diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c8561ab9..0a4e009c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -402,73 +402,6 @@ jobs: - name: Remove release packages and test artifacts run: rm -rf ./release-packages ./test/test-results - # Builds both amd64 and arm64 images - docker-images: - runs-on: ubuntu-latest - needs: [package-linux-amd64, package-linux-arm64] - steps: - - uses: actions/checkout@v2 - - - name: Download release package - uses: actions/download-artifact@v2 - with: - name: release-packages - path: ./release-packages - - - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Run ./ci/steps/build-docker-image.sh - run: ./ci/steps/build-docker-image.sh - - - name: Upload release images - uses: actions/upload-artifact@v2 - with: - name: release-images - path: ./release-images - - trivy-scan-image: - runs-on: ubuntu-20.04 - needs: docker-images - # NOTE@jsjoeio: disabling due to a memory issue upstream - # See: https://github.com/github/codeql-action/issues/528 - if: 1 == 2 - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Download release images - uses: actions/download-artifact@v2 - with: - name: release-images - path: ./release-images - - - name: Run Trivy vulnerability scanner in image mode - # Commit SHA for v0.0.17 - uses: aquasecurity/trivy-action@9438b49cc3156b2e8c77c1ba8ffbaa3bae24e3c2 - with: - input: "./release-images/code-server-amd64-*.tar" - scan-type: "image" - ignore-unfixed: true - format: "template" - template: "@/contrib/sarif.tpl" - output: "trivy-image-results.sarif" - severity: "HIGH,CRITICAL" - - - name: Debug Trivy SARIF file - run: cat trivy-image-results.sarif && ls -l trivy-image-results.sarif - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: "trivy-image-results.sarif" - - # We have to use two trivy jobs - # because GitHub only allows - # codeql/upload-sarif action per job trivy-scan-repo: runs-on: ubuntu-20.04 steps: diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml new file mode 100644 index 00000000..12a22853 --- /dev/null +++ b/.github/workflows/docker.yaml @@ -0,0 +1,28 @@ +name: Publish on Docker + +on: + # Shows the manual trigger in GitHub UI + # helpful as a back-up in case the GitHub Actions Workflow fails + workflow_dispatch: + + release: + types: [published] + +jobs: + docker-images: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Run ./ci/steps/docker-buildx-push.sh + run: ./ci/steps/docker-buildx-push.sh + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} + DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} diff --git a/.github/workflows/publish.yaml b/.github/workflows/npm-brew.yaml similarity index 74% rename from .github/workflows/publish.yaml rename to .github/workflows/npm-brew.yaml index c56b41ac..107f5ea0 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/npm-brew.yaml @@ -1,4 +1,4 @@ -name: publish +name: Publish on npm and brew on: # Shows the manual trigger in GitHub UI @@ -22,20 +22,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - # NOTE: this job requires curl, jq and docker - # All of them are included in ubuntu-latest. - docker: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - - name: Run ./ci/steps/push-docker-manifest.sh - run: ./ci/steps/push-docker-manifest.sh - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - homebrew: # The newest version of code-server needs to be available on npm when this runs # otherwise, it will 404 and won't open a PR to bump version on homebrew/homebrew-core diff --git a/ci/README.md b/ci/README.md index f92de0a7..f4c418e5 100644 --- a/ci/README.md +++ b/ci/README.md @@ -78,8 +78,8 @@ You can disable minification by setting `MINIFY=`. This directory contains the release docker container image. -- [./ci/steps/build-docker-image.sh](./ci/steps/build-docker-image.sh) - - Builds the release containers with tags `codercom/code-server-$ARCH:$VERSION` for amd64 and arm64 with `docker buildx`. +- [./ci/steps/build-docker-buildx-push.sh](./ci/steps/docker-buildx-push.sh) + - Builds the release containers with tags `codercom/code-server-$ARCH:$VERSION` for amd64 and arm64 with `docker buildx` and pushes them. - Assumes debian releases are ready in `./release-packages`. ## images @@ -107,8 +107,8 @@ Helps avoid clobbering the CI configuration. release packages into `./release-packages`. - [./steps/publish-npm.sh](./steps/publish-npm.sh) - Grabs the `npm-package` release artifact for the current commit and publishes it on npm. -- [./steps/build-docker-image.sh](./steps/build-docker-image.sh) - - Builds the docker image and then saves it into `./release-images/code-server-$ARCH-$VERSION.tar`. +- [./steps/docker-buildx-push.sh](./steps/docker-buildx-push.sh) + - Builds the docker image and then pushes it. - [./steps/push-docker-manifest.sh](./steps/push-docker-manifest.sh) - Loads all images in `./release-images` and then builds and pushes a multi architecture docker manifest for the amd64 and arm64 images to `codercom/code-server:$VERSION` and diff --git a/ci/release-image/docker-bake.hcl b/ci/release-image/docker-bake.hcl index bbb85623..3ef2f0b4 100644 --- a/ci/release-image/docker-bake.hcl +++ b/ci/release-image/docker-bake.hcl @@ -7,19 +7,11 @@ variable "VERSION" { } group "default" { - targets = ["code-server-amd64", "code-server-arm64"] + targets = ["code-server"] } -target "code-server-amd64" { +target "code-server" { dockerfile = "ci/release-image/Dockerfile" - tags = ["docker.io/codercom/code-server-amd64:${VERSION}"] - platforms = ["linux/amd64"] - output = ["type=tar,dest=./release-images/code-server-amd64-${VERSION}.tar"] -} - -target "code-server-arm64" { - dockerfile = "ci/release-image/Dockerfile" - tags = ["docker.io/codercom/code-server-arm64:${VERSION}"] - platforms = ["linux/arm64"] - output = ["type=tar,dest=./release-images/code-server-arm64-${VERSION}.tar"] + tags = ["docker.io/codercom/code-server:${VERSION}"] + platforms = ["linux/amd64", "linux/arm64"] } diff --git a/ci/steps/build-docker-image.sh b/ci/steps/build-docker-image.sh deleted file mode 100755 index 881132a9..00000000 --- a/ci/steps/build-docker-image.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -main() { - cd "$(dirname "$0")/../.." - source ./ci/lib.sh - - mkdir -p release-images - docker buildx bake -f ci/release-image/docker-bake.hcl -} - -main "$@" diff --git a/ci/steps/docker-buildx-push.sh b/ci/steps/docker-buildx-push.sh new file mode 100755 index 00000000..79b20558 --- /dev/null +++ b/ci/steps/docker-buildx-push.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +set -euo pipefail + +# See if this version already exists on Docker Hub. +function version_exists() { + local output + output=$(curl --silent "https://index.docker.io/v1/repositories/codercom/code-server/tags/$VERSION") + if [[ $output == "Tag not found" ]]; then + return 1 + else + return 0 + fi +} + +main() { + cd "$(dirname "$0")/../.." + + # ci/lib.sh sets VERSION and provides download_artifact here + source ./ci/lib.sh + + if version_exists; then + echo "$VERSION is already pushed" + return + fi + + # Download the release-packages artifact + download_artifact release-packages ./release-packages + + # Login to Docker + if [[ ${CI-} ]]; then + echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin + fi + + docker buildx bake -f ci/release-image/docker-bake.hcl --push +} + +main "$@" diff --git a/ci/steps/push-docker-manifest.sh b/ci/steps/push-docker-manifest.sh deleted file mode 100755 index 9399db7e..00000000 --- a/ci/steps/push-docker-manifest.sh +++ /dev/null @@ -1,56 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -# See if this version already exists on Docker Hub. -function version_exists() { - local output - output=$(curl --silent "https://index.docker.io/v1/repositories/codercom/code-server/tags/$VERSION") - if [[ $output == "Tag not found" ]]; then - return 1 - else - return 0 - fi -} - -# Import and push the Docker image for the provided arch. We must have -# individual arch repositories pushed remotely in order to use `docker -# manifest` to create single a multi-arch image. -# TODO: Switch to buildx? Seems it can do this more simply. -push() { - local arch=$1 - local tag="codercom/code-server-$arch:$VERSION" - docker import "./release-images/code-server-$arch-$VERSION.tar" "$tag" - docker push "$tag" -} - -main() { - cd "$(dirname "$0")/../.." - source ./ci/lib.sh - - if version_exists; then - echo "$VERSION is already pushed" - return - fi - - download_artifact release-images ./release-images - if [[ ${CI-} ]]; then - echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin - fi - - push "amd64" - push "arm64" - - export DOCKER_CLI_EXPERIMENTAL=enabled - - docker manifest create "codercom/code-server:$VERSION" \ - "codercom/code-server-amd64:$VERSION" \ - "codercom/code-server-arm64:$VERSION" - docker manifest push --purge "codercom/code-server:$VERSION" - - docker manifest create "codercom/code-server:latest" \ - "codercom/code-server-amd64:$VERSION" \ - "codercom/code-server-arm64:$VERSION" - docker manifest push --purge "codercom/code-server:latest" -} - -main "$@"