From d5a8b6f0c08e898a4a4c440e749702b1ade1bec6 Mon Sep 17 00:00:00 2001 From: Roland Kurmann Date: Sat, 1 Mar 2025 20:19:15 +0100 Subject: [PATCH] ci: fix digest artifact names for multi-platform Docker builds (fix #367) (#376) * ci: fix digest artifact names for multi-platform Docker builds * ci: remove unused platforms parameter from Docker build steps * ci: push Docker images exceptionally on feature branch * ci: update Dockerfile to include uname command and fix label formatting * ci: update CI workflow to set platforms dynamically for Docker builds * ci: disable arm64 docker * ci: only arm64 docker * ci: update CI workflow for multiarch Docker builds and manifest creation * ci: add multiarch manifest creation * ci: fix multiarch manifest for loop * ci: restore push conditions for Docker image builds * ci: restore push conditions for Docker image builds --- .github/workflows/ci_docker.yml | 169 ++++++++++++++++++++++++++------ docker/Dockerfile | 7 +- docker/Dockerfile_only_txt | 7 +- 3 files changed, 147 insertions(+), 36 deletions(-) diff --git a/.github/workflows/ci_docker.yml b/.github/workflows/ci_docker.yml index 422ef05..31c6882 100644 --- a/.github/workflows/ci_docker.yml +++ b/.github/workflows/ci_docker.yml @@ -30,10 +30,12 @@ jobs: strategy: matrix: include: - - DOCKER_PLATFORM: linux/amd64 + - DOCKER_ARCH: amd64 platform: ubuntu-latest - - DOCKER_PLATFORM: linux/arm64 + PLATFORM_ARCH: x86_64 + - DOCKER_ARCH: arm64 platform: ubuntu-24.04-arm + PLATFORM_ARCH: arm64 runs-on: ${{ matrix.platform }} @@ -58,11 +60,6 @@ jobs: - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@v3 - # Workaround for failing builds: https://github.com/docker/build-push-action/issues/761#issuecomment-1383822381 - # TODO remove workaround when fixed - with: - driver-opts: | - image=moby/buildkit:latest - name: Login to DockerHub uses: docker/login-action@v3 @@ -79,11 +76,11 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GHCR_IO_TOKEN }} - - name: "Build image and push to Docker Hub and GitHub Container Registry" + - name: "Build image (Bookworm/Debian 12) and push to Docker Hub and GitHub Container Registry" id: docker_build_qr_reader_latest uses: docker/build-push-action@v5 with: - platforms: ${{ matrix.DOCKER_PLATFORM }} + platforms: linux/${{ matrix.DOCKER_ARCH }} # relative path to the place where source code with Dockerfile is located # TODO file:, move to docker/ context: . @@ -94,10 +91,10 @@ jobs: BASE_IMAGE=python:3.13-slim-bookworm pull: true tags: | - scit0/extract_otp_secrets:latest - scit0/extract_otp_secrets:bookworm - ghcr.io/scito/extract_otp_secrets:latest - ghcr.io/scito/extract_otp_secrets:bookworm + docker.io/scit0/extract_otp_secrets:latest-${{ matrix.PLATFORM_ARCH }} + docker.io/scit0/extract_otp_secrets:bookworm-${{ matrix.PLATFORM_ARCH }} + ghcr.io/scito/extract_otp_secrets:latest-${{ matrix.PLATFORM_ARCH }} + ghcr.io/scito/extract_otp_secrets:bookworm-${{ matrix.PLATFORM_ARCH }} # build on feature branches, push only on master branch push: ${{ github.ref == 'refs/heads/master' && github.secret_source == 'Actions'}} @@ -110,19 +107,57 @@ jobs: if: github.ref == 'refs/heads/master' uses: actions/upload-artifact@v4 with: - name: debian_digests + name: digests_bookworm_${{ matrix.PLATFORM_ARCH }} path: digests.txt + create-multiarch-debian-manifests: + name: Create multiarch manifests for Debian image + runs-on: ubuntu-latest + needs: + - build-and-push-docker-debian-image + steps: + - name: Login to DockerHub + uses: docker/login-action@v3 + if: github.secret_source == 'Actions' + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to Github Packages + uses: docker/login-action@v3 + if: github.secret_source == 'Actions' + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GHCR_IO_TOKEN }} + + - name: Create multiarch manifests + shell: bash + run: | + for tag in \ + docker.io/scit0/extract_otp_secrets:latest \ + ghcr.io/scito/extract_otp_secrets:latest \ + docker.io/scit0/extract_otp_secrets:bookworm \ + ghcr.io/scito/extract_otp_secrets:bookworm \ + ; do + docker buildx imagetools create -t $tag \ + $tag-x86_64 \ + $tag-arm64 + done + + build-and-push-docker-alpine-image: name: Build Docker Alpine image and push to repositories # run only when code is compiling and tests are passing strategy: matrix: include: - - DOCKER_PLATFORM: linux/amd64 + - DOCKER_ARCH: amd64 platform: ubuntu-latest - - DOCKER_PLATFORM: linux/arm64 + PLATFORM_ARCH: x86_64 + - DOCKER_ARCH: arm64 platform: ubuntu-24.04-arm + PLATFORM_ARCH: arm64 runs-on: ${{ matrix.platform }} @@ -167,20 +202,20 @@ jobs: id: docker_build_only_txt uses: docker/build-push-action@v5 with: + platforms: linux/${{ matrix.DOCKER_ARCH }} # relative path to the place where source code with Dockerfile is located - platforms: ${{ matrix.DOCKER_PLATFORM }} context: . file: docker/Dockerfile_only_txt # builder: ${{ steps.buildx.outputs.name }} # Note: tags has to be all lower-case pull: true tags: | - scit0/extract_otp_secrets:only-txt - scit0/extract_otp_secrets:alpine - ghcr.io/scito/extract_otp_secrets:only-txt - ghcr.io/scito/extract_otp_secrets:alpine + docker.io/scit0/extract_otp_secrets:only-txt-${{ matrix.PLATFORM_ARCH }} + docker.io/scit0/extract_otp_secrets:alpine-${{ matrix.PLATFORM_ARCH }} + ghcr.io/scito/extract_otp_secrets:only-txt-${{ matrix.PLATFORM_ARCH }} + ghcr.io/scito/extract_otp_secrets:alpine-${{ matrix.PLATFORM_ARCH }} # build on feature branches, push only on master branch - push: ${{ github.ref == 'refs/heads/master' && github.secret_source == 'Actions'}} + push: true # ${{ github.ref == 'refs/heads/master' && github.secret_source == 'Actions'}} build-args: | RUN_TESTS=true @@ -194,19 +229,59 @@ jobs: if: github.ref == 'refs/heads/master' uses: actions/upload-artifact@v4 with: - name: alpine_digests + name: digests_alpine_${{ matrix.PLATFORM_ARCH }} path: digests.txt + create-multiarch-alpine-manifests: + name: Create multiarch manifests for Alpine image + runs-on: ubuntu-latest + needs: + - build-and-push-docker-alpine-image + defaults: + run: + shell: bash + steps: + - name: Login to DockerHub + uses: docker/login-action@v3 + if: github.secret_source == 'Actions' + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to Github Packages + uses: docker/login-action@v3 + if: github.secret_source == 'Actions' + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GHCR_IO_TOKEN }} + + - name: Create multiarch manifests + shell: bash + run: | + for tag in \ + docker.io/scit0/extract_otp_secrets:only-txt \ + docker.io/scit0/extract_otp_secrets:alpine \ + ghcr.io/scito/extract_otp_secrets:only-txt \ + ghcr.io/scito/extract_otp_secrets:alpine \ + ; do + docker buildx imagetools create -t $tag \ + $tag-x86_64 \ + $tag-arm64 + done + build-and-push-docker-bullseye-image: name: Build Docker Bullseye image (for PyInstsaller) and push to repositories # run only when code is compiling and tests are passing strategy: matrix: include: - - DOCKER_PLATFORM: linux/amd64 + - DOCKER_ARCH: amd64 platform: ubuntu-latest - - DOCKER_PLATFORM: linux/arm64 + PLATFORM_ARCH: x86_64 + - DOCKER_ARCH: arm64 platform: ubuntu-24.04-arm + PLATFORM_ARCH: arm64 runs-on: ${{ matrix.platform }} @@ -247,12 +322,12 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GHCR_IO_TOKEN }} - - name: "Build image from Bullseye and push to GitHub Container Registry" + - name: "Build image from Bullseye (Debian 11) and push to GitHub Container Registry" id: docker_build_bullseye if: github.ref == 'refs/heads/master' uses: docker/build-push-action@v5 with: - platforms: ${{ matrix.DOCKER_PLATFORM }} + platforms: linux/${{ matrix.DOCKER_ARCH }} # relative path to the place where source code with Dockerfile is located context: . file: docker/Dockerfile @@ -262,8 +337,8 @@ jobs: # Note: tags has to be all lower-case pull: true tags: | - scit0/extract_otp_secrets:bullseye - ghcr.io/scito/extract_otp_secrets:bullseye + docker.io/scit0/extract_otp_secrets:bullseye-${{ matrix.PLATFORM_ARCH }} + ghcr.io/scito/extract_otp_secrets:bullseye-${{ matrix.PLATFORM_ARCH }} push: ${{ github.secret_source == 'Actions' }} - name: Image digest @@ -275,5 +350,39 @@ jobs: if: github.ref == 'refs/heads/master' uses: actions/upload-artifact@v4 with: - name: bullseye_digests + name: digests_bullseye_${{ matrix.PLATFORM_ARCH }} path: digests.txt + + create-multiarch-bullseye-manifests: + name: Create multiarch manifests for Bullseye image + runs-on: ubuntu-latest + needs: + - build-and-push-docker-bullseye-image + steps: + - name: Login to DockerHub + uses: docker/login-action@v3 + if: github.secret_source == 'Actions' + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to Github Packages + uses: docker/login-action@v3 + if: github.secret_source == 'Actions' + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GHCR_IO_TOKEN }} + + - name: Create multiarch manifests + shell: bash + run: | + for tag in \ + docker.io/scit0/extract_otp_secrets:bullseye \ + ghcr.io/scito/extract_otp_secrets:bullseye \ + ; do + docker buildx imagetools create -t $tag \ + $tag-x86_64 \ + $tag-arm64 + done + diff --git a/docker/Dockerfile b/docker/Dockerfile index 6dd2478..26329b1 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -16,7 +16,8 @@ COPY requirements*.txt src/ run_pytest.sh pytest.ini tests/ example_*.txt exampl ARG RUN_TESTS=true -RUN apt-get update && apt-get install -y --no-install-recommends \ +RUN uname -a \ + && apt-get update && apt-get install -y --no-install-recommends \ libgl1 \ libglib2.0-0 \ libsm6 \ @@ -31,6 +32,6 @@ WORKDIR /files ENTRYPOINT ["python", "/extract/extract_otp_secrets.py"] -LABEL org.opencontainers.image.source https://github.com/scito/extract_otp_secrets -LABEL org.opencontainers.image.license GPL-3.0+ +LABEL org.opencontainers.image.source=https://github.com/scito/extract_otp_secrets +LABEL org.opencontainers.image.license=GPL-3.0+ LABEL maintainer="Scito https://scito.ch, https://github.com/scito" diff --git a/docker/Dockerfile_only_txt b/docker/Dockerfile_only_txt index 6c3b87b..8602b25 100644 --- a/docker/Dockerfile_only_txt +++ b/docker/Dockerfile_only_txt @@ -17,7 +17,8 @@ COPY requirements*.txt src/ run_pytest.sh pytest.ini tests/ example_*.txt exampl ARG RUN_TESTS=true -RUN apk add --no-cache \ +RUN uname -a \ + && apk add --no-cache \ jpeg \ zlib \ && echo "Arch: $(apk --print-arch)" \ @@ -43,6 +44,6 @@ WORKDIR /files ENTRYPOINT ["python", "/extract/extract_otp_secrets.py"] -LABEL org.opencontainers.image.source https://github.com/scito/extract_otp_secrets -LABEL org.opencontainers.image.license GPL-3.0+ +LABEL org.opencontainers.image.source=https://github.com/scito/extract_otp_secrets +LABEL org.opencontainers.image.license=GPL-3.0+ LABEL maintainer="Scito https://scito.ch, https://github.com/scito"