job
  trivy-scan-repo:
    runs-on: ubuntu-20.04
    steps:
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@ -0,0 +1,28 @@
+name: Publish on Docker
+
+on:
+  # Shows the manual trigger in GitHub UI
+  # helpful as a back-up in case the GitHub Actions Workflow fails
+  workflow_dispatch:
+
+  release:
+    types: [published]
+
+jobs:
+  docker-images:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Run ./ci/steps/docker-buildx-push.sh
+        run: ./ci/steps/docker-buildx-push.sh
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
--- a/.github/workflows/npm-brew.yaml
+++ b/.github/workflows/npm-brew.yaml
@ -1,4 +1,4 @@
-name: publish
+name: Publish on npm and brew

 on:
  # Shows the manual trigger in GitHub UI
@ -22,20 +22,6 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

-  # NOTE: this job requires curl, jq and docker
-  # All of them are included in ubuntu-latest.
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Run ./ci/steps/push-docker-manifest.sh
-        run: ./ci/steps/push-docker-manifest.sh
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-
  homebrew:
    # The newest version of code-server needs to be available on npm when this runs
    # otherwise, it will 404 and won't open a PR to bump version on homebrew/homebrew-core
--- a/ci/README.md
+++ b/ci/README.md
@ -78,8 +78,8 @@ You can disable minification by setting `MINIFY=`.

 This directory contains the release docker container image.

- [./ci/steps/build-docker-image.sh](./ci/steps/build-docker-image.sh)
-  - Builds the release containers with tags `codercom/code-server-$ARCH:$VERSION` for amd64 and arm64 with `docker buildx`.
+- [./ci/steps/build-docker-buildx-push.sh](./ci/steps/docker-buildx-push.sh)
+  - Builds the release containers with tags `codercom/code-server-$ARCH:$VERSION` for amd64 and arm64 with `docker buildx` and pushes them.
  - Assumes debian releases are ready in `./release-packages`.

 ## images
@ -107,8 +107,8 @@ Helps avoid clobbering the CI configuration.
    release packages into `./release-packages`.
 - [./steps/publish-npm.sh](./steps/publish-npm.sh)
  - Grabs the `npm-package` release artifact for the current commit and publishes it on npm.
- [./steps/build-docker-image.sh](./steps/build-docker-image.sh)
-  - Builds the docker image and then saves it into `./release-images/code-server-$ARCH-$VERSION.tar`.
+- [./steps/docker-buildx-push.sh](./steps/docker-buildx-push.sh)
+  - Builds the docker image and then pushes it.
 - [./steps/push-docker-manifest.sh](./steps/push-docker-manifest.sh)
  - Loads all images in `./release-images` and then builds and pushes a multi architecture
    docker manifest for the amd64 and arm64 images to `codercom/code-server:$VERSION` and
--- a/ci/release-image/docker-bake.hcl
+++ b/ci/release-image/docker-bake.hcl
@ -7,19 +7,11 @@ variable "VERSION" {
 }

 group "default" {
-    targets = ["code-server-amd64", "code-server-arm64"]
+    targets = ["code-server"]
 }

-target "code-server-amd64" {
+target "code-server" {
    dockerfile = "ci/release-image/Dockerfile"
-    tags = ["docker.io/codercom/code-server-amd64:${VERSION}"]
-    platforms = ["linux/amd64"]
-    output = ["type=tar,dest=./release-images/code-server-amd64-${VERSION}.tar"]
-}
-
-target "code-server-arm64" {
-    dockerfile = "ci/release-image/Dockerfile"
-    tags = ["docker.io/codercom/code-server-arm64:${VERSION}"]
-    platforms = ["linux/arm64"]
-    output = ["type=tar,dest=./release-images/code-server-arm64-${VERSION}.tar"]
+    tags = ["docker.io/codercom/code-server:${VERSION}"]
+    platforms = ["linux/amd64", "linux/arm64"]
 }
--- a/ci/steps/build-docker-image.sh
+++ b/ci/steps/build-docker-image.sh
@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-main() {
-  cd "$(dirname "$0")/../.."
-  source ./ci/lib.sh
-
-  mkdir -p release-images
-  docker buildx bake -f ci/release-image/docker-bake.hcl
-}
-
-main "$@"
--- a/ci/steps/docker-buildx-push.sh
+++ b/ci/steps/docker-buildx-push.sh
@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# See if this version already exists on Docker Hub.
+function version_exists() {
+  local output
+  output=$(curl --silent "https://index.docker.io/v1/repositories/codercom/code-server/tags/$VERSION")
+  if [[ $output == "Tag not found" ]]; then
+    return 1
+  else
+    return 0
+  fi
+}
+
+main() {
+  cd "$(dirname "$0")/../.."
+
+  # ci/lib.sh sets VERSION and provides download_artifact here
+  source ./ci/lib.sh
+
+  if version_exists; then
+    echo "$VERSION is already pushed"
+    return
+  fi
+
+  # Download the release-packages artifact
+  download_artifact release-packages ./release-packages
+
+  # Login to Docker
+  if [[ ${CI-} ]]; then
+    echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
+  fi
+
+  docker buildx bake -f ci/release-image/docker-bake.hcl --push
+}
+
+main "$@"
--- a/ci/steps/push-docker-manifest.sh
+++ b/ci/steps/push-docker-manifest.sh
@ -1,56 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# See if this version already exists on Docker Hub.
-function version_exists() {
-  local output
-  output=$(curl --silent "https://index.docker.io/v1/repositories/codercom/code-server/tags/$VERSION")
-  if [[ $output == "Tag not found" ]]; then
-    return 1
-  else
-    return 0
-  fi
-}
-
-# Import and push the Docker image for the provided arch. We must have
-# individual arch repositories pushed remotely in order to use `docker
-# manifest` to create single a multi-arch image.
-# TODO: Switch to buildx? Seems it can do this more simply.
-push() {
-  local arch=$1
-  local tag="codercom/code-server-$arch:$VERSION"
-  docker import "./release-images/code-server-$arch-$VERSION.tar" "$tag"
-  docker push "$tag"
-}
-
-main() {
-  cd "$(dirname "$0")/../.."
-  source ./ci/lib.sh
-
-  if version_exists; then
-    echo "$VERSION is already pushed"
-    return
-  fi
-
-  download_artifact release-images ./release-images
-  if [[ ${CI-} ]]; then
-    echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
-  fi
-
-  push "amd64"
-  push "arm64"
-
-  export DOCKER_CLI_EXPERIMENTAL=enabled
-
-  docker manifest create "codercom/code-server:$VERSION" \
-    "codercom/code-server-amd64:$VERSION" \
-    "codercom/code-server-arm64:$VERSION"
-  docker manifest push --purge "codercom/code-server:$VERSION"
-
-  docker manifest create "codercom/code-server:latest" \
-    "codercom/code-server-amd64:$VERSION" \
-    "codercom/code-server-arm64:$VERSION"
-  docker manifest push --purge "codercom/code-server:latest"
-}
-
-main "$@"