Container version #134
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build docker image | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - 'main' | |
| tags: | |
| - 'v*' | |
| pull_request: | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE: openmethane/openmethane-prior | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| platform: | |
| # - linux/arm64 | |
| - linux/amd64 | |
| permissions: | |
| contents: read | |
| packages: write | |
| outputs: | |
| digest: ${{ steps.build.outputs.digest }} | |
| registry-image-id: ${{ steps.remote-image-id.outputs.REMOTE_ID }} | |
| # Builds and pushes the image | |
| # Tags the image with the PR that it is linked to | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: "${{ env.REGISTRY }}/${{ env.IMAGE }}" | |
| # tag as `build-XYZ` since images need to be tagged to push | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=raw,value=build-${{ github.run_number }} | |
| # Duplicated from Dockerfile due to https://github.com/docker/metadata-action/issues/295 | |
| labels: | | |
| org.opencontainers.image.title="Open Methane Prior Emissions" | |
| org.opencontainers.image.description="Method to calculate a gridded, prior emissions estimate for methane across Australia." | |
| org.opencontainers.image.authors="Peter Rayner <[email protected]>, Jared Lewis <[email protected]>" | |
| org.opencontainers.image.vendor="The Superpower Institute" | |
| - name: Build and push image | |
| uses: docker/build-push-action@v5 | |
| id: build | |
| with: | |
| platforms: ${{ matrix.platform }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| build-args: | | |
| OPENMETHANE_PRIOR_VERSION=${{ steps.meta.outputs.version }} | |
| push: true | |
| pull: false | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Construct remote image id | |
| id: remote-image-id | |
| run: | | |
| echo "REMOTE_ID=${{ env.REGISTRY }}/${{ env.IMAGE }}@${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT | |
| test-unit: | |
| # Simple test suite to verify that the docker container works as expected | |
| timeout-minutes: 10 | |
| runs-on: ubuntu-latest | |
| needs: build | |
| permissions: | |
| contents: read | |
| packages: read | |
| container: | |
| image: ghcr.io/openmethane/openmethane-prior@${{ needs.build.outputs.digest }} | |
| credentials: | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.github_token }} | |
| steps: | |
| - name: Check package version | |
| if: startsWith(github.event.ref, 'refs/tags/v') | |
| run: | | |
| TAG_REF="${{ github.event.ref }}" | |
| TAG_VERSION=${TAG_REF/"refs\/tags\/"} | |
| if [ "$OPENMETHANE_PRIOR_VERSION" != "$TAG_VERSION" ]; then | |
| echo "OPENMETHANE_PRIOR_VERSION is $OPENMETHANE_PRIOR_VERSION; expected version is $TAG_VERSION" | |
| exit 1 | |
| fi | |
| - name: Run a quick test suite | |
| run: | | |
| cd /opt/project | |
| cp .env.example .env | |
| python -m pytest -r a -v tests/integration/test_domain.py | |
| env: | |
| CDSAPI_KEY: ${{ secrets.CDSAPI_ADS_KEY }} | |
| CDSAPI_URL: https://ads.atmosphere.copernicus.eu/api | |
| # Determine additional tags to apply to the image | |
| image-tags: | |
| runs-on: ubuntu-latest | |
| needs: [ test-unit ] | |
| outputs: | |
| tags: ${{ steps.meta.outputs.tags }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| # check if the triggering ref is a vX.Y.Z tag and NOT vX.Y.Za0 (prerelease) | |
| - name: Check for stable release | |
| id: check-stable | |
| if: startsWith(github.event.ref, 'refs/tags/v') | |
| run: | | |
| if [[ "${{ github.event.ref }}" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo "STABLE_RELEASE=true" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: "${{ env.REGISTRY }}/${{ env.IMAGE }}" | |
| tags: | | |
| type=ref,event=pr | |
| type=pep440,pattern={{version}} | |
| type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.event.ref, 'refs/tags/v') }} | |
| type=raw,value=stable,enable=${{ steps.check-stable.outputs.STABLE_RELEASE == 'true' }} | |
| tag-image-ghcr: | |
| runs-on: ubuntu-latest | |
| needs: [ build, image-tags ] | |
| if: ${{ needs.image-tags.outputs.tags }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Login to Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Pull built docker image | |
| run: | | |
| docker pull ${{ needs.build.outputs.registry-image-id }} | |
| - name: Tag and push docker image | |
| run: | | |
| TAGS="${{ needs.image-tags.outputs.tags }}" | |
| IFS=$'\n' | |
| for tag in $TAGS; do | |
| echo "Tagging ${{ needs.build.outputs.registry-image-id }} as $tag" | |
| docker tag "${{ needs.build.outputs.registry-image-id }}" "$tag" | |
| docker push "$tag" | |
| done | |
| - name: Remove build tag from published image | |
| uses: dataaxiom/ghcr-cleanup-action@v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| delete-tags: build-${{ github.run_number }} | |
| # Push the image to ECR as well | |
| push-ecr: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| account_id: | |
| - "654654509571" | |
| - "058264429703" | |
| include: | |
| - account_id: "654654509571" | |
| aws_access_key_secret: "AWS_ACCESS_KEY_ID_SANDBOX" | |
| aws_secret_access_key_secret: "AWS_SECRET_ACCESS_KEY_SANDBOX" | |
| - account_id: "058264429703" | |
| aws_access_key_secret: "AWS_ACCESS_KEY_ID_PROD" | |
| aws_secret_access_key_secret: "AWS_SECRET_ACCESS_KEY_PROD" | |
| needs: [ build, image-tags ] | |
| if: ${{ needs.image-tags.outputs.tags }} | |
| permissions: | |
| contents: read | |
| packages: read | |
| env: | |
| ECR_REGISTRY: ${{ matrix.account_id }}.dkr.ecr.ap-southeast-2.amazonaws.com | |
| steps: | |
| - name: Login to Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| # TODO: Use the OIDC token instead of the access key | |
| with: | |
| aws-access-key-id: ${{ secrets[matrix.aws_access_key_secret] }} | |
| aws-secret-access-key: ${{ secrets[matrix.aws_secret_access_key_secret] }} | |
| aws-region: ap-southeast-2 | |
| - name: Login to Amazon ECR | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| - name: Pull built docker image | |
| run: | | |
| docker pull "${{ needs.build.outputs.registry-image-id }}" | |
| - name: Tag and push docker image to Amazon ECR | |
| # Replace the ghcr.io portion of the tags with the ECR URL so the tags | |
| # are pushed to the right registry | |
| run: | | |
| TAGS="${{ needs.image-tags.outputs.tags }}" | |
| IFS=$'\n' | |
| for tag in $TAGS; do | |
| ECR_TAG=${tag/"${{ env.REGISTRY }}"/"${{ env.ECR_REGISTRY }}"} | |
| echo "Tagging ${{ needs.build.outputs.registry-image-id }} as $ECR_TAG" | |
| docker tag "${{ needs.build.outputs.registry-image-id }}" "$ECR_TAG" | |
| docker push "$ECR_TAG" | |
| done |