-
Notifications
You must be signed in to change notification settings - Fork 0
235 lines (215 loc) · 7.94 KB
/
build_docker.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
name: Build docker image
on:
workflow_dispatch:
push:
branches:
- 'main'
tags:
- 'v*'
pull_request:
env:
REGISTRY: ghcr.io
IMAGE: openmethane/openmethane-prior
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
platform:
# - linux/arm64
- linux/amd64
permissions:
contents: read
packages: write
outputs:
digest: ${{ steps.build.outputs.digest }}
registry-image-id: ${{ steps.remote-image-id.outputs.REMOTE_ID }}
# Builds and pushes the image
# Tags the image with the PR that it is linked to
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: "${{ env.REGISTRY }}/${{ env.IMAGE }}"
# tag as `build-XYZ` since images need to be tagged to push
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr
type=raw,value=build-${{ github.run_number }}
# Duplicated from Dockerfile due to https://github.com/docker/metadata-action/issues/295
labels: |
org.opencontainers.image.title="Open Methane"
org.opencontainers.image.description="Open Methane prior estimates"
org.opencontainers.image.authors="Peter Rayner <[email protected]>, Jared Lewis <[email protected]>"
org.opencontainers.image.vendor="The Superpower Institute"
- name: Build and push image
uses: docker/build-push-action@v5
id: build
with:
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
tags: ${{ steps.meta.outputs.tags }}
build-args: |
OPENMETHANE_PRIOR_VERSION=${{ steps.meta.outputs.version }}
push: true
pull: false
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Construct remote image id
id: remote-image-id
run: |
echo "REMOTE_ID=${{ env.REGISTRY }}/${{ env.IMAGE }}@${{ steps.build.outputs.digest }}" >> $GITHUB_OUTPUT
test-unit:
# Simple test suite to verify that the docker container works as expected
timeout-minutes: 10
runs-on: ubuntu-latest
needs: build
permissions:
contents: read
packages: read
container:
image: ghcr.io/openmethane/openmethane-prior@${{ needs.build.outputs.digest }}
credentials:
username: ${{ github.actor }}
password: ${{ secrets.github_token }}
steps:
- name: Check package version
if: startsWith(github.event.ref, 'refs/tags/v')
run: |
TAG_REF="${{ github.event.ref }}"
TAG_VERSION=${TAG_REF/"refs\/tags\/"}
if [ "$OPENMETHANE_PRIOR_VERSION" != "$TAG_VERSION" ]; then
echo "OPENMETHANE_PRIOR_VERSION is $OPENMETHANE_PRIOR_VERSION; expected version is $TAG_VERSION"
exit 1
fi
- name: Run a quick test suite
run: |
cd /opt/project
cp .env.example .env
python -m pytest -r a -v tests/integration/test_domain_json.py
env:
CDSAPI_KEY: ${{ secrets.CDSAPI_ADS_KEY }}
CDSAPI_URL: https://ads.atmosphere.copernicus.eu/api
# Determine additional tags to apply to the image
image-tags:
runs-on: ubuntu-latest
needs: [ test-unit ]
outputs:
tags: ${{ steps.meta.outputs.tags }}
steps:
- name: Checkout code
uses: actions/checkout@v4
# check if the triggering ref is a vX.Y.Z tag and NOT vX.Y.Za0 (prerelease)
- name: Check for stable release
id: check-stable
if: startsWith(github.event.ref, 'refs/tags/v')
run: |
if [[ "${{ github.event.ref }}" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "STABLE_RELEASE=true" >> $GITHUB_OUTPUT
fi
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: "${{ env.REGISTRY }}/${{ env.IMAGE }}"
tags: |
type=ref,event=pr
type=pep440,pattern={{version}}
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.event.ref, 'refs/tags/v') }}
type=raw,value=stable,enable=${{ steps.check-stable.outputs.STABLE_RELEASE == 'true' }}
tag-image-ghcr:
runs-on: ubuntu-latest
needs: [ build, image-tags ]
if: ${{ needs.image-tags.outputs.tags }}
permissions:
contents: read
packages: write
steps:
- name: Login to Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Pull built docker image
run: |
docker pull ${{ needs.build.outputs.registry-image-id }}
- name: Tag and push docker image
run: |
TAGS="${{ needs.image-tags.outputs.tags }}"
IFS=$'\n'
for tag in $TAGS; do
echo "Tagging ${{ needs.build.outputs.registry-image-id }} as $tag"
docker tag "${{ needs.build.outputs.registry-image-id }}" "$tag"
docker push "$tag"
done
- name: Remove build tag from published image
uses: dataaxiom/ghcr-cleanup-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
delete-tags: build-${{ github.run_number }}
# Push the image to ECR as well
push-ecr:
runs-on: ubuntu-latest
strategy:
matrix:
account_id:
- "654654509571"
- "058264429703"
include:
- account_id: "654654509571"
aws_access_key_secret: "AWS_ACCESS_KEY_ID_SANDBOX"
aws_secret_access_key_secret: "AWS_SECRET_ACCESS_KEY_SANDBOX"
- account_id: "058264429703"
aws_access_key_secret: "AWS_ACCESS_KEY_ID_PROD"
aws_secret_access_key_secret: "AWS_SECRET_ACCESS_KEY_PROD"
needs: [ build, image-tags ]
if: ${{ needs.image-tags.outputs.tags }}
permissions:
contents: read
packages: read
env:
ECR_REGISTRY: ${{ matrix.account_id }}.dkr.ecr.ap-southeast-2.amazonaws.com
steps:
- name: Login to Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
# TODO: Use the OIDC token instead of the access key
with:
aws-access-key-id: ${{ secrets[matrix.aws_access_key_secret] }}
aws-secret-access-key: ${{ secrets[matrix.aws_secret_access_key_secret] }}
aws-region: ap-southeast-2
- name: Login to Amazon ECR
uses: aws-actions/amazon-ecr-login@v2
- name: Pull built docker image
run: |
docker pull "${{ needs.build.outputs.registry-image-id }}"
- name: Tag and push docker image to Amazon ECR
# Replace the ghcr.io portion of the tags with the ECR URL so the tags
# are pushed to the right registry
run: |
TAGS="${{ needs.image-tags.outputs.tags }}"
IFS=$'\n'
for tag in $TAGS; do
ECR_TAG=${tag/"${{ env.REGISTRY }}"/"${{ env.ECR_REGISTRY }}"}
echo "Tagging ${{ needs.build.outputs.registry-image-id }} as $ECR_TAG"
docker tag "${{ needs.build.outputs.registry-image-id }}" "$ECR_TAG"
docker push "$ECR_TAG"
done